This article explains, in detail, how to enable and configure the Declude Internal Message Sniffer.
1.) If you are currently running the external Message Sniffer, let us know that you would like to switch to the Internal Message Sniffer so we can enable the internal Sniffer in our system and let Armresearch know you are switching. We will also need your current Message Sniffer key. If you are not currently running any version of Sniffer, let us know as well, because we still need to enable it on our end. You can contact us at support@declude.com with this information.
2.) Go to the following directory... declude\scanners\SNF and you will see the following files...
AuthenticationProtocol.swf
curl.exe
d3cludex.snf
GBUdbIgnoreList.txt
getRulebase.cmd
gzip.exe
snf_engine.xml
wget.exe
(If you do not have an SNF directory, create one in declude\scanners and go to the following link to download the zip file containing the files you will need: http://interim.declude.com/41048/Scanners/SNF/ The username and password for the interim site can be found on your account page. Download SNF-Files.zip to your newly created declude\scanners\SNF folder and extract the files into that directory.)
3.) Open the getRulebase.cmd file in Notepad and edit the following line... SET SNIFFER_PATH=[PATH]\declude\scanners\SNF\
To edit this, remove [PATH] and replace it with the path to your SNF directory. For example, if your installation path is D:\Smartermail\Declude\Scanners\SNF, you would edit the line as follows...
SET SNIFFER_PATH=D:\Smartermail\declude\scanners\SNF\
4.) Open snf_engine.xml in Notepad and edit the following lines...
<log path='[PATH]\declude\scanners\SNF\'/>
<rulebase path='[PATH]\declude\scanners\SNF\'/>
<workspace path='[PATH]\declude\scanners\SNF\'/>
<update-script on-off='on' call='[PATH]\declude\scanners\SNF\getRulebase.cmd'
Edit these with the same path as you did with the getRulebase.cmd file. For example...
<log path='D:\Smartermail\declude\scanners\SNF\'/>
<rulebase path='D:\Smartermail\declude\scanners\SNF\'/>
<workspace path='D:\Smartermail\declude\scanners\SNF\'/>
<update-script on-off='on' call='D:\Smartermail\declude\scanners\SNF\getRulebase.cmd'
5.) Next we have to add the call lines for Sniffer to the global.cfg file. Take these lines and paste them into your current global.cfg file...
SNFIPCAUTION SNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10 0
SNFIPTRUNCATE SNFIP x 6 10 0
IPREPUTATION SNFIPREP x 0 10 -5
SNIFFER-TRAVEL SNF x 47 10 0
SNIFFER-INSURANCE SNF x 48 10 0
SNIFFER-AV-PUSH SNF x 49 10 0
SNIFFER-WAREZ SNF x 50 10 0
SNIFFER-SPAMWARE SNF x 51 10 0
SNIFFER-SNAKEOIL SNF x 52 12 0
SNIFFER-SCAMS SNF x 53 10 0
SNIFFER-PORN SNF x 54 10 0
SNIFFER-MALWARE SNF x 55 10 0
SNIFFER-ADVERTISING SNF x 56 10 0
SNIFFER-SCHEME SNF x 57 10 0
SNIFFER-CREDIT SNF x 58 10 0
SNIFFER-GAMBLING SNF x 59 10 0
SNIFFER-GENERAL SNF x 60 10 0
SNIFFER-SPAM SNF x 61 10 0
SNIFFER-OBFUSCATION SNF x 62 10 0
SNIFFER-IP-RULES SNF x 63 10 0
SNFTRUNCATE SNF x 20 10 0
Here is an explanation of the values you see above. Each line has the form NAME TYPE x CODE WEIGHT FAILWEIGHT; in the explanation below the values after TYPE are counted from the "x", so CODE is the 2nd value, WEIGHT the 3rd and FAILWEIGHT the 4th.
SNFIPBLACK SNFIP x 5 10 0: the 2nd value, 5, is the result code the test matches (5 = Block) and works as an exit code; the 3rd value, 10, is the weight added when the test triggers.
IPREPUTATION works differently.
SNFIPREP represents a scale running from -1 through 0 to +1. When the 2nd value (the BASEPOINT) is set to 0, the IP reputation is converted to this scale as in the examples below:
If the final score is 0, no score is added to the email:
dec0430.log 1842 04/30/2010 00:01:20.700 49319588 SNFIPRep the Value of Result = 0.000000
If the final score is positive, the 3rd value is used, in this case 10:
dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262
If the final score is negative, the 4th value is used, in this case -5:
dec0430.log 11926 04/30/2010 00:08:50.340 49319647 SNFIPRep the Value of Result = -0.267262
The BASEPOINT is the point on the scale at which an email is considered "Good" if the result falls to the left of it, or "Bad" if it falls to the right.
The final score is computed as:
(SNIFFER RETURN) x 10 - (BASEPOINT) = Result
The fractional part of (SNIFFER RETURN) x 10 is dropped, so 0.267262 x 10 counts as 2 and -0.267262 x 10 counts as -2, which is why the examples below come out as whole numbers. Raising the BASEPOINT makes the test harder to trigger; with a BASEPOINT of 0, any positive reputation triggers it.
Examples:
0.267262 x 10 - 0 = 2. This is positive, so the test is triggered for 10 points.
0.267262 x 10 - 1 = 1. This is positive, so the test is triggered for 10 points.
0.267262 x 10 - 2 = 0. Not triggered, and no points are added.
0.267262 x 10 - 3 = -1. This is negative, so the test is not triggered and -5 points are added.
0.267262 x 10 - 4 = -2. This is negative, so the test is not triggered and -5 points are added.
-0.267262 x 10 - 0 = -2. This is negative, so the test is not triggered and -5 points are added.
-0.267262 x 10 - 1 = -3. This is negative, so the test is not triggered and -5 points are added.
-0.267262 x 10 - 2 = -4. This is negative, so the test is not triggered and -5 points are added.
-0.267262 x 10 - 3 = -5. This is negative, so the test is not triggered and -5 points are added.
-0.267262 x 10 - 4 = -6. This is negative, so the test is not triggered and -5 points are added.
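The scoring described above, worked through in code so you can check what a given global.cfg line will do to a message before you deploy it. This is an added example written for this article, not code from Declude or from the Message Sniffer product: it parses global.cfg test lines in the NAME TYPE x CODE WEIGHT FAILWEIGHT form and the "SNFIPRep the Value of Result" diagnostic lines quoted above, reproduces the BASEPOINT table, and then applies a whole set of Sniffer tests to one message. The scaling rule (multiply by 10, drop the fractional part) is inferred from the article's own examples. The rule that an SNF or SNFIP test triggers when the scanner's result code equals the test's CODE value is an assumption made for this example, not something the article states, and the sample config and log line are constructed from the lines shown above.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A Declude global.cfg test line: NAME TYPE x CODE WEIGHT FAILWEIGHT
# (the "x" argument is a placeholder for internal scanner tests).
TEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*$")

# Diagnostic log line in the form quoted in the article, e.g.
#   dec0430.log 7351 04/30/2010 00:07:14.043 49319625 SNFIPRep the Value of Result = 0.267262
RESULT_LINE = re.compile(r"SNFIPRep the Value of Result = (-?\d+(?:\.\d+)?)")


@dataclass
class SnfTest:
    name: str
    type: str         # SNF, SNFIP or SNFIPREP
    code: int         # result code to match; for SNFIPREP this is the BASEPOINT
    weight: int       # points added when the test triggers
    fail_weight: int  # points added when the test does not trigger


def parse_test_line(line: str) -> Optional[SnfTest]:
    """Parse one global.cfg line; comments, blanks and other directives give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = TEST_LINE.match(line)
    if m is None:
        return None
    name, ttype, _arg, code, weight, fail_weight = m.groups()
    return SnfTest(name, ttype, int(code), int(weight), int(fail_weight))


def parse_result(log_line: str) -> Optional[float]:
    """Pull the floating-point reputation value out of an SNFIPRep log line."""
    m = RESULT_LINE.search(log_line)
    return float(m.group(1)) if m else None


def scaled_result(sniffer_return: float, basepoint: int) -> int:
    """(SNIFFER RETURN) x 10 - (BASEPOINT), with the fractional part of the scaled
    return dropped, which is what the article's table shows
    (0.267262 x 10 counts as 2, -0.267262 x 10 counts as -2)."""
    return math.trunc(sniffer_return * 10) - basepoint


def ip_reputation_points(test: SnfTest, sniffer_return: float) -> int:
    """Positive result -> WEIGHT, negative -> FAILWEIGHT, zero -> nothing added."""
    r = scaled_result(sniffer_return, test.code)
    if r > 0:
        return test.weight
    if r < 0:
        return test.fail_weight
    return 0


def score_message(cfg_text: str, snf_code: int, snfip_code: int,
                  iprep_return: float) -> Tuple[int, List[Tuple[str, int]]]:
    """Apply every Sniffer test in cfg_text to one message and return
    (total points, [(test name, points)] for the tests that added points).
    Assumption (not stated in the article): an SNF or SNFIP test triggers
    when the scanner's result code equals the test's CODE value."""
    total = 0
    scored: List[Tuple[str, int]] = []
    for raw in cfg_text.splitlines():
        t = parse_test_line(raw)
        if t is None:
            continue
        if t.type == "SNFIPREP":
            pts = ip_reputation_points(t, iprep_return)
        elif t.type == "SNF":
            pts = t.weight if snf_code == t.code else t.fail_weight
        elif t.type == "SNFIP":
            pts = t.weight if snfip_code == t.code else t.fail_weight
        else:
            continue
        total += pts
        if pts != 0:
            scored.append((t.name, pts))
    return total, scored


# Constructed sample: a subset of the global.cfg lines from this article,
# plus a commented-out line of the kind step 7 produces, which is skipped.
SAMPLE_GLOBAL_CFG = """\
# external Sniffer line commented out in step 7 is ignored
SNFIPCAUTION SNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10 0
SNFIPTRUNCATE SNFIP x 6 10 0
IPREPUTATION SNFIPREP x 0 10 -5
SNIFFER-SPAM SNF x 61 10 0
SNIFFER-OBFUSCATION SNF x 62 10 0
SNFTRUNCATE SNF x 20 10 0
"""

# Constructed diagnostic line in the article's format.
SAMPLE_LOG = ("dec0430.log 7351 04/30/2010 00:07:14.043 49319625 "
              "SNFIPRep the Value of Result = 0.267262")

if __name__ == "__main__":
    rep = parse_result(SAMPLE_LOG)
    for bp in range(5):
        print(f"basepoint {bp}: {rep} x 10 - {bp} = {scaled_result(rep, bp)}")
    total, scored = score_message(SAMPLE_GLOBAL_CFG, snf_code=61, snfip_code=5, iprep_return=rep)
    print(total, scored)
```

Run it as-is to print the BASEPOINT table for the article's 0.267262 return and a sample message that hit result code 61 (SNIFFER-SPAM), IP code 5 (SNFIPBLACK) and a positive reputation, for 30 points in total. To try a change to your own configuration, paste your global.cfg Sniffer lines into SAMPLE_GLOBAL_CFG and a real SNFIPRep line from your Declude log into SAMPLE_LOG.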
6.) This part only applies to you if you are taking an action other than WARN for Sniffer in your $default$.junkmail file. If you only WARN on Sniffer, skip this step. If you DELETE, SUBJECT, etc. on Sniffer, do the following...
Open your $default$.junkmail file and add the following lines...
SNFIPCAUTION
SNFIPBLACK
SNFIPTRUNCATE
IPREPUTATION
SNIFFER-TRAVEL
SNIFFER-INSURANCE
SNIFFER-AV-PUSH
SNIFFER-WAREZ
SNIFFER-SPAMWARE
SNIFFER-SNAKEOIL
SNIFFER-SCAMS
SNIFFER-PORN
SNIFFER-MALWARE
SNIFFER-ADVERTISING
SNIFFER-SCHEME
SNIFFER-CREDIT
SNIFFER-GAMBLING
SNIFFER-GENERAL
SNIFFER-SPAM
SNIFFER-OBFUSCATION
SNIFFER-IP-RULES
SNFTRUNCATE
Now add whatever action you want each test to have. For example...
SNFIPCAUTION DELETE
SNFIPBLACK SUBJECT: SPAM
SNFIPTRUNCATE ROUTETO spam@example.com
IPREPUTATION MAILBOX spam
7.) If you are currently running the external Message Sniffer, you must disable it before we enable the internal Sniffer. To do this, go to your global.cfg and comment out your current external Sniffer lines if you have them there. For example, you may see something in your global.cfg such as this...
SNIFFER external nonzero "[PATH]\Declude\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7" 12 0
Simply add a pound sign (#) to the beginning of the line...
#SNIFFER external nonzero "[PATH]\Declude\Sniffer\snfrv2r3.exe xnk05x5vmipeaof7" 12 0
Next, if you are running a version of the external Sniffer that runs as or with a service, open Windows Services (Start > Run > services.msc), find the Message Sniffer service in the list, right-click it, choose "Properties", set the Startup type to Disabled, then stop the service.
8.) Go to your declude.cfg file, located in your Declude directory, and make sure it contains the directive BLKLST ON and that the line is not commented out. This lets us test whether the internal Message Sniffer is working. If the directive is not there, add it.
9.) Go back to your Declude directory and delete your current diags.txt file.
10.) Go to your Windows Services area again and restart the decludeproc service.
11.) A new diags.txt file will be generated in your Declude directory. Open it and make sure that Message Sniffer shows ON at the top. If it does not, contact Declude support.
12.) Once you have verified that diags.txt shows Message Sniffer is on, go to your declude\scanners\SNF directory and double-click getRulebase.cmd to fetch the first Sniffer rulebase update. You will not have to do this going forward because updates will be automatic.
13.) Wait a few minutes, then go to your \Spool directory. You will see a blklst.txt file. Open it and search for the word "Sniffer" (without the quotes). You should see the different Sniffer tests that we added to global.cfg triggering. If you do not, please contact Declude support.