News and Updates
2020-10-19 Windows SDK Updated (New version 3.4 with SNF Engine 3.2.2)
We have released Windows SDK Version 3.4 which includes the latest SNF engine updates. In particular we've removed the saccades engine to allow for deeper scans and more extensive use of "above band" rule groups.
The growing use of above-band rule groups like "Experimental Bulk/Noisy" and additional groups for machine learning feature extraction has changed the paradigm for heuristic competition in the SNF world. Where previously it was important to optimize scanning performance for low-powered hardware, and heuristic competition could add pressure to select for more efficient rules, the new paradigm requires that any available patterns will match (at least once), and hardware constraints are no longer a serious concern. For example, SNF is easily able to operate at scanning rates that are 3 orders of magnitude higher than most deployments require on modern equipment.
This isn't to say that heuristic efficiency optimization will be going away -- but rather that the mechanisms for optimizing that efficiency can be moved more toward the back-end so that the front-end scanners can concentrate on making all available matches available for analysis and even more sophisticated learning algorithms.
Saccades was fun, and effective, but its time has passed.
2020-06-11 GBUdbBots Refactored
Our GBUdb system has been updated to be more dynamic and responsive, and to have a longer memory for bad actors and suspicious IP addresses. The new machine learning model keeps track of IPs that develop a purely black reputation, keeping them just below the truncate blacklist threshold until some new behaviors are observed.
Using a dynamic, iterative system of interacting processes, a zone of structured criticality now exists just below the threshold of the truncate RBL for any IP that has a purely black reputation. This creates a kind of statistical "event horizon" where these IPs get trapped until something new about their behavior is observed.
This means that repeat offenders that simply stop sending for a period of time will have a slight bias against them when they begin sending again - but not so much that they will be penalized if they start to send good content (such as an IP in the cloud that once was a bad actor, but has been reassigned to a new owner).
If the new activity proves positive then the IP is rapidly pushed away from the event horizon and receives the reputation it is earning from its new activity; but if the IP is again sending bad content then it will be rapidly pushed onto the truncate list and reflections on that IP will be strongly biased toward the black so that rapid sampling will occur (where it is allowed) and filtering patterns that are sensitive to IP reputation will be activated sooner.
2020-05-01 Rulebots refactored
Our rule-bots have been refactored to reduce latency and generate rulebases at a faster pace. This will reduce the window of opportunity for emerging threats by closing the window on them more quickly.
2016-04-19 SNF Engine Update to 3.2.1 / Short Buffer Bug Fix
Today we have released a new SNF engine with a minor bug fix. Please update your SNF installation at your convenience. Chances are that you've not seen any problems from this bug. If you have experienced problems they most likely presented as very rare, random errors possibly causing a crash.
As with most SNF engine updates the simplest process is to replace your binary with the latest. For Windows users here are some links to the latest engine:
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox32-3.2.1.exe
http://www.armresearch.com/message-sniffer/download/updates/SNFServer-windows-7-prox64-3.2.1.exe
Simply stop your SNFServer, swap in the new .exe (renamed of course) and restart SNFServer.
For folks running Linux platforms the packages and source tarballs on our web site have all been updated on the Downloads page. OEMs using the Windows SDK should upgrade to the latest DLL which should be a swap-in replacement.
Technical details
The bug fix is for a short buffer allocation in the codedweller/configuration.cpp module. The bug fix also solves problems unrelated to SNF where applications using the CodeDweller/configuration engine to parse unusually large XML attributes could cause a stack overflow. The solution allocates the buffer for attributes from the heap instead of the stack and eliminates a short-by-one allocation error.
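The allocation pattern described above, as an added example that is not the CodeDweller source: the function name copyAttribute and the simplified name="value" attribute syntax are assumptions made for illustration.

```cpp
// Added example: hypothetical names, not CodeDweller source.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>

// Flawed pattern the fix removes (shown as comments only, never executed):
//   char buf[256];                 // fixed stack buffer, unrelated to input size
//   char* buf = new char[len];     // short by one: no room for the '\0'
//
// Hardened form: size the buffer from the input, allocate it on the heap,
// and reserve one extra byte for the terminator.
// Simplified syntax (assumption): attributes look like  name="value".
std::unique_ptr<char[]> copyAttribute(const std::string& tag,
                                      const std::string& name,
                                      std::size_t& lenOut) {
    lenOut = 0;
    const std::string key = " " + name + "=\"";
    std::size_t start = tag.find(key);
    if (start == std::string::npos) return nullptr;   // attribute absent
    start += key.size();
    const std::size_t end = tag.find('"', start);
    if (end == std::string::npos) return nullptr;     // unterminated value
    lenOut = end - start;
    std::unique_ptr<char[]> buf(new char[lenOut + 1]); // +1 for '\0'
    std::memcpy(buf.get(), tag.data() + start, lenOut);
    buf[lenOut] = '\0';
    return buf;
}

int main() {
    // Constructed input: one small attribute and one 1 MiB attribute.
    const std::string big(1u << 20, 'A');
    const std::string tag = "<rule id=\"7\" pattern=\"" + big + "\"/>";
    std::size_t n = 0;
    auto id = copyAttribute(tag, "id", n);
    std::printf("id=%s (%zu bytes)\n", id ? id.get() : "(none)", n);
    auto pattern = copyAttribute(tag, "pattern", n);
    std::printf("pattern length=%zu, terminated=%d\n", n,
                pattern && pattern[n] == '\0');
    return 0;
}
```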
Those curious about the source code can see the important diff here:
2015-12-29 Updated Windows SDK Posted with SNFMulti 3.2
The latest Windows SDK is posted. It's exactly like the previous one except we changed the version number and the DLLs have been updated. They should be a drop-in replacement for the previous DLLs. Visit the Downloads page to download the new Windows SDK (version 3.3).
2015-12-24 SNFMulti 3.2.0: Strangers Released!
A new version of Message Sniffer is available. The most exciting new feature for this version is: Strangers.
The "Strangers" algorithm replaces the previous White-Guard algorithm.
Strangers prevents high-intensity pre-tested spam from poisoning IP reputations in GBUdb and enhances SNF's sensitivity to these kinds of attacks. Once pattern rules begin to match the pre-tested attack the IP reputations quickly climb into the black enhancing all of SNF's learning systems. Normal, but new, IP sources are held to low-confidence reputations for several hours, but after that are allowed to develop normally.
Short summary: Strangers lets SNF close the door more quickly on pre-tested spam while enhancing SNF's learning sensitivity to those events and without interfering with normal IP reputation processing.
Visit the Downloads page for the latest package downloads.
2015-12-03 Updated SNF Version Available!
A rare bug has been discovered and corrected. The bug can allow a specific kind of rulebase corruption to cause short pattern matches in error and potentially create false positives. We experienced this problem during the last few days in November and we call it the "short-match" problem. In addition to changes in our back-end systems and processes, we have released a new version of the Message Sniffer engine that is immune to these short-match events.
While the bug is rare and unlikely to recur, we do recommend that you upgrade your systems to the latest version of Message Sniffer (a good idea anyway) so that your systems will be protected. Details on how to do this were posted to the sniffer community list http://www.mail-archive.com/[email protected]/msg04437.html
2015-06-10 SmarterTools is now offering Message Sniffer as a tightly-integrated add-on for SmarterMail!
Unlike our SNFServer/SNFClient based options, SmarterMail's OEM integration option allows the Message Sniffer scanning engine to do its work during the SMTP session allowing for spam/malware handling options that are not possible otherwise -- such as rejecting some messages before they are written to disk to reduce IO overhead and improve system performance.
We look forward to working with the SmarterMail folks to take maximum advantage of the SNF engine and this new feature.
This is not a one-size-fits-all solution either! All of the current integration options (and others that are sure to arise) are still available for the folks who fit those better.
2015-05-13 Rulebase Compiler Improvements
We have improved our rulebase compiler scheduling and efficiency. This has allowed us to increase the pace of rulebase updates by approximately 50%. You should see a further reduction in leakage rates and slightly more frequent rulebase updates.
2015-03-15 Snapshot Packages Now Available!
We have begun posting .DEB and .RPM packages for a variety of Linux distributions. The packages generally come in two parts. The first part installs the Message Sniffer components. The second part (optional) installs a particular default integration -- for example: connecting Message Sniffer to Postfix with a filter script. There are many combinations posted and more on the way.
2014-11-18 SNF4SA Updated for Compatibility with SpamAssassin-in-a-Box
SNF4SA has been tweaked for compatibility with SpamAssassin-in-a-box and other Windows based ports of SpamAssassin.
2014-11-03 RPMs and DEBs are Now Available for Most Linux Platforms by Request
To request one of the new RPMs or DEBs now available for most Linux platforms, please send a note to the support team.
2014-08-15 Version 3.1 of SNF is Available for All Platforms Except MDaemon (pending)
Version 3.1 of SNF is available for all platforms except MDaemon (pending). This update includes Saccades Engine which improves scanning efficiency by 10x in most cases. This update also includes an update of White-Guard to each SNF node, so it is more powerful and less heavy handed. White Guard helps to reduce IP reputation poisoning caused by new, pre-tested spam/malware.
You can get the latest SNF distributions from the Downloads page.
2014-02-13 Beta Version of Updated SNFServer Available for Download!
We are preparing to release a new version of the Message Sniffer engine that includes an exciting new technology.
The "saccades engine" allows SNF to intelligently skip large portions of most messages without missing any important content. The engine borrows from MicroNeil's synthetic intelligence research relating to visual systems processing and essentially gives SNF a behavior similar to what we all do with our eyes: http://en.wikipedia.org/wiki/Saccade.
The engine learns where matches are most likely to occur and then applies what it is learning in real-time. This allows SNF to rapidly identify messages of a type it has already seen without having to scan the entire contents. This has the potential to improve scanning efficiency by 90% or more. That is, scanning typical messages can happen with 1/10th the work for a 10x improvement in efficiency. Not kidding, we're actually seeing these results on some of our testbed servers! You may have seen me tweet about it: https://twitter.com/codedweller/status/434020178352148480
If you'd like to test the BETA version and you are using SNFServer.exe then you can find a copy of the new engine at the following link:
BETA Version: http://www.armresearch.com/message-sniffer/download/SNFServerV3.0.2-E3.1.0.zip
To swap it in,
- Download and unzip the new engine.
- Stop your Message Sniffer.
- Rename your SNFServer.exe to something like SNFServer.exe.bakup (always a good idea to keep a backup).
- Rename the new engine to SNFServer.exe
- Restart your Message Sniffer.
Please let us know how this works for you.
2013-11-08 ARM Research Labs, Inc. Launches New Website!
2013-08-26 White-Guard Implemented
We've been experimenting with a new machine learning behavior. White-Guard is improving early capture rates for new spam and with it overall accuracy and throughput. For example, one thing we've seen since implementing White-Guard is higher truncate numbers across the network-- meaning that more messages are blocked for having bad IP reputations than before we implemented White-Guard.
Here is a new blog post that explains what White-Guard is and how it works:
http://www.lifeatwarp9.com/2013/08/lies-machine-learning-and-blackhatzes/
You DO NOT need to install or change anything to take advantage of this. White-Guard is implemented in the "bigger brain" back here in the lab.
2013-08-21 Haraka 2.2 with Message Sniffer Plugin Released!
Haraka 2.2 has just been released with the Message Sniffer plugin.
Check out the announcement on their site: http://baudehlo.wordpress.com/2013/08/21/announce-haraka-v2-2-0/
2013-04-30 Rulebase Compiler Improvements
We have improved our rulebase compiler scheduling and efficiency. This has allowed us to increase the pace of rulebase updates by approximately 20%.
You should see a further reduction in leakage rates and slightly more frequent rulebase updates.
2013-04-10 Convert Your Declude OEM License Now and Get Full Credit!
It appears that Declude (the company) is failing. After many rumors of problems and some first hand experience, today the Declude web site has gone dark.
We have a long standing relationship with the Declude community, and we want to make sure we do what we can to support them even if Declude itself goes away.
Place an order for Message Sniffer (SNF) now and we will give you credit for any time you have left on your Declude OEM license subscription. Tell us your Declude OEM expiration date and we will add the time you have left to your new SNF license + the renewal year.
For the best pricing we recommend you purchase through one of our resellers.
Please let us know if there is more we can do!