Re[4]: [sniffer] POP Approach

2005-10-14 Thread Pete McNeil
On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH What is going on with the sniffer not catching any of the spam that is now
RH coming through? We are getting slammed with medication, mortgage and other
RH junk email?

Your license has expired.

Please send a note to [EMAIL PROTECTED] to renew. We will send
you an invoice you can pay online.

Thanks,

_M



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread Pete McNeil
On Friday, October 14, 2005, 10:59:05 AM, Chuck wrote:

CS We are seeing a lot of the drug spam getting through.  Any way that sniffer
CS could start catching these?  And yes I am forwarding them all.

There are a number of new campaigns launched today with some heavy
bandwidth behind them. We have rules in place for most (if not all) of
the new stuff, however there is a delay before these rules might get
to you - during that window some of these will get through.

Over the past few months we have increased the rate at which we send
out updates - nearly cutting the time in half. Updates are now sent
every 180 minutes or so. We are also working on the next version which
will allow for nearly instantaneous updates.

In the meantime we will continue to work on speeding things up as
much as we can.

Hope this helps,

_M





RE: Re[2]: [sniffer] POP Approach

2005-10-14 Thread Daniel Bayerdorffer
Hello Pete,

Are you going to implement something similar for false positives?

Thanks,
Daniel 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Friday, October 14, 2005 12:32 AM
 To: William Van Hefner
 Subject: Re[2]: [sniffer] POP Approach
 
 On Wednesday, October 12, 2005, 6:30:45 PM, William wrote:
 
 WVH Pete,
 
 WVH Was just wondering, I have all of my e-mail pass through an IMGate/Postfix
 WVH machine prior to hitting my main mail server. Sometimes, e-mail (especially
 WVH spam) gets forwarded from the secondary MX as well. If we use the POP method
 WVH of redirecting spam to an appropriate mailbox are you just going to be
 WVH scanning the messages for content, or inspecting the headers for IP
 WVH information as well?
 
 We will inspect all parts of the messages manually and with automated
 tools. This is true of all spam that arrives at our system no matter
 how it gets there.
 
 WVH Reason I'm asking is, I just want to make sure that one of my own servers
 WVH doesn't end up included in some type of blacklist rule. It seems like it
 WVH would take an awful lot of work on your part to ensure that any filters
 WVH don't contain IPs of one of your customer's machines, if you are scanning
 WVH header information. When you throw-in the fact that the redirect may come
 WVH from the client of an entirely different network with no link whatsoever to
 WVH our DNS records, that would seem to make taking any header information
 WVH (except maybe the Subject or From lines) into account a very risky
 WVH proposition. Thanks!!!
 
 Actually, we can often be very precise about the routing of messages
 pulled from pop accounts.
 
 That said, there is always a non-zero risk that an IP which is listed
 in certain black lists and also arrives at one of our traps may be
 added to our rulebase. This is almost always an automated process
 since we have determined that manually entered IPs are prone to
 errors.
 
 If an IP on one of your servers does get tagged, then you would be
 able to use the rule-panic procedure for immediate relief and once the
 problem was solved it could not be recreated.
 
 Part of our system is that it remembers every mistake we ever made and
 prevents us making that same mistake again --- unless we're really,
 really determined ;-)
 
 Understand, I'm not making light of this possibility... we take all
 false positive cases (real or imagined) very seriously. I do want to
 point out that these cases are rare, easily solved, and nearly
 impossible to repeat. I should also point out that this risk is not
 increased by using the pop3 method.
 
 Hope this helps,
 
 _M
 
 
 
 





Re[4]: [sniffer] POP Approach

2005-10-14 Thread Pete McNeil
On Friday, October 14, 2005, 11:18:18 AM, Daniel wrote:

DB Hello Pete,

DB Are you going to implement something similar for false positives?

No.

The false positive process is very interactive, so each case is
handled individually until it is resolved. This works best as it is
currently described because a new email thread is created for each new
case and that thread can be followed to ground.

In contrast, spam submissions are treated anonymously without any
further interaction so it is appropriate for us to pick up the
messages and move on with our processing.

Hope this helps,

_M





RE: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread Chuck Schick
Pete:

Thanks.  I am just frustrated by the continued spam growth.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Friday, October 14, 2005 9:08 AM
To: Chuck Schick
Subject: Re: [sniffer] Large amounts of spam still getting through


On Friday, October 14, 2005, 10:59:05 AM, Chuck wrote:

CS We are seeing a lot of the drug spam getting through.  Any way that 
CS sniffer could start catching these?  And yes I am forwarding them 
CS all.

There are a number of new campaigns launched today with some heavy bandwidth
behind them. We have rules in place for most (if not all) of the new stuff,
however there is a delay before these rules might get to you - during that
window some of these will get through.

Over the past few months we have increased the rate at which we send out
updates - nearly cutting the time in half. Updates are now sent every 180
minutes or so. We are also working on the next version which will allow for
nearly instantaneous updates.

In the meantime we will continue to work on speeding things up as much as
we can.

Hope this helps,

_M





Re: Re[4]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Hi Pete,

Do you send out notices to licensees to let them know to renew ahead of
time?

I think we're getting close to renewal, and want to make sure we don't
lapse.

Darin.


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Rick Hogue sniffer@SortMonster.com
Cc: [EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 AM
Subject: Re[4]: [sniffer] POP Approach


On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH What is going on with the sniffer not catching any of the spam that is now
RH coming through? We are getting slammed with medication, mortgage and other
RH junk email?

Your license has expired.

Please send a note to [EMAIL PROTECTED] to renew. We will send
you an invoice you can pay online.

Thanks,

_M





RE: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread Landry William

We do exactly this at our Postfix gateways, it's called greylisting.  See
http://isg.ee.ethz.ch/tools/postgrey/.  You may want to consider setting up
a gateway in front of your IMail server that supports greylisting.

Bill

-Original Message-
From: Mike Nice [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 14, 2005 12:43 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] Large amounts of spam still getting through

 getting much better at what they do.  When a spammer uses Geocities 
 links, hijacks real accounts on major providers to send spam through, 
 and changes their techniques every few hours, it makes it difficult 
 for Sniffer to proactively block them, and the delay between rulebase 
 updates means a delay in catching things that have been tagged.

  This brings to mind a technique with optional adaptive delay - enabled by
the user. Each mail is assigned a 'triplicate': (To_Email, From_Email, and
domain_of_sending_server).  Previously unknown triplicates are held for a
period of time before being examined for spam.  The delay is long enough
that SpamCop, Sniffer, and InvURIBL mailtraps see copies of the spam and
update the blacklists.

   This would be hard to do with the stock IMail, but possibly could be done
by Declude with the V3 architecture and a database.

   It still doesn't provide a good answer to the problem of spammers
hijacking a computer and sending spam through legitimate servers.




Re: [sniffer] Large amounts of spam still getting through

2005-10-14 Thread David Payer

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]

http://projects.puremagic.com/greylisting/


My experience with Greylisting is that it is very effective in stopping spam
and also other mail as well. Most scripts that send direct will never get
through to a greylisted server as they only try once. Also, many servers do
not have a very reliable schedule of retries on sending mail.

David Payer
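
Added example, not part of any message in this thread: a minimal greylisting decision in Python keyed on the triplet Mike Nice describes (To, From, domain of sending server), showing why a retrying mail server gets through while a send-once script or a server with a slow retry schedule does not. The delay values, the addresses and the 451/250 verdict strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    min_delay: int = 300        # seconds a new triplet must wait (assumed value)
    retry_window: int = 14400   # a retry later than this counts as new (assumed value)
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first deferral
    passed: set = field(default_factory=set)        # triplets that have proven they retry

    def check(self, rcpt, sender, server_domain, now):
        """Return an SMTP-style verdict for one delivery attempt at time `now`."""
        triplet = (rcpt.lower(), sender.lower(), server_domain.lower())
        if triplet in self.passed:
            return "250 accept (known triplet)"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.retry_window:
            # Unknown triplet, or the earlier attempt is too old to count as a retry.
            self.first_seen[triplet] = now
            return "451 defer (new triplet)"
        if now - seen < self.min_delay:
            return "451 defer (retry too soon)"
        # Retried inside the window after the minimum delay: behaves like a real MTA.
        self.passed.add(triplet)
        del self.first_seen[triplet]
        return "250 accept (retried after delay)"


def simulate(greylist, triplet, attempt_times):
    """Replay one sender's attempt schedule; return the reply code of each attempt."""
    return [greylist.check(*triplet, now=t)[:3] for t in attempt_times]


if __name__ == "__main__":
    g = Greylist()
    # Constructed senders: (recipient, envelope sender, sending server domain).
    mta = ("user@example.com", "friend@example.org", "mail.example.org")
    script = ("user@example.com", "promo@example.net", "host.example.net")
    slow = ("user@example.com", "news@example.info", "mx.example.info")
    print("retrying MTA :", simulate(g, mta, [0, 60, 900]))
    print("send-once    :", simulate(g, script, [0]))
    print("slow retry   :", simulate(g, slow, [0, 18000]))
    print("MTA, next msg:", simulate(g, mta, [5000]))
```

The slow-retry case is the cost David Payer points to: a legitimate server whose retry falls outside the window is treated as new and deferred again.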

