[sniffer] Stock spam

2006-12-12 Thread Michiel Prins
Hi,

 

Another topic on stock spam? Lots of them are coming through. What do you
guys do to limit the number of false negatives?

 

 

Michiel



[sniffer] Re: Stock spam

2006-12-12 Thread Jonathan
We've been getting a horrendous amount of 
complaints as well the past few weeks. I keep 
hoping the sniffer folks will pull through sooner than later.


Jonathan

At 09:57 AM 12/12/2006, you wrote:

Hi,

Another topic on stock spam? Lots of them are 
coming through... What do you guys do to limit the number of false negatives?



Michiel




#
This message is sent to you because you are subscribed to
 the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



[sniffer] Re: Stock spam

2006-12-12 Thread Pete McNeil
Hello Herb,

Tuesday, December 12, 2006, 12:32:09 PM, you wrote:

 We were seeing lots of unmarked pump and dump stock spam a week or so 
 ago but now almost none is getting thru. Sniffer is catching most of it
 and some other declude and rbl tests are as well.

It's interesting to see such mixed results posted. It makes me wonder
what the differences are between the systems reporting high catch
rates (which we also see, once a campaign has been analyzed) and low
catch rates.

Also -- are the poor catch rates reported on text based stock-push
spams or image based?

Text based stock-push leakage is not likely because we generally catch
these very fast and there are a range of rules in place to capture new
campaigns even before we've seen them - so if you have this kind of
leakage and it persists then start looking for problems with your
system (errors, rulebase updates working, etc...)

Image based stock-push is a problem, as is all image spam, but we do
generally get these handled pretty fast. If you haven't already -
recognize that since about mid September the black hats have
significantly shifted toward image spam, have increased their volumes
by between 4x and 20x (depending on who you talk to), and have
increased the rate at which new campaigns are launched by at least 5x.

If you are seeing image spam leakage check your weighting system (if
you have one) and be sure that SNF rule groups 60 and 61 are rated
highly enough to hold a message on their own. Previously we had always
advised that SNF plus at least one other test should be required to
hold a message simply for philosophical reasons: no single test should
hold a message in order to improve accuracy. Unfortunately the recent
changes in blackhat behavior are such that SNF is often the only test
to fire on image spams so it has become necessary to abandon that
tactic in order to minimize leakage.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: Stock spam

2006-12-12 Thread David Waller
On the sub topic of increased spam rates we've seen a 10x increase from
30-40k per day to 250-450k per day over the last 3 months, none of this
due to increased customer count :(

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: 12 December 2006 17:43
To: Message Sniffer Community
Subject: [sniffer] Re: Stock spam







[sniffer] Re: Stock spam

2006-12-12 Thread Herb Guenther
We went from about 40K total messages a day on about 10K good at the 
beginning of the year, to 60K over summer, 90K in Sept, and about 180K 
now with about 13K good, w about a 20% increase in mailboxes.  Had to 
upgrade our server a few weeks ago.


We also for the first time went to deleting messages that scored 2X the 
marked as spam level.  So we now delete about 120K messages a day with 
Declude level.  We are also having sniffers point by itself mark as 
spam, used to take at least one other test to fail.


I don't know what we will do if we see another 5X increase next year, I 
guess buy another server and move some domains.


Herb

David Waller wrote:

On the sub topic of increased spam rates we've seen a 10x increase from
30-40k per day to 250-450k per day over the last 3 months, none of this
due to increased customer count :(

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Pete McNeil
Sent: 12 December 2006 17:43
To: Message Sniffer Community
Subject: [sniffer] Re: Stock spam





  


--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Direct





[sniffer] Re: Stock spam

2006-12-12 Thread Bill Green dfn Systems

It's interesting to see such mixed results posted. It makes me wonder
what the differences are between the systems reporting high catch
rates (which we also see, once a campaign has been analyzed) and low
catch rates.


I personally found the importance of triggered updates. I was receiving lots 
of stock and image spam. I had scheduled updates several times a day so I 
didn't think that had much to do with it. I couldn't get the Triggered 
update script to work until last week when I executed each line manually and 
found my bonehead mistake. Spam has all but disappeared.


I would encourage anyone using scheduled updates, no matter how frequently, 
to move to a Triggered Update script.


Bill Green
dfn Systems 







[sniffer] Sniffer White List

2006-12-12 Thread Serge
We started using tests for the different sniffer categories recently and are 
finding that snifferwhitelist is very inaccurate.
It is subtracting weight from more real spam than it does of non-spam 
messages.

Should we just drop it? What are you guys doing about this?
TIA








[sniffer] Re: Sniffer White List

2006-12-12 Thread Colbeck, Andrew
Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

If you're using 0, then don't do that, because zero is also used for
no result.  According to this page, it would only be useful if you
were checking the log file and also see WHITE in the row.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Serge
 Sent: Tuesday, December 12, 2006 11:22 AM
 To: Message Sniffer Community
 Subject: [sniffer] Sniffer White List
 
 We started using tests for the different sniffer categories 
 recently and are finding that snifferwhitelist is very 
 inaccurate. It is subtracting weight from more real spam 
 than it does of non-spam messages. Should we just drop it? 
 What are you guys doing about this?
 TIA
 
 
 
 
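Added example, not part of any message in this thread and not Message Sniffer or Declude code: a small weighted-scoring model of two points made above, that SNF rule groups 60 and 61 need enough weight to hold a message on their own, and that a whitelist test keyed on result code 0 also fires on "no result". The threshold, the weights, the sample messages and the treatment of 60/61 as result codes are constructed assumptions.

```python
# Constructed model of a weight-based filter. HOLD_AT, WHITE_WEIGHT and the
# "other" test weights are assumptions, not Declude or SNF defaults.
HOLD_AT = 10        # total weight at which a message is held
WHITE_WEIGHT = -5   # credit given by a whitelist test

# Constructed sample messages: SNF result code, weights from other tests that
# fired, and whether the SNF log row for the message says WHITE.
MESSAGES = {
    "image_spam":     {"snf": 60, "other": [],     "white_in_log": False},
    "new_campaign":   {"snf": 0,  "other": [6, 5], "white_in_log": False},
    "trusted_sender": {"snf": 0,  "other": [4],    "white_in_log": True},
    "plain_ham":      {"snf": 0,  "other": [],     "white_in_log": False},
}

def score(msg, snf_group_weight, require_white_in_log):
    """Total weight for one message."""
    total = sum(msg["other"])
    if msg["snf"] in (60, 61):
        total += snf_group_weight
    # Code 0 means "white rule matched" OR "no result"; the code alone
    # cannot tell the two apart, so optionally insist on the log evidence.
    if msg["snf"] == 0 and (msg["white_in_log"] or not require_white_in_log):
        total += WHITE_WEIGHT
    return total

def verdicts(snf_group_weight, require_white_in_log):
    """Map each sample message to True (held) or False (delivered)."""
    return {name: score(m, snf_group_weight, require_white_in_log) >= HOLD_AT
            for name, m in MESSAGES.items()}

if __name__ == "__main__":
    # Weak setup: 60/61 cannot hold alone, and every code 0 earns the credit.
    print("weak: ", verdicts(7, False))
    # Corrected setup: 60/61 hold alone, credit only when the log says WHITE.
    print("fixed:", verdicts(10, True))
```

In the weak setup both spam samples are delivered: the image spam because SNF alone is under the threshold, and the new campaign because the code-0 credit cancels part of what the other tests scored.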



[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
I'm using 000, isn't that right?
Not sure how we can check logs when we call sniffer from Declude.
Pete, why keep the confusion? Why not have a different code than 0 or 000?
Something like -1, or 100.

- Original Message - 
From: Colbeck, Andrew [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 7:49 PM
Subject: [sniffer] Re: Sniffer White List


Serge, what return value are you using for this snifferwhitelist?

The official and current list of return codes is here:

http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes

If you're using 0, then don't do that, because zero is also used for
no result.  According to this page, it would only be useful if you
were checking the log file and also see WHITE in the row.

Andrew 8)





[sniffer] Re: Sniffer White List

2006-12-12 Thread Serge
Posted this before getting Pete's post.
Please disregard.

- Original Message - 
From: Serge [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, December 12, 2006 8:11 PM
Subject: [sniffer] Re: Sniffer White List


 I'm using 000, isn't that right?
 Not sure how we can check logs when we call sniffer from Declude.
 Pete, why keep the confusion? Why not have a different code than 0 or 000?
 Something like -1, or 100.




[sniffer] Re: Uploading problems

2006-12-12 Thread Serge
Pete,

Is it OK to submit spam where the header and subject were modified by Declude?






[sniffer] Re: Uploading problems

2006-12-12 Thread Pete McNeil
Hello Serge,

Yes.

Wednesday, December 13, 2006, 12:44:13 AM, you wrote:

 Pete,

 Is it OK to submit spam where the header and subject were modified by Declude?






-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

