[sniffer] Volume spike Mon 9AM EST

2010-05-10 Thread Peer-to-Peer (Support)
Just checking to see if anyone else is seeing a massive spike in volume.
Something started occurring around 9AM EST.  Not yet sure what's happening.

Wondering if this is a global attack or simply local on our system?

Anyone seeing unusual activity - high volume?



--Paul R.



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com



[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
I'm seeing it, too.

Darin.





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread NetEase Operations Manager
I am getting a lot of complaints from my customers concerning the huge
spikes too.

DustyC




[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Pete McNeil

On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:
> I am getting a lot of complaints from my customers concerning the huge
> spikes too.

Do you mean huge spikes in leakage?

Hope not-- because we're not seeing that in our instrumentation.
If anything is leaking please be sure to get it to us so we can filter it.

We did see a few short spikes for new campaigns that have a lot of
bandwidth behind them but those are well captured now and were captured
very quickly.

We would love to get our eyes on anything new that we're not already seeing.

_M


--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Colbeck, Andrew
I'm not seeing any spike in inbound connections or accepted message
counts.

Actually, it's lower than Friday's volume and about the same as
Thursday.


Andrew. 




[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the edge cases
that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise leak into my mailboxes.
Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test
to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP
users when I check multiple hops in the header. That probably means that
I'm finding users with zombie infected computers, but I'm letting that
mail in, so checking which IP addresses were hit is a small problem if I
want to contact those people.


Andrew.

 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net


Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r
test.

You should get a result of 127.0.0.1 if the IP is well into the truncate

range -- That is: truncate.gbudb.net is designed to be 
ultra-conservative so that it should be safe to reject connections based

on the test in most cases. This also means that it won't block 
everything -- only the worst of the worst. That said, the folks who have

been testing it have reported that it did drop a significant amount of 
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M




[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Greg Coffey
We had a hacker send bogus requests for login name, password and birth date to 
all our mail customers on one domain.  6 gave it up and made my life fun 
babysitting the mail server for the last week.  Makes ya wonder how many give 
up credit card and bank info?  The message did appear very legitimate, much 
better than average grammar, spelling and syntax.  We never ask anyone for 
their BD but they probably forget that.  One impacted customer wanted me to put 
back their original pw back in.  Boss can't learn a new one!  Sheesh..  




[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread NetEase Operations Manager
That is the case here as well.  I should have clarified that in my earlier
post.  Sniffer is doing its job.  Unfortunately I am running through two
levels of spam filtering systems and a ton is getting through still.

DustyC

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf
Of Peer-to-Peer (Support)
Sent: Monday, May 10, 2010 11:12 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Volume spike Mon 9AM EST

Just for clarification:  Sniffer is working extremely well.  No issues
there.
We're simply seeing a high volume of incoming connections / messages (from
botNets) and wanted to verify that we weren't alone.


:)

--Paul R.






[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Darin Cox
Hi Pete,

No.  Not leakage.  Sniffer et al are doing their job well.

Just a large spike in incoming spam volume.  It settled down for us by about 
11am.

Darin.





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Pete McNeil

On 5/10/2010 12:23 PM, Darin Cox wrote:
> Hi Pete,
>
> No.  Not leakage.  Sniffer et al are doing their job well.
>
> Just a large spike in incoming spam volume.  It settled down for us by about
> 11am.

I checked on telemetry and found a mixed bag -- some systems were up
quite a bit-- others were nominal.

We have seen a few new storms come through too... but other than that a
reasonably normal Monday.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Michael Cummins
Sniffer is doing its job well, but I am nearly overwhelmed by the load - to
the point where I might have to turn sniffer off to reduce my processing
footprint.  I've already commented out INVURIBL.  

My customers don't like lag at all.

That being said, I wonder how I can better protect myself from botnets.  Do
you think that if I parsed the sniffer / declude logs and harvested IPs that
sent me X pieces of mail rating a ridiculous score of X and then adding them
to an internal RBL or blacklist would make a difference?

Or are these botnets too varied and well managed for that to make a
difference?

Looking in my SmarterMail connects and blocks, I see that it is fairly
proficient at not getting caught by my e-mail harvesting block settings.

Hmmm.

-- Michael Cummins






[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Pete McNeil

On 5/10/2010 2:15 PM, Michael Cummins wrote:
> Sniffer is doing its job well, but I am nearly overwhelmed by the load - to
> the point where I might have to turn sniffer off to reduce my processing
> footprint.  I've already commented out INVURIBL.
>
> My customers don't like lag at all.
>
> That being said, I wonder how I can better protect myself from botnets.  Do
> you think that if I parsed the sniffer / declude logs and harvested IPs that
> sent me X pieces of mail rating a ridiculous score of X and then adding them
> to an internal RBL or blacklist would make a difference?

We do that in real-time with most eWall installations.
SNF hits are added to the black-list for 1 hour in some cases... works
pretty well.

Also (new) Have you looked at truncate.gbudb.net ?
IPs consistently in truncate on GBUdb nodes across the 'Net (not just
your system) are listed. (returns 127.0.0.2)

> Or are these botnets too varied and well managed for that to make a
> difference?

RD shows that it works -- but must be done quickly to be effective.

Best,

_M

--

Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
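As an added illustration of what Michael asks about and what Pete says eWall does (harvest IPs whose mail keeps scoring high, list them for a short time, and do it quickly), here is a small sliding-window harvester. It is not Declude, SNF or eWall code: the log line format, the hit count, the weight threshold and the ten-minute window are assumptions; only the one-hour listing follows Pete's figure.

```python
"""Feed scan-result log lines into a short-lived internal IP blacklist.
Added example; the log format and thresholds are assumptions, not
Declude's or SNF's real output."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log, one line per scanned message. Addresses come
# from the documentation ranges and the weights are made up.
SAMPLE_LOG = """\
2010-05-10 09:00:10 ip=198.51.100.7 weight=130
2010-05-10 09:00:40 ip=203.0.113.9 weight=140
2010-05-10 09:02:15 ip=198.51.100.7 weight=125
2010-05-10 09:03:00 ip=192.0.2.44 weight=12
2010-05-10 09:04:30 ip=198.51.100.7 weight=150
2010-05-10 09:05:00 ip=203.0.113.9 weight=110
2010-05-10 09:30:00 ip=192.0.2.44 weight=15
this line is not a scan result and is skipped
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ip=(\S+) weight=(-?\d+)$")


def at(s: str) -> datetime:
    """Parse the constructed log's timestamp format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class HitBlacklist:
    """List an IP once min_hits messages scoring >= min_weight arrive
    inside a sliding window; the listing itself expires after listing_ttl."""

    def __init__(self, min_hits: int = 3, min_weight: int = 100,
                 window: timedelta = timedelta(minutes=10),
                 listing_ttl: timedelta = timedelta(hours=1)) -> None:
        self.min_hits = min_hits
        self.min_weight = min_weight
        self.window = window
        self.listing_ttl = listing_ttl
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.listed_until: Dict[str, datetime] = {}

    def observe(self, ts: datetime, ip: str, weight: int) -> bool:
        """Record one scan result; return True only when it newly lists the IP."""
        if weight < self.min_weight:
            return False
        recent = self.hits[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # drop stale hits
            recent.popleft()
        if len(recent) < self.min_hits:
            return False
        already = self.is_listed(ip, ts)
        self.listed_until[ip] = ts + self.listing_ttl  # refresh the listing
        return not already

    def is_listed(self, ip: str, now: datetime) -> bool:
        until = self.listed_until.get(ip)
        return until is not None and now < until

    def active(self, now: datetime) -> List[str]:
        """Current listings, in the plain text-file form Michael asks for."""
        return sorted(ip for ip in self.listed_until if self.is_listed(ip, now))


def feed(log_text: str, bl: HitBlacklist) -> List[Tuple[datetime, str]]:
    """Replay log lines in order; return (time, ip) for each new listing."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than stop the feeder
        ts = at(m.group(1))
        if bl.observe(ts, m.group(2), int(m.group(3))):
            events.append((ts, m.group(2)))
    return events


if __name__ == "__main__":
    bl = HitBlacklist()
    for ts, ip in feed(SAMPLE_LOG, bl):
        print(ts, "listed", ip, "until", bl.listed_until[ip])
```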





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Michael Cummins
Is there a way we could get a SNIFFER feature like that implemented as an
internal DECLUDE test?

Barring that, perhaps get it to write a text file of current IPs to block?

-- Michael Cummins





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Pete McNeil

On 5/10/2010 2:37 PM, Michael Cummins wrote:
> Is there a way we could get a SNIFFER feature like that implemented as an
> internal DECLUDE test?

SNFIPREP and SNFIP tests give you some direct access to GBUdb -- of
course at that point you've already accepted the message for scanning
even if you decide not to do anything else with it.

> Barring that, perhaps get it to write a text file of current IPs to block?

I have been thinking about a feature to produce some zone files (or IP
lists) from SNF data but haven't settled on the feature set.. and also
haven't had any other call for it so it's been low on the dev list.

Are there many folks on the list who would/could use an IP list
generating function in the SNF engine?
If so what might that look like -- that is, how would you like to tune
it and what special features might it have to be most useful?

truncate.gbudb.net is available now and has the advantage of seeing IPs
that your system may not have yet encountered.

_M


--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com





[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Michael Cummins
> Are there many folks on the list who would/could use an IP list
> generating function in the SNF engine?
> If so what might that look like -- that is, how would you like to tune
> it and what special features might it have to be most useful?

If you do generate it, I'd be happy to sync up with you so you can have a
copy of all my ugly IPs.

Is there a way we could implement it in a SmarterMail / Declude config that
would reduce processing footprint?

Would using the file as a simple IP blacklist.txt in Declude prevent other
checks?

Do David and Linda read this list as well?

-- Michael Cummins






[sniffer] Re: Volume spike Mon 9AM EST

2010-05-10 Thread Pete McNeil

On 5/10/2010 3:04 PM, Michael Cummins wrote:
>> Are there many folks on the list who would/could use an IP list
>> generating function in the SNF engine?
>> If so what might that look like -- that is, how would you like to tune
>> it and what special features might it have to be most useful?
>
> If you do generate it, I'd be happy to sync up with you so you can have a
> copy of all my ugly IPs.

GBUdb data is already shared between SNF nodes. GBUdb is a collaborative
IP reputation system.

> Is there a way we could implement it in a SmarterMail / Declude config that
> would reduce processing footprint?

SNF already uses GBUdb to eliminate content scanning when the IP
reputation is in the truncate range. If it is not in the truncate range
there is a possibility that there would be false positives.

The easiest way to reduce processing loads is to reject connections
based on truncate.gbudb.net.

I suppose it is also possible to skip other tests in Declude based on
weights generated by SNFIP and/or SNFIPREP.

> Would using the file as a simple IP blacklist.txt in Declude prevent other
> checks?

I don't know.

> Do David and Linda read this list as well?

I don't think so.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com





[sniffer] Now OT: Re: [sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Sanford Whiteman
> One impacted customer wanted me to put back their original pw back
> in. Boss can't learn a new one! Sheesh..

That makes me... cry.

Not mail-related: a user of our web app forgot his password today and
was having a ridiculously hard time using our password reset form
(basic enter-your-e-mail-and-submit, but he kept missing the submit
part). He declared it broken and demanded a completely new account. I
noted we can't do that without giving him a new username (old accounts
stick around, the usual primary key/audit trail restriction) and
suggested it would be harder to remember jimpatient2 than jimpatient.
He got all kinds of crazy on me. Fine, I said, I'll break policy.
You have a brand-new account with the same name.

And did nothing at all.

Then, he said, the reset form started working.

Cheers,

S.





[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Colbeck, Andrew
Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate
hops which triggered on truncate.gbudb.net ... It was an intermediate
hop at AOL (rly presumably means relay).

Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com
[205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id
MAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400

This IP address seems to bridge the gap between AOL webmail and SMTP
delivery. In this case, the user used the AOL webmail and then forwarded
the message to the mailbox on our system.

The GBU list is emitting TXT records as well as the A record, perhaps it
would be useful to actually state the IP as well in that text.

C:\temp>dig @8.8.8.8 131.84.188.205.truncate.gbudb.net any

; <<>> DiG 9.7.0rc1 <<>> @8.8.8.8 131.84.188.205.truncate.gbudb.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55101
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;131.84.188.205.truncate.gbudb.net. IN  ANY

;; ANSWER SECTION:
131.84.188.205.truncate.gbudb.net. 3600 IN A    127.0.0.2
131.84.188.205.truncate.gbudb.net. 3600 IN TXT  GBUdb Cloud Truncate c  0.2, p  0.9

;; Query time: 812 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 10 13:08:17 2010
;; MSG SIZE  rcvd: 117

I suggest that if others find this valuable as well, and you find it
reasonable, that the text could look like this:

GBUdb Cloud Truncate c > 0.2, p > 0.9 for [205.188.84.131]

I'll send the whole header to support@ in case you are interested in
this particular IP.


Andrew.
 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Opening truncate.gbudb.net


I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the edge cases
that are close to my hold weight.

In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise leak into my mailboxes.
Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test
to combine with other weighted tests.

P.s. I'm also finding that truncate is triggering on email from some ISP
users when I check multiple hops in the header. That probably means that
I'm finding users with zombie infected computers, but I'm letting that
mail in, so checking which IP addresses were hit is a small problem if I
want to contact those people.


Andrew.

 

-Original Message-
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net


Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data 
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider 
audience and so as of now you can use truncate.gbudb.net as an ip4r
test.

You should get a result of 127.0.0.1 if the IP is well into the truncate
range -- That is: truncate.gbudb.net is designed to be
ultra-conservative so that it should be safe to reject connections based
on the test in most cases. This also means that it won't block
everything -- only the worst of the worst. That said, the folks who have
been testing it have reported that it did drop a significant amount of
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M


[sniffer] Re: Opening truncate.gbudb.net

2010-05-10 Thread Pete McNeil

On 5/10/2010 4:16 PM, Colbeck, Andrew wrote:

Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate
hops which triggered on truncate.gbudb.net ... It was an intermediate
hop at AOL (rly presumably means relay)

Ok.

snip/


The GBU list is emitting TXT records as well as the A record, perhaps it
would be useful to actually state the IP as well in that text.

snip/


I suggest that if others find this valuable as well, and you find it
reasonable, that the text could look like this:

GBUdb Cloud Truncate c > 0.2, p > 0.9 for [205.188.84.131]


That's a useful suggestion.
We're working on the GBUdb.com site now.
We will want to include the URL in the text also.
I'll combine the two suggestions when we're ready and then change the 
generator code appropriately.



I'll send the whole header to support@ in case you are interested in
this particular IP.

Presumably this is causing some false positives for somebody using SNF 
-- though they have not been reported.
For folks who want a more refined GBUdb response it would probably be 
useful to program drilldown directives for AOL servers. This would allow 
GBUdb to drill past the intermediate servers toward the original source 
where appropriate. Of course, if this particular intermediate server is 
in the position to be heavily abused by folks hacking web mail on AOL 
then of course its reputation is going to reflect that.


Thanks,

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
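The mechanics discussed across this thread, as an added example that is not code from the list, from Message Sniffer or from ARM Research: the reversed-octet ip4r query name Pete's announcement relies on, reading the A/TXT answer Andrew's dig run shows (emitting the IP-tagged TXT form he proposes), testing every Received: hop as Andrew does, and skipping past configured intermediate networks in the way Pete's drilldown suggestion describes. The resolver is a stub dictionary standing in for real DNS, and every host and address other than Andrew's quoted AOL hop is constructed (RFC 5737 documentation ranges).

```python
import ipaddress
import re

# Constructed offline stand-in for truncate.gbudb.net; this entry mirrors Andrew's dig A/TXT pair.
STUB_ZONE = {
    "131.84.188.205.truncate.gbudb.net": ("127.0.0.2", "GBUdb Cloud Truncate c > 0.2, p > 0.9"),
}
# Constructed Received: chain, newest hop first; the middle one is Andrew's real AOL hop, the rest RFC 5737.
HEADERS = [
    "Received: from cia-mb07.mx.aol.com (cia-mb07.mx.aol.com [203.0.113.7])"
    " by mx.example.net with ESMTP id stub-1; Fri, 07 May 2010 23:54:52 -0400",
    "Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com"
    " [205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id"
    " MAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400",
    "Received: from webmail-stub.example (unknown [198.51.100.23])"
    " by smtprly-dd03.mx.aol.com with ESMTP id stub-0; Fri, 07 May 2010 23:54:49 -0400",
]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def ip4r_name(ip, zone="truncate.gbudb.net"):
    """Reverse the octets and append the zone, as any ip4r DNSBL test does."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it hits DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def lookup_truncate(ip, resolve=STUB_ZONE.get):
    """Return (listed, txt). resolve(name) gives (A, TXT) or None; swap in real DNS."""
    rec = resolve(ip4r_name(ip))
    if rec is None:
        return False, None
    a, txt = rec
    # A hit is a 127.0.0.0/8 answer; anything else (wildcarded or parked zone) must not reject mail.
    if ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return False, None
    return True, f"{txt} for [{ip}]"  # the IP-tagged TXT form Andrew proposes

def received_ips(headers):
    """Bracketed relay address of each Received: header, newest hop first."""
    return [m.group(1) for h in headers for m in [RECEIVED_IP.search(h)] if m]

def check_all_hops(headers):
    """Andrew's approach: test every hop so you can see which IPs were hit."""
    return [(ip, lookup_truncate(ip)[0]) for ip in received_ips(headers)]

def pick_source(headers, drilldown=()):
    """Pete's drilldown idea: skip known intermediate networks, test the first hop beyond."""
    nets = [ipaddress.IPv4Network(n) for n in drilldown]
    for ip in received_ips(headers):
        if not any(ipaddress.IPv4Address(ip) in n for n in nets):
            return ip
    return None
```

Calling pick_source with the AOL relay's network in drilldown lands on the constructed webmail hop instead of the shared relay, which is the behaviour Pete describes wanting for AOL.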

