[sniffer] Re: Fw: lot's of legit mailservsr in spamdatabases
Hi Bonno,

tin.it is one of Italy's largest ISPs and the (not new) problem is that many blacklists catch a RELATIVELY high number of spam messages COMPARED to the number of legit messages, simply because the traps measuring this traffic are located elsewhere than Italy or Europe. There are certainly spam messages delivered through these tin servers (I believe vsmtp21 is one of at least around 64 machines in this cluster) but from what I can see on my servers (located in the north of Italy and processing mostly central European traffic) less than 1% of spam messages come from tin servers.

I had this problem already around 5 years ago and solved it in Declude by assigning a relatively low weight to all IP4R tests and then using a text filter with COUNTRY END and TESTSFAILED statements.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Thursday, April 19, 2007 1:02 PM
To: Message Sniffer Community
Subject: [sniffer] Fw: lot's of legit mailservsr in spamdatabases

Hi,

I just posted this in the Declude.Junkmail list:

--quote
How do you guys deal with it? LOTS of legit mailservers are listed in what used to be reliable spam sender databases.

X-RBL-Warning: SPAMBAG: 109.176.216.212.blacklist.spambag.org.
X-RBL-Warning: SPAMCANNIBAL: blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=212.216.176.109
X-RBL-Warning: UCEPROTECT-1: Sorry 212.216.176.109 is Level 1 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109;
X-RBL-Warning: UCEPROTECT-2: Sorry 212.216.176.109 is Level 2 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=212.216.176.109;

But 212.216.176.109 is a normal mailserver, vsmtp21.tin.it, and is trying to deliver mail from a customer to us. Have spammers won this race? Can we no longer trust these databases?

Is there an IP list with all legitimate mailservers for most ISPs that I can use to reduce points? For the hotmail mailservers it was easy to reduce the points; it's a lot harder to do for all the other real mailservers.
--quote

Pete, is this something the new Sniffer can help us with, identifying legit mailservers? Will hits have a separate exit code we can use to identify legit mailservers and reduce points accumulated in Declude via other tests and have the mail go through?

Kind regards,
Bonno Bloksma
head of system administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
mailto:[EMAIL PROTECTED] / http://www.tio.nl
[sniffer] Re: SPAM Problems
Ciao Filippo,

Can you see any pattern in mailfrom, mailto or IP address that causes all these messages in your spool folder? Telnetting to your MX shows that you're using IMail 8.05, I assume in conjunction with Declude and Sniffer. It also turns out that both logos.net and logos.it are not open for nobody aliases, so all your incoming messages must be for real existing recipients.

How many messages does this server handle under normal circumstances and how many messages are now in the spool folder? What about CPU usage and other loads on this server? Can you publish some message headers from a typical message?

Sniffer very probably will identify and catch most of these messages. The question is whether the weighting system is configured in a way that these messages are caught as spam and do not end up in the recipients' mailboxes. As said, Sniffer very probably will catch the messages, but it's one of the last segments in the filter chain. So the problem causing all these messages in your spool folder very probably is located somewhere else.

Markus
Alto Adige, Italy

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: Monday, October 23, 2006 11:18 AM
To: Message Sniffer Community
Subject: [sniffer] SPAM Problems

Hello Pete,

since Friday our mail server has been overwhelmed by a very large number of spam messages. Because of this the spool of my IMail server gets full and it actually gets stuck. Do you have any hint that can help me to fix this problem?

Filippo Palmili

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer] Re: AW: [sniffer] Re: Update pacing...
Ouch, I forgot in my previous message: Great script Andrew - thank you!

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Thursday, June 22, 2006 6:01 PM
To: Message Sniffer Community
Subject: [sniffer] Re: AW: [sniffer] Re: Update pacing...

FWIW I take the belt and suspenders approach. The rulebase notification by email does trigger a Message Sniffer update script on my system, but I don't rely on it solely. In addition, I also use an "at" schedule every four hours. As in Markus' (and Bill's) sample, I use the -N parameter for wget so as to avoid bandwidth abuse by only downloading the file if it is newer than the one I've already got.

The specific time I schedule it for I determined from this page:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.LogFiles.Submit
because after I download a rulebase, I upload my logs. Still on my to-do list is updating my script so as to compress my logs before I upload them.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Thursday, June 22, 2006 2:15 AM
To: Message Sniffer Community
Subject: [sniffer] Re: AW: [sniffer] Re: Update pacing...

Instead of sending a mail for each update I've disabled the email notification (REM) and changed the wget line as follows:

    wget -N -nv http://www.sortmonster.net/Sniffer/Updates/%LicenseID%.snf -O %LicenseID%.new.gz --header=Accept-Encoding:gzip --http-user=sniffer --http-passwd=ki11sp8m -a snfupd.txt

As Alex suggested I've added the -nv switch in order to avoid unnecessary data. I've also changed the last parameter from -o to -a in order to append the results of each update to snfupd.txt. So I have a logfile where I can easily see time and result of each update. Here's an example:

    13:32:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2923892] -> "t918t3eg.new.gz" [1]
    New RuleBase File Tested Good!
    15:43:22 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2929252] -> "t918t3eg.new.gz" [1]
    New RuleBase File Tested Good!
    17:54:41 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2943056] -> "t918t3eg.new.gz" [1]
    New RuleBase File Tested Good!
    20:08:18 URL:http://www.sortmonster.net/Sniffer/Updates/x.snf [2952731] -> "t918t3eg.new.gz" [1]
    New RuleBase File Tested Good!

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Hirthe, Alexander
Sent: Tuesday, June 20, 2006 9:46 AM
To: Message Sniffer Community
Subject: [sniffer] AW: [sniffer] Re: Update pacing...

Hello,

I switched from just downloading the file every xx hours to the snfupd.cmd from the IMail package. The only thing I additionally modified is a '-nv' switch for wget. With this you'll only get the result of the download, not a line for every 50 kB.

Alex

-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, June 19, 2006 23:46
To: Message Sniffer Community
Subject: [sniffer] Re: Update pacing...

Hello Harry,

Monday, June 19, 2006, 4:47:14 PM, you wrote:

> My script does not check for update first. Is there a sample that does do that that you can point me to?

This page describes automated updates and lists several scripts.
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.AutoUpdates

The one I recommend most for Winx based systems is ImailSnifferUpdateTools.zip

Don't let the name fool you - if you are NOT using IMail the scripts are still great --- you will only need to find another way to call them if your system does not provide a "program alias" functionality.

Hope this helps,

_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer] AW: [sniffer] Numeric spam source has been revealed
So now we know too that stock spam is sent out by Beagle-infected zombies.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 9, 2006 17:36
To: Message Sniffer Community
Subject: [sniffer] Numeric spam source has been revealed

It was broken code in the latest Bagel/Beagle:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

Andrew 8)

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer]AW: [sniffer]Numeric spam
Today I've noticed that there is a relation between the recipient addresses that were used in the past 36 hours in the numeric spam messages and the following wave of stock spam messages containing this png graphic. After checking around 10 mailboxes there is a correspondence of 100%: either they have received both or none of these two messages. For example my personal mailbox "markus", which is widely spread and the destination of many other spams, hasn't received it. Other mailboxes like "domain" and "internet" that are pretty unknown and rarely used have received both.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, June 7, 2006 01:26
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

My thought is they are either building a db of valid names or testing delivery techniques.

John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

> We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Anyone understand their purpose?
>
> On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:
>
>> I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails is? Random numbers for no apparent reason...?

Regards,
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
[sniffer]Numeric spam
Maybe people at Sniffer are already aware of this new type of spam. Not the malformed mailfrom one but this one with the short number and nothing else in subject and body. Attached are some examples from the last 8 hours. All have failed some other tests and all have reached a final weight in order to be marked in the subject line. However none of these messages was identified as spam by Sniffer.

There is also another type of spam (stock spam, now with attached png image) this morning passing our filters. Here too some tests have had positive results (see mail headers of attached samples) but Sniffer has also completely missed it.

Markus

---BeginMessage---
5556
---End Message---
---BeginMessage---
5556
---End Message---
---BeginMessage---
6J
---End Message---
---BeginMessage---
969
---End Message---
---BeginMessage---
M
---End Message---

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through
Hi,

There must be something wrong with your configuration of the Sniffer test(s). Here are my numbers from yesterday based on 24462 processed messages:

Date  Test               SS    SH    HH    HS   IMP
0605  SNIFFER-TRAVEL     12     0     0    23     2
0605  SNIFFER-INSUR       4     0     0     0     0
0605  SNIFFER-AV          0     0     0     0     0
0605  SNIFFER-MEDIA    1345     0     0     0     8
0605  SNIFFER-SWARE      73     0     0     0     0
0605  SNIFFER-SNAKE    8386     0     0     0     9
0605  SNIFFER-SCAMS     138     0     0     2     3
0605  SNIFFER-PORN      908     0     0     1     3
0605  SNIFFER-MALWARE    12     0     0     2     3
0605  SNIFFER-INK         2     0     0     0     0
0605  SNIFFER-RICH     2865     0     0     2   219
0605  SNIFFER-CREDIT    363     0     0     0     1
0605  SNIFFER-CASINO    300     0     0     0     0
0605  SNIFFER-GENERAL  2881     0     0    41    41
0605  SNIFFER-EXP-A     450     0     0    36     7
0605  SNIFFER-OBFUSC      4     0     0     5     0
0605  SNIFFER-EXP-IP     28     0     0     8     5

SS   Sniffer says spam, final result too
SH   Sniffer says spam, final result not
HH   Sniffer says ham, final result too
HS   Sniffer says ham, final result not
IMP  Sniffer says spam and final result is slightly above the hold weight. (This column is a part of the SS column: 100-150% of hold.)
     So a.) it's an important test because it's able to bring the spam above the hold weight and without this test it wouldn't have been held as spam,
     or b.) it's a risky test because it brings legit messages above the hold weight.

What result codes are you using in your test configuration? (please do not publish your sniffer-id!)

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
Sent: Tuesday, June 6, 2006 11:51
To: Message Sniffer Community
Subject: Re: [sniffer]AW: [sniffer]Concerned about amount of spam going through

Of all SPAM identified SNIFFER is finding about 30%. We see an awful lot of junk email not being caught by SNIFFER; it's being processed by Declude and failing some technical tests but not by SNIFFER.

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: 06 June 2006 09:41
To: Message Sniffer Community
Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going through

> I only see Sniffer catching about 30% of SPAM and that's the highest it's ever been.

30% of spam or 30% of all processed messages? Sniffer is still one of the best tests in my arsenal.

Markus

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer]AW: [sniffer]A design question - how many DNS based tests?
I use around 80 tests on one system in order to watch them and how their performance is going up and down. On other (high traffic) servers I use only the best ones. I can confirm what others have mentioned as reliable blacklists (except fiveten for European systems: fiveten has an FP rate of around 10% and it seems that they are caused by IP addresses outside of America). However I give each IP4R test only a relatively small weight (between 1 and 10% of the hold weight). There is one combo test that has a list of the most reliable IP blacklists. This combo test is nearly as effective as Sniffer, but it has definitively more FPs. The combination of IP4R tests is used further to combine them with other reliable tests, and I use them also to add different weights for positive IP4R results depending on the originating country.

Some weeks ago one of my servers was no longer able to reach the configured DNS server (reconfigured firewall) and even if most spam was still caught there was a noticeable reduction of spam detection until I discovered the problem.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, June 6, 2006 18:09
To: Message Sniffer Community
Subject: Re: [sniffer]A design question - how many DNS based tests?

I use just shy of 60 DNS based tests against the sender, both IP4R and RHSBL. Perhaps 10-12 matter.

Due to false positives, I rate most of them relatively low and have built up their weights as a balancing act. That act is greatly assisted by using a weighting system and not rejecting on first hit, and furthered by being able to do combo tests such as the example Nick offered on a different thread this morning.

SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, MXRATE-BL are consistent good performers for me.

Tests that I try out tend to stay in my configuration after they've become inutile as long as they do no harm. I groom the lists perhaps four times per year.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 06, 2006 6:26 AM
To: Message Sniffer Community
Subject: [sniffer]A design question - how many DNS based tests?

Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through
Sorry, I was out of office. You're right, there must be something wrong with the second column. Yesterday there was a little bit of confusion as I changed different things on the database and additionally there was this issue with the malformed mailfrom address. I will try to publish the correct numbers tomorrow.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Michiel Prins
Sent: Tuesday, June 6, 2006 12:30
To: Message Sniffer Community
Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

Are you sure? That would mean you only need sniffer, coz none of sniffer's ham is spam in the final result...

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Tuesday, June 6, 2006 12:25
To: Message Sniffer Community
Subject: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

Sorry, in the table below the column headers SH and HS must be switched.

Markus
[sniffer]AW: [sniffer]Spam Storm
Hi Pete,

During your last reports I haven't seen such a storm on my systems, but now this one I can notice on some of my servers.

BTW: One of these servers has a usual spam/ham rate of 50/50%. In the last 24 hours it was 90/10%. From the 90% spam, 79% was blocked with SBL-XBL during the SMTP envelope before hitting IMail/Declude/Sniffer/...

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, May 30, 2006 14:45
To: Message Sniffer Community
Subject: [sniffer]Spam Storm

Hello Sniffer Folks,

This morning we have a new spam storm starting with an unusually difficult image spam and following up with the usual characters including a new wave of variants for chatty drugs.org.

48 hour image attached, messages/hour w/ trends.

Best,

_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
RE: [sniffer] [Fwd: Diann Helms]
Heimir,

It's not a Sniffer-related answer, but I personally use a combination of a text filter file (looking for known geocities links) and the IP blacklist SORBS-DUHL (which contains dialup IP ranges). As all my customers are connecting with SMTP-Auth or from known IP ranges I can whitelist them. So the combination of these two filters can catch most of this stuff, as legit messages containing geocities links shouldn't come from dial-up IPs to my server.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Heimir Eidskrem
Sent: Wednesday, February 15, 2006 2:53 PM
To: sniffer@sortmonster.com
Subject: [sniffer] [Fwd: Diann Helms]

Any way to stop this spam? We are getting hundreds of them. I have personally gotten 23.

From - Wed Feb 15 07:51:25 2006
X-Account-Key: account3
X-UIDL: 384485764
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Received: from DM [206.53.51.56] by deepspace.i360.net (SMTPD-8.22) id A08B07E0; Wed, 15 Feb 2006 06:37:31 -0600
Received: from gmail.com (8.8.8/8.8.8) id XAA47062; Wed, 15 Feb 2006 06:37:38 -0600
Message-Id: [EMAIL PROTECTED]
From: Shane Redmond [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Diann Helms
X-Mailer: Opera7.20/Win32 M2 build 2981
Date: Wed, 15 Feb 2006 06:37:38 -0600
X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 206.53.51.56 with no reverse DNS entry.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-RBL-Warning: COUNTRYFILTER: Message failed COUNTRYFILTER test (line 36, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] [206.53.51.56]
X-Declude-Spoolname: D208b017db78a.smd
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOLEGITCONTENT, IPNOTINMX, REVDNS, CMDSPACE, COUNTRYFILTER, CATCHALLMAILS [70]
X-Country-Chain: CANADA-destination
X-Note: This E-mail was sent from [No Reverse DNS] ([206.53.51.56]).
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 384485764
X-IMail-ThreadID: 208b017db78a

Braxton,

http://uk.geocities.com/proboycott45571

Shane Redmond

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: [sniffer] [Fwd: Diann Helms]
> would you share your filters? I assume Declude filters.

Yes. Attached is the original message from Scott Fisher regarding the geocities filter file (I call it GEOCITIESLINKS). I've replaced each weight (100 and 75 points) with 0, so this test will add no weight to the final result. In addition you have to set up SORBS-DUHL as a standard IP4R test. Then you need an additional text filter file (I call it COMBO-DUHL-GEOCITIES):

~~
TESTSFAILED   END   NOTCONTAINS   GEOCITIESLINKS
TESTSFAILED   80    CONTAINS      SORBS-DUHL
~~

The first line will stop the combo filter if there were no geocities links in the message body. The second line will add 80 points if the message comes in from a DUHL IP.

Markus

---BeginMessage---
Here's my geocities filter. It's a little more specific so I can weight foreign geocities more than US geocities.

STOPATFIRSTHIT
BODY   100   CONTAINS   ar.geocities.com
BODY   100   CONTAINS   geocities.com.ar
BODY   100   CONTAINS   ar.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.ar
BODY   100   CONTAINS   asia.geocities.com
BODY   100   CONTAINS   asia.geocities.yahoo.com
BODY   100   CONTAINS   au.geocities.com
BODY   100   CONTAINS   geocities.com.au
BODY   100   CONTAINS   au.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.au
BODY   100   CONTAINS   br.geocities.com
BODY   100   CONTAINS   geocities.com.br
BODY   100   CONTAINS   br.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.br
BODY   100   CONTAINS   ca.geocities.com
BODY   100   CONTAINS   geocities.ca
BODY   100   CONTAINS   ca.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.ca
BODY   100   CONTAINS   cf.geocities.com
BODY   100   CONTAINS   cf.geocities.yahoo.com
BODY   100   CONTAINS   cn.geocities.com
BODY   100   CONTAINS   geocities.cn
BODY   100   CONTAINS   cn.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.cn
BODY   100   CONTAINS   de.geocities.com
BODY   100   CONTAINS   geocities.de
BODY   100   CONTAINS   de.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.de
BODY   100   CONTAINS   es.geocities.com
BODY   100   CONTAINS   geocities.es
BODY   100   CONTAINS   es.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.es
BODY   100   CONTAINS   espanol.geocities.com
BODY   100   CONTAINS   espanol.geocities.yahoo.com
BODY   100   CONTAINS   hk.geocities.com
BODY   100   CONTAINS   geocities.com.hk
BODY   100   CONTAINS   geocities.hk
BODY   100   CONTAINS   hk.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.hk
BODY   100   CONTAINS   geocities.yahoo.hk
BODY   100   CONTAINS   in.geocities.com
BODY   100   CONTAINS   geocities.co.in
BODY   100   CONTAINS   in.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.co.in
BODY   100   CONTAINS   it.geocities.com
BODY   100   CONTAINS   geocities.it
BODY   100   CONTAINS   it.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.it
BODY   100   CONTAINS   kr.geocities.com
BODY   100   CONTAINS   geocities.co.kr
BODY   100   CONTAINS   kr.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.co.kr
BODY   100   CONTAINS   mx.geocities.com
BODY   100   CONTAINS   geocities.com.mx
BODY   100   CONTAINS   mx.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.mx
BODY   100   CONTAINS   sg.geocities.com
BODY   100   CONTAINS   geocities.com.sg
BODY   100   CONTAINS   sg.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.com.sg
BODY   100   CONTAINS   uk.geocities.com
BODY   100   CONTAINS   geocities.co.uk
BODY   100   CONTAINS   uk.geocities.yahoo.com
BODY   100   CONTAINS   geocities.yahoo.co.uk
BODY   75    CONTAINS   geocities.com
BODY   75    CONTAINS   geocities.yahoo.com

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:09 AM
Subject: Re: [Declude.JunkMail] Stock Spam

If you're referring to the geocities stuff that's been out the last couple of days, I just use a body filter.

BODY   3   CONTAINS   au.geocities.com

Sniffer, which I weight at 7, picks it up OK, and the added weight of 3 is enough to get to my hold weight of 10.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: Michael Jaworski
To: Declude.JunkMail@declude.com
Sent: Thursday, February 02, 2006 9:32 AM
Subject: [Declude.JunkMail] Stock Spam

Anyone have a good filter strategy on the increasing amount of stock spam???

Thanks,
Mike
---End Message---
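How the two-stage combo above actually scores a message, as an added example that is not Declude's code and not Scott Fisher's or Markus's files. It evaluates a trimmed GEOCITIESLINKS (weights set to 0) followed by COMBO-DUHL-GEOCITIES, and also covers the COUNTRY END / TESTSFAILED pattern Markus mentions in the tin.it thread with a constructed COMBO-COUNTRY-IP4R file. The rule grammar (FIELD ACTION OP VALUE, END, STOPATFIRSTHIT, case-insensitive substring matching) and the way a 0-point hit still lands in TESTSFAILED are assumptions about Declude made for the example.

```python
"""Evaluator for the Declude-style text filters discussed in the thread.

Added example, not Declude's code and not Scott Fisher's or Markus's files.
Assumptions: one rule per line as FIELD ACTION OP VALUE, ACTION is a point
value or END, OP is CONTAINS or NOTCONTAINS, matching is case-insensitive
substring matching, STOPATFIRSTHIT ends the file after the first scoring
hit, and a matching rule counts as a failed test even with 0 points.
"""

# Trimmed GEOCITIESLINKS with Markus's weights set to 0: the filter must
# still register as a failed test without adding points.
GEOCITIESLINKS = """\
STOPATFIRSTHIT
BODY   0   CONTAINS   au.geocities.com
BODY   0   CONTAINS   uk.geocities.com
BODY   0   CONTAINS   geocities.com
"""

COMBO_DUHL_GEOCITIES = """\
TESTSFAILED   END   NOTCONTAINS   GEOCITIESLINKS
TESTSFAILED   80    CONTAINS      SORBS-DUHL
"""

# Constructed illustration of the COUNTRY / TESTSFAILED approach: an IP4R
# hit only earns extra points when the message did not originate in Italy.
COMBO_COUNTRY_IP4R = """\
COUNTRY       END   CONTAINS   ITALY
TESTSFAILED   40    CONTAINS   UCEPROTECT-1
"""


def parse_filter(text):
    """Return (stop_at_first_hit, [(field, action, op, value), ...])."""
    stop_at_first = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "STOPATFIRSTHIT":
            stop_at_first = True
            continue
        field, action, op, value = line.split(None, 3)
        rules.append((field.upper(), action.upper(), op.upper(), value))
    return stop_at_first, rules


def evaluate(filter_text, message):
    """Run one filter file against a message given as {FIELD: text}.

    Returns (points, hit): hit is True when any scoring rule matched, even
    with 0 points, because the filter is then listed among the failed tests.
    """
    stop_at_first, rules = parse_filter(filter_text)
    points, hit = 0, False
    for field, action, op, value in rules:
        haystack = message.get(field, "").lower()
        found = value.lower() in haystack
        if found != (op == "CONTAINS"):
            continue  # rule did not match, try the next line
        if action == "END":
            break     # END stops the whole filter without scoring
        points += int(action)
        hit = True
        if stop_at_first:
            break
    return points, hit


def combo_points(body, tests_failed):
    """GEOCITIESLINKS first, then the combo that needs it AND SORBS-DUHL."""
    failed = set(tests_failed)
    _, geo_hit = evaluate(GEOCITIESLINKS, {"BODY": body})
    if geo_hit:
        failed.add("GEOCITIESLINKS")
    points, _ = evaluate(
        COMBO_DUHL_GEOCITIES,
        {"BODY": body, "TESTSFAILED": " ".join(sorted(failed))},
    )
    return points


def country_combo_points(country, tests_failed):
    """Extra IP4R weight only for non-Italian origins (constructed combo)."""
    points, _ = evaluate(
        COMBO_COUNTRY_IP4R,
        {"COUNTRY": country, "TESTSFAILED": " ".join(sorted(tests_failed))},
    )
    return points


if __name__ == "__main__":
    body = "Braxton, http://uk.geocities.com/proboycott45571"
    print(combo_points(body, {"SORBS-DUHL", "REVDNS"}))   # dial-up + geocities
    print(combo_points(body, {"REVDNS"}))                 # geocities only
    print(country_combo_points("ITALY", {"UCEPROTECT-1"}))
```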
RE: [sniffer] problems!!!!
Harry, (please don't post your entire license code to a public list.) regarding the reliability of sniffer we should know that errors sometimes can happen, even at sniffer-side after they've worked for years now very relaible. I don't expect that such errors will happen now more often. What you can do is trying to configure your declude spamfilter in order to hold only if multiple or at least more then one test failed. For doing this the first step is to set the maximum weight of each test (at least slightly) below your hold weight. I've configured different weights for different sniffer exit codes depending how reliable they seem to me but as a maximum weight for sniffer I've set 95% of the mark-subjectline-weight and around 63% of the hold-weight. So the problematic sniffer-rule from yesterday was not a real problem on our server. There was some single messages who has had a final weight above the the hold weight because we use combinations of the most reliabletests. From several thousand processed messages only around 20 messages has had a false-positive combination caused by sniffer-rule82893 and another spam test. Thanks to Andrew and Goran for their info's and scripts. Saved a lot of time here. Pete: Any info if and if yes when you can adapt MDLP for the declude v3 logfile? I realy miss this data. Once accustomized tothehourly results of MDLP e sometimes feel now like a blind chicken :-) Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harry VanderzandSent: Wednesday, February 08, 2006 4:02 PMTo: sniffer@SortMonster.comSubject: [sniffer] problems With the recent issues at sniffer it has caused tremendous problems with the entire client base here. Sniffer has been so reliable for so lond and al of a sudden recently I cannot rely on it any more What is going on with sniffer Will these issues get resolved or is it going to be more unstable than what we have come to rely on? 
I need my spam trap software to work without spending hours every day and without getting a large group of my customers questioning the reliability of what I am doing. Hope there will be some indication of improvement.

The following is my Sniffer code:

SNIFFER external nonzero "D:\IMail\Declude\sniffer\sniffer.exex" 10 0

Should I be doing something different? This has worked very well for a year now.

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 07, 2006 9:42 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab-delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and move). Note that the folders I specify are for Declude 1.x, which has an overflow folder. I use the overflow folder so that Declude will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages. I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder. If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to IMail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message set was spam or ham based on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s.
Another re-posting in HTML so as to preserve the line breaks. Sorry for the duplication, folks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 5:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits. Now is there a way to take the output of the grep command and use it to pull out the total weight of the corresponding message from the Declude log file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David
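Added example (editor's code, not from any of the posts above): Andrew's re-queue procedure and Goran's question about joining the Sniffer hits with the Declude log, worked through in Python. The Message Sniffer log layout is assumed from Andrew's gawk one-liner (tab-separated, D<guid>.SMD in column 3, the rule id right after a "Final" column); the Declude log layout, the test name SNIFFER, the hold weight of 10 and both sample logs are constructed for the demo. The triage step is the part the thread only describes in words: a message held by the bad rule is re-queued only when the other tests alone would not have held it.

```python
"""
Added example, not code from the thread: Andrew Colbeck's re-queue
procedure redone in Python, plus the Sniffer-log/Declude-log join Goran
asked about.  Assumptions (also marked in comments): the Message Sniffer
log is tab-separated with the spool file name D<guid>.SMD in column 3 and
the matched rule id right after a "Final" column, modelled on Andrew's
gawk filter (Final<TAB>828931, substr($3,2,16)); the Declude log layout
is invented for the demo; the hold weight of 10 is assumed.
"""
import shutil
from pathlib import Path, PureWindowsPath

BAD_RULE = "828931"
HOLD_WEIGHT = 10          # assumed hold threshold for the demo
SNIFFER_TEST = "SNIFFER"  # name of the Sniffer test in the Declude log (assumed)

# Constructed sample Message Sniffer log in the assumed layout.  The third
# message appears twice, as repeated log lines for one file do in practice.
SNIFFER_LOG = """\
20060207\t141502\tD1a2b3c4d5e6f7a8b.SMD\tFinal\t828931\tfraud
20060207\t141503\tD0f0e0d0c0b0a0908.SMD\tFinal\t100231\trich
20060207\t141509\tDdeadbeefcafef00d.SMD\tFinal\t828931\tfraud
20060207\t141510\tDdeadbeefcafef00d.SMD\tFinal\t828931\tfraud
20060207\t141511\tDaaaabbbbccccdddd.SMD\tClean\t0\tok
"""

# Constructed sample Declude log in an invented layout:
# guid <TAB> verdict <TAB> per-test weights <TAB> subject
DECLUDE_LOG = """\
1a2b3c4d5e6f7a8b\tHELD\tSNIFFER=7 SPAMBAG=4\tRe: invoice 4471
deadbeefcafef00d\tHELD\tSNIFFER=7 SPAMBAG=6 SPAMCANNIBAL=5\tcheap st0cks!!!
aaaabbbbccccdddd\tPASSED\tSNIFFER=0\tHello
"""


def held_by_rule(sniffer_log, rule_id):
    """GUIDs whose final Sniffer match was rule_id, deduplicated, first-seen order."""
    seen = {}
    for line in sniffer_log.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or "Final" not in cols:
            continue
        name = cols[2]
        if not (name.startswith("D") and name.endswith(".SMD")):
            continue
        i = cols.index("Final")
        if i + 1 < len(cols) and cols[i + 1] == rule_id:
            seen.setdefault(name[1:17], True)   # same as substr($3,2,16)
    return list(seen)


def parse_declude(declude_log):
    """guid -> {'held': bool, 'tests': {name: weight}, 'subject': str}."""
    records = {}
    for line in declude_log.splitlines():
        guid, verdict, tests, subject = line.split("\t", 3)
        weights = {}
        for item in tests.split():
            name, _, weight = item.rpartition("=")
            weights[name] = int(weight)
        records[guid] = {"held": verdict == "HELD", "tests": weights, "subject": subject}
    return records


def triage(guids, declude, hold_weight=HOLD_WEIGHT, sniffer_test=SNIFFER_TEST):
    """Split the bad-rule hits: re-queue a held message unless the other tests
    alone already reach the hold weight (then it was spam regardless)."""
    requeue, keep_held = [], []
    for guid in guids:
        rec = declude.get(guid)
        if rec is None or not rec["held"]:
            continue                      # never held, nothing to undo
        without_sniffer = sum(w for t, w in rec["tests"].items() if t != sniffer_test)
        (keep_held if without_sniffer >= hold_weight else requeue).append(guid)
    return requeue, keep_held


def plan_moves(guids, spam_dir, spool_dir, overflow_dir):
    """The two moves qm.cmd makes per message: the D file back into the spool,
    the Q file into the overflow folder so Declude re-analyses it."""
    moves = []
    spam = PureWindowsPath(spam_dir)
    for guid in guids:
        moves.append((spam / f"D{guid}.SMD", PureWindowsPath(spool_dir) / f"D{guid}.SMD"))
        moves.append((spam / f"Q{guid}.SMD", PureWindowsPath(overflow_dir) / f"Q{guid}.SMD"))
    return moves


def apply_moves(moves, dry_run=True):
    """Execute the plan.  Move, never copy: a copy left in the spam folder makes
    Declude's own later move fail and the message gets delivered, as Andrew noted."""
    done = []
    for src, dst in moves:
        if not dry_run:
            Path(str(dst)).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
        done.append((str(src), str(dst)))
    return done


if __name__ == "__main__":
    hits = held_by_rule(SNIFFER_LOG, BAD_RULE)
    requeue, keep_held = triage(hits, parse_declude(DECLUDE_LOG))
    plan = plan_moves(requeue, r"d:\imail\spool\spam", r"u:\imail\spool", r"u:\imail\spool\overflow")
    for src, dst in apply_moves(plan):       # dry run: only prints the moves
        print(f"move {src} -> {dst}")
    print("still held on other evidence:", keep_held)
```

Run it dry first and compare the count against the grep hit count before passing dry_run=False; the Declude log is the authority on whether a message was held, the Sniffer log only tells you which rule fired.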
RE: [sniffer] problems!!!!
If I understand right you mean that if "experimental" rules are introduced you want to know about it and so temporarily disable rulebase updates on your server. As far as I know Sniffer has a much smarter way of doing this. They introduce experimental rules in a separate category (sniffer-exp) and look at how they work. In fact I can see that this category is the least reliable, so I've set a relatively low weight for this exit code. If an experimental rule has shown itself to be reliable they move it into the appropriate category (rich, fraud, ...). I'm not sure about this but I think it's so, and so it shouldn't be necessary to do something like manually block updates.

Markus

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, February 08, 2006 4:59 PM
To: sniffer@SortMonster.com
Subject: Re: [sniffer] problems

I have an idea. These problems seem to stem mostly from changes in the methods of handling rulebase updates. We were lucky enough not to be affected by the latest rule issue, but the previous one made for a very long day and some disgruntled customers. Would it be feasible to announce in advance when such changes are to be implemented? With advance notice of a date and time for the switch we could choose to freeze our rulebases just before that for a day to make sure the kinks were worked out before updating. A few spam messages that slip through are better than a slew of false positives that require review and are delayed in reaching the customer.

Thoughts?

Darin.

- Original Message -
From: Harry Vanderzand
To: sniffer@SortMonster.com
Sent: Wednesday, February 08, 2006 10:02 AM
Subject: [sniffer] problems

With the recent issues at Sniffer it has caused tremendous problems with the entire client base here. Sniffer has been so reliable for so long and all of a sudden recently I cannot rely on it any more. What is going on with Sniffer? Will these issues get resolved or is it going to be more unstable than what we have come to rely on?
I need my spam trap software to work without spending hours every day and without getting a large group of my customers questioning the reliability of what I am doing. Hope there will be some indication of improvement.

The following is my Sniffer code:

SNIFFER external nonzero "D:\IMail\Declude\sniffer\[SNIFFER EXECUTABLE AND LICENSE CODE REMOVED]" 10 0

Should I be doing something different? This has worked very well for a year now.

Harry Vanderzand
inTown Internet Computer Services
519-741-1222

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, February 07, 2006 9:42 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* > msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from column 3 in the tab-delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and move). Note that the folders I specify are for Declude 1.x, which has an overflow folder. I use the overflow folder so that Declude will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ > nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ > nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages. I am using a move instead of a copy because I want Declude to be able to move a message it deems spam to the spam folder. If I used a copy, it would fail to do the move because the file is already in the spam folder, and Declude would then pass control back to IMail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file to determine if the entirety of the message set was spam or ham based on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s. Another re-posting in HTML so as to preserve the line breaks. Sorry for the duplication, folks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 5:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits. Now is there a way to take the output of the grep command and use it to pull out the total weight of the corresponding message from the Declude log file, or maybe the subject?

Goran Jovanovic
Omega Network
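Added example (editor's code, not from any of the posts): a small model of Declude-style weighted scoring that shows the configuration point running through this thread, namely Dave's "Sniffer at 7 plus a body filter at 3 reaches my hold weight of 10", Markus's rule that every test's maximum weight sits below the hold weight so a single bad Sniffer rule cannot hold mail by itself, and his lower weight for the sniffer-exp result category. All weights, the two thresholds, the category-to-weight mapping and the cap on the geocities filter are assumed for the demo; the filter lines are a subset of the ones posted above plus Dave's au.geocities.com line. check_config() is the sanity check a practitioner would run after editing weights.

```python
"""
Added example, not code from the thread: Declude-style weighted scoring
with every contributor kept below the hold weight.  Weights, thresholds,
the Sniffer category names (the posts mention exp, rich and fraud) and the
per-filter cap are assumed for the demo.
"""
import re

HOLD_WEIGHT = 10      # assumed (Dave's hold weight)
SUBJECT_WEIGHT = 8    # assumed: weight at which the subject line gets tagged

# Sniffer result category -> weight (assumed).  All below HOLD_WEIGHT; the
# experimental category gets the least trust, as Markus described.
SNIFFER_WEIGHTS = {"fraud": 7, "rich": 7, "exp": 3, "clean": 0}

# Other tests, also each below HOLD_WEIGHT (assumed values).
TEST_WEIGHTS = {"SPAMBAG": 4, "UCEPROTECT-1": 2}

# Declude filter-file lines from the thread (subset) plus Dave's line.
GEOCITIES_FILTER = """\
BODY 100 CONTAINS hk.geocities.com
BODY 100 CONTAINS geocities.com.hk
BODY 100 CONTAINS uk.geocities.com
BODY 75 CONTAINS geocities.com
BODY 3 CONTAINS au.geocities.com
"""
FILTER_MAX = 3        # assumed cap on what this one filter may contribute

FILTER_LINE = re.compile(
    r"^(?P<field>BODY|SUBJECT|HEADERS)\s+(?P<weight>-?\d+)\s+"
    r"(?P<op>CONTAINS|IS|ENDSWITH)\s+(?P<text>\S.*?)\s*$", re.IGNORECASE)


def parse_filter(text):
    """Parse 'FIELD weight OP text' lines into (field, weight, op, text) tuples."""
    rules = []
    for line in text.splitlines():
        m = FILTER_LINE.match(line)
        if m:
            rules.append((m["field"].upper(), int(m["weight"]), m["op"].upper(), m["text"]))
    return rules


def run_filter(rules, message, max_weight=FILTER_MAX):
    """Sum the weights of matching lines (case-insensitive), capped at max_weight."""
    total, hits = 0, []
    for field, weight, op, text in rules:
        hay = message.get(field.lower(), "").lower()
        needle = text.lower()
        matched = ((op == "CONTAINS" and needle in hay)
                   or (op == "IS" and hay == needle)
                   or (op == "ENDSWITH" and hay.endswith(needle)))
        if matched:
            total += weight
            hits.append(text)
    return min(total, max_weight), hits


def check_config(hold_weight=HOLD_WEIGHT):
    """Names of contributors that could hold a message alone (should be empty)."""
    bad = [f"SNIFFER:{c}" for c, w in SNIFFER_WEIGHTS.items() if w >= hold_weight]
    bad += [t for t, w in TEST_WEIGHTS.items() if w >= hold_weight]
    if FILTER_MAX >= hold_weight:
        bad.append("GEOCITIES")
    return bad


def score(message, sniffer_category, failed_tests, rules):
    """Return (total, verdict, breakdown) for one message.
    message: dict with 'body' / 'subject' / 'headers' strings.
    failed_tests: names from TEST_WEIGHTS that fired."""
    parts = {}
    if SNIFFER_WEIGHTS[sniffer_category]:
        parts["SNIFFER"] = SNIFFER_WEIGHTS[sniffer_category]
    for test in failed_tests:
        parts[test] = TEST_WEIGHTS[test]
    filter_weight, _hits = run_filter(rules, message)
    if filter_weight:
        parts["GEOCITIES"] = filter_weight
    total = sum(parts.values())
    verdict = "hold" if total >= HOLD_WEIGHT else "tag" if total >= SUBJECT_WEIGHT else "pass"
    return total, verdict, parts


if __name__ == "__main__":
    rules = parse_filter(GEOCITIES_FILTER)
    assert check_config() == [], check_config()
    cases = [
        ("bad Sniffer rule alone",      {"body": "hello"}, "fraud", []),
        ("bad rule plus an RBL hit",    {"body": "hello"}, "fraud", ["SPAMBAG"]),
        ("Sniffer plus geocities body", {"body": "see http://au.geocities.com/x"}, "fraud", []),
        ("experimental rule plus RBL",  {"body": "hello"}, "exp", ["SPAMBAG"]),
    ]
    for label, msg, cat, failed in cases:
        print(f"{label}: {score(msg, cat, failed, rules)}")
```

With these numbers a misfiring Sniffer rule on its own scores 7 and passes untouched, which is the behaviour Markus describes; it only holds mail when a second, independent test also fires, which is exactly the small set of false positives he saw with rule 828931.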