[sniffer] Re: Stampede - amazing!

2008-08-28 Thread Dan Horne
I've nothing of value to add, I just want to say thanks for posting
things like this.  It is very interesting to get these behind the
scenes views of what the spammers are doing.  It also gives me a valid
explanation to give to my bosses when they complain that they're
suddenly getting all kinds of spam.

Dan Horne
TAIS
Director of Operations
www.taisweb.net
[EMAIL PROTECTED] 
828.252.TAIS (8247)


 -Original Message-
 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Thursday, August 28, 2008 5:13 AM
 To: Message Sniffer Community
 Subject: [sniffer] Stampede - amazing!
 
 Hello Sniffer Folks,
 
 I had been wondering why the blackhats had been pushing so hard for
 new bots these last few weeks.
 
 Then the other day I saw something very strange in the SNF telemetry.
 A storm came in that seemed to stop all other traffic. For more than
 an hour I really thought something was broken -- but I wasn't sure I'd
 really seen it.
 
 Just a short time ago our SortMonster on duty (Mitchell Skull)
 called all-hands for a new spam storm. This was another of the new
 penis spams.
 
 We coded the rules quickly and as they went out I saw it again:
 
 T rates fell to zero on many systems and close to that on all of the
 others. This means that virtually all of the IPs were brand-new. At
 the same time traffic spiked on all systems and capture rates went
 off-scale high as the new rules tagged virtually every message.
 
 This is not an entirely new tactic by the blackhats -- I've talked
 about it before. It is essentially a high-amplitude burst - where a
 new campaign is pre-tested against all known filters and then launched
 on a large number of new bots that are unknown to IP reputation
 systems.
 
 What is new is the purity of these recent events. When we've seen them
 before they were mixed in with a lot of other traffic from other bot
 nets and even other campaigns from the same bot net. While there was
 still a trickle of this activity, the purity of this burst was
 astounding.
 
 This was a stampede where essentially all visible bots started running
 in a single new direction.
 
 T rates have recovered now by and large -- so the new bots are already
 largely recognized by GBUdb, but the wild swing in telemetry across
 the network was amazing to watch -- as is the new telemetry showing
 dramatically increased traffic and capture rates indicating a nearly
 pure stream of spam from this new herd.
 
 Theories, comments, and observations welcome.
 
 Thanks,
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 #
 This message is sent to you because you are subscribed to
   the mailing list sniffer@sortmonster.com.
 To unsubscribe, E-mail to: [EMAIL PROTECTED]
 To switch to the DIGEST mode, E-mail to
[EMAIL PROTECTED]
 To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
 Send administrative queries to  [EMAIL PROTECTED]



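As an added example (not code from the original post, from Message Sniffer or from GBUdb), here is a defender-side detector for the telemetry signature Pete describes: the T rate collapsing toward zero while total traffic and the rule capture rate spike in the same interval. Field names, thresholds and the sample telemetry are assumptions constructed for the example.

```python
# Added example, not code from the original post or from Message Sniffer/GBUdb.
# Flags a "stampede" interval in constructed telemetry: the share of traffic
# from already-known IPs (the thread's "T rate") collapses toward zero while
# total traffic spikes above baseline and the rule capture rate goes off-scale.
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

@dataclass(frozen=True)
class Window:
    """One telemetry interval; field names and values are constructed."""
    label: str
    total: int      # messages seen in the interval
    known_ip: int   # of those, from IPs already in the reputation db
    captured: int   # of those, tagged by content rules

def score(w: Window, baseline: float) -> Dict[str, float]:
    """Per-interval ratios; baseline is the median total of recent quiet windows."""
    if w.total == 0:
        return {"t_rate": 0.0, "volume_x": 0.0, "capture": 0.0}
    return {"t_rate": w.known_ip / w.total,
            "volume_x": w.total / baseline if baseline else float("inf"),
            "capture": w.captured / w.total}

def is_stampede(s: Dict[str, float], t_max=0.05, volume_min=3.0,
                capture_min=0.9) -> bool:
    """All three signals must fire together. Thresholds are example assumptions."""
    return (s["t_rate"] <= t_max and s["volume_x"] >= volume_min
            and s["capture"] >= capture_min)

def stampede_windows(windows: List[Window], baseline_n: int = 4) -> List[str]:
    """Labels of intervals that look like a burst from a fresh, unknown herd."""
    hits = []
    for i in range(baseline_n, len(windows)):
        base = median(x.total for x in windows[i - baseline_n:i])
        if is_stampede(score(windows[i], base)):
            hits.append(windows[i].label)
    return hits

# Constructed sample: four quiet intervals, then a burst from unseen IPs,
# then the same volume once the reputation db has learned the new IPs.
SAMPLE = [
    Window("t0", 1000, 620, 310), Window("t1", 1100, 690, 350),
    Window("t2", 950, 600, 300), Window("t3", 1050, 640, 330),
    Window("t4", 6000, 60, 5880),    # T rate 1%, ~5.8x volume, 98% captured
    Window("t5", 5800, 2900, 5600),  # IPs now mostly known: not a stampede
]

if __name__ == "__main__":
    print(stampede_windows(SAMPLE))  # ['t4']
```

The t5 interval shows why volume alone is a poor signal: the traffic is still high, but once the reputation database has learned the new IPs the T rate recovers, which is exactly what Pete reports seeing as GBUdb caught up.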



[sniffer] Re: Stampede - amazing!

2008-08-28 Thread Peer-to-Peer (Support)
Not the same as you're describing below, but I can confirm we were slammed
with NDRs last night.  Classic joe-job (i.e. millions of messages sent out
to unknown users using your return address).

--Paul

