[sniffer] Spam Storm - Watch for high traffic rates - ecard malware new PDF variant

2007-07-03 Thread Pete McNeil
Hello SNF Folks,

We've just seen another very high spike (attached image).

All rulebases appear to be up to date now to handle this content,
however you should be watching for very high volumes.

Based on telemetry from systems testing the new SNF alpha we are
seeing an average of 150% of normal spam traffic with spikes well in
excess of 300%.

Hope this info is helpful,

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

attachment: 20070703SpamstormSpike.png
attachment: 20070703SpamStormRateSnapshot.png
#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]
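
The percentages in the post above (150% of normal on average, spikes in excess of 300%) can be turned into a check over a server's own hourly message counts. This is an added example, not code from Message Sniffer or from the original post; the function names, the median baseline and the sample counts are assumptions made for illustration.

```python
"""Storm detection over hourly message counts (added illustration)."""
from statistics import median

ELEVATED = 1.5  # 150% of normal: the average level quoted in the post
SPIKE = 3.0     # 300% of normal: the spike level quoted in the post

# Constructed sample: messages per hour on one hypothetical gateway.
SAMPLE_COUNTS = [3400, 3550, 3600, 3480, 3520, 3610, 3570, 3490,
                 5400, 5600, 11200, 5450, 3600, 3500]


def classify_hours(counts, window=24, min_history=6):
    """Return one (hour, count, ratio, label) tuple per hourly count.

    The baseline is the median of up to `window` earlier hours that were
    themselves judged normal, so a storm in progress cannot raise the
    baseline and hide its own later hours.
    """
    normal_history = []
    results = []
    for hour, count in enumerate(counts):
        if len(normal_history) < min_history:
            # Too little history to judge: learn from this hour, do not alert.
            normal_history.append(count)
            results.append((hour, count, None, "learning"))
            continue
        baseline = median(normal_history[-window:])
        if baseline > 0:
            ratio = count / baseline
        else:
            # Idle baseline: any traffic at all is infinitely above normal.
            ratio = 0.0 if count == 0 else float("inf")
        if ratio >= SPIKE:
            label = "spike"
        elif ratio >= ELEVATED:
            label = "elevated"
        else:
            label = "normal"
            normal_history.append(count)  # only normal hours feed the baseline
        results.append((hour, count, ratio, label))
    return results


def storms(results):
    """Group consecutive elevated/spike hours into per-storm summaries."""
    found, run = [], []
    # The trailing sentinel row flushes a storm that is still running.
    for row in results + [(None, None, None, "normal")]:
        if row[3] in ("elevated", "spike"):
            run.append(row)
        elif run:
            peak = max(run, key=lambda r: r[1])
            found.append({
                "start": run[0][0],
                "end": run[-1][0],
                "peak_count": peak[1],
                "peak_ratio": peak[2],
                "mean_ratio": sum(r[2] for r in run) / len(run),
            })
            run = []
    return found


if __name__ == "__main__":
    rows = classify_hours(SAMPLE_COUNTS)
    for hour, count, ratio, label in rows:
        shown = "n/a" if ratio is None else f"{ratio:.0%}"
        print(f"hour {hour:2d}  {count:6d} msgs  {shown:>5} of normal  {label}")
    for s in storms(rows):
        print(f"storm: hours {s['start']}-{s['end']}, peak {s['peak_count']}/hour "
              f"({s['peak_ratio']:.0%}), mean {s['mean_ratio']:.0%} of normal")
```

Because storm hours are never added to the baseline, a permanent rise in traffic keeps alerting until the history is reset.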



[sniffer] Spam storm -- Greeting card malware w/ numbered links.

2007-06-29 Thread Pete McNeil
Hello Sniffer Folks,

The greeting card malware spam is being pushed right now with amazing
bandwidth!

This is the first 11000+ / hour spike we've seen in quite a while.

Rules are in place for this, but be on the lookout in case it hits
you before your update is ready.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Spam Storm

2007-05-08 Thread Jorge Asch
Has anybody noticed any new spam storms out there? Since yesterday,
about 10 times the normal spam gets through (normally 2-3 messages a
day, now it's like 2-3 messages per hour). Sniffer returns 0 (clean)
for all of them, while they don't even get a high enough score with
SpamAssassin (less than 4.0) to get tagged.


--
Jorge Asch Revilla
CONEXION DCR
www.conexion.co.cr
800-CONEXION




[sniffer]AW: [sniffer]Spam Storm

2006-05-30 Thread Markus Gufler
Hi Pete

During your last reports I haven't seen such a storm on my systems but now
this one I can notice it on some of my servers.

BTW: One of these servers has a usual spam/ham rate of 50/50%
In the last 24 hours it was 90/10%
From the 90% spam 79% was blocked with SBL-XBL during SMTP-Envelope before
hitting Imail/Declude/Sniffer/...

Markus

 

 -Original Message-
 From: Message Sniffer Community
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, May 30, 2006 14:45
 To: Message Sniffer Community
 Subject: [sniffer]Spam Storm
 
 Hello Sniffer Folks,
 
   This morning we have a new spam storm starting with an unusually
   difficult image spam and following up with the usual characters
   including a new wave of variants for chatty drugs.org.
 
   48 hour image attached, messages/hour w/ trends.
 
   Best,
 
   _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 






[sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Pete McNeil
Hello Sniffer Folks,

Watch out for today's spam storm -- it's a lot bigger than we've seen
in a long while. 48 hour image attached.

A large component of this one is a broken spam with an empty subject
and two empty quoted printable segments.

There is a wide variety of other spam mixed in also however.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Re: [sniffer]Spam Storm - It's a big one.

2006-05-26 Thread Bonno Bloksma

Hi Pete,


> Watch out for today's spam storm -- it's a lot bigger than we've seen
> in a long while. 48 hour image attached.


This has low priority, but I've tried to find a live version of that
graph you've sent but I cannot find it at 
http://kb.armresearch.com/index.php?title=Message_Sniffer.LiveReports which 
would seem to be the logical place.


Is it nowhere live to be found or am I looking at the wrong place?


Groetjes,


Bonno Bloksma




Re: [sniffer]spam storm

2006-05-23 Thread Greg Birdsall
Nothing too out of the ordinary here - ~17,000 blocked messages between
10-11 AM EST. Yesterday same time frame was ~16,000.

- greg



-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Computer House Support
Sent: Tuesday, May 23, 2006 10:35 AM
To: Message Sniffer Community
Subject: [sniffer]spam storm

Dear Sniffer Friends,

Our servers are really getting slammed with spam.  Is anyone else seeing a 
huge spam storm right now?


Michael Stein
Computer House 






Re: [sniffer]spam storm

2006-05-23 Thread John Carter
For a couple days I have seen an increase in general spam (lots of male
enhancements), but particularly Nigerian letters.

John C

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Computer House Support
Sent: Tuesday, May 23, 2006 9:35 AM
To: Message Sniffer Community
Subject: [sniffer]spam storm

Dear Sniffer Friends,

Our servers are really getting slammed with spam.  Is anyone else seeing a
huge spam storm right now?


Michael Stein
Computer House 






Re: [sniffer]spam storm

2006-05-23 Thread Pete McNeil
Tuesday, May 23, 2006, 10:35:01 AM, you wrote:

 Dear Sniffer Friends,

 Our servers are really getting slammed with spam.  Is anyone else seeing a
 huge spam storm right now?


Hello Michael & Sniffer Folks,

http://reports.messagesniffer.com/Performance/FlowRates.jsp

Logs since about 0523.0100 have shown a spike and a heavy increase.

I was also called in on a new image spam wave early this morning
(about 6 hours ago), and there is a new snake-oil spam going around -
just text about Canadian drugs and a link - but prolific, lots of
bandwidth, and an inexhaustible supply of domains (luckily that's not
all we use).

Today seems a stair step up from the previous spam storm alert a few
days ago.

48 hour image attached.

Note: We've throttled back one of our heaviest spamtraps to keep our
sampling more current (the increased volume was causing some
queueing). As a result, the peaks on the graph are lower than they
might normally be... the shape of the graph is the important part of
the image. The flow rates analysis (link at top) shows the shelf
starting at 0100 and building.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

getchart.jsp.png
Description: PNG image



Re[2]: [sniffer] Spam Storm Alert...

2005-01-31 Thread Pete McNeil
On Saturday, January 29, 2005, 9:15:23 PM, Glenn wrote:

GR This question is a little off subject, but do you have any
GR recommendations for Imail queue manager settings? We are running Sniffer
GR with declude 1.82 under Imail 8.15 and the server seems to bog down
GR sometimes.

It is likely that your system is being pushed to its limits. While I
don't have any recommendations for queue manager settings I can
recommend the following to help ease performance issues (these things
work here in the lab anyway... ymmv)

* In Declude AV (if you use it) use:

AVAFTERJM
PRESCAN ON

* Be sure you're using a persistent instance of Sniffer:

http://www.sortmonster.com/MessageSniffer/Help/PersistentHelp.html

* It often helps to run a DNS resolver on your MTA and use the
loopback address (127.0.0.1) to attach to it. I recommend BIND. It
sounds counterintuitive at first - since this is yet another program
running on the server, however in practice I find that things go much
faster this way... theoretically because:

-- Using the loopback address _may_ allow your system to skip some of
the network stack - particularly NIC drivers etc thus eliminating some
hardware and network related system loads and resource contention.

-- Using the DNS server on your MTA eliminates all network delays /
queueing.

* Have plenty of RAM in the system.

* Be sure your storage system is regularly defragmented and that you
have sufficient free space. NTFS REALLY HATES a crowded and/or
fragmented drive.

* Be sure your spool is on its own physical drive(s) if possible. If
you haven't done this already, you'd be surprised how much performance
a cheap, fast hard drive can add to your MTA when dedicated to your
spool. The spool is constantly being read and written for what amount
to temporary files. In addition, files from the spool are frequently
going to be rewritten in your mailbox directories. If both of these
operations are on the same physical device then you are guaranteed to
impose the drive's seek time (and related OS queue related delays) to
the processing of each message because the two operations will
consistently compete with each other for the physical position of the
drive head. Also, this particular mix of activity can effectively
defeat any caching the drive may have by exceeding its capacity and
causing frequent cache flushing. Separating these operations on
different physical drives results in far less drive head movement and
a dramatic increase in the effectiveness of caching mechanisms in each
of the separate drive systems.

___

I'm sure there are many additional opinions and hints floating around
on this list both in general and also specifically for Imail/Declude
installations.

Hope this helps,

_M




This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

My only suggestion for QM is to disable DNS Cache and Failed Domain
Skipping, both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn

---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you



RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

Hmmm, a day and a half later this shows up on the list...???

Bill
-Original Message-
From: Landry William 
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


My only suggestion for QM is to disable DNS Cache and Failed Domain
Skipping, both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn




RE: [sniffer] Spam Storm Alert...

2005-01-31 Thread Landry William

Well, after a second look (reviewing the headers), it looks like the message
got hung-up in the convoluted mess of internal mail gateways that Siemens
maintains (which I have no control over).  Sorry for the noise...!

Bill

-Original Message-
From: Landry William 
Sent: Monday, January 31, 2005 9:19 AM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


Hmmm, a day and a half later this shows up on the list...???

Bill
-Original Message-
From: Landry William
Sent: Saturday, January 29, 2005 6:51 PM
To: sniffer@SortMonster.com
Subject: RE: [sniffer] Spam Storm Alert...


My only suggestion for QM is to disable DNS Cache and Failed Domain
Skipping, both of these caused problems for me in the early 8.xx versions,
so I have just left them off.

As far as the thread settings, that really depends on how many messages you
process per day.  You may find some guidance in the IMail archive and/or the
IMail knowledge base.

Bill

-Original Message-
From: Glenn Ratliff [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 29, 2005 6:15 PM
To: 'sniffer@SortMonster.com'
Subject: RE: [sniffer] Spam Storm Alert...

This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn




Re[2]: [sniffer] Spam Storm Alert...

2005-01-31 Thread Pete McNeil
On Monday, January 31, 2005, 12:28:00 PM, Landry wrote:


LW Well, after a second look (reviewing the headers), it looks like the message
LW got hung-up in the convoluted mess of internal mail gateways that Siemens
LW maintains (which I have no control over).  Sorry for the noise...!

Whew! Thought I was slipping for a minute.

Thanks,

_M






RE: [sniffer] Spam Storm Alert...

2005-01-29 Thread Glenn Ratliff
This question is a little off subject, but do you have any
recommendations for Imail queue manager settings? We are running Sniffer
with declude 1.82 under Imail 8.15 and the server seems to bog down
sometimes.

Thanks,

Glenn

 --
 From: Pete McNeil[SMTP:[EMAIL PROTECTED]
 Reply To: sniffer@SortMonster.com
 Sent: Monday, January 24, 2005 2:11 PM
 To:   sniffer@sortmonster.com
 Subject:  [sniffer] Spam Storm Alert...
 
 Hello sniffer,
 
   Yes folks, in case you haven't already seen it, we have quite a spam
   storm going. I've just watched more than a dozen new campaigns with
   heavy polymorphism push through the filters since 1300 EST and early
   this morning we were already at our daily nominal number for new
   rules. The way it looks now we might double that... Check here for
   details as they progress:
 
   http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
 
   As of now I am declaring spam storm rules which means we will be
   accelerating new rule generation efforts and operating in a spam-noc
   mode for at least the next several hours. This may delay other
   support requests for a bit.
 
 Thanks,
 _M
 
 Pete McNeil (Madscientist)
 President, MicroNeil Research Corporation
 Chief SortMonster (www.sortmonster.com)
 
 
 


[sniffer] Spam Storm Alert Follow Up

2005-01-24 Thread Pete McNeil
Hello sniffer,

  One other note before I go join the rule coders... Many of the new
  spam coming through are resurrecting old spam rules... I've seen
  this kind of thing before (which is why we have a deep-scan robot
  looking for this kind of activity), however I've not seen it in such
  numbers before. Something interesting is definitely going on.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





[sniffer] Spam Storm Alert...

2005-01-24 Thread Pete McNeil
Hello sniffer,

  Yes folks, in case you haven't already seen it, we have quite a spam
  storm going. I've just watched more than a dozen new campaigns with
  heavy polymorphism push through the filters since 1300 EST and early
  this morning we were already at our daily nominal number for new
  rules. The way it looks now we might double that... Check here for
  details as they progress:

  http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

  As of now I am declaring spam storm rules which means we will be
  accelerating new rule generation efforts and operating in a spam-noc
  mode for at least the next several hours. This may delay other
  support requests for a bit.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





RE: [sniffer] Spam Storm Alert Follow Up

2005-01-24 Thread Colbeck, Andrew
For what it's worth, I'm definitely seeing an increase in volume over
the weekend (double the spam, actually), and I believe it is tapering
off already.

In addition to the volume of separate messages, the number of recipients
is generally up.

The messages look generally like the kind of jobs outsourced to spam
gangs, who then create variations of the email.  I haven't looked close
enough to check whether the payload URLs are the same.

YMMV...

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, January 24, 2005 11:15 AM
To: sniffer@sortmonster.com
Subject: [sniffer] Spam Storm Alert Follow Up


Hello sniffer,

  One other note before I go join the rule coders... Many of the new
  spam coming through are resurrecting old spam rules... I've seen
  this kind of thing before (which is why we have a deep-scan robot
  looking for this kind of activity), however I've not seen it in such
  numbers before. Something interesting is definitely going on.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)





Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 01:57 AM 3/26/2004, you wrote:
> I once noticed that transferring data through TCP/IP is NOT error-free, if
> the connection is very slow. At least not if it is going through Microsoft's
> software (Windows).

Me 2.

>> One possibility that has been suggested is that we could gzip these files.
>> That would be a somewhat radical change - but so would any change to the
>> file format so this may be the best option.
> Why don't you just put gzip files in addition to the uncompressed files into
> the download directory. Those who want to download the zipped files then
> would have to make only a small change in their download script.

I think we will probably try this.

_M
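
The download-script change discussed in the message above also gives the script an integrity check: a gzip stream ends with a CRC-32 and length trailer, so a transfer that was cut short or altered fails to decompress. This is an added example, not code from Message Sniffer or from the thread; the function name and file names are hypothetical.

```python
"""Install a gzip-compressed download only if it decompresses cleanly
(added illustration; file names are hypothetical)."""
import gzip
import os
import tempfile
import zlib


def install_if_intact(gz_path, live_path):
    """Decompress gz_path into a temp file beside live_path and swap it in
    only when the whole gzip stream, trailer included, verifies.

    Returns True if live_path was replaced, False if the download was
    rejected. On rejection live_path is left exactly as it was.
    """
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".new")
    try:
        with os.fdopen(fd, "wb") as out, gzip.open(gz_path, "rb") as src:
            # Reading to end of stream is what triggers the CRC/length check.
            for chunk in iter(lambda: src.read(65536), b""):
                out.write(chunk)
    except (OSError, EOFError, zlib.error):
        # Truncated stream -> EOFError; bad header or CRC mismatch ->
        # gzip.BadGzipFile (an OSError); damaged deflate data -> zlib.error.
        os.unlink(tmp_path)
        return False
    # Same-directory rename: readers see the old file or the new one,
    # never a partially written file.
    os.replace(tmp_path, live_path)
    return True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "example.rules")   # hypothetical name
        with open(live, "wb") as handle:
            handle.write(b"old rules\n")
        good = gzip.compress(b"new rules\n" * 2000)     # constructed payload
        samples = [("truncated", good[:len(good) // 2]), ("intact", good)]
        for name, blob in samples:
            path = os.path.join(workdir, name + ".gz")
            with open(path, "wb") as handle:
                handle.write(blob)
            outcome = "installed" if install_if_intact(path, live) else "rejected"
            print(f"{name}: {outcome}")
```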


Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
Thanks for the insight. You're also sharing a maxed out T1 so I'm not sure 
how to interpret that data - I suppose that 10K isn't awful if 10 other 
systems are hitting it at once.

I have to stop my testing now. I've got Sprint queued up to do some 
intrusive testing so I have to bring the line back up. Hopefully we'll get 
to the bottom of things though.

_M

At 03:23 AM 3/26/2004, you wrote:
I'm doing a download as we speak.

I am on a 100mb connection.

Getting between 6-10K with several short stops in download.

H.

- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 26, 2004 2:17 AM
Subject: RE: [sniffer] Spam storm?
 At 02:50 AM 3/26/2004, you wrote:

 -Original Message-
 From: Pete McNeil [mailto:[EMAIL PROTECTED]
 
   Normally our bandwidth is sufficient. We have considered mirror sites also,
   and we have plans to move our hosting into a local Equinix facility where
   we will have similar bandwidth to yours and other benefits. Unfortunately
   we are not quite up to that level of revenue yet.

   We currently have two T1s through two networks (Savvis & Sprint). More than
   90% of the time more than 80% of our bandwidth is available. There are
   occasional short-lived peaks where this is not the case, but those are rare.

 Ah, that's probably it, since one of our Internet circuits is with Sprint,
 as well, so the traffic would have been prioritized over the Sprint network.

 Since we're both up at this insane hour. Would you mind making a test?
 I've just shut down the Sprint line - so we're running through Savvis
 exclusively. If I'm right about the connectivity issue then you should be
 able to get a good download. Would you give that a shot for me and tell me
 the stats when you're done?

 Thanks!
 _M





RE: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 03:39 AM 3/26/2004, you wrote:

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
 Since we're both up at this insane hour. Would you mind making a test?
 I've just shut down the Sprint line - so we're running through Savvis
 exclusively. If I'm right about the connectivity issue then you should
 be able to get a good download. Would you give that a shot for me and
 tell me the stats when you're done?
Well, it didn't start out well, stalled, restarted, and then picked up:


Thanks,
_M


Re: [sniffer] Spam storm?

2004-03-26 Thread Kirk Mitchell
At 07:42 AM 3/26/04 -0500, Russ Uhte (Lists) wrote:
> Pete,
>
> Just wanted to interject a couple observations.  I'm connected to the
> Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of
> course have no way of telling which pipe our automated downloads are coming
> from.  However, I too have noticed really slow download speeds.  I use
> wget, and I've never had a single problem, other than occasionally it is
> extremely slow sometimes.  Once it does actually download, it's always a
> clean download.  I haven't seen a single instance of the error_bad_matrix.

  I have a Sprint T as well, and have had no download problems using wget
on Win2000 aside from periodic slowdowns. Just ran a download this morning
and speed never went over 5K. I also have had no bad_matrix instances.



-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net




Re: [sniffer] Spam storm?

2004-03-26 Thread Pete McNeil
At 07:42 AM 3/26/2004, you wrote:
> Pete,
> Just wanted to interject a couple observations.  I'm connected to the
> Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of
> course have no way of telling which pipe our automated downloads are coming
> from.  However, I too have noticed really slow download speeds.  I use
> wget, and I've never had a single problem, other than occasionally it is
> extremely slow sometimes.  Once it does actually download, it's always a
> clean download.  I haven't seen a single instance of the error_bad_matrix.
>
> I also wanted to pass on a tool that I've heard a lot about.  It's called
> Matt's Traceroute.  I've never actually used it myself, but I'm told it's
> excellent for detecting flaky T circuits and such.  Here is the link to
> the program.  http://www.bitwizard.nl/mtr/  I don't know if it will help
> with what you're doing or not, but thought I'd suggest it!
>
> Hope one of these days everything gets back to normal, and you can finally
> get some sleep!!

Thanks for that. I'm sure we're on to something now. Sprint tested the
circuit and detected an increasing number of errors. Now it's just a matter 
of finding out where they are and fixing that piece of work. I'm off to the 
shop for that right after this rule-base update.

I will be forcing the Sprint line down until I get ready to do some more 
testing.

_M



RE: [sniffer] Spam storm?

2004-03-26 Thread Peer-to-Peer, LLC
Have you considered isolating this by type of mail server?
We run MDaemon and no error_bad_matrix in our log files over the past week.
We use wget on Win2000 server over a Verizon network.

Just a thought.

Paul Roulier


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Friday, March 26, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


At 07:42 AM 3/26/2004, you wrote:
Pete,

Just wanted to interject a couple observations.  I'm connected to the
Internet through a 15Mb frac ds/3 from ATT and a T1 from Sprint.  I of
course have no way of telling which pipe our automated downloads are coming
from.  However, I too have noticed really slow download speeds.  I use
wget, and I've never had a single problem, other than occasionally it is
extremely slow sometimes.  Once it does actually download, it's always a
clean download.  I haven't seen a single instance of the
error_bad_matrix.

I also wanted to pass on a tool that I've heard a lot about.  It's called
Matt's Traceroute.  I've never actually used it myself, but I'm told it's
excellent for detecting flaky T circuits and such.  Here is the link to
the program.  http://www.bitwizard.nl/mtr/  I don't know if it will help
with what you're doing or not, but thought I'd suggest it!

Hope one of these days everything gets back to normal, and you can finally
get some sleep!!

Thanks for that. I'm sure we're on to something now. Sprint tested the
circuit and detected an increasing number of errors. Now it's just a matter
of finding out where they are and fixing that piece of work. I'm off to the
shop for that right after this rule-base update.

I will be forcing the Sprint line down until I get ready to do some more
testing.

_M




RE: [sniffer] Spam storm?

2004-03-26 Thread EI8HT LEGS Technical Support
We have also seen some slow downloads here, but we are currently on a 256k
connection from CoreComm/Voyager, but we are updating to a full T1 in the
next couple of weeks thru someone different.

03/26/04 10:20:37 Fast traceroute sortmonster.com
Trace sortmonster.com (216.88.37.62) ...
 1 208.15.190.65     0ms    0ms    0ms  TTL:  0  (No rDNS)
 2 64.77.152.137   210ms   80ms  150ms  TTL:  0  (se1-3-17.rtr0.wb2023.smor.in.voyager.net bogus rDNS: host not found [authoritative])
 3 64.77.152.9      50ms  190ms  150ms  TTL:  0  (se3-1-0.rtr0.clmb.in.voyager.net ok)
 4 209.212.206.26  421ms  180ms   91ms  TTL:  0  (s60.rtr0.ipls.in.voyager.net bogus rDNS: host not found [authoritative])
 5 169.207.224.93  441ms   80ms  130ms  TTL:  0  (483.at-0-1-0.rtr0.chcg1.il.voyager.net ok)
 6 63.208.138.173  431ms  331ms  290ms  TTL:  0  (ge-8-0-513.ipcolo1.Chicago1.Level3.net ok)
 7 4.68.112.201    220ms  231ms  210ms  TTL:  0  (so-7-0-0.bbr1.Chicago1.Level3.net ok)
 8 4.68.112.190     90ms  130ms  110ms  TTL:  0  (so-8-0.core1.Chicago1.Level3.net ok)
 9 209.0.225.2      60ms   50ms  221ms  TTL:  0  (uschcg-j20c.savvis.net bogus rDNS: host not found [authoritative])
10 209.83.222.49   111ms  310ms  281ms  TTL:  0  (at-1-2-802.uswash2-01.j20c.savvis.net bogus rDNS: host not found [authoritative])
11 216.88.33.46    440ms  260ms  471ms  TTL:  0  (microneil-1.uswash.savvis.net fraudulent rDNS)
12   No Response  *  *  *
13   No Response  *  *  *
14   No Response  *  *  *
15   No Response  *  *  *
16   No Response  *  *  *
17   No Response  *  *  *
18   No Response  *  *  *
19   No Response  *  *  *
20   No Response  *  *  *
21   No Response  *  *  *
22   No Response  *  *  *
23   No Response  *  *  *
24   No Response  *  *  *
25   No Response  *  *  *
26   No Response  *  *  *
27   No Response  *  *  *
28   No Response  *  *  *
29   No Response  *  *  *

Sincerely,
Grant Griffith, Vice President
EI8HT LEGS Web Management Co., Inc.
http://www.getafreewebsite.com
877-483-3393

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kevin Stanford
Sent: Friday, March 26, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?


I have noticed this week that the download is also slow over here. I am
getting around 2.8 to 3 K/s. We also use Wget, and have with no
problems,...just slow download speed.

Here is my tracert if it helps...

U:\>tracert www.sortmonster.net

Tracing route to www.sortmonster.net [216.88.37.61]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  10.100.1.1
  2     5 ms     3 ms     2 ms  63.145.109.65
  3     7 ms     8 ms     9 ms  dal-edge-08.inet.qwest.net [63.145.96.117]
  4     8 ms     8 ms     8 ms  dal-core-01.inet.qwest.net [205.171.25.117]
  5    17 ms     9 ms     8 ms  dal-brdr-02.inet.qwest.net [205.171.25.46]
  6     9 ms     8 ms     8 ms  POS5-2.BR2.DFW9.ALTER.NET [204.255.168.229]
  7    10 ms     8 ms     8 ms  0.so-1-3-0.xl2.dfw9.alter.net [152.63.99.214]
  8     8 ms    11 ms    11 ms  0.so-0-0-0.tl2.dfw9.alter.net [152.63.2.181]
  9    50 ms    51 ms    52 ms  0.so-5-0-0.tl2.nyc9.alter.net [152.63.0.110]
 10    53 ms    50 ms    51 ms  0.so-3-0-0.xl2.nyc1.alter.net [152.63.29.113]
 11    51 ms    51 ms    51 ms  0.so-0-0-0.xr2.nyc1.alter.net [152.63.19.97]
 12    52 ms    51 ms    51 ms  508.atm7-0.gw8.nyc1.alter.net [152.63.20.1]
 13    51 ms    50 ms    51 ms  savvis-ny-gw.customer.ALTER.NET [65.194.72.54]
 14    50 ms    51 ms    51 ms  so-2-0-0.usnycm2-02.j20c.savvis.net [206.129.9.1]
 15    57 ms    56 ms    56 ms  fe2-3-2.uswash2-01.j20c.savvis.net [209.83.222.73]
 16    73 ms    80 ms    70 ms  microneil-1.uswash.savvis.net [216.88.33.46]
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.


At 08:04 AM 03/26/2004, you wrote:
At 08:13 AM 3/26/2004, you wrote:

   I have a Sprint T as well, and have had no download problems using wget
on Win2000 aside from periodic slowdowns. Just ran a download this morning
and speed never went over 5K. I also have had no bad_matrix instances.

I am consistently getting 45K/sec or better

Re: [sniffer] Spam storm?

2004-03-26 Thread Sheldon Koehler
 It's starting to come together now.

 Wget on windows + errors on the Sprint line since the move = corrupted
 downloads for folks who end up routing through sprint along the way?

 Could be.

We use Windows 2k, Wget and have our connection at our end from Sprint...


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain





RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
That is possible. I'm still looking for an alternate repeatable cause.
_M
At 08:43 PM 3/24/2004, you wrote:

I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
today, as well.  Is this due to the ruleset issue from earlier today?
Bill

-Original Message-
From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?

Well it may not be a spam storm. Log file shows:

nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0

What is a Bad Matrix?

Sheldon

Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!
Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain


---
This message and any included attachments are from Siemens Medical Solutions
USA, Inc. and are intended only for the addressee(s).
The information contained herein may include trade secrets or privileged or
otherwise confidential information.  Unauthorized review, forwarding, printing,
copying, distributing, or using such information is strictly prohibited and may
be unlawful.  If you received this message in error, or have reason to believe
you are not authorized to receive it, please promptly delete this message and
notify the sender by e-mail with a copy to [EMAIL PROTECTED]

Thank you



Re: [sniffer] Spam storm?

2004-03-25 Thread Sheldon Koehler
This has been a bad week here!

A big increase in total email volume, a huge increase in false positives as
well as a huge increase in spam getting past our filters.


Sheldon


Sheldon Koehler, Owner/Partner    http://www.tenforward.com
Ten Forward Communications        360-457-9023
Nationwide access, neighborhood support!

Whenever you find yourself on the side of the majority, it's time
to pause and reflect. Mark Twain




Re: [sniffer] Spam storm?

2004-03-25 Thread Computer House Support
We've found that when we do a manual download, everything works fine.  It's
the automatic download on the Windows 2000 server that seems to corrupt
things.


M. Stein
Computer House




- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 6:05 PM
Subject: Re: [sniffer] Spam storm?


This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


At 10:08 PM 3/24/2004, you wrote:
I've noticed that if I do a manual download of the rule base file, it works
well, but if it is downloaded automatically via the Windows Task CMD, then
sniffer fails and the log fills up with the BAD_MATRIX errors.

Anyone else seeing this?


Mike


- Original Message -
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 8:43 PM
Subject: RE: [sniffer] Spam storm?


 
  I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
  today, as well.  Is this due to the ruleset issue from earlier today?
 
  Bill
 
  -Original Message-
  From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] Spam storm?
 
 
  Well it may not be a spam storm. Log file shows:
 
  nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
  nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
 
  What is a Bad Matrix?
 
 
  Sheldon
 
 
  Sheldon Koehler, Owner/Partner    http://www.tenforward.com
  Ten Forward Communications        360-457-9023
  Nationwide access, neighborhood support!
 
  Whenever you find yourself on the side of the majority, it's time
  to pause and reflect. Mark Twain
 
 
 


Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
By 8pm we had done at least 6 that I was part of.
_M
At 04:32 PM 3/25/2004, you wrote:
How many updates have happened today...I have only received 1 today..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 2:52 PM
Subject: Re: [sniffer] Spam storm?
 Big uptick of new and broken spam.
 Half way through the day and already at 445 new rules.
 We may be getting it under control though... (fingers crossed).
 _M

 At 06:02 PM 3/24/2004, you wrote:
 Am I the only one seeing a spam storm today? This is the worst I have EVER
 seen!!!
 
 Sheldon
 
 
 Sheldon Koehler, Owner/Partner    http://www.tenforward.com
 Ten Forward Communications        360-457-9023
 Nationwide access, neighborhood support!
 
 Whenever you find yourself on the side of the majority, it's time
 to pause and reflect. Mark Twain
 
 
 


Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
I'm exploring that possibility - though there is nothing in the logs. I've 
seen some instability on the Sprint T1 though it seems stable now.

Sprint made an announcement that they were going to change their routing 
and that seems to coincide with these new events. Perhaps instability on 
that part of the network is causing some ftp/wget downloads to become 
corrupted - though that's not supposed to happen.

I've bounced the server just in case something was hung up there that I 
couldn't see - although some folks are not having trouble so there is 
nothing conclusive at this time.

_M

At 06:19 PM 3/25/2004, you wrote:
Could it possibly be your FTP server. This morning it timed out 4 times
when trying to manually download using my SecureFX program while this
afternoon wget has had no problem. Maybe you're getting hammered maliciously
with outside requests.
-Butch

*** REPLY SEPARATOR  ***

On 3/25/2004 at 6:05 PM Pete McNeil wrote:

This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.

I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.

Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


At 10:08 PM 3/24/2004, you wrote:
I've noticed that if I do a manual download of the rule base file, it works
well, but if it is downloaded automatically via the Windows Task CMD, then
sniffer fails and the log fills up with the BAD_MATRIX errors.

Anyone else seeing this?


Mike


- Original Message -
From: Landry William [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 8:43 PM
Subject: RE: [sniffer] Spam storm?


 
  I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
  today, as well.  Is this due to the ruleset issue from earlier today?
 
  Bill
 
  -Original Message-
  From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:19 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [sniffer] Spam storm?
 
 
  Well it may not be a spam storm. Log file shows:
 
  nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
  nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
 
  What is a Bad Matrix?
 
 
  Sheldon
 
 
  Sheldon Koehler, Owner/Partner    http://www.tenforward.com
  Ten Forward Communications        360-457-9023
  Nationwide access, neighborhood support!
 
  Whenever you find yourself on the side of the majority, it's time
  to pause and reflect. Mark Twain
 
 
 


RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
At 06:25 PM 3/25/2004, you wrote:
We also saw many BAD_MATRIX errors last night.

If the problem was 'wget', shouldn't the snf2check
utility detect a corrupt file? Also, we did a manual
update yesterday afternoon and there were no 'wget'
error messages. The problem got corrected sometime
between last night and this morning.

Perhaps though some have had trouble throughout the day.

At the very least the verification on snf2check should
be improved to catch this issue. Updating with a bad
ruleset creates many problems.

Agreed. I'm looking for some simple ways to do that without changing the 
rulebase file format. There aren't any simple mechanisms that come to mind. 
Perhaps there will be no choice but to change the format in order to 
prevent this possibility.

_M


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, March 25, 2004 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?
This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.
I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.
Can we narrow this down to wget under heavy traffic conditions perhaps?

_M



Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
snf2check.exe makes the assumption that if the entire file is there and the 
head and tail of it can be verified that it must have survived the 
transfer. Clearly something is happening where that is not the case - 
something new.

One possibility that has been suggested is that we could gzip these files. 
That would be a somewhat radical change - but so would any change to the 
file format so this may be the best option.

On the other hand the system has worked as is for quite some time. I would 
like to discover what has changed as that clearly represents a problem that 
must be corrected.

_M

At 06:35 PM 3/25/2004, you wrote:
If that were the case then there is something wrong with either
snf2check.exe and/or autosnf.cmd. The autosnf.cmd calls snf2check.exe to
validate the downloaded file. If snf2check.exe found the downloaded file
invalid, an error is supposed to be returned to keep it from going into
production.  So if I assume the file does get corrupted during the download,
snf2check.exe must not be returning the correct value to indicate the file
is bad, snf2check.exe hasn't changed in a long time.
So while I can't argue that the file is bad before or after download. I will
try to watch the logs more closely and manually test the snf files that
begin to generate bad_matrix errors to see if they're bad at that time.

-Original Message-
From: Pete McNeil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 25 Mar 2004 18:05:39 -0500
Subject: Re: [sniffer] Spam storm?
 This helps narrow things down. Specifically we know that the rulebase files
 are not corrupted on the server but during the download. That explains why
 I haven't been able to recreate a problem in the lab.

 I have a suspicion that wget may be failing intermittently.
 Another customer recently had unexplainable, intermittent issues with wget.
 They replaced wget with code of their own and have had no further problems.

 Can we narrow this down to wget under heavy traffic conditions perhaps?

 _M


 At 10:08 PM 3/24/2004, you wrote:
 I've noticed that if I do a manual download of the rule base file, it works
 well, but if it is downloaded automatically via the Windows Task CMD, then
 sniffer fails and the log fills up with the BAD_MATRIX errors.
 
 Anyone else seeing this?
 
 
 Mike
 
 
 - Original Message -
 From: Landry William [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, March 24, 2004 8:43 PM
 Subject: RE: [sniffer] Spam storm?
 
 
  
   I see over a 1000 of these ERROR_BAD_MATRIX entries in my Sniffer log file
   today, as well.  Is this due to the ruleset issue from earlier today?
  
   Bill
  
   -Original Message-
   From: Sheldon Koehler [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, March 24, 2004 3:19 PM
   To: [EMAIL PROTECTED]
   Subject: Re: [sniffer] Spam storm?
  
  
   Well it may not be a spam storm. Log file shows:
  
   nsx4b3eh 20040324200108 De90392330028271a.SMD 421 0 ERROR_BAD_MATRIX 71 0 0 2 5
   nsx4b3eh 20040324200117 De90c923a00284b5b.SMD 422 0 ERROR_BAD_MATRIX 71 0 0
  
   What is a Bad Matrix?
  
  
   Sheldon
  
  
   Sheldon Koehler, Owner/Partner    http://www.tenforward.com
   Ten Forward Communications        360-457-9023
   Nationwide access, neighborhood support!
  
   Whenever you find yourself on the side of the majority, it's time
   to pause and reflect. Mark Twain
  
  
  

RE: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
At 06:51 PM 3/25/2004, you wrote:

Looks like a bandwidth issue to me, since even doing the download manually,
my connection stalled 5 times before I could complete a successful download.
And the download speeds were atrocious, many times in bytes/second rather
than even kb/second - and my connection speeds to the Internet are in
multiple 100mb connections.
Have you considered mirror sites or adding bandwidth?

Normally our bandwidth is sufficient. We have considered mirror sites also, 
and we have plans to move our hosting into a local Equinix facility where 
we will have similar bandwidth to yours and other benefits. Unfortunately 
we are not quite up to that level of revenue yet.

We currently have two T1s through two networks (Savvis & Sprint). More than 
90% of the time more than 80% of our bandwidth is available. There are 
occasional short-lived peaks where this is not the case, but those are rare.

Rulebase compilation is metered so that each file is generated in about the 
same amount of time it takes to download the file through a single T1. 
Generally this pacing leaves our bandwidth mostly open most of the time.

However, it appears that something odd has been going on recently with the 
Sprint side of the network - I suspect that what you've observed is related 
to some flapping going on under some heavy load conditions and that this 
has led to a number of dropped packets. I am investigating this further.

An event such as this would reduce our bandwidth by more than half and many 
packets would be lost.

_M



Re: [sniffer] Spam storm?

2004-03-25 Thread Pete McNeil
snf2check does a byte length and partial checksum by default. The first and 
last few kbytes of the file are encrypted in sequence using Mangler. If any 
single bit of those two segments is missing or altered then the file will 
fail to authenticate. The only thing missing is a CRC for the middle parts 
of the file. In theory this is covered by TCP - but in practice not so much :-(

_M

At 12:48 AM 3/26/2004, you wrote:
How about a byte length compare or checksum of some sort?

Matt



Pete McNeil wrote:

At 06:25 PM 3/25/2004, you wrote:

We also saw many BAD_MATRIX errors last night.

If the problem was 'wget', shouldn't the snf2check
utility detect a corrupt file? Also, we did a manual
update yesterday afternoon and there were no 'wget'
error messages. The problem got corrected sometime
between last night and this morning.


Perhaps though some have had trouble throughout the day.

At the very least the verification on snf2check should
be improved to catch this issue. Updating with a bad
ruleset creates many problems.


Agreed. I'm looking for some simple ways to do that without changing the 
rulebase file format. There aren't any simple mechanisms that come to 
mind. Perhaps there will be no choice but to change the format in order 
to prevent this possibility.

_M


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, March 25, 2004 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [sniffer] Spam storm?
This helps narrow things down. Specifically we know that the rulebase files
are not corrupted on the server but during the download. That explains why
I haven't been able to recreate a problem in the lab.
I have a suspicion that wget may be failing intermittently.
Another customer recently had unexplainable, intermittent issues with wget.
They replaced wget with code of their own and have had no further problems.
Can we narrow this down to wget under heavy traffic conditions perhaps?

_M


--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
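
Added example (not from the thread and not Message Sniffer's own code): the two posts above describing snf2check say it verifies byte length plus the first and last few kbytes, leaves the middle of the file uncovered, and mention gzip as one option. The Python sketch below shows a mid-file byte flip passing a head/tail check, failing a whole-file digest and a gzip CRC, and being kept out of production by a verify-then-rename step. Assumptions: a constructed 64 KiB stand-in file, a hypothetical manifest of SHA-256 digests standing in for the Mangler-based check, and hypothetical file names.

```python
import gzip
import hashlib
import os
import tempfile
import zlib

EDGE = 4096  # bytes covered at each end by the stand-in head/tail check


def manifest_for(data: bytes) -> dict:
    """Digests a publisher could ship beside the file (hypothetical format)."""
    return {
        "length": len(data),
        "head": hashlib.sha256(data[:EDGE]).hexdigest(),
        "tail": hashlib.sha256(data[-EDGE:]).hexdigest(),
        "full": hashlib.sha256(data).hexdigest(),
    }


def head_tail_ok(data: bytes, m: dict) -> bool:
    """Length plus first/last EDGE bytes only: the gap described in the thread."""
    return (len(data) == m["length"]
            and hashlib.sha256(data[:EDGE]).hexdigest() == m["head"]
            and hashlib.sha256(data[-EDGE:]).hexdigest() == m["tail"])


def full_ok(data: bytes, m: dict) -> bool:
    """Length plus a digest over every byte of the file."""
    return len(data) == m["length"] and hashlib.sha256(data).hexdigest() == m["full"]


def gunzip_ok(blob: bytes) -> bool:
    """gzip stores a CRC-32 and length of the payload; decompression checks both."""
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError, zlib.error):
        return False


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate in-transit damage to a single byte."""
    damaged = bytearray(data)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


def install(staged: str, live: str, m: dict) -> bool:
    """Promote a staged download only if the whole file verifies."""
    with open(staged, "rb") as fh:
        data = fh.read()
    if not full_ok(data, m):
        os.remove(staged)        # the live rulebase stays as it was
        return False
    os.replace(staged, live)     # atomic rename on the same volume
    return True


def demo() -> dict:
    # Constructed stand-in for a rulebase file: 64 KiB of deterministic bytes.
    good = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    m = manifest_for(good)
    bad = flip_byte(good, len(good) // 2)   # damage in the uncovered middle
    gz = gzip.compress(good)
    results = {
        "head_tail_accepts_damaged": head_tail_ok(bad, m),
        "full_accepts_damaged": full_ok(bad, m),
        "full_accepts_good": full_ok(good, m),
        "gzip_accepts_damaged": gunzip_ok(flip_byte(gz, len(gz) // 2)),
        "gzip_accepts_good": gunzip_ok(gz),
    }
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical file names for the live and freshly downloaded rulebase.
        live = os.path.join(d, "rulebase.snf")
        staged = os.path.join(d, "rulebase.new")
        with open(live, "wb") as fh:
            fh.write(b"previous rulebase")
        with open(staged, "wb") as fh:
            fh.write(bad)
        results["damaged_installed"] = install(staged, live, m)
        with open(live, "rb") as fh:
            results["live_untouched"] = fh.read() == b"previous rulebase"
        with open(staged, "wb") as fh:
            fh.write(good)
        results["good_installed"] = install(staged, live, m)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
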