Crew,
I'm a bit concerned about the amount of spam that Sniffer's not
getting. It used to be a near 99% catch rate, but now it looks like it's
down to 70%...? I opened my own mailbox
this morning and saw 5 false negatives, while 11 others were caught by
Sniffer. Haven't checked with my
Maybe people at Sniffer are already aware of this new type of spam. Not the
malformed mailfrom one but this with the short number and nothing else in
subject and body)
Attached are some examples from the last 8 hours. All have failed some other
tests and all have reached a final weight in order to be
I only see Sniffer catching about 30% of SPAM and that's the highest it's
ever been.
David
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Michiel Prins
Sent: 06 June 2006 08:11
To: Message Sniffer Community
Subject: [sniffer]Concerned about
Hi
There must be something wrong with your configuration of the sniffer test(s)
Here are my numbers from yesterday based on 24462 processed messages
Date  Test            SS  SH  HH  HS  IMP
0605  SNIFFER-TRAVEL  12   0   0  23    2
0605
We just use a single test, we don't categorise. If SNIFFER returns a result
we weight it. However, SNIFFER often returns a zero result when the email
is obviously junk i.e. SNIFFER returns a positive result (spam) in about 30%
of all identified junk mail.
SNIFFER external nonzero
Hello Sniffer Folks,
I have a design question for you...
How many DNS based tests do you use in your filter system?
How many of them really matter?
Thanks!
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
#
This message
Hello Markus,
Tuesday, June 6, 2006, 3:27:32 AM, you wrote:
Maybe people at Sniffer are already aware of this new type of spam. Not the
malformed mailfrom one but this with the short number and nothing else in
subject and body)
Thanks for those samples... I've coded an additional abstract for
Hi _M,
Do you mean like reverse PTR records, or HELO lookups, etc..?
--Paul R.
-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
Behalf Of Pete McNeil
Sent: Tuesday, June 06, 2006 9:26 AM
To: Message Sniffer Community
Subject: [sniffer]A design question - how
Hi Pete,
Pete McNeil wrote:
How many DNS based tests do you use in your filter system?
approx 100
How many of them really matter?
depends :)
I generally weight them all very low; it's the combination of several
that make each 'matter'. As I review held mail I remove ones that are
Hello Michiel,
Tuesday, June 6, 2006, 3:10:52 AM, you wrote:
Crew,
I'm a bit concerned about the amount of spam that Sniffer's not
getting. It used to be a near 99% catch rate, but now it looks like it's
down to 70%...?
I opened my own mailbox this morning and saw
Hi Markus -
Markus Gufler wrote:
There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.
I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS
Hello Peer-to-Peer,
That's a good point.
Any kind, perhaps by category.
I was originally thinking of just RBLs of various types.
Thanks,
_M
Tuesday, June 6, 2006, 9:46:01 AM, you wrote:
Hi _M,
Do you mean like reverse PTR records, or HELO lookups, etc..?
--Paul R.
-Original
Hello Nick,
What is your false positive rate with that pattern?
_M
Tuesday, June 6, 2006, 10:05:18 AM, you wrote:
Hi Markus -
Markus Gufler wrote:
There is also another type of spam (stock spam now with attached png image)
this morning passing our filters.
I am catching these fairly
Hello Jonathan,
I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.
I'd love to be wrong - but I recall false positives with similar
attempts in the past.
Is there more to this than the two elements I just described -
Pete McNeil wrote:
Hello Nick,
What is your false positive rate with that pattern?
Hmm, let's go to the MDLP for yesterday :)
Test              SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY  331   0   0  66  0.667506  0.445565
COMBO.STOCK_PNG    16   0   0   1  0.882353  0.778547
The regex alone will fp; I
I use about 100 dnsbl/rbl/rhsbl list of varying weights and reliabilities.
How many matter...
I'd have to say the shining star is CBL. Hits 45% of the spam with a very
low false positive rate.
The relay RBLs days are way behind them,
The proxy RBLs most useful days are behind them
The DUL RBLs
We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are
Hello Nick,
Thanks.
That's all good then :-)
_M
Tuesday, June 6, 2006, 10:46:55 AM, you wrote:
Pete McNeil wrote:
Hello Nick,
What is your false positive rate with that pattern?
Hmm lets go to the MDLP for yesterday :)
SS
David,
Are you using the free version of sniffer? Or did you deliberately change your
.exe name in your posting to sniffer.exe to hide your licence number?
I certainly expect that the rulebase lag with the free version will result in
lower Message Sniffer hit rates.
I've seen the free version
Hello Andrew,
Tuesday, June 6, 2006, 11:44:46 AM, you wrote:
David,
Are you using the free version of sniffer? Or did you deliberately
change your .exe name in your posting to sniffer.exe to hide your licence
number?
I certainly expect that the rulebase lag with the free version will
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.
Perhaps 10-12 matter.
Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act. That act is greatly assisted
by using a weighting system and not reject on first
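The weighting approach described in the last two posts (many lists, each with a weight too low to hold a message on its own, a hold weight reached only when several lists agree, and no reject-on-first) as an added Python sketch. This is not code from the list, from Message Sniffer or from Declude; the zone names, weights, hold value and DNS answers are all constructed for the example, and a dictionary stands in for the resolver so it runs offline. Only the reversed-octet query-name construction is the real DNSBL convention.

```python
import ipaddress

# Constructed stand-in for DNS answers, keyed by the exact query name a
# DNSBL client would resolve. A real filter hands these names to a resolver;
# nothing here touches the network.
FAKE_DNS = {
    "4.2.0.192.dnsbl-a.example": "127.0.0.2",
    "4.2.0.192.dnsbl-b.example": "127.0.0.4",
    "4.2.0.192.dnsbl-c.example": "127.0.0.2",
    "7.100.51.198.dnsbl-c.example": "127.0.0.2",  # lone listing of a legitimate relay
}

# Hypothetical lists with deliberately low individual weights: none of them
# reaches the hold weight alone, a combination of them does.
WEIGHTS = {
    "dnsbl-a.example": 5,
    "dnsbl-b.example": 4,
    "dnsbl-c.example": 3,
}
HOLD_WEIGHT = 10


def query_name(ip, zone):
    """Build the reversed-octet name an IPv4 DNSBL expects: 1.2.3.4 -> 4.3.2.1.zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def score_sender(ip, weights=WEIGHTS, resolver=FAKE_DNS.get):
    """Query every list, add the weight of each one that answers; return (total, hits)."""
    hits = {}
    for zone, weight in weights.items():
        if resolver(query_name(ip, zone)) is not None:
            hits[zone] = weight
    return sum(hits.values()), hits


def weighted_verdict(ip, hold=HOLD_WEIGHT, **kw):
    """Hold only when the combined weight reaches the hold weight."""
    total, _ = score_sender(ip, **kw)
    return "HOLD" if total >= hold else "DELIVER"


def reject_on_first_verdict(ip, weights=WEIGHTS, resolver=FAKE_DNS.get):
    """The approach the post argues against: any single listing is fatal."""
    for zone in weights:
        if resolver(query_name(ip, zone)) is not None:
            return "REJECT"
    return "DELIVER"


if __name__ == "__main__":
    for sender in ("192.0.2.4", "198.51.100.7"):
        total, hits = score_sender(sender)
        print(sender, total, sorted(hits), weighted_verdict(sender),
              reject_on_first_verdict(sender))
```

The sender listed on all three constructed zones accumulates 12 and is held; the relay listed on one low-weight zone scores 3 and is delivered under the weighted scheme, while reject-on-first would have bounced it. That difference is the false-positive cost the posts are describing.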
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.
- Original Message -
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
I use around 80 tests on one system in order to watch them and how their
performance is going up and down. On other (high traffic) servers I use only
the best one.
I can confirm what others have mentioned as reliable blacklists (except
fiveten for European systems: fiveten has a FP-Rate of around
Sorry I was out of office.
You're right there must be something wrong with the second column. Yesterday
there was a little bit of confusion as I changed different things on the
database and additionally there was this issue with the malformed mailfrom
address. I will try to publish the correct
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:
We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus
So no one has any idea what the purpose of these emails is?
The bad guys aren't telling. The good guys have lots of theories, such as:
http://isc.sans.org/diary.php?storyid=1384
and also:
http://www.f-secure.com/weblog/archives/archive-062006.html#0894
which in turn points to
You know we are dealing with some pretty sick puppies when it comes to these
spammers. It would be ironic if one is just doing this to play with our heads.
John C
-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: Message Sniffer
Hello Matt,
Tuesday, June 6, 2006, 12:37:56 PM, you wrote:
snip/
appropriately and tend to hit less often, but the FP issues with
Sniffer have grown due to cross checking automated rules with other
lists that I use, causing two hits on a single piece of data. For
instance, if SURBL has an
I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.
Does anyone have any info about SPF records and if they really work to combat this
They do, but you have to both specify that email
for your domains only comes from your mail servers AND use a test in your spam
filtering that checks SPF and pushes fails over your hold limit.
Darin.
- Original Message -
From: Computer
House Support
To: Message Sniffer Community
Hi Darin,
Thanks for your reply. Sure wish I understood what you're saying
Michael Stein
Computer House
- Original Message -
From:
Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:10 PM
Subject: Re: [sniffer]Numeric spam
They do, but
What's your hold weight? If spam is only
failing SPF and nothing else, then the message doesn't get held, so you don't
see it.
Also, I do not recommend negative weighting
SPFPASS. Spammers have SPF records, too, so you're giving them an
opportunity to exploit it.
Lastly, I think you may
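Darin's two points (an SPF record that restricts your domain to your own mail servers only helps if the filter weights a fail past the hold weight, and a pass should not earn a negative weight because spammers publish valid records for their own domains) as an added Python sketch. This is not code from the list or from any of the products discussed. The records, addresses, weights and hold value are constructed, and the evaluator is a deliberate simplification: it handles ip4 mechanisms and the all mechanism only, treating anything that needs DNS (a, mx, include) as a non-match, so it is a teaching sketch rather than an RFC 7208 implementation.

```python
import ipaddress

HOLD_WEIGHT = 10
# Hypothetical weights for SPF outcomes. A hard fail clears the hold weight
# by itself; a pass adds zero rather than a negative weight, so a spammer's
# own valid SPF record cannot pull a message back under the hold limit.
SPF_WEIGHTS = {"fail": 10, "softfail": 4, "neutral": 0, "none": 0, "pass": 0}

# Constructed records: our own domain, and a spammer domain with a valid record.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spam.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a published SPF record against the connecting IP.

    Supports ip4 (with or without a prefix length) and all. Mechanisms that
    need DNS lookups are skipped as non-matching in this offline sketch.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "pass"  # an unqualified mechanism defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        mech = term.lower()
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return qualifier
        elif mech == "all":
            return qualifier
    return "neutral"


def weigh_message(mail_from_domain, sender_ip, other_weight=0, records=RECORDS):
    """Add the SPF outcome's weight to the other tests' weight; return (result, total, action)."""
    record = records.get(mail_from_domain)
    result = evaluate_spf(record, sender_ip) if record else "none"
    total = other_weight + SPF_WEIGHTS[result]
    return result, total, ("HOLD" if total >= HOLD_WEIGHT else "DELIVER")


if __name__ == "__main__":
    # Numeric spam forging our domain from an address our record does not list.
    print(weigh_message("example.com", "198.51.100.7"))
    # Our own relay sending as our domain.
    print(weigh_message("example.com", "192.0.2.25"))
    # Spammer mailing from their own listed server: the pass adds nothing.
    print(weigh_message("spam.example", "203.0.113.9", other_weight=12))
```

With a hold weight of 10 the forged message is held on the SPF fail alone, which is the behaviour the post asks for; with a lower SPF weight it would be delivered unseen, which is the situation Michael describes. The third case shows why a pass should be neutral: the spammer's message still carries its 12 points from other tests and stays held.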