[sniffer]Concerned about amount of spam going through

2006-06-06 Thread Michiel Prins

Crew,

I'm a bit concerned about the amount of spam that Sniffer's not getting. It used to be a near 99% catch rate, but now it looks like it's down to 70%...?

I opened my own mailbox this morning and saw 5 false negatives, while 11 others were caught by Sniffer. Haven't checked with my clients yet, but I think it will be the same.

Is there an explanation, besides another spam storm?

Regards,
Michiel



[sniffer]Numeric spam

2006-06-06 Thread Markus Gufler
Maybe people at Sniffer are already aware of this new type of spam (not the
malformed mailfrom one, but the one with a short number and nothing else in
subject and body).
Attached are some examples from the last 8 hours. All have failed some other
tests and all have reached a final weight high enough to be marked in the
subject line. However, none of these messages was identified as spam by
sniffer.

There is also another type of spam (stock spam, now with an attached png image)
this morning passing our filters. Here too some tests have had positive
results (see mail headers of attached samples), but sniffer has also
completely missed them.

Markus

---BeginMessage---
5556
---End Message---
---BeginMessage---
5556
---End Message---
---BeginMessage---
6J
---End Message---
---BeginMessage---
969
---End Message---
---BeginMessage---
M
---End Message---
#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]



Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
I only see Sniffer catching about 30% of SPAM and that's the highest it's
ever been.

David 




[sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Markus Gufler
Hi

There must be something wrong with your configuration of the sniffer test(s).

Here are my numbers from yesterday, based on 24462 processed messages:

Date  Test              SS    SH  HH  HS  IMP
0605  SNIFFER-TRAVEL    12    0   0   23  2
0605  SNIFFER-INSUR     4     0   0   0   0
0605  SNIFFER-AV        0     0   0   0   0
0605  SNIFFER-MEDIA     1345  0   0   0   8
0605  SNIFFER-SWARE     73    0   0   0   0
0605  SNIFFER-SNAKE     8386  0   0   0   9
0605  SNIFFER-SCAMS     138   0   0   2   3
0605  SNIFFER-PORN      908   0   0   1   3
0605  SNIFFER-MALWARE   12    0   0   2   3
0605  SNIFFER-INK       2     0   0   0   0
0605  SNIFFER-RICH      2865  0   0   2   219
0605  SNIFFER-CREDIT    363   0   0   0   1
0605  SNIFFER-CASINO    300   0   0   0   0
0605  SNIFFER-GENERAL   2881  0   0   41  41
0605  SNIFFER-EXP-A     450   0   0   36  7
0605  SNIFFER-OBFUSC    4     0   0   5   0
0605  SNIFFER-EXP-IP    28    0   0   8   5

SS   Sniffer says spam, final result too
SH   Sniffer says spam, final result not
HH   Sniffer says ham, final result too
HS   Sniffer says ham, final result not

IMP  Sniffer says spam and final result is slightly above the hold weight.
     (This column is a part of the SS column: 100-150% of hold.)
     So either
     a.) it's an important test because it's able to bring the spam above
     the hold weight, and without this test it wouldn't be held as spam,
     or
     b.) it's a risky test because it brings legit messages above the
     hold weight.

What result codes are you using in your test configuration? (Please do not
publish your sniffer-id!)

Markus




 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
 Sent: Tuesday, 6 June 2006 11:51
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]Concerned about amount of 
 spam going through
 
 Of all SPAM identified SNIFFER is finding about 30%. We see 
 an awful lot of junk email not being caught by SNIFFER, it's 
 being processed by Declude and failing some technical tests 
 but not by SNIFFER.
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 09:41
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]Concerned about amount of spam 
 going through
 
  I only see Sniffer catching about 30% of SPAM and that's the highest
  it's ever been.
 
 30% of spam or 30% of all processed messages?
 Sniffer is still one of the best tests in my arsenal.
 
 Markus
 
 
 
 
 



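A worked version of the SS/SH/HH/HS/IMP tally described above, added here as an example; it is not code from Markus's post, from Declude or from Sniffer. It assumes a constructed set of per-message results (the weight each test contributed, the final weight, a hold weight of 20, and an optional manual review verdict) and, beyond the table itself, splits the messages that the test alone pushed over the hold line into the "important" and "risky" cases of points a.) and b.):

```python
"""Per-test tally in the style of the SS/SH/HH/HS/IMP table, plus the
a.)/b.) split for messages the test alone pushed over the hold weight.
Constructed example data; not from any real mail log."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOLD = 20  # assumed hold weight for the constructed data


@dataclass
class Message:
    msgid: str
    final_weight: int                     # total weight after all tests ran
    fired: Dict[str, int]                 # test name -> weight it contributed
    reviewed_spam: Optional[bool] = None  # manual review verdict, if any


# Constructed sample: one Sniffer category test plus a few other tests.
SAMPLE: List[Message] = [
    Message("m1", 30, {"SNIFFER-GENERAL": 15, "SURBL": 15}, True),
    Message("m2", 24, {"SNIFFER-GENERAL": 15, "HELO-BOGUS": 9}, True),
    Message("m3", 22, {"SNIFFER-GENERAL": 15, "DUL": 7}, False),  # legit newsletter, held
    Message("m4", 15, {"SNIFFER-GENERAL": 15}, True),             # fired, but total below hold
    Message("m5", 5, {"HELO-BOGUS": 5}, False),
    Message("m6", 25, {"CBL": 25}, True),                         # Sniffer missed it
    Message("m7", 45, {"SNIFFER-GENERAL": 15, "CBL": 30}, True),
]


def tally(messages: List[Message], test: str, hold: int) -> Dict[str, int]:
    """Count SS/SH/HH/HS for one test. First letter: did the test fire
    (S) or not (H); second letter: was the message held (S) or not (H).
    IMP is the subset of SS whose final weight is 100-150% of hold."""
    counts = {"SS": 0, "SH": 0, "HH": 0, "HS": 0, "IMP": 0}
    for m in messages:
        says_spam = test in m.fired
        held = m.final_weight >= hold
        counts[("S" if says_spam else "H") + ("S" if held else "H")] += 1
        if says_spam and hold <= m.final_weight < 1.5 * hold:
            counts["IMP"] += 1
    return counts


def decisive(messages: List[Message], test: str, hold: int) -> Dict[str, int]:
    """Messages this test alone pushed over the hold line: without its
    weight the final weight would have been below hold. With a review
    verdict they split into case a.) (important: real spam that would
    otherwise have passed) and case b.) (risky: legit mail held)."""
    out = {"important": 0, "risky": 0, "unreviewed": 0}
    for m in messages:
        w = m.fired.get(test, 0)
        if w and m.final_weight >= hold and m.final_weight - w < hold:
            if m.reviewed_spam is True:
                out["important"] += 1
            elif m.reviewed_spam is False:
                out["risky"] += 1
            else:
                out["unreviewed"] += 1
    return out


def format_row(date: str, test: str, counts: Dict[str, int]) -> str:
    """One tab-separated line in the layout of the table above."""
    return "{}\t{}\t{SS}\t{SH}\t{HH}\t{HS}\t{IMP}".format(date, test, **counts)


if __name__ == "__main__":
    c = tally(SAMPLE, "SNIFFER-GENERAL", HOLD)
    print("Date\tTest\tSS\tSH\tHH\tHS\tIMP")
    print(format_row("0605", "SNIFFER-GENERAL", c))
    print(decisive(SAMPLE, "SNIFFER-GENERAL", HOLD))
```

The IMP column alone cannot tell case a.) from case b.); `decisive` needs the review verdict for that split, which is exactly why the table leaves the question open.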



Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread David Waller
We just use a single test, we don't categorise. If SNIFFER returns a result
we weight it. However, SNIFFER often returns a zero result when the email
is obviously junk, i.e. SNIFFER returns a positive result (spam) in about 30%
of all identified junk mail.

SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0



[sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Sniffer Folks,

I have a design question for you...

How many DNS based tests do you use in your filter system?

How many of them really matter?

Thanks!

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Numeric spam

2006-06-06 Thread Pete McNeil
Hello Markus,

Tuesday, June 6, 2006, 3:27:32 AM, you wrote:

 Mabe people at Sniffer are already aware of this new type of spam. Not the
 malformed mailfrom one but this with the short number and nothing else in
 subject and body)

Thanks for those samples... I've coded an additional abstract for the
ones you sent.

 There is also another type of spam (stock spam now with attached png image)
 this morning passing our filters. Here too some tests has had positive
 results (see mail headers of attached samples) but sniffer has also
 completely missed.

It took a bit of work to generalize the pattern for the png stock spam
but I've got a new family of rules in place for it now... I'm waiting
on results to tally but I believe the rules will be effective.

If not we will continue to work on them.

Thanks,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Peer-to-Peer (Support)
Hi _M,

Do you mean like reverse PTR records, or HELO lookups, etc..?

--Paul R.





Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Nick Hayer

Hi Pete,

Pete McNeil wrote:

 How many DNS based tests do you use in your filter system?

approx 100

 How many of them really matter?

depends  :)
I generally weight them all very low; it's the combination of several 
that make each 'matter'.  As I review held mail I remove ones that are 
blatant fp's; double up on some by considering the last hop as a 
preference over any hop, etc.

-Nick

 Thanks!

 _M




Re: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Michiel,

Tuesday, June 6, 2006, 3:10:52 AM, you wrote:

  
 Crew,

 I'm a bit concerned about the amount of spam that Sniffer's not
 getting. It used to be a near 99% catch rate, but now it looks like it's
 down to 70%...?

 I opened my own mailbox this morning and saw 5 false negatives,
 while 11 others were caught by Sniffer. Haven't checked with my
 clients yet, but I think it will be the same.

 Is there an explanation, besides another spam storm?

IMO, the spam storm explanation is certainly applicable today - we've
seen a few spikes, this time bunched together in an unusual - nearly
continuous chain... still working on a theory for that.

In general, the image based spam trend has given everyone more
challenges.. I'm working on engine upgrades that will be out soon to
help with those and future threats.

Another thing that may have affected the last few days is that our
primary spam-trap processor ate itself, causing large backlogs and
heavy fragmentation. There were a few hours (off-and-on) where the box
was not processing traffic, so we were delayed responding with new
rules.

I've changed the software on that box and cleaned up the damage and it
is now happily sustaining ~900 msgs/minute so I don't expect further
problems from it in the short term.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer

Hi Markus -

Markus Gufler wrote:

 There is also another type of spam (stock spam now with attached png image)
 this morning passing our filters.

I am catching these fairly easily -
a combo filter -
#combo-stockspammer-png.txt
SKIPIFWEIGHT    26
TESTSFAILED     END     NOTCONTAINS     EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY            5       CONTAINS        Content-Type: image/png;
#
The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick







[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Peer-to-Peer,

That's a good point.

Any kind, perhaps by category.

I was originally thinking of just RBLs of various types.

Thanks,

_M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

What is your false positive rate with that pattern?

_M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Jonathan,

I urge caution from experience... png images are not entirely rare,
and the cid: tag format in the regex is also common.

I'd love to be wrong - but I recall false positives with similar
attempts in the past.

Is there more to this than the two elements I just described -
something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

 Nick, very good method.  I have added that to my configuration as well now.




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.


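To make the two-element logic of Nick's combo filter and Pete's caution about it concrete, here is an added example that is not Declude's code and not from any post on this page. It re-implements a simplified reading of the three directives in combo-stockspammer-png.txt (assumed semantics: SKIPIFWEIGHT n yields nothing once the message already weighs n or more, a matching line whose weight field is END stops the filter, and CONTAINS/NOTCONTAINS are tested against the body or the list of failed tests) and runs it over constructed messages, including a legitimate png mail and a message that matches the cid regex without a png:

```python
"""Simplified evaluator for the combo filter discussed above.
Assumed (not Declude's own) semantics: SKIPIFWEIGHT n -> filter yields 0 if
the message already weighs n or more; a line whose weight field is END stops
the filter when it matches; other matching lines add their weight.
All message bodies below are constructed samples, not real mail."""
import re

COMBO_STOCK_PNG = """\
#combo-stockspammer-png.txt
SKIPIFWEIGHT 26
TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY 5 CONTAINS Content-Type: image/png;
"""

# The body regex behind the external test, as given in the post.
STOCK_CID = re.compile(r"src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@")
REGEX_TEST = "EXTERNAL.REGEX.STOCKSPAMMER.BODY"


def run_combo(filter_text: str, body: str, failed_tests: set,
              current_weight: int) -> int:
    """Return the weight this combo filter contributes for one message."""
    score = 0
    for raw in filter_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        section = parts[0]
        if section == "SKIPIFWEIGHT":
            if current_weight >= int(parts[1]):
                return 0  # already over this threshold; nothing to add
            continue
        weight, op, value = parts[1], parts[2], parts[3]
        if section == "TESTSFAILED":
            hit = value in failed_tests
        elif section == "BODY":
            hit = value in body
        else:
            raise ValueError("unsupported section: " + section)
        if op == "NOTCONTAINS":
            hit = not hit
        elif op != "CONTAINS":
            raise ValueError("unsupported operator: " + op)
        if hit:
            if weight == "END":
                return score  # END line matched: stop the filter here
            score += int(weight)
    return score


def score_message(body: str, current_weight: int) -> int:
    """Run the external regex test first, then the combo over its result."""
    failed = {REGEX_TEST} if STOCK_CID.search(body) else set()
    return run_combo(COMBO_STOCK_PNG, body, failed, current_weight)


# Constructed samples.
STOCK_PNG_SPAM = (
    "Content-Type: image/png;\n name=chart.png\n\n"
    "<img src=cid:abc123def456$12345678$abcdefgh@mail>"
)
LEGIT_PNG_NEWSLETTER = (
    "Content-Type: image/png;\n name=logo.png\n\n"
    "<img src=cid:logo.png@01C6894A.0F3B1A20>"  # png, but a different cid style
)
LEGIT_CID_JPEG = (
    "Content-Type: image/jpeg;\n\n"
    "<img src=cid:abc123def456$12345678$abcdefgh@mail>"  # cid alone is not enough
)

if __name__ == "__main__":
    for name, body in [("stock png spam", STOCK_PNG_SPAM),
                       ("legit png newsletter", LEGIT_PNG_NEWSLETTER),
                       ("cid pattern but jpeg", LEGIT_CID_JPEG)]:
        print(name, "->", score_message(body, 10))
```

Only the message that carries both elements scores; either element on its own ends the filter at 0, which is the property the combo relies on to keep false positives down.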



Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Nick Hayer




Pete McNeil wrote:

 Hello Nick,

 What is your false positive rate with that pattern?

Hmm, let's go to the MDLP for yesterday :)

                    SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY    331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG     16   0   0   1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24].
The png combo I just did last night when I first saw the spam. So
far I have not seen any fp. [I combo it (the regex) with other tests as
well - which makes it much more reliable.]

-Nick


  

Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Scott Fisher

I use about 100 dnsbl/rbl/rhsbl lists of varying weights and reliabilities.

How many matter...
I'd have to say the shining star is CBL. Hits 45% of the spam with a very 
low false positive rate.

The relay RBLs' days are way behind them.
The proxy RBLs' most useful days are behind them.
The DUL RBLs I don't think have ever been comprehensive/correct enough to be 
as useful as they should be in the day of the spam zombie.
The spam source RBLs (other than CBL) are a little over-zealous to me, 
causing me some false positive problems, thus the lower weight. They seem 
to be on the downtrend too. Oddly, Fiveten Spam (127.0.0.2) has had a big 
jump in the last two months, catching 60% of the spam although with a 1% 
false positive rate.


I have 2 1/4 years of my spam test results posted at
All tests: http://it.farmprogress.com/declude/Testsbymonth.html
Spam tests: http://it.farmprogress.com/declude/spamtestbymonth.html
ham tests:  http://it.farmprogress.com/declude/hamtestsbymonth.html




Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
We're getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign. Anyone understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

 I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

Regards,
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Pete McNeil
Hello Nick,

Thanks.

That's all good then :-)

_M




-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Colbeck, Andrew
David,

Are you using the free version of sniffer? Or did you deliberately change your 
.exe name in your posting to sniffer.exe to hide your licence number?

I certainly expect that the rulebase lag with the free version will result in 
lower Message Sniffer hit rates.

I've seen the free version with hit rates as low as 10% on the remaining 
messages that have been already filtered by a gateway, which I thought was 
still decent because these were the messages that had already evaded the 
blacklist tests.  And free is good.

On the same system, I noted that this made Sniffer about half as effective as 
fresh SURBL/URIBL testing, but I had no way to compare their overlap.

Andrew 8)
 

 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Waller
 Sent: Tuesday, June 06, 2006 5:46 AM
 To: Message Sniffer Community
 Subject: Re: [sniffer]AW: [sniffer]AW: [sniffer]Concerned 
 about amount of spam going through
 
 We just use a single test, we don't categorise. If SNIFFER 
 returns a result we weight it. However, SNIFFER oftens 
 returns a zero result when the email is obviously junk i.e. 
 SNIFFER returns a positive result (spam) in about 30% of all 
 identified junk mail.
 
 SNIFFER external nonzero \declude\sniffer\sniffer.exe 23  0
 
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: 06 June 2006 11:17
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about 
 amount of spam going through
 
 Hi
 
 There mus be something wrong with your configuration of the 
 sniffer test(s)
 
 Here are my numbers from yesterday based on 24462 processed messages
 
 Date  TestSS  SH  HH  
 HSIMP
 0605  SNIFFER-TRAVEL  12  0   0   23  2
 0605  SNIFFER-INSUR   4   0   0   0   0
 0605  SNIFFER-AV  0   0   0   
 0 0
 0605  SNIFFER-MEDIA   13450   0   0   8
 0605  SNIFFER-SWARE   73  0   0   0   0
 0605  SNIFFER-SNAKE   83860   0   0   9
 0605  SNIFFER-SCAMS   138 0   0   2   3
 0605  SNIFFER-PORN908 0   0   1   3
 0605  SNIFFER-MALWARE 12  0   0   2   3
 0605  SNIFFER-INK 2   0   0   
 0 0
 0605  SNIFFER-RICH28650   0   2   219
 0605  SNIFFER-CREDIT  363 0   0   0   1
 0605  SNIFFER-CASINO  300 0   0   0   0
 0605  SNIFFER-GENERAL 28810   0   41  41
 0605  SNIFFER-EXP-A   450 0   0   36  7
 0605  SNIFFER-OBFUSC  4   0   0   5   0
 0605  SNIFFER-EXP-IP  28  0   0   8   5
 
 
 SSSniffer says spam, final result too
 SHSniffer says spam, final result not
 HHSniffer says ham, final result too
 HSSniffer says ham, final result not
 
 IMP   Sniffer says spam and final result is slight above the 
 hold weight.
   (This column is a part of the SS-column: 100-150% of hold)
   So
   a.) it's an important test because it's able to bring 
 the spam above the hold 
   weight and without this test it wasn't hold as spam.
   or
   b.) it's a risky test because it brings legit messages 
 above the hold weight
 
 What result codes are you using in your test configuration? 
 (please not publish your sniffer-id!)
 
 Markus
 
 
 
 
  -Ursprüngliche Nachricht-
  Von: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller
  Gesendet: Dienstag, 6. Juni 2006 11:51
  An: Message Sniffer Community
  Betreff: Re: [sniffer]AW: [sniffer]Concerned about amount of spam 
  going through
  
  Of all SPAM identified SNIFFER is finding about 30%. We see an awful 
  lot of junk email not being caught by SNIFFER, it's being processed by 
  Declude and failing some technical tests but not by SNIFFER.
  
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
  Sent: 06 June 2006 09:41
  To: Message Sniffer Community
  Subject: [sniffer]AW: [sniffer]Concerned about amount of spam going 
  through
  
   I only see Sniffer catching about 30% of SPAM and that's the highest 
   it's ever been.
  
  30% of spam or 30% of all processed messages?
  Sniffer is still one of the best tests in my arsenal.
  
  Markus
  
  
  
  #
  This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
  To unsubscribe, E-mail to: [EMAIL PROTECTED] To 
 switch to 
  the DIGEST mode, E-mail to [EMAIL PROTECTED] 
 To switch 
  to the INDEX mode, E-mail to [EMAIL PROTECTED] Send 
  administrative queries to  
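A way to reproduce the SS/SH/HH/HS/IMP columns from a weighting filter's log, as an added example that is not Markus's script and not anything shipped with Message Sniffer or Declude. It assumes a filter that sums each firing test's weight and holds a message once the total reaches a hold weight; the test names, weights, the hold weight of 20 and the seven log records are constructed. It also adds a DEC column that is not in the table above: the held messages that would have fallen below hold without that test, which is the "important test" reading of IMP made explicit.

```python
"""Per-test result table (SS / SH / HH / HS / IMP) for a weighting filter.

Added example, not code from Message Sniffer, Declude or any list member.
Assumes a weighting filter that adds each firing test's weight and holds
a message once the total reaches a hold weight. All data is constructed.
"""

HOLD_WEIGHT = 20                                   # constructed hold threshold
COLS = ("SS", "SH", "HH", "HS", "IMP", "DEC")

# Constructed per-message records: (message id, {test: weight it added}).
# A test missing from a record did not fire on that message.
LOG = [
    ("m01", {"SNIFFER-GENERAL": 15, "IP4R-XBL": 8}),            # 23: held
    ("m02", {"SNIFFER-RICH": 15, "IP4R-XBL": 8, "SURBL": 12}),  # 35: held, above 150% of hold
    ("m03", {"SNIFFER-GENERAL": 15}),                          # 15: not held
    ("m04", {"IP4R-XBL": 8, "SURBL": 12}),                     # 20: held without a SNIFFER hit
    ("m05", {}),                                               #  0: ham
    ("m06", {"SNIFFER-RICH": 15, "SURBL": 12}),                # 27: held
    ("m07", {"IP4R-XBL": 8}),                                  #  8: ham
]
TESTS = ["SNIFFER-GENERAL", "SNIFFER-RICH", "IP4R-XBL", "SURBL"]


def tally(log, tests, hold):
    """Return {test: {column: count}} using the column meanings from the post:
    SS  test fired, message held        SH  test fired, message not held
    HS  test silent, message held       HH  test silent, message not held
    IMP subset of SS where the total landed at 100-150% of hold
    DEC subset of SS where the total minus this test's weight is below hold
        (extra column added here; not part of the posted table)
    """
    counts = {t: {c: 0 for c in COLS} for t in tests}
    for _msg_id, hits in log:
        total = sum(hits.values())
        held = total >= hold
        for t in tests:
            fired = t in hits
            c = counts[t]
            if fired and held:
                c["SS"] += 1
                if total < 1.5 * hold:
                    c["IMP"] += 1
                if total - hits[t] < hold:
                    c["DEC"] += 1
            elif fired:
                c["SH"] += 1
            elif held:
                c["HS"] += 1
            else:
                c["HH"] += 1
    return counts


def format_table(counts, date="0605"):
    """Render the counts in the same layout as the posted table."""
    lines = ["Date  %-16s %5s %4s %4s %4s %4s %4s" % (("Test",) + COLS)]
    for test, c in counts.items():
        lines.append("%s  %-16s %5d %4d %4d %4d %4d %4d"
                     % ((date, test) + tuple(c[col] for col in COLS)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(tally(LOG, TESTS, HOLD_WEIGHT)))
```

With a real log the interesting rows are the ones where SH (fired on what the system finally called ham) and IMP/DEC are both non-zero: that is a test whose weight is doing real work and is therefore worth auditing for false positives, which is exactly Markus's reading a.) versus b.).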

[sniffer]Re[2]: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Pete McNeil
Hello Andrew,

Tuesday, June 6, 2006, 11:44:46 AM, you wrote:

 David,

 Are you using the free version of sniffer? Or did you deliberately
 change your .exe name in your posting to sniffer.exe to hide your licence 
 number?

 I certainly expect that the rulebase lag with the free version will
 result in lower Message Sniffer hit rates.

Actually, since we've been offering production ready 30 day trials,
what once was the free version (as you put it) has been reduced to a
technology demonstrator. It is only useful for proving your system
configuration and barely catches spam at all ;-)

I believe the sniffer.snf rulebase has not been maintained in some
time.

 I've seen the free version with hit rates as low as 10% on the
 remaining messages that have been already filtered by a gateway,
 which I thought was still decent because these were the messages
 that had already evaded the blacklist tests.  And free is good.

 On the same system, I noted that this made Sniffer about half as
 effective as fresh SURBL/URIBL testing, but I had no way to compare their 
 overlap.

Interesting.

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





Re: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Colbeck, Andrew
I use just shy of 60 DNS based tests against the sender, both IP4R and
RHSBL.

Perhaps 10-12 matter.

Due to false positives, I rate most of them relatively low and have
built up their weights as a balancing act.  That act is greatly assisted
by using a weighting system and not reject on first hit, and furthered
by being able to do combo tests such as the example Nick offered on a
different thread this morning.

SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, MXRATE-BL are
consistent good performers for me.

Tests that I try out tend to stay in my configuration after they've
become inutile as long as they do no harm.  I groom the lists perhaps
four times per year.

Andrew 8)



 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Tuesday, June 06, 2006 6:26 AM
 To: Message Sniffer Community
 Subject: [sniffer]A design question - how many DNS based tests?
 
 Hello Sniffer Folks,
 
 I have a design question for you...
 
 How many DNS based tests do you use in your filter system?
 
 How many of them really matter?
 
 Thanks!
 
 _M
 
 --
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.
 
 
 
 





Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

2006-06-06 Thread Jonathan Hickman
Because a small amount of weight is added, it is still sufficient for
tilting the scales on more occurrences than other image types.

- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock
spam


 Hello Jonathan,

 I urge caution from experience... png images are not entirely rare,
 and the cid: tag format in the regex is also common.

 I'd love to be wrong - but I recall false positives with similar
 attempts in the past.

 Is there more to this than the two elements I just described -
 something I'm not seeing?

 _M

 Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

   Nick, very good method.  I have added that to my configuration as well now.

  - Original Message - 
  From: Nick Hayer [EMAIL PROTECTED]
  To: Message Sniffer Community sniffer@sortmonster.com
  Sent: Tuesday, June 06, 2006 10:05 AM
  Subject: Re: [sniffer]Numeric spam topic change to png stock spam


  Hi Markus -
 
  Markus Gufler wrote:
 
  There is also another type of spam (stock spam now with attached png
  image)
  this morning passing our filters.
  
   I am catching these fairly easily -
   a combo filter -
   #combo-stockspammer-png.txt
   SKIPIFWEIGHT 26
   TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
   BODY 5 CONTAINS Content-Type: image/png;
   #
   The body regex is this:
   src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
 
  -Nick
 
  
  
 
 
 







 -- 
 Pete McNeil
 Chief Scientist,
 Arm Research Labs, LLC.









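Nick's combo filter as a Python function, added here so the SKIPIFWEIGHT guard and Pete's false-positive caveat can be tried against sample messages; it is not Declude's filter engine and not Nick's file. It assumes the posted regex is applied case-sensitively to the raw message text, and it allows an optional quote after src= (the quote may have been stripped by the archive; that is an assumption). The four MIME messages below are constructed.

```python
"""Nick's png stock-spam combo filter, expressed in Python.

Added example, not Declude's engine or Nick's filter file. Assumes the body
regex runs case-sensitively over the raw message and that src= may be
followed by a quote (assumption). Sample messages are constructed.
"""
import re

SKIP_IF_WEIGHT = 26
# Regex as posted, with an optional quote after src= (assumption, see above).
STOCKSPAMMER_BODY = re.compile(r'src="?cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')
PNG_PART = "Content-Type: image/png;"


def png_stock_combo(raw_message, current_weight, skip_if=SKIP_IF_WEIGHT):
    """True when the combo test fires. Mirrors the posted filter lines:
    SKIPIFWEIGHT 26      -> already at/above 26: skip, nothing to add
    TESTSFAILED END NOTCONTAINS <regex test> -> stop unless the body regex hit
    BODY 5 CONTAINS 'Content-Type: image/png;' -> the remaining condition
    """
    if current_weight >= skip_if:
        return False
    if not STOCKSPAMMER_BODY.search(raw_message):
        return False
    return PNG_PART in raw_message


def build_message(cid, image_type="png"):
    """Constructed multipart/related message with one inline image part."""
    return f"""From: sender@example.net
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p><img src="cid:{cid}"></body></html>
--b1
Content-Type: image/{image_type}; name="pic.{image_type}"
Content-ID: <{cid}>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


# Stock-spam shape: 12 + 8 + 8 alphanumerics separated by '$', then '@'.
SPAM_PNG = build_message("a1b2c3d4e5f6$1a2b3c4d$9f8e7d6c@mailhost")
# A newsletter whose mailer happens to emit the same cid shape (Pete's caveat).
HAM_SAME_CID = build_message("f0e1d2c3b4a5$0a1b2c3d$4e5f6a7b@corp")
# An inline png with a different cid shape, as common desktop mailers produce.
HAM_OTHER_CID = build_message("image001.png@01C68A1B.2C3D4E5F")
# Stock-spam cid shape but a gif part: the png condition is not met.
SPAM_GIF = build_message("a1b2c3d4e5f6$1a2b3c4d$9f8e7d6c@mailhost", image_type="gif")


if __name__ == "__main__":
    for name, msg in (("spam png", SPAM_PNG), ("ham same cid", HAM_SAME_CID),
                      ("ham other cid", HAM_OTHER_CID), ("spam gif", SPAM_GIF)):
        print(f"{name:14s} weight 10 -> {png_stock_combo(msg, 10)}  "
              f"weight 30 -> {png_stock_combo(msg, 30)}")
```

HAM_SAME_CID is the case Pete raises: nothing in the two conditions distinguishes a legitimate mailer that uses the same cid layout, so the filter should carry a small weight and be read as one vote among several rather than as a hold on its own.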

[sniffer]AW: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Markus Gufler
I use around 80 tests on one system in order to watch them and how their
performance is going up and down. On other (high traffic) servers I use only
the best ones.
I can confirm what others have mentioned as reliable blacklists (except
fiveten for European systems: fiveten has a FP-rate of around 10% and it
seems that they are caused by IP addresses outside of America).

However I give each IP4R test only a relatively small weight (between 1 and
10% of the hold weight). There is one combo test that has a list of the most
reliable IP blacklists. This combo test is nearly as effective as Sniffer,
but it has definitely more FPs.
The combination of IP4R tests is used further to combine them with other
reliable tests and I use them also to add different weights for positive
IP4R results depending on what the originating country is.

Some weeks ago one of my servers was no longer able to reach the configured
DNS server (reconfigured firewall) and even if most spam was still caught
there was a noticeable reduction of spam detection until I discovered the
problem.

Markus




 -Ursprüngliche Nachricht-
 Von: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] Im Auftrag von Colbeck, Andrew
 Gesendet: Dienstag, 6. Juni 2006 18:09
 An: Message Sniffer Community
 Betreff: Re: [sniffer]A design question - how many DNS based tests?
 
 I use just shy of 60 DNS based tests against the sender, both 
 IP4R and RHSBL.
 
 Perhaps 10-12 matter.
 
 Due to false positives, I rate most of them relatively low 
 and have built up their weights as a balancing act.  That act 
 is greatly assisted by using a weighting system and not 
 reject on first hit, and furthered by being able to do 
 combo tests such as the example Nick offered on a different 
 thread this morning.
 
 SPAMHAUS XBL (CBL and the Blitzed OPM), SPAMCOP, FIVETEN, 
 MXRATE-BL are consistent good performers for me.
 
 Tests that I try out tend to stay in my configuration after 
 they've become inutile as long as they do no harm.  I groom 
 the lists perhaps four times per year.
 
 Andrew 8)
 
 
 
  -Original Message-
  From: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
  Sent: Tuesday, June 06, 2006 6:26 AM
  To: Message Sniffer Community
  Subject: [sniffer]A design question - how many DNS based tests?
  
  Hello Sniffer Folks,
  
  I have a design question for you...
  
  How many DNS based tests do you use in your filter system?
  
  How many of them really matter?
  
  Thanks!
  
  _M
  
  --
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.
  
  
  
  
 
 
 
 





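The IP4R weighting Markus and Andrew describe (many lists, each at a small weight, a combo test over the reliable ones) together with the resolver-outage failure mode from Markus's last paragraph, as an added Python example; it is not Declude's configuration and not anyone's production setup. The list zones (bl-a.example and so on), the weights, the combo threshold, the hold weight of 20 and the DNS answer table are constructed so the code runs offline.

```python
"""Weighting several DNS blacklists, a combo test over the reliable ones,
and a check that the resolver is actually answering.

Added example, not Declude's or any list member's configuration. Zones,
weights and DNS answers are constructed; nothing here touches the network.
"""

# (zone, weight, counts toward the combo test)  -- constructed
DNSBL_TESTS = [
    ("bl-a.example", 2, True),
    ("bl-b.example", 2, True),
    ("bl-c.example", 2, True),
    ("bl-d.example", 1, False),   # noisier list: lowest weight, kept out of the combo
]
COMBO_MIN_HITS = 2   # reliable lists that must agree before the combo fires
COMBO_WEIGHT = 12    # constructed: most of the hold weight, deliberately not all of it
HOLD_WEIGHT = 20     # constructed hold threshold

# Constructed answer table standing in for the resolver: query name -> A record,
# or None when the list does not know the address (NXDOMAIN).
FAKE_DNS = {
    "7.100.51.198.bl-a.example": "127.0.0.2",
    "7.100.51.198.bl-b.example": "127.0.0.2",
    "7.100.51.198.bl-d.example": "127.0.0.2",
    "9.113.0.203.bl-d.example": "127.0.0.2",
}


def dnsbl_qname(ip, zone):
    """DNSBL query name: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(qname, resolver):
    """Return the A record, None for NXDOMAIN, or raise TimeoutError when the
    resolver is unreachable (resolver=None models the firewall outage)."""
    if resolver is None:
        raise TimeoutError("DNS resolver unreachable")
    return resolver.get(qname)


def evaluate(ip, resolver, hold=HOLD_WEIGHT):
    """Score one connecting IP against every list. The 'outage' flag is set when
    every lookup failed, so a dead resolver shows up in the log instead of
    silently turning into a lower catch rate."""
    hits, errors, weight = [], 0, 0
    for zone, w, _reliable in DNSBL_TESTS:
        try:
            answer = lookup(dnsbl_qname(ip, zone), resolver)
        except (TimeoutError, OSError):
            errors += 1
            continue
        if answer is not None:
            hits.append(zone)
            weight += w
    reliable_hits = [z for z, _w, reliable in DNSBL_TESTS if reliable and z in hits]
    combo = len(reliable_hits) >= COMBO_MIN_HITS
    if combo:
        weight += COMBO_WEIGHT
    return {
        "ip": ip,
        "hits": hits,
        "errors": errors,
        "combo": combo,
        "weight": weight,
        "held": weight >= hold,
        "outage": errors == len(DNSBL_TESTS),
    }


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(evaluate(ip, FAKE_DNS))
    print(evaluate("198.51.100.7", None))   # resolver down: no hits, outage flagged
```

With these weights an address on three lists reaches 17, short of the hold weight of 20, so the IP evidence alone never holds a message; it needs one more independent test to tip it, which is the balancing act Andrew describes. Counting outages per batch rather than per message turns Markus's weeks-long silent loss into an alert after the first few thousand failed lookups.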

[sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about amount of spam going through

2006-06-06 Thread Markus Gufler
Sorry I was out of office.
You're right there must be something wrong with the second column. Yesterday
there was a little bit of confusion as I changed different things on the
database and additionally there was this issue with the malformed mailfrom
address. I will try to publish the correct numbers tomorrow.

Markus



 -Ursprüngliche Nachricht-
 Von: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] Im Auftrag von Michiel Prins
 Gesendet: Dienstag, 6. Juni 2006 12:30
 An: Message Sniffer Community
 Betreff: Re: [sniffer]AW: [sniffer]AW: [sniffer]AW: 
 [sniffer]Concerned about amount of spam going through
 
 Are you sure? That would mean you only need sniffer, coz none 
 of sniffer's ham is spam in the final result... 
 
 -Original Message-
 From: Message Sniffer Community 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: dinsdag 6 juni 2006 12:25
 To: Message Sniffer Community
 Subject: [sniffer]AW: [sniffer]AW: [sniffer]AW: 
 [sniffer]Concerned about amount of spam going through
 
 Sorry in the table below the column header SH and HS must be switched.
 
 Markus
 
  
 
  -Ursprüngliche Nachricht-
  Von: Message Sniffer Community
  [mailto:[EMAIL PROTECTED] Im Auftrag von Markus Gufler
  Gesendet: Dienstag, 6. Juni 2006 12:17
  An: Message Sniffer Community
  Betreff: [sniffer]AW: [sniffer]AW: [sniffer]Concerned about 
 amount of 
  spam going through
  
  Hi
  
  There must be something wrong with your configuration of the sniffer
  test(s)
  
  Here are my numbers from yesterday based on 24462 processed messages
  
  Date  Test              SS    SH  HH  HS  IMP
  0605  SNIFFER-TRAVEL      12   0   0  23    2
  0605  SNIFFER-INSUR        4   0   0   0    0
  0605  SNIFFER-AV           0   0   0   0    0
  0605  SNIFFER-MEDIA     1345   0   0   0    8
  0605  SNIFFER-SWARE       73   0   0   0    0
  0605  SNIFFER-SNAKE     8386   0   0   0    9
  0605  SNIFFER-SCAMS      138   0   0   2    3
  0605  SNIFFER-PORN       908   0   0   1    3
  0605  SNIFFER-MALWARE     12   0   0   2    3
  0605  SNIFFER-INK          2   0   0   0    0
  0605  SNIFFER-RICH      2865   0   0   2  219
  0605  SNIFFER-CREDIT     363   0   0   0    1
  0605  SNIFFER-CASINO     300   0   0   0    0
  0605  SNIFFER-GENERAL   2881   0   0  41   41
  0605  SNIFFER-EXP-A      450   0   0  36    7
  0605  SNIFFER-OBFUSC       4   0   0   5    0
  0605  SNIFFER-EXP-IP      28   0   0   8    5
  
  
  SS    Sniffer says spam, final result too
  SH    Sniffer says spam, final result not
  HH    Sniffer says ham, final result too
  HS    Sniffer says ham, final result not
  
  IMP   Sniffer says spam and final result is slightly above the hold weight.
        (This column is a part of the SS-column: 100-150% of hold)
        So
        a.) it's an important test because it's able to bring the spam above the hold
            weight and without this test it wasn't held as spam.
        or
        b.) it's a risky test because it brings legit messages above the hold weight
  
  What result codes are you using in your test configuration? 
  (please do not publish your sniffer-id!)
  
  Markus
  
  
  
  
   -Ursprüngliche Nachricht-
   Von: Message Sniffer Community
   [mailto:[EMAIL PROTECTED] Im Auftrag von David Waller
   Gesendet: Dienstag, 6. Juni 2006 11:51
   An: Message Sniffer Community
   Betreff: Re: [sniffer]AW: [sniffer]Concerned about amount of spam 
   going through
   
   Of all SPAM identified SNIFFER is finding about 30%. We see an awful 
   lot of junk email not being caught by SNIFFER, it's being processed by 
   Declude and failing some technical tests but not by SNIFFER.
   
   -Original Message-
   From: Message Sniffer Community
   [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
   Sent: 06 June 2006 09:41
   To: Message Sniffer Community
   Subject: [sniffer]AW: [sniffer]Concerned about amount of 
 spam going 
   through
   
    I only see Sniffer catching about 30% of SPAM and that's the highest 
    it's ever been.
   
   30% of spam or 30% of all processed messages?
   Sniffer is still one of the best tests in my arsenal.
   
   Markus
   
   
   

Re: [sniffer]Numeric spam

2006-06-06 Thread Steve Guluk
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

 We're getting the same and today it started hitting a different account (Domain).

 What are these things? I thought exploratory, maybe looking for replies to build 
 a DB for a later spam wave? They're not malicious in content and look like 
 someone's virus working incorrectly. But, I doubt they are really so benign.

 Any understand their purpose?

 On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

  I started seeing these messages Monday (yesterday) morning EDT. The from 
  and to are the same (ie you sent it to yourself). I am tagging it but 
  there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are?
Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769

Re: [sniffer]Numeric spam

2006-06-06 Thread Colbeck, Andrew



 So no one has any idea what the purpose of these emails are?

The bad guys aren't telling. The good guys have lots of theories, such as:

http://isc.sans.org/diary.php?storyid=1384

and also:

http://www.f-secure.com/weblog/archives/archive-062006.html#0894

which in turn points to this UseNet thread:

http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2

which has a rather low signal to noise ratio. Suffice it to say that in that 
thread, they eventually come up with "spammers fake the from address on a 
regular basis, yes, even yours" and "hey, we don't know what this is".

The bad guys have certainly spewed out broken junk before, which doesn't seem to 
suit their purpose; all I can see it accomplishing is exposing previously clean 
IP addresses as zombies with no commercial gain.

(Hmm... ok, to follow that previous sentence you need to share my 
understanding that the bad guys regularly burn many previously clean IP 
addresses at one go by using the zombies on those machines to pump out 
a new spam run, thus evading the IP based blacklists until those blacklists 
catch up. Since their commercial messages get through to mailboxes in the 
meantime, that is a good tradeoff from their point of view. No payload in 
the numeric spam means no commercial gain.)

The only theories that I can get behind revolve around 
information-gathering. Since the MAILFROM is not an address under their 
control, the bad guys could glean a little information to clean their address 
lists by collecting 500-level SMTP error messages from each of their 
zombies.

That would only give them partial information and would require that they co-ordinate 
the data back from their many zombies. And it supposes that the bad guys 
care about list scrubbing. The greatest supposition is that they would do 
this without commercial gain; after all, they could have done this without a 
special spam run.

I think they just screwed up again.

Andrew 8)


 From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
 Sent: Tuesday, June 06, 2006 3:46 PM
 To: Message Sniffer Community
 Subject: Re: [sniffer]Numeric spam

 On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

  We're getting the same and today it started hitting a different account (Domain).

  What are these things? I thought exploratory, maybe looking for replies 
  to build a DB for a later spam wave? They're not malicious in content and look 
  like someone's virus working incorrectly. But, I doubt they are really 
  so benign.

  Any understand their purpose?

  On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

   I started seeing these messages Monday (yesterday) morning EDT. The from 
   and to are the same (ie you sent it to yourself). I am tagging it but 
   there is not enough stuff to push it into DELETE territory.

 So no one has any idea what the purpose of these emails are?
 Random numbers for no apparent reason...?

 Regards,

 Steve Guluk
 SGDesign
 (949) 661-9333
 ICQ: 7230769


Re: [sniffer]Numeric spam

2006-06-06 Thread John Carter
You know we are dealing with some pretty sick puppies when it comes to these 
spammers.  It would be ironic if one is just doing this to play with our heads.

John C

-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date:  Tue, 6 Jun 2006 16:07:25 -0700

 So no one has any idea what the purpose of these emails are?
 
The bad guys aren't telling.  The good guys have lots of theories, such
as:
 
http://isc.sans.org/diary.php?storyid=1384
 
and also:
 
http://www.f-secure.com/weblog/archives/archive-062006.html#0894
 
which in turn points to this UseNet thread:
 
http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2
 
which has a rather low signal to noise ratio.  Suffice it to say that in
that thread, they eventually come up with spammers fake the from
address on a regular basis, yes, even yours and hey, we don't know
what this is.
 
The bad guys have certainly spewed out broken junk before, which doesn't
seem to suit their purpose; all I can see it accomplishing is exposing
previously clean IP addresses as zombies with no commercial gain.
 
(Hmm... ok, to follow that previous sentence you need to share my
understanding that the bad guys regularly burn many previously clean IP
addresses at one go by using the zombies on those machines to pump out a
new spam run, thus evading the IP based blacklists until those
blacklists catch up.  Since their commercial messages get through to
mailboxes in the meantime, that is a good tradeoff from their point of
view.  No payload in the numeric spam means no commercial gain.)
 
The only theories that I can get behind revolve around
information-gathering.  Since the MAILFROM is not an address under their
control, the bad guys could glean a little information to clean their
address lists by collecting 500-level SMTP error messages from each of
their zombies.
 
That would only give them partial information and would require that
they co-ordinate the data back from their many zombies.  And it supposes
that the bad guys care about list scrubbing.  The greatest supposition
is that they would do this without commercial gain; after all, they
could have done this without a special spam run.
 
I think they just screwed up again.
 
Andrew 8)
 
 
 


   From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
   Sent: Tuesday, June 06, 2006 3:46 PM
   To: Message Sniffer Community
   Subject: Re: [sniffer]Numeric spam

   On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

    We're getting the same and today it started hitting a different account (Domain). 

    What are these things? I thought exploratory, maybe looking for replies to 
    build a DB for a later spam wave? They're not malicious in content and look 
    like someone's virus working incorrectly. But, I doubt they are really so 
    benign. 

    Any understand their purpose?

    On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

     I started seeing these messages Monday (yesterday) morning EDT. The from 
     and to are the same (ie you sent it to yourself). I am tagging it but 
     there is not enough stuff to push it into DELETE territory.

   So no one has any idea what the purpose of these emails are?

   Random numbers for no apparent reason...?

   Regards, 

   Steve Guluk
   SGDesign
   (949) 661-9333
   ICQ: 7230769




[sniffer]Re[2]: [sniffer]A design question - how many DNS based tests?

2006-06-06 Thread Pete McNeil
Hello Matt,

Tuesday, June 6, 2006, 12:37:56 PM, you wrote:

<snip/>

 appropriately and tend to hit less often, but the FP issues with
 Sniffer have grown due to cross checking automated rules with other
 lists that I use, causing two hits on a single piece of data.  For
 instance, if SURBL has an FP on a domain, it is possible that
 Sniffer will pick that up too based on an automated cross reference,
 and it doesn't take but one  additional minor test to push something
 into Hold on my system.

Please note. It has been quite some time now that the cross-reference
style rule-bots have been removed from our system. In fact, at the
present time we have no automated systems that add new domain rules.

Another observation I might point out is that many RBLs will register
a hit on the same IP - weighting systems using RBLs actually depend on
this. An IP rule hit in SNF should be treated similarly to other RBL
type tests. This is one of the reasons that we code IP rules to group
63 - so that they are trumped by a rule hit in any other group and
therefore are easily isolated from the other rules.

<snip/>

 handling false positive reports with Sniffer is cumbersome for both
 me and Sniffer.

The current process has a number of important goals:

* Capture as much information as possible about any false positive so
that we can improve our rule coding processes.

* Preserve the relationship with the customer and ensure that each
case reaches a well-informed conclusion with the customer's full
knowledge.

* Protect the integrity of the rulebase.

This link provides a good description of our false positive handling
process:

http://kb.armresearch.com/index.php?title=Message_Sniffer.FAQ.FalsePositives

Can you recommend an alternate process, or changes to the existing
process that would be an improvement and would continue to achieve
these goals? We are always looking for ways to improve.

 I would hope that any changes
 seek to increase accuracy above all else.  Sniffer does a very good
 job of keeping up with spam, and its main issues with leakage are
 caused by not being real-time, but that's ok with me.  At the same
 time Sniffer is the test most often a part of false positives, being
 a contributing factor in about half of them.

Log data shows that SNF tags on average more than 74% of all email
traffic and a significantly higher percentage of spam typically.

It would seem that it is likely that SNF would also represent highly
in the percentage of false positives (relative to other tests with
lower capture rates) for any given system since it is represented
highly in email traffic as a whole.

You've also indicated that you weight SNF differently than your other
tests - presumably giving it more weight (this is frequently the case
on many systems).

How much do you feel these factors contribute to your findings?

 About 3/4 of all FP's (things that are blocked by my system) are
 some form of automated or bulk E-mail.  That's not to say that other
 tests are more accurate; they are just scored more appropriately and
 tend to hit less often, but the FP issues with Sniffer have grown
 due to cross checking automated rules with other lists that I use,
 causing two hits on a single piece of data,

W/regard causing two hits on a single piece of data: SNF employs a
wide variety of techniques to classify messages so it is likely that a
match in SNF will coincide with a match in some other tests. In fact,
as I pointed out earlier, filtering systems that apply weights to
tests depend on this very fact to some extent.

What makes weighting systems powerful is that when more than one test
does trigger on a piece of data, such as an IP or URI fragment, that
the events leading up to that match were distinct for each of the
matching test. This is the critical component to reducing errors
through a voting process.

Test A uses process A to reach conclusion Z.

Test B uses process B to reach conclusion Z.

Process A is different from process B and so the inherent errors in
process A are different than the errors in process B and so we presume
it is unlikely that an error in Test A will occur under the same
conditions as the errors in Test B.

If a valid test result is the signal we want, and an erroneous test
result is noise on top of that signal then it follows:

By combining the results of Test A and Test B we have the opportunity
to increase the signal to noise ratio to the extent our assumptions
about errors are true. In fact, if no error occurs in both A and B
under the same circumstances, then defining a new test C as (A+B/2)
will produce a signal that is twice as clear as test A or B on its
own.

If I follow what you have said about false positives and SNF matching
other tests, then you are describing a situation where the process for
SNF and the alternate tests are the same - or put another way, that
SNF somehow represents a copy of the other test and so will also
contain the same errors. If that's the case then the 

Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support



I thought that having an SPF record would prevent a spammer from forging your 
domain name, but our SPF record did not seem to help with these odd numeric 
E-mails which appear to be coming from our own domain.

Does anyone have any info about SPF records and if they really work to combat 
this type of junkmail?


Michael Stein
Computer House



  - Original Message - 
  From: Colbeck, Andrew
  To: Message Sniffer Community
  Sent: Tuesday, June 06, 2006 7:37 PM
  Subject: Re: [sniffer]Numeric spam
  
  Both of which are reasonable, particularly given the recent Blue Security 
  debacle that showed that it was possible for the spammers as well as the 
  spammees to coordinate their information. It might be in a spammer's best 
  interest to pursue either of your suggestions.
  
  However, I still think it is more credible to assume that this is a case of 
  the spammer being simple-stupid instead of uber-clever.
  
  Andrew 8)


   From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
   Sent: Tuesday, June 06, 2006 4:26 PM
   To: Message Sniffer Community
   Subject: Re: [sniffer]Numeric spam

   My thought is they are either building a db of valid names or testing 
   delivery techniques.

   John T
   eServices For You

   "Seek, and ye shall find!"


    -Original Message-
    From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
    Sent: Tuesday, June 06, 2006 3:46 PM
    To: Message Sniffer Community
    Subject: Re: [sniffer]Numeric spam

    On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

     We're getting the same and today it started hitting a different account 
     (Domain).

     What are these things? I thought exploratory, maybe looking for replies 
     to build a DB for a later spam wave? They're not malicious in content and 
     look like someone's virus working incorrectly. But, I doubt they are 
     really so benign.

     Any understand their purpose?

     On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

      I started seeing these messages Monday (yesterday) morning EDT. The from 
      and to are the same (ie you sent it to yourself). I am tagging it but 
      there is not enough stuff to push it into DELETE territory.

    So no one has any idea what the purpose of these emails are?
    Random numbers for no apparent reason...?

    Regards,

    Steve Guluk
    SGDesign
    (949) 661-9333
    ICQ: 7230769

Re: [sniffer]Numeric spam

2006-06-06 Thread Darin Cox



They do, but you have to both specify that email 
for your domains only comes from your mail servers AND use a test in your spam 
filtering that checks SPF and pushes fails over your hold limit.
Darin.


- Original Message - 
From: Computer 
House Support 
To: Message Sniffer Community 
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

I thought that having an SPF record would prevent a 
spammer from forging your domain name, but our SPF record did not seem to help 
with these odd numeric E-mails which appear to be coming from our 
owndomain.

Does anyone have any info about SPF records and if they 
really work to combat this type of junkmail?


Michael SteinComputer House



  - Original Message - 
  From: Colbeck, Andrew 
  To: Message Sniffer Community 
  Sent: Tuesday, June 06, 2006 7:37 PM
  Subject: Re: [sniffer]Numeric spam
  
  Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions.
  
  However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.
  
  Andrew 8)
  


From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Tuesday, June 06, 2006 4:26 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

My thought is they are either building a db of valid names or testing delivery techniques.

John T
eServices For You

"Seek, and ye shall find!"



Re: [sniffer]Numeric spam

2006-06-06 Thread Computer House Support



Hi Darin,

Thanks for your reply. Sure wish I understood what you're saying


Michael Stein
Computer House




Re: [sniffer]SPF

2006-06-06 Thread Darin Cox



What's your hold weight? If spam is only failing SPF and nothing else, then the message doesn't get held, so you don't see it.

Also, I do not recommend negative weighting SPFPASS. Spammers have SPF records, too, so you're giving them an opportunity to exploit it.

Lastly, I think you may be confused on your SPF records. They should not have the "name" portion. There is only one SPF record per domain.

So, for computerhouse.com, your SPF record should simply be

v=spf1 mx -all

which tells it your MX is allowed to send mail for your domain (the "mx" part), but all others should fail (the "-all" part).

Please keep related communication on the list for others' benefit as well.
Darin.


- Original Message - 
From: Computer House Support 
To: [EMAIL PROTECTED] 
Sent: Tuesday, June 06, 2006 9:40 PM
Subject: SPF

Hi Darin,

Thanks for your offer to help. I am E-mailing you off-list.

We do use Declude. The entry in our $default$.junkmail file looks like this:

SPFFAIL       WARN
SPFPASS       WARN
SPFUNKNOWN    WARN

However, I have never seen an "SPF Failure" in the header of a spam mail.

Global.cfg: 
SPFFAIL    spffail    x    30
SPFPASS    spfpass    x    -10


Our SPF Record looks like this:

computerhouse.com.        IN TXT "v=spf1 mx mx:mail.computerhouse.com"
mail.computerhouse.com.   IN TXT "v=spf1 a -all"

Your insight is appreciated.


Michael Stein
Computer House






  - Original Message - 
  From: Darin Cox 
  To: Message Sniffer Community 
  Sent: Tuesday, June 06, 2006 9:30 PM
  Subject: Re: [sniffer]Numeric spam
  
  What do you use for spam filtering? Declude has the ability to test SPF, for example.
  
  Also, what is your SPF record for the domain in question?
  Darin.
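To make Darin's point about "mx" and "-all" concrete, here is a small SPF evaluator in Python added as a worked example; it is not code from the list thread, from Declude or from Sniffer. It resolves names against a constructed in-memory DNS table (the hostnames are the ones posted in the thread, the IP addresses are RFC 5737 documentation addresses, and the hold weight of 40 is a constructed value; the thread does not state Michael's hold weight). It evaluates both records discussed: the posted record without a terminal "all" and the suggested "v=spf1 mx -all". A record in which no mechanism matches yields "neutral" under RFC 4408 section 4.7, so the posted record never produces a fail for a forged sender, while the corrected record does; and with the SPFFAIL weight of 30 from the posted global.cfg, a fail alone still does not reach a hold weight above 30, which is why the message is tagged rather than held.

```python
"""Minimal SPF (RFC 4408-style) evaluator over a constructed in-memory DNS table.

Added example, not code from the list thread or from Declude. It supports the
mechanisms the thread uses ("mx", "mx:host", "a", "a:host", "ip4:cidr", "all")
with the four qualifiers, and compares the two records discussed on the list.
Hostnames come from the thread; IP addresses and the hold weight are constructed.
"""
import ipaddress

# Constructed zone data using RFC 5737 documentation addresses.
DNS = {
    "computerhouse.com.":      {"MX": ["mail.computerhouse.com."], "A": []},
    "mail.computerhouse.com.": {"MX": [], "A": ["192.0.2.10"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def _a_records(name):
    return DNS.get(_fqdn(name), {}).get("A", [])


def _mx_hosts(name):
    return DNS.get(_fqdn(name), {}).get("MX", [])


def mechanism_matches(mech, ip, domain):
    """Return True if one SPF mechanism (qualifier already stripped) matches ip."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    target = arg or domain            # "a" and "mx" default to the checked domain
    if name == "a":
        return ip in _a_records(target)
    if name == "mx":
        return any(ip in _a_records(mx) for mx in _mx_hosts(target))
    raise ValueError("unsupported mechanism: " + mech)


def check_host(ip, domain, record):
    """Evaluate an SPF record left to right; the first matching mechanism decides.

    Per RFC 4408 section 4.7, a record in which nothing matches (and that has no
    redirect modifier) yields "neutral". That is why a record lacking a terminal
    "-all" never produces a fail for forged mail.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


# Weights from the global.cfg posted in the thread: SPFFAIL 30, SPFPASS -10.
# HOLD_WEIGHT is constructed for illustration; the thread does not state it.
SPF_WEIGHTS = {"fail": 30, "pass": -10}
HOLD_WEIGHT = 40


def spf_weight(result):
    """Weight contributed by the SPF result alone (neutral/none add nothing)."""
    return SPF_WEIGHTS.get(result, 0)


def held_on_spf_alone(ip, domain, record):
    """True only if the SPF contribution by itself reaches HOLD_WEIGHT."""
    return spf_weight(check_host(ip, domain, record)) >= HOLD_WEIGHT


OLD_RECORD = "v=spf1 mx mx:mail.computerhouse.com"   # as posted: no terminal "all"
NEW_RECORD = "v=spf1 mx -all"                        # the suggested record

if __name__ == "__main__":
    for ip, who in (("192.0.2.10", "real MX"), ("198.51.100.7", "forged sender")):
        for label, rec in (("old", OLD_RECORD), ("new", NEW_RECORD)):
            r = check_host(ip, "computerhouse.com", rec)
            print(f"{who:14s} {label} record -> {r:8s} weight {spf_weight(r):+d}")
```

Running the block prints the four combinations: the real MX passes under both records, the forged sender is neutral under the posted record and fails under the corrected one, and the fail contributes +30, short of the constructed hold weight on its own.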