[sniffer] Re: July 18
Hello Greg,

Wednesday, July 18, 2007, 3:38:44 PM, you wrote:

> Not sure what is up but I'm seeing lots of messages getting through
> to my primary folder since yesterday. Lots of .pdf
> attachments - Just checked and 10/11 were spam messages in my inbox.

There have been several mutations of the pdf spam in the past 15 hours especially.

One of the earlier variations took some time to figure out because the blackhats began inserting extra invisible characters into the message that confuse text editors and pattern matching engines -- we have since created rules that compensate (as of about 0230E).

Moments ago we saw a new version that we were able to predict just before it went live -- for a period just longer than 2 hours we saw 4x our normal traffic (all blocked) as new bots were launched to emit the new version.

At the moment we seem to have the current versions of pdf spam under control and telemetry indicates that these rules are fully deployed as of this time.

Please understand, however, this is an ongoing process. We will no doubt see more variations that bypass all/most filters for some period of time -- that is, after all, the goal of the blackhats. The ones behind the pdf spam are perhaps the most well funded, dedicated, and sophisticated of the bunch. There is no doubt that they test each version against most filtering systems before publishing them to their bot nets, with a heavy emphasis on new bots that are not yet known to blocking lists. This strategy virtually guarantees that a useful fraction of their content will get through before it becomes blocked.

We will continue to develop predictive rule sets and rapid-response mechanisms to thwart these efforts wherever possible and to minimize the leakage in any case.

Thanks for your patience and understanding!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

# This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: July 18
There have been a lot reported today. It started for us about 8:30am.

We use Declude and added a filter to catch messages with subjects starting with "Emailing:", ending with ".pdf" and having a body containing "The message is ready to be sent with the following file or link". This combination may result in false positives, but has not for us today. The headers appear too varied to identify anything in them for use in the filtering process.

Darin.

- Original Message -
From: <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Wednesday, July 18, 2007 3:38 PM
Subject: [sniffer] July 18

Not sure what is up but I'm seeing lots of messages getting through to my primary folder since yesterday. Lots of .pdf attachments - Just checked and 10/11 were spam messages in my inbox.

Thanks,
Greg
CoffeyNet/AllureTech
1546 E. Burlington
Casper, WY 82601
v 307-473-2323
cell 307-259-7962
fax 307-237-3709
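Darin's three-part rule expressed as a reusable check, added here as an example in Python (not Declude configuration and not code from the list), with the invisible-character stripping Pete mentions folded in before matching; the thread does not say which invisible characters the spam used, so the zero-width set below is an assumption, and the sample messages are constructed.

```python
import re
import unicodedata

# Invisible code points removed before matching. The thread only says "extra
# invisible characters" were inserted; this set (zero-width space / non-joiner /
# joiner, word joiner, soft hyphen, BOM) is an assumption, not from the thread.
INVISIBLE = re.compile("[\u200b\u200c\u200d\u2060\u00ad\ufeff]")

# The three conditions Darin's Declude filter combines (all must hold).
SUBJECT_PREFIX = "emailing:"
SUBJECT_SUFFIX = ".pdf"
BODY_MARKER = "the message is ready to be sent with the following file or link"


def normalize(text: str) -> str:
    """Strip invisible characters, NFKC-fold look-alikes, collapse whitespace, lowercase."""
    text = INVISIBLE.sub("", text)
    text = unicodedata.normalize("NFKC", text)
    return " ".join(text.split()).lower()


def is_pdf_spam(subject: str, body: str) -> bool:
    """AND of all three conditions; the conjunction is what keeps false positives low."""
    s = normalize(subject)
    b = normalize(body)
    return s.startswith(SUBJECT_PREFIX) and s.endswith(SUBJECT_SUFFIX) and BODY_MARKER in b


def scan(messages):
    """Return (subject, verdict) for each (subject, body) pair."""
    return [(subject, is_pdf_spam(subject, body)) for subject, body in messages]


# Constructed samples: two spam-template hits (the second with zero-width spaces
# sprinkled in to defeat naive substring matching) and two legitimate messages.
SAMPLES = [
    ("Emailing: invoice.pdf",
     "The message is ready to be sent with the following file or link attachments: invoice.pdf"),
    ("Emai\u200bling: report.pdf",
     "The mess\u200bage is ready to be sent with the following file or link"),
    ("Emailing: holiday.jpg",
     "The message is ready to be sent with the following file or link attachments: holiday.jpg"),
    ("Re: contract.pdf",
     "Please find the signed contract attached."),
]

if __name__ == "__main__":
    for subject, verdict in scan(SAMPLES):
        print(f"{'SPAM ' if verdict else 'clean'}  {subject!r}")
```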
[sniffer] July 18
Not sure what is up but I'm seeing lots of messages getting through to my primary folder since yesterday. Lots of .pdf attachments - Just checked and 10/11 were spam messages in my inbox.

Thanks,
Greg
CoffeyNet/AllureTech
1546 E. Burlington
Casper, WY 82601
v 307-473-2323
cell 307-259-7962
fax 307-237-3709