[sniffer] Re: Opening truncate.gbudb.net
I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight. In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise leak into my mailboxes. Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test to combine with other weighted tests.

P.S. I'm also finding that truncate is triggering on email from some ISP users when I check multiple hops in the header. That probably means that I'm finding users with zombie-infected computers, but I'm letting that mail in, so checking which IP addresses were hit is a small problem if I want to contact those people.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net

Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M

# This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: sniffer-...@sortmonster.com To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: Opening truncate.gbudb.net
We had a hacker send bogus requests for login name, password and birth date to all our mail customers on one domain. 6 gave it up and made my life fun babysitting the mail server for the last week. Makes ya wonder how many give up credit card and bank info? The message did appear very legitimate, much better than average grammar, spelling and syntax. We never ask anyone for their BD but they probably forget that.

One impacted customer wanted me to put their original pw back in. Boss can't learn a new one! Sheesh..

------ Original Message ------
From: Colbeck, Andrew acolb...@bentall.com
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date: Mon, 10 May 2010 09:03:27 -0700

> I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight. In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise leak into my mailboxes. Some of those also trigger SNIFFERSCAM.
[sniffer] Now OT: Re: [sniffer] Re: Opening truncate.gbudb.net
> One impacted customer wanted me to put their original pw back in. Boss can't learn a new one! Sheesh..

That makes me... cry.

Not mail-related: a user of our web app forgot his password today and was having a ridiculously hard time using our password reset form (basic enter-your-e-mail-and-submit, but he kept missing the submit part). He declared it broken and demanded a completely new account. I noted we can't do that without giving him a new username (old accounts stick around, the usual primary key/audit trail restriction) and suggested it would be harder to remember jimpatient2 than jimpatient. He got all kinds of crazy on me.

Fine, I said, I'll break policy. You have a brand-new account with the same name. And did nothing at all.

Then, he said, the reset form started working.

Cheers,
S.
[sniffer] Re: Opening truncate.gbudb.net
Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate hops which triggered on truncate.gbudb.net ... It was an intermediate hop at AOL (rly presumably means relay):

    Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com [205.188.84.131])
        by cia-mb07.mx.aol.com (v128.3) with ESMTP id MAILCIAMB071-d4074be4e089be;
        Fri, 07 May 2010 23:54:50 -0400

This IP address seems to bridge the gap between AOL webmail and SMTP delivery. In this case, the user used the AOL webmail and then forwarded the message to the mailbox on our system.

The GBU list is emitting TXT records as well as the A record; perhaps it would be useful to actually state the IP as well in that text.

    C:\temp> dig @8.8.8.8 131.84.188.205.truncate.gbudb.net any

    ; <<>> DiG 9.7.0rc1 <<>> @8.8.8.8 131.84.188.205.truncate.gbudb.net any
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55101
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;131.84.188.205.truncate.gbudb.net.    IN      ANY

    ;; ANSWER SECTION:
    131.84.188.205.truncate.gbudb.net. 3600 IN A   127.0.0.2
    131.84.188.205.truncate.gbudb.net. 3600 IN TXT "GBUdb Cloud Truncate c 0.2, p 0.9"

    ;; Query time: 812 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon May 10 13:08:17 2010
    ;; MSG SIZE  rcvd: 117

I suggest that if others find this valuable as well, and you find it reasonable, that the text could look like this:

    GBUdb Cloud Truncate c 0.2, p 0.9 for [205.188.84.131]

I'll send the whole header to support@ in case you are interested in this particular IP.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Opening truncate.gbudb.net

I looked at the effectiveness of this test and I like what I'm seeing. The volume isn't high, but it is making a difference in the edge cases that are close to my hold weight. In particular, I'm finding that it is triggering on pump and dump DKIM spam from fresh netblocks that would otherwise leak into my mailboxes. Some of those also trigger SNIFFERSCAM.

So if you don't trust the global truncate test alone, it's a good test to combine with other weighted tests.

P.S. I'm also finding that truncate is triggering on email from some ISP users when I check multiple hops in the header. That probably means that I'm finding users with zombie-infected computers, but I'm letting that mail in, so checking which IP addresses were hit is a small problem if I want to contact those people.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net

Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M
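The two things Andrew does by hand above, reversing an IP into the ip4r query name used in the dig command and then working out which of several Received: hops actually hit the list, are easy to get subtly wrong in a filter. The following Python is an added example written for this thread; it is not code from Message Sniffer, ARM Research or the list. The Received: headers are constructed samples (the AOL hop is the one quoted in the post; the 192.0.2.10 address is an RFC 5737 documentation address), and the DNS lookup is a stub, fake_resolver, that returns the same A and TXT answers the dig output shows, so it runs offline. A real deployment would replace the stub with an actual resolver call.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Zone name from the thread. Any answer inside 127.0.0.0/8 is treated as "listed"
# because the thread quotes both 127.0.0.1 (announcement) and 127.0.0.2 (dig output).
TRUNCATE_ZONE = "truncate.gbudb.net"
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Hops a public DNSBL will never list: loopback, RFC 1918, link-local.
SKIP_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample headers, newest hop first as they appear in a message.
# The AOL line is the one quoted in the thread; 192.0.2.10 is a documentation address.
SAMPLE_RECEIVED = [
    "from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org "
    "with ESMTP id abc123; Sat, 08 May 2010 00:01:02 -0400",
    "from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com [205.188.84.131]) "
    "by cia-mb07.mx.aol.com (v128.3) with ESMTP id MAILCIAMB071-d4074be4e089be; "
    "Fri, 07 May 2010 23:54:50 -0400",
    "from webmail-internal (localhost [127.0.0.1]) by cia-mb07.mx.aol.com; "
    "Fri, 07 May 2010 23:54:49 -0400",
]

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_TXT_SCORES = re.compile(r"\bc\s+([0-9.]+),\s*p\s+([0-9.]+)")


def hop_ips(received_headers: List[str]) -> List[str]:
    """Return the bracketed sending IP of each Received: header, in header order,
    dropping hops in ranges a public list cannot contain."""
    ips = []
    for hdr in received_headers:
        m = _BRACKET_IP.search(hdr)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in net for net in SKIP_RANGES):
            continue
        ips.append(str(addr))
    return ips


def ip4r_name(ip: str, zone: str = TRUNCATE_ZONE) -> str:
    """Reverse the octets and append the zone: 205.188.84.131 becomes
    131.84.188.205.truncate.gbudb.net, the name queried with dig in the thread."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def parse_truncate_txt(txt: str) -> Optional[Tuple[float, float]]:
    """Extract the (c, p) pair from a TXT answer such as
    'GBUdb Cloud Truncate c 0.2, p 0.9'. The 'for [ip]' suffix Andrew proposes
    is tolerated because only the c/p fields are matched."""
    m = _TXT_SCORES.search(txt)
    if not m:
        return None
    return float(m.group(1)), float(m.group(2))


# A resolver maps a query name to (A records, TXT records). Injected so the
# example runs offline; wrap a real DNS library here in production.
Resolver = Callable[[str], Tuple[List[str], List[str]]]


def fake_resolver(name: str) -> Tuple[List[str], List[str]]:
    """Constructed stub: the AOL relay answers exactly as in the thread's dig
    output; every other name is unlisted (empty answer)."""
    listed = {
        "131.84.188.205." + TRUNCATE_ZONE: (
            ["127.0.0.2"], ["GBUdb Cloud Truncate c 0.2, p 0.9"]),
    }
    return listed.get(name, ([], []))


def check_hops(received_headers: List[str],
               resolve: Resolver = fake_resolver) -> Dict[str, dict]:
    """Query every public hop against the zone and record, per IP, whether it
    was hit and the TXT scores, so a weighted filter (or a follow-up to the
    user) knows exactly which address triggered."""
    report = {}
    for ip in hop_ips(received_headers):
        a_records, txt_records = resolve(ip4r_name(ip))
        listed = any(ipaddress.ip_address(a) in LISTED_RANGE for a in a_records)
        scores = next((s for s in map(parse_truncate_txt, txt_records) if s), None)
        report[ip] = {"listed": listed, "scores": scores}
    return report


if __name__ == "__main__":
    for ip, result in check_hops(SAMPLE_RECEIVED).items():
        print(ip, "LISTED" if result["listed"] else "clean", result["scores"])
```

Because check_hops keys its report by the original IP rather than by the reversed query name, the "which IP addresses were hit" question from Andrew's first post is answered directly, and the per-hop result can be fed into a scoring engine as one weighted signal instead of an outright reject for intermediate relays such as the AOL one.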
[sniffer] Re: Opening truncate.gbudb.net
On 5/10/2010 4:16 PM, Colbeck, Andrew wrote:
> Hey, Pete.
>
> I contacted one of the recipients and ran down one of those intermediate hops which triggered on truncate.gbudb.net ... It was an intermediate hop at AOL (rly presumably means relay)

Ok.

<snip/>

> The GBU list is emitting TXT records as well as the A record, perhaps it would be useful to actually state the IP as well in that text.

<snip/>

> I suggest that if others find this valuable as well, and you find it reasonable, that the text could look like this:
>
> GBUdb Cloud Truncate c 0.2, p 0.9 for [205.188.84.131]

That's a useful suggestion. We're working on the GBUdb.com site now. We will want to include the URL in the text also. I'll combine the two suggestions when we're ready and then change the generator code appropriately.

> I'll send the whole header to support@ in case you are interested in this particular IP.

Presumably this is causing some false positives for somebody using SNF -- though they have not been reported.

For folks who want a more refined GBUdb response it would probably be useful to program drilldown directives for AOL servers. This would allow GBUdb to drill past the intermediate servers toward the original source where appropriate.

Of course, if this particular intermediate server is in the position to be heavily abused by folks hacking web mail on AOL then of course its reputation is going to reflect that.

Thanks,

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Opening truncate.gbudb.net
I've added it as a warn_if_reject on a backup mx that only seems to process junk...

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 4:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net

Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data (generated from Message Sniffer). We have decided to experiment with opening up the blacklist for a wider audience and so as of now you can use truncate.gbudb.net as an ip4r test.

You should get a result of 127.0.0.1 if the IP is well into the truncate range -- That is: truncate.gbudb.net is designed to be ultra-conservative so that it should be safe to reject connections based on the test in most cases. This also means that it won't block everything -- only the worst of the worst.

That said, the folks who have been testing it have reported that it did drop a significant amount of traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M