Pete McNeil
Mon, 10 May 2010 11:25:18 -0700
On 5/10/2010 2:15 PM, Michael Cummins wrote:
Sniffer is doing its job well, but I am nearly overwhelmed by the load - to the point where I might have to turn sniffer off to reduce my processing footprint. I've already commented out INVURIBL. My customers don't like lag at all. That being said, I wonder how I can better protect myself from botnets. Do you think that if I parsed the sniffer / declude logs and harvested IPs that sent me X pieces of mail rating a ridiculous score of X and then adding them to an internal RBL or blacklist would make a difference?
We do that in real-time with most eWall installations. SNF hits are added to the black-list for 1 hour in some cases... works pretty well.
Also (new) Have you looked at truncate.gbudb.net? IPs consistently in truncate on GBUdb nodes across the 'Net (not just your system) are listed. (returns 127.0.0.2)
Or are these botnets too varied and well managed for that to make a difference?
R&D shows that it works -- but must be done quickly to be effective.

Best, _M
--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com

#############################################################
This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>
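One way to do the log harvesting Michael asks about, with the one-hour listing Pete describes, plus building the query name and reading the 127.0.0.2 answer for truncate.gbudb.net. This is an added example, not code from either poster or from Sniffer, Declude or eWall; the log line format, the score threshold and the hit count are assumptions made for the demo.

```python
# Added example, not code from the thread's authors or from Sniffer/Declude.
# The log line format "<epoch> <ip> score=<n>" is constructed for this demo.
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+score=(-?\d+)$")
TRUNCATE_ZONE = "truncate.gbudb.net"
TRUNCATE_LISTED = "127.0.0.2"  # "listed" answer, as stated in the thread


def parse_line(line):
    """Return (timestamp, ip, score) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return (int(m[1]), m[2], int(m[3])) if m else None


class Blacklist:
    """List an IP once it sent >= min_hits messages scoring >= min_score
    within ttl seconds; the listing lasts ttl seconds (1 hour by default)."""

    def __init__(self, min_score=100, min_hits=3, ttl=3600):
        self.min_score, self.min_hits, self.ttl = min_score, min_hits, ttl
        self.hits = defaultdict(list)  # ip -> timestamps of qualifying hits
        self.listed = {}               # ip -> expiry timestamp

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None or parsed[2] < self.min_score:
            return
        ts, ip, _ = parsed
        # keep only hits inside the sliding window, then add this one
        self.hits[ip] = [t for t in self.hits[ip] if ts - t < self.ttl] + [ts]
        if len(self.hits[ip]) >= self.min_hits:
            self.listed[ip] = ts + self.ttl  # refresh expiry on every hit

    def is_listed(self, ip, now):
        expiry = self.listed.get(ip)
        return expiry is not None and now < expiry


def truncate_query_name(ip):
    """DNSBL query name: reversed octets under the truncate zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + TRUNCATE_ZONE


def truncate_listed(answers):
    """True if the A records returned for a truncate query include 127.0.0.2."""
    return TRUNCATE_LISTED in answers
```

The DNS lookup itself is left to the caller (any resolver library); `truncate_query_name` gives the name to ask for and `truncate_listed` interprets the answer, so the MTA can check the shared list before spending a full scan on the message.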