Hey, Pete.

I contacted one of the recipients and ran down one of those intermediate
hops which triggered on truncate.gbudb.net ... It was an intermediate
hop at AOL (rly presumably means relay)

Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com
[205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id
MAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400

This IP address seems to bridge the gap between AOL webmail and SMTP
delivery. In this case, the user used the AOL webmail and then forwarded
the message to the mailbox on our system.

The GBU list is emitting TXT records as well as the A record; perhaps it
would be useful to actually state the IP as well in that text.

C:\temp>dig @8.8.8.8 131.84.188.205.truncate.gbudb.net any

; <<>> DiG 9.7.0rc1 <<>> @8.8.8.8 131.84.188.205.truncate.gbudb.net any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55101
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;131.84.188.205.truncate.gbudb.net. IN  ANY

;; ANSWER SECTION:
131.84.188.205.truncate.gbudb.net. 3600 IN A    127.0.0.2
131.84.188.205.truncate.gbudb.net. 3600 IN TXT  "GBUdb Cloud Truncate c > 0.2, p > 0.9"

;; Query time: 812 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 10 13:08:17 2010
;; MSG SIZE  rcvd: 117

I suggest that if others find this valuable as well, and you find it
reasonable, that the text could look like this:

"GBUdb Cloud Truncate c > 0.2, p > 0.9 for [205.188.84.131]"

I'll send the whole header to support@ in case you are interested in
this particular IP.


Andrew.
 

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Colbeck, Andrew
Sent: Monday, May 10, 2010 9:03 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Opening truncate.gbudb.net


I looked at the effectiveness of this test and I like what I'm seeing.
The volume isn't high, but it is making a difference in the "edge cases"
that are close to my "hold weight".

In particular, I'm finding that it is triggering on pump and dump DKIM
spam from fresh netblocks that would otherwise leak into my mailboxes.
Some of those also trigger SNIFFERSCAM.

So if you don't trust the global "truncate" test alone, it's a good test
to combine with other weighted tests.

P.S. I'm also finding that truncate is triggering on email from some ISP
users when I check multiple hops in the header. That probably means that
I'm finding users with zombie infected computers, but I'm letting that
mail in, so checking which IP addresses were hit is a small problem if I
want to contact those people.


Andrew.

 

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On
Behalf Of Pete McNeil
Sent: Thursday, April 29, 2010 2:08 PM
To: Message Sniffer Community
Subject: [sniffer] Opening truncate.gbudb.net


Hi Sniffer Folks,

We have been testing a blacklist based on real-time GBUdb data
(generated from Message Sniffer).

We have decided to experiment with opening up the blacklist for a wider
audience and so as of now you can use truncate.gbudb.net as an ip4r
test.

You should get a result of 127.0.0.1 if the IP is well into the truncate
range -- That is: truncate.gbudb.net is designed to be
ultra-conservative so that it should be safe to reject connections based
on the test in most cases. This also means that it won't block
everything -- only the worst of the worst. That said, the folks who have
been testing it have reported that it did drop a significant amount of
traffic from their systems on average.

Please keep us all posted about how it's working for you.

Thanks,

_M
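A worked example, added to this page and not code from the list, from Message Sniffer or from ARM Research, covering Pete's ip4r test above and Andrew's "check multiple hops in the header" problem earlier in the thread: build the reversed-octet query name, walk every public relay in a Received: chain, and report which hop hit, with the TXT annotated with the offending IP in the form Andrew suggests. The zone name and the 127.0.0.2 / TXT answer are taken from the dig output in the thread; the resolver is pluggable so the sample runs offline against a stub reproducing that answer. The sample headers (apart from the AOL line quoted above), the internal-range skip list and the helper names (check_hops, system_resolve, stub_resolve) are constructed for illustration.

```python
"""Check each public hop of a Received: chain against an ip4r DNSBL.
Added example for this thread; the zone name and the 127.0.0.2 / TXT answer
come from the dig output above, everything else is assumed/constructed."""
import ipaddress
import re
import socket
from typing import Callable, List, NamedTuple, Optional, Tuple

ZONE = "truncate.gbudb.net"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")   # any 127/8 answer = listed

# Hops from these ranges are internal relays or loopback forwarding and are
# never meaningful against a public blacklist (assumed skip list).
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# IPv4 literal in square brackets, as MTAs write it in Received: headers.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# resolve(qname) -> (A record or None, TXT record or None)
Resolver = Callable[[str], Tuple[Optional[str], Optional[str]]]


class HopResult(NamedTuple):
    hop: int                # 0 = topmost (most recent) Received: header
    ip: str
    qname: str
    listed: bool
    answer: Optional[str]   # raw A record, e.g. "127.0.0.2"
    note: Optional[str]     # TXT with the IP appended, as Andrew suggests


def ip4r_name(ip: str, zone: str = ZONE) -> str:
    """205.188.84.131 -> 131.84.188.205.<zone>; raises ValueError on junk."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def received_ips(headers: str) -> List[str]:
    """Bracketed IP of every Received: header, topmost first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join folded lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = BRACKETED_IP.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SKIP_NETS)


def system_resolve(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """A-record-only lookup via the host resolver. TXT is not fetched here;
    that needs a DNS library such as dnspython (assumed, not shown)."""
    try:
        return socket.gethostbyname(qname), None
    except socket.gaierror:
        return None, None


def check_hops(headers: str, resolve: Resolver = system_resolve,
               zone: str = ZONE, max_hops: Optional[int] = None) -> List[HopResult]:
    """Query each public hop, most recent first, and record the verdict."""
    public = [(i, ip) for i, ip in enumerate(received_ips(headers))
              if not is_internal(ip)]
    if max_hops is not None:
        public = public[:max_hops]
    results = []
    for i, ip in public:
        qname = ip4r_name(ip, zone)
        answer, txt = resolve(qname)
        # Only 127/8 counts as a listing; a wildcard answer from a parked or
        # lapsed zone must not turn into a block-everything failure.
        listed = answer is not None and ipaddress.ip_address(answer) in LISTED_NET
        note = f"{txt} for [{ip}]" if listed and txt else None
        results.append(HopResult(i, ip, qname, listed, answer, note))
    return results


# Constructed sample: only the AOL hop is real (quoted from the thread).
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP id k1; Sat, 08 May 2010 00:01:02 -0400\n"
    "Received: from smtprly-dd03.mx.aol.com (smtprly-dd03.mx.aol.com\n"
    "\t[205.188.84.131]) by cia-mb07.mx.aol.com (v128.3) with ESMTP id\n"
    "\tMAILCIAMB071-d4074be4e089be; Fri, 07 May 2010 23:54:50 -0400\n"
    "Received: from webmail-fe (webmail-fe [192.168.1.5])\n"
    "\tby smtprly-dd03.mx.aol.com; Fri, 07 May 2010 23:54:49 -0400\n"
    "Subject: constructed sample\n"
)

# Stub zone reproducing the dig answer in the thread; all else is NXDOMAIN.
STUB_ZONE = {"131.84.188.205.truncate.gbudb.net":
             ("127.0.0.2", "GBUdb Cloud Truncate c > 0.2, p > 0.9")}


def stub_resolve(qname: str) -> Tuple[Optional[str], Optional[str]]:
    return STUB_ZONE.get(qname, (None, None))


if __name__ == "__main__":
    for r in check_hops(SAMPLE_HEADERS, resolve=stub_resolve):
        print(f"hop {r.hop} {r.ip:16} listed={r.listed} {r.note or ''}")
```

With the stub the AOL relay at hop 1 comes back listed with the annotated TXT, the private 192.168.1.5 hop is skipped, and the outer hop is clean. Swap in system_resolve (or a dnspython-based resolver that also returns TXT) for live checks; max_hops bounds how far down the chain you look, since older hops are increasingly forgeable and, as Andrew notes, often just an ISP customer's infected machine rather than the sender you want to block.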

#############################################################
This message is sent to you because you are subscribed to
  the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>