Hi Pete,

Thank you for the information and advice on how to check our own messages for the problem. Since asking about this issue I've discovered another user got hacked. Their account sent out about 45,000 spam emails today. It seems pretty clear that was the culprit.

I'm now in the process of forcing all our users to use a password manager and to use complex, unique passwords for everything.

Thanks Again,
Daniel

----- Original Message -----
From: "Pete McNeil" <madscient...@armresearch.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Friday, November 2, 2018 2:21:45 PM
Subject: [sniffer] Re: Our IP got listed on GBUdb Truncate

On 11/2/18 11:52, Daniel Bayerdorffer wrote:
>
> Is there any way for us to see what the offending email was that got us
> on the list? Or some other data point to help us clean up our system?

SNF doesn't leak message info -- With the exception of auto-sampling of spam (truncated messages, and only if you have it enabled) we don't see message content. What we do get are anonymous statistics and training data.

The good news is that you are running SNF, so you can scan your messages and identify any content that might have triggered SNF. Truncate is trained by counting good and bad events -- bad events are when a message matches spam/malware patterns. ... so you can actually check with your own scanner.

Truncate is completely automated... so we can't change the list data. It actually doesn't come from a database but rather by skimming the telemetry for these events. In effect the reputation for any given IP resides in each SNF instance around the globe and the truncate list works by eavesdropping on the conversations between those nodes as they "discuss" IP reputations.

If the IP is still listed and you send a note to support with the IP requesting a trace then we can collect some events with timestamps. That may help you track things down -- but since you're an SNF user you would probably do better with your own scanner.

Hope this helps.
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#############################################################
This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>
#############################################################
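An illustrative model of the two things the thread touches on, added here as an example and not code from SNF, ARM Research or either poster: the per-IP good/bad event tally Pete describes (here computed from one site's own scanner verdicts, without the cross-node telemetry Truncate actually uses) and a per-sender outbound burst check for the compromised-account case Daniel reports. The log format, field layout and thresholds are assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample scan records (hypothetical format, not SNF output):
# timestamp  source-IP  authenticated-sender  scanner-verdict
SAMPLE_LOG = """\
2018-11-02T09:00:01 192.0.2.10 alice clean
2018-11-02T09:00:05 192.0.2.10 bob clean
2018-11-02T09:00:09 192.0.2.10 carol clean
2018-11-02T09:01:10 192.0.2.10 dave spam
2018-11-02T09:01:11 192.0.2.10 dave spam
2018-11-02T09:01:12 192.0.2.10 dave malware
2018-11-02T09:01:13 192.0.2.10 dave spam
2018-11-02T09:02:00 198.51.100.7 erin clean
2018-11-02T09:02:30 198.51.100.7 erin clean
"""

def parse_log(text):
    """Return (ip, sender, verdict) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            out.append((parts[1], parts[2], parts[3]))
    return out

def ip_reputation(events, min_events=5, bad_ratio=0.5):
    """Per-IP good/bad counts; a 'bad' event is a spam or malware match.
    min_events and bad_ratio are illustrative thresholds, not Truncate's."""
    good, bad = Counter(), Counter()
    for ip, _sender, verdict in events:
        (bad if verdict in ("spam", "malware") else good)[ip] += 1
    report = {}
    for ip in set(good) | set(bad):
        total = good[ip] + bad[ip]
        ratio = bad[ip] / total
        report[ip] = {"good": good[ip], "bad": bad[ip], "ratio": round(ratio, 2),
                      "listed": total >= min_events and ratio >= bad_ratio}
    return report

def burst_senders(events, factor=3):
    """Authenticated senders whose volume exceeds factor x the median sender;
    a crude local check for a single account that starts spewing mail."""
    per_sender = Counter(sender for _ip, sender, _v in events)
    if len(per_sender) < 2:
        return []
    baseline = median(per_sender.values())
    return sorted(s for s, n in per_sender.items() if n > factor * baseline)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(ip_reputation(ev))      # 192.0.2.10 listed, 198.51.100.7 not
    print(burst_senders(ev))      # ['dave']
```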