Re: [sniffer]Numeric spam

2006-06-06 Thread John Carter
You know we are dealing with some pretty sick puppies when it comes to these 
spammers.  It would be ironic if one is just doing this to play with our heads.

John C

-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date:  Tue, 6 Jun 2006 16:07:25 -0700

 So no one has any idea what the purpose of these emails is?
 
The bad guys aren't telling.  The good guys have lots of theories, such
as:
 
http://isc.sans.org/diary.php?storyid=1384
 
and also:
 
http://www.f-secure.com/weblog/archives/archive-062006.html#0894
 
which in turn points to this UseNet thread:
 
http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=st&q=1545453&rnum=2&fwc=2
 
which has a rather low signal to noise ratio.  Suffice it to say that in
that thread, they eventually come up with "spammers fake the from
address on a regular basis, yes, even yours" and "hey, we don't know
what this is."
 
The bad guys have certainly spewed out broken junk before, which doesn't
seem to suit their purpose; all I can see it accomplishing is exposing
previously clean IP addresses as zombies with no commercial gain.
 
(Hmm... ok, to follow that previous sentence you need to share my
understanding that the bad guys regularly burn many previously clean IP
addresses at one go by using the zombies on those machines to pump out a
new spam run, thus evading the IP based blacklists until those
blacklists catch up.  Since their commercial messages get through to
mailboxes in the meantime, that is a good tradeoff from their point of
view.  No payload in the numeric spam means no commercial gain.)
 
The only theories that I can get behind revolve around
information-gathering.  Since the MAILFROM is not an address under their
control, the bad guys could glean a little information to clean their
address lists by collecting 500-level SMTP error messages from each of
their zombies.
 
That would only give them partial information and would require that
they co-ordinate the data back from their many zombies.  And it supposes
that the bad guys care about list scrubbing.  The greatest supposition
is that they would do this without commercial gain; after all, they
could have done this without a special spam run.
 
I think they just screwed up again.
 
Andrew 8)
 
 
 



   From: Message Sniffer Community [mailto:[EMAIL PROTECTED]
On Behalf Of Steve Guluk
   Sent: Tuesday, June 06, 2006 3:46 PM
   To: Message Sniffer Community
   Subject: Re: [sniffer]Numeric spam
   
   

   On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

   We're getting the same and today it started hitting a
   different account (Domain).

   What are these things? I thought exploratory, maybe
   looking for replies to build a DB for a later spam wave? They're not
   malicious in content and look like someone's virus working incorrectly.
   But, I doubt they are really so benign.

   Anyone understand their purpose?

   On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

   I started seeing these messages Monday (yesterday) morning EDT. The from
   and to are the same (ie you sent it to yourself). I am tagging it but
   there is not enough stuff to push it into DELETE territory.


   
   

   So no one has any idea what the purpose of these emails is?

   Random numbers for no apparent reason...?

   Regards,

   Steve Guluk
   SGDesign
   (949) 661-9333
   ICQ: 7230769



#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to  [EMAIL PROTECTED]
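The two traits Goran and Steve describe above (From and To identical, nothing but digits in the message), as an added example that is not code from this list or from Message Sniffer: a small Python scorer that extracts both signals from a raw message and adds them up Declude-style. The sample messages and the weights are constructed for illustration; only the message-header From/To are compared, since the envelope MAIL FROM is not inside the stored message.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Body or subject consisting of nothing but digits and whitespace.
DIGITS_ONLY = re.compile(r"^[\d\s]+$")

# Made-up additive weights in the spirit of Declude's scoring (assumption).
WEIGHTS = {"self_addressed": 4, "numeric_body": 9, "numeric_subject": 3}


def numeric_spam_signals(raw: bytes) -> dict:
    """Pull the three traits out of a raw RFC 2822 message.

    Only the header From/To are compared; the envelope MAIL FROM is not
    visible inside the stored message.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    subject = str(msg.get("Subject", "") or "")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    return {
        "self_addressed": bool(sender) and sender == recipient,
        "numeric_body": bool(text.strip()) and DIGITS_ONLY.match(text) is not None,
        "numeric_subject": bool(subject.strip()) and DIGITS_ONLY.match(subject) is not None,
    }


def numeric_spam_weight(raw: bytes) -> int:
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[name] for name, hit in numeric_spam_signals(raw).items() if hit)


# Constructed samples: one message of the kind described in the thread,
# and an ordinary reply that merely mentions a number.
NUMERIC = (
    b"From: jane@example.com\r\n"
    b"To: jane@example.com\r\n"
    b"Subject: 5718293\r\n"
    b"Message-ID: <constructed-1@example.com>\r\n"
    b"\r\n"
    b"4409182 7731\r\n"
)
HAM = (
    b"From: bob@example.org\r\n"
    b"To: jane@example.com\r\n"
    b"Subject: Re: invoice 5718293\r\n"
    b"Message-ID: <constructed-2@example.com>\r\n"
    b"\r\n"
    b"Please find attached invoice 5718293.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("numeric", NUMERIC), ("ham", HAM)):
        print(label, numeric_spam_signals(raw), numeric_spam_weight(raw))
```

Self-addressed mail on its own is a weak signal (people do mail themselves notes), which is why it carries the smallest weight here and why tagging rather than deleting on it, as Goran does, is the sensible default.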



Re: [sniffer]spam storm

2006-05-23 Thread John Carter
For a couple days I have seen an increase in general spam (lots of male
enhancements), but particularly Nigerian letters.

John C

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of Computer House Support
Sent: Tuesday, May 23, 2006 9:35 AM
To: Message Sniffer Community
Subject: [sniffer]spam storm

Dear Sniffer Friends,

Our servers are really getting slammed with spam.  Is anyone else seeing a
huge spam storm right now?


Michael Stein
Computer House 






RE: [sniffer] False Positives

2006-02-23 Thread John Carter
A program like freeware Baregrep (http://www.baremetalsoft.com/baregrep/)
might be helpful to you.

Do you not regularly cycle your logs and submit them?

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Kevin Rogers
Sent: Thursday, February 23, 2006 4:49 AM
To: sniffer@SortMonster.com
Subject: [sniffer] False Positives

So when I asked how I would send in false positives, someone mentioned that
I should look up the appropriate log entry and send that in.  That brings up
another question.  My log file is 270MB and climbing.  I've never opened it
cause it's too big.  Do you have a reader for your log files? 

I think it would be nice to have a little list of things to do to send in
false positives:


1. Have your users send you the false positive.  Save it as an .eml file (?)
2. Look up (somehow) the entry in your log file that corresponds to that 
.eml file.  Copy and paste that text into a new email.
3. Send an email from your primary Sortmonster email address, attaching 
the .eml file and any log portion as necessary.

Is this correct?


---
[This E-mail was scanned for viruses.]



This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: [sniffer] Downloads are slow.

2006-02-07 Thread John Carter
Agreed, my last report showed pretty slow times.  All today were slower now
that I look at them.  I normally see up to 1.3M with overall times around
800-900K. 

John C

    0K .. .. .. .. ..   36.79 KB/s
   50K .. .. .. .. ..   11.51 KB/s
  100K .. .. .. .. ..   19.76 KB/s
  150K .. .. .. .. ..   11.98 KB/s
  200K .. .. .. .. ..   37.20 KB/s
  250K .. .. .. .. ..   10.60 KB/s
  300K .. .. .. .. ..   16.00 KB/s
  350K .. .. .. .. ..   19.05 KB/s
  400K .. .. .. .. ..   22.22 KB/s
  450K .. .. .. .. ..   10.32 KB/s
  500K .. .. .. .. ..   13.50 KB/s
  550K .. .. .. .. ..    2.74 KB/s
  600K .. .. .. .. ..    8.40 KB/s
  650K .. .. .. .. ..    6.00 KB/s
  700K .. .. .. .. ..    9.97 KB/s
  750K .. .. .. .. ..    6.07 KB/s
  800K .. .. .. .. ..    5.89 KB/s
  850K .. .. .. .. ..    9.20 KB/s
  900K .. .. .. .. ..    6.46 KB/s
  950K .. .. .. .. ..    4.94 KB/s
 1000K .. .. .. .. ..    7.67 KB/s
 1050K .. .. .. .. ..    9.97 KB/s
 1100K .. .. .. .. ..   13.28 KB/s
 1150K .. .. .. .. ..   24.61 KB/s
 1200K .. .. .. .. ..   12.36 KB/s
 1250K .. .. .. .. ..   31.06 KB/s
 1300K .. .. .. .. ..    4.87 KB/s
 1350K .. .. .. .. ..   34.77 KB/s
 1400K .. .. .. .. ..   14.29 KB/s
 1450K .. .. .. .. ..   16.24 KB/s
 1500K .. .. .. .. ..   33.33 KB/s
 1550K .. .. .. .. ..   21.48 KB/s
 1600K .. .. .. .. ..   23.19 KB/s
 1650K .. .. .. .. ..   27.34 KB/s
 1700K .. .. .. .. ..   14.68 KB/s
 1750K .. .. .. .. ..   47.76 KB/s
 1800K .. .. .. .. ..   15.17 KB/s
 1850K .. .. .. .. ..   16.17 KB/s
 1900K .. .. .. .. ..   18.39 KB/s
 1950K .. .. .. .. ..   74.40 KB/s
 2000K .. .. .. .. ..   14.10 KB/s
 2050K .. .. .. .. ..   12.70 KB/s
 2100K .. .. .. .. ..   29.36 KB/s
 2150K .. .. .. .. ..   16.58 KB/s
 2200K .. .. .. .. ..   21.62 KB/s
 2250K .. .. .. .. ..   17.49 KB/s
 2300K .. .. .. .. ..   11.00 KB/s
 2350K .. .. .. .. ..   21.20 KB/s
 2400K .. .. .. .. ..   31.69 KB/s
 2450K .. .. .. .. ..   20.12 KB/s
 2500K .. .. .. .. ..   57.14 KB/s
 2550K .. .. ..         13.94 KB/s

15:52:29 (12.45 KB/s) - `.new.gz' saved [2646653] 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 07, 2006 4:46 PM
To: Chuck Schick
Subject: Re: [sniffer] Downloads are slow.

I'm not showing this from my location and the server looks ok.

I just downloaded a few rulebases, each in under 3 seconds.

Please provide a traceroute -- that should show us where the issue is (if it
is still there).

Thanks,

_M

On Tuesday, February 7, 2006, 4:39:35 PM, Chuck wrote:

CS Download speeds from your server are running 17 kbps at my location.

CS Chuck Schick
CS Warp 8, Inc.
CS (303)-421-5140
CS www.warp8.com




RE: Re[2]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
Final\t828931 and Final.*828931 both found 850 entries in my current log
using Baregrep. 

John C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 6:12 PM
To: sniffer@SortMonster.com
Subject: Re[2]: [sniffer] Bad Rule - 828931

Hello Matt,

Tuesday, February 7, 2006, 6:27:25 PM, you wrote:

M rule number, and I don't have the tools set up or the knowledge of 
M grep yet to do a piped query of Sniffer's logs to extract the spool file
names.

http://www.baremetalsoft.com/ is a great grep'er for windows. In BSD I
always used .* to represent any number of characters, white space or non,
but that didn't seem to work with baregrep. That's why I was trying to
confirm with anyone on the list my regex of Final\t828931
was an accurate regex to find every message that 'finaled' on that rule. I'm
praying that I screwed up the expression and I don't have
22,055 messages held by that rule.

M BTW, David, it is generally better not to hold or block on one single 
M test, especially one that automates such listings (despite whatever 
M safeguards there might be).

I know, shame on me. I guess I'm used to the days that we used to be able to
hold on sniffer alone. We have some safeguards in place now and are
transitioning our rule methodologies but hadn't gotten to this one yet as
this always seems to hit back-burner.

This is also why I'd really like to see the content of the rule to see how
it made it past our safeguards.

--
Best regards,
 David                          mailto:[EMAIL PROTECTED]





[sniffer] Date/time stamp in logs

2006-02-07 Thread John Carter
I don't get into the sniffer logs like I should, but just noticed this. It
is 2/7/06 6:42 CST here, but my logs show 20060208004243, which would
indicate +6 hours off of Zulu, Greenwich, Coordinated Universal Time, or
whatever we are calling these days.  Is that right, sniffer doesn't stamp
local time?

John C



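David's grep question in the "Bad Rule - 828931" thread and John's timestamp question above, covered by one added example that is not from the thread and not Sniffer's own tooling: it pulls the spool file names that finaled on rule 828931 out of log text and converts the 14-digit UTC stamp to Central time. The tab-separated field layout and the log lines themselves are constructed assumptions; the only thing taken from the thread is that a matching line contains "Final", a tab, then the rule id, which is what David's Final\t828931 pattern relies on.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines in an ASSUMED tab-separated layout:
#   timestamp  spool-file  result-code  stage  rule-id
# Timestamps are taken to be UTC, as John's 20060208004243 observation implies.
LOG = (
    "20060208004243\tD:\\IMail\\spool\\D1a2b3c4d.SMD\t53\tFinal\t828931\n"
    "20060208004251\tD:\\IMail\\spool\\D1a2b3c4e.SMD\t63\tMatch\t828931\n"
    "20060208004251\tD:\\IMail\\spool\\D1a2b3c4e.SMD\t63\tFinal\t900112\n"
    "20060208004305\tD:\\IMail\\spool\\D1a2b3c4f.SMD\t0\tFinal\t0\n"
    "20060208004310\tD:\\IMail\\spool\\D1a2b3c50.SMD\t53\tFinal\t8289311\n"
    "20060208004322\tD:\\IMail\\spool\\D1a2b3c51.SMD\t53\tFinal\t828931\n"
)

# Central Standard Time, UTC-6, for John's example.
CST = timezone(timedelta(hours=-6), "CST")


def final_hits(log_text: str, rule_id) -> list:
    """Return (utc_time, spool_file) for every line that finaled on rule_id.

    The tab before the id and the end-of-field after it both matter: they
    keep 8289311 from counting as 828931 and stop the pattern from
    matching across unrelated text between "Final" and the digits.
    """
    pattern = re.compile(
        r"^(\d{14})\t([^\t]+)\t[^\t]*\tFinal\t" + re.escape(str(rule_id)) + r"(?:\t|$)",
        re.M,
    )
    hits = []
    for m in pattern.finditer(log_text):
        stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        hits.append((stamp, m.group(2)))
    return hits


def loose_count(log_text: str, rule_id) -> int:
    """What a pattern like Final.*828931 counts: every line with 'Final' and
    the digits somewhere later on it, including longer ids such as 8289311."""
    return len(re.findall(r"Final.*" + re.escape(str(rule_id)), log_text))


def local_stamp(utc_time: datetime, tz: timezone = CST) -> str:
    """Render a UTC log timestamp in the given zone."""
    return utc_time.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    hits = final_hits(LOG, 828931)
    print("strict:", len(hits), "loose:", loose_count(LOG, 828931))
    for when, spool_file in hits:
        print(local_stamp(when), spool_file)
```

On this input the strict pattern finds two spool files and the loose one counts three, because the line that finaled on 8289311 also contains the digits 828931. On a real log where every rule id is the same width the two counts agree, which is what John saw with Baregrep.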


RE: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
So, in my terms (simple), this rule only catches msg if the two drug names
are in that order and in all capitals, but not necessarily one immediately
following the other? 

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, February 07, 2006 6:44 PM
To: David Sullivan
Subject: Re: [sniffer] Bad Rule - 828931

On Tuesday, February 7, 2006, 6:15:13 PM, David wrote:

DS Sorry, wrong thread on the last post.

DS Add'l question. Pete, what is the content of the rule?

The rule info is:

Rule - 828931
Name            C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
Created         2006-02-07
Source          C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
Hidden          false
Blocked         false
Origin          User Submission
Type            Manual
Created By      [EMAIL PROTECTED]
Owner           [EMAIL PROTECTED]
Strength        3.84258274153269
False Reports   0
From Users      0


Rule belongs to following groups
[252] Problematic

The rule was an attempt to build an abstract matching two ED pill names (you
can see them in there) while compensating for heavy obfuscation. The mistake
was in using %+ through the rule.

The rule would match the intended spam (and there was a lot of it, so
22,055 most likely includes mostly spam).

Unfortunately it would also match messages containing the listed capital
letters in that order throughout the message. Essentially, if the text is
long enough then it will probably match. A greater chance of FP match if the
text of the message is in all caps. Also if there is a badly coded base64
segment and file attachment (badly coded
base64 might not be decoded... raw base64 will contain many of these letters
in mixed case and therefore increase the probability of matching them all).

Hope this helps,

_M






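An added example, not Sniffer's own rule engine, that models Pete's explanation of why rule 828931 misfired. The %+ operator is read here, as an assumption, as "any run of characters", so the twelve capital letters only have to occur in order somewhere in the message; that reading is compared against a tightened pattern on constructed input: obfuscated spam, an all-caps legitimate message, and a few kilobytes of raw base64 standing in for an undecoded attachment.

```python
import base64
import re

# The two product names the rule spelled out, as the capital letters it listed.
LETTERS = "CIALISVIAGRA"

# Assumed reading of the posted rule: "%+" between each letter means "any run
# of characters", so the letters need only appear in this order anywhere.
LOOSE = re.compile(".*?".join(LETTERS), re.DOTALL)

# Tightened alternative: at most three punctuation/whitespace characters
# between consecutive letters. Obfuscation such as "V-I-A-G-R-A" still
# matches; ordinary prose that merely contains the letters in order does not.
TIGHT = re.compile(r"[\W_]{0,3}".join(LETTERS))


def matches_loose(text: str) -> bool:
    return LOOSE.search(text) is not None


def matches_tight(text: str) -> bool:
    return TIGHT.search(text) is not None


# Constructed samples.
SPAM = "Get C.I.A.L.I.S / V-I-A-G-R-A cheap today"
CAPS_HAM = ("CONFIRMATION: YOUR INVOICE IS ATTACHED. PLEASE REVIEW THE ITEMS "
            "LISTED. SHIPMENT VIA GROUND. REGARDS, ANNA")
# Raw base64 as it would appear in an attachment that was not decoded before
# scanning: every byte value repeated, so all 64 symbols occur many times.
B64_BLOB = base64.b64encode(bytes(range(256)) * 18).decode("ascii")


def compare(samples: dict) -> dict:
    """Map each sample name to (loose_hit, tight_hit)."""
    return {name: (matches_loose(t), matches_tight(t)) for name, t in samples.items()}


if __name__ == "__main__":
    results = compare({"spam": SPAM, "caps_ham": CAPS_HAM, "base64": B64_BLOB})
    for name, (loose, tight) in results.items():
        print(f"{name:10s} loose={loose!s:5s} tight={tight}")
```

The all-caps confirmation message is exactly the false positive Pete describes: C, I, A, L, I, S, V, I, A, G, R, A turn up in order across twelve innocent words. Bounding the gap between letters keeps the rule useful against spaced-out or punctuated product names while refusing to hop across whole sentences.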


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
David 

Drop the q/d files back into the \spool\proc directory.  Declude will
reprocess them.  If you put them in just the \spool, queue manager will send
them out in the next queue run, bypassing Declude. 

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:15 PM
To: Pete McNeil
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello Pete,

Tuesday, February 7, 2006, 8:11:50 PM, you wrote:

DS Not sure, can anyone think of a way to cross check this? What if I 
DS put all the released messages back through sniffer?

PM That would be good -- new rules were added to correctly capture the 
PM bad stuff. I almost suggested something more complex.

That said...anyone know specifics of reprocessing messages through Declude
on Imail? I know that in 1.x Declude would drop some kind of marker so that
q/d's copied into spool would not be reprocessed but I don't remember what
it was and don't know if it works same in 3.x.

Posted question on Declude JM list but no answer so far.

--
Best regards,
 David                          mailto:[EMAIL PROTECTED]





[sniffer] Left over tmp*.tmp files in spool

2005-11-15 Thread John Carter
Running Imail & Declude
Currently the Sniffer update notice comes to my address.  I have rule
established that copies the message to my inbox and forwards it on to the
program alias (snifferupdate@) which kicks off the process.

For each notice there is a tmp*.tmp file left in the spool. Is this normal?
Is it the result of my forwarding action? Can I add a delete line at the end
of the cmd file to get rid of it?

Thanks,
John C




RE: [sniffer] Left over tmp*.tmp files in spool

2005-11-15 Thread John Carter
Thanks. Trying del %1. Will know after next update. If that doesn't work,
will try del d:\spool\tmp*.tmp.  Haven't seen Imail prefix file names with
tmp, but have seen *.tmp's

John 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Tuesday, November 15, 2005 1:22 PM
To: John Carter
Subject: Re: [sniffer] Left over tmp*.tmp files in spool

On Tuesday, November 15, 2005, 2:06:41 PM, John wrote:

JC Running Imail & Declude
JC Currently the Sniffer update notice comes to my address.  I have 
JC rule established that copies the message to my inbox and forwards it 
JC on to the program alias (snifferupdate@) which kicks off the process.

JC For each notice there is a tmp*.tmp file left in the spool. Is this
normal?
JC Is it the result of my forwarding action? Can I add a delete line at 
JC the end of the cmd file to get rid of it?

IMail creates a .tmp file when calling a program alias and passes that file
to the program as a parameter.

I have had luck placing the following line at the end of the update
script:

del %1

Some have reported that this didn't work and that simply deleting all .tmp
files from the spool as in 'del \imail\spool\*.tmp' seems to work. I feel
like that's a bit of a sledge hammer and might delete something unintended,
but nonetheless folks have reported good results.

Another option is to remove all old .tmp files from your spool periodically
(nightly) along with orphaned messages etc using a utility like delold.

AFAIK, the update scripts presented on our site do not make use of the .tmp
file so it's safe to delete it.

Hope this helps,

Thanks,

_M





[sniffer] Declude and Sniffer

2005-07-20 Thread John Carter
To other Declude users with Sniffer:

I currently tag subject lines at 10 and delete at 20.  Sniffer results are
scored at 9.  No two tests currently result in more than 18 and therefore it
takes three failed tests to delete.

I am considering moving Sniffer to 10. This would tag the subjects based on
Sniffer alone, but still require three failed tests to delete.

Question: Do any of you tag subject lines based on Sniffer alone?  My main
problem is that some of my users delete based on the tagged subject line.

Thanks,
John




RE: [sniffer] Declude and Sniffer

2005-07-20 Thread John Carter
Thanks to everyone (and any to follow later).  This has been helpful.

Jonathan, could you give me at least one example of coding Declude for a
particular Sniffer category?  I have seen and understand the various Core
Rule Group Result Codes, but am not sure how to separate those out for
evaluation.  Am I missing something at the Sortmonster or Declude web sites?

Thanks again,
John  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of System Administrator
Sent: Wednesday, July 20, 2005 9:38 AM
To: Sniffer
Subject: Re: [sniffer] Declude and Sniffer

on 7/20/05 9:44 AM, Jonathan Schoemann wrote:

 Question: Do any of you tag subject lines based on Sniffer alone?  My 
 main problem is that some of my users delete based on the tagged subject
line.

I weight each category in Sniffer differently. Some messages are deleted by
Sniffer alone, some messages have the subject line altered by Sniffer alone
and at least one category in Sniffer does nothing visible (other than add
some weight to the message).

This web page will show you how I weight (RSW column) the various
categories. I change the subject at weight 30, delete at 40.

http://12.4.184.4/mdlp/

Greg




RE: [sniffer] Declude and Sniffer

2005-07-20 Thread John Carter
Thanks, that helps a lot. Didn't understand the "replace nonzero with the
weight number" in the Global file.

John 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of System Administrator
Sent: Wednesday, July 20, 2005 10:27 AM
To: Sniffer
Subject: Re: [sniffer] Declude and Sniffer

on 7/20/05 11:06 AM, John Carter wrote:

 I have seen and understand the various Core Rule Group Result Codes, 
 but am not sure how to separate those out for evaluation.

In your global.cfg add lines like the sniffer-scams line below

test name - category -- weight

SNIFFER-SCAMS external 053 c:\Sniffer\sniffer2.exe xnk05x5vmipeaof7  60 0
SNIFFER-PORN  external 054 c:\Sniffer\sniffer2.exe xnk05x5vmipeaof7 101 0

Add the new test names to your declude junkmail file(s) also.

Greg




RE: Re[2]: [sniffer] Declude and Sniffer

2005-07-20 Thread John Carter
My bad. Trying to multi-task isn't working today.  :-)

John 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, July 20, 2005 11:13 AM
To: John Carter
Subject: Re[2]: [sniffer] Declude and Sniffer

On Wednesday, July 20, 2005, 12:05:29 PM, John wrote:

JC Thanks, that helps a lot. Didn't understand the "replace nonzero
JC with the weight number" in the Global file.

Minor correction...

Actually -- you replace nonzero with the result code.

You adjust the weights at the end of the line as usual.

_M



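Greg's global.cfg lines and Pete's correction, as an added model that is not Declude's code: a parser for the external-test line as the thread presents it (name, the word external, the exit code that counts as a hit, which is either "nonzero" or one specific code, the command, and the two weights at the end), plus the additive tag/delete decision. Greg's two lines are taken from his post; the SNIFFER/CHECK-A/CHECK-B lines, their commands, and the exit codes in the usage are constructed to reproduce John's 9-point, tag-at-10/delete-at-20 setup from earlier in the thread.

```python
from dataclasses import dataclass


@dataclass
class ExternalTest:
    name: str
    code: str         # "nonzero", or the one exit code that counts as a hit
    command: str
    weight_hit: int   # added when the exit code matches
    weight_miss: int  # added otherwise

    def weight_for(self, exit_code: int) -> int:
        if self.code.lower() == "nonzero":
            hit = exit_code != 0
        else:
            hit = exit_code == int(self.code)   # int("053") == 53
        return self.weight_hit if hit else self.weight_miss


def parse_external_line(line: str) -> ExternalTest:
    """Parse one 'NAME external CODE COMMAND... HIT MISS' line (assumed layout)."""
    fields = line.split()
    if len(fields) < 6 or fields[1].lower() != "external":
        raise ValueError(f"not an external test line: {line!r}")
    return ExternalTest(
        name=fields[0],
        code=fields[2],
        command=" ".join(fields[3:-2]),
        weight_hit=int(fields[-2]),
        weight_miss=int(fields[-1]),
    )


def load_tests(cfg_text: str) -> list:
    """Parse every non-blank, non-comment line of a config fragment."""
    return [parse_external_line(line) for line in cfg_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def score(tests: list, exit_codes: dict, tag_at: int, delete_at: int) -> tuple:
    """Sum the weights for the observed exit codes and pick the action.

    exit_codes maps test name -> exit code of that test's command;
    a test absent from the dict is treated as having exited 0.
    """
    total = sum(t.weight_for(exit_codes.get(t.name, 0)) for t in tests)
    if total >= delete_at:
        action = "DELETE"
    elif total >= tag_at:
        action = "TAG"
    else:
        action = "PASS"
    return total, action


# Greg's two lines, as posted in the thread.
GREG_CFG = r"""
SNIFFER-SCAMS external 053 c:\Sniffer\sniffer2.exe xnk05x5vmipeaof7  60 0
SNIFFER-PORN  external 054 c:\Sniffer\sniffer2.exe xnk05x5vmipeaof7 101 0
"""

# John's setup, with two constructed tests standing in for his other checks.
JOHN_CFG = r"""
SNIFFER external nonzero c:\Sniffer\sniffer2.exe xnk05x5vmipeaof7 9 0
CHECK-A external nonzero c:\tools\check-a.exe 9 0
CHECK-B external nonzero c:\tools\check-b.exe 9 0
"""

if __name__ == "__main__":
    greg = load_tests(GREG_CFG)
    # Sniffer returns one code for the message; both SNIFFER-* lines see it.
    print(score(greg, {"SNIFFER-SCAMS": 53, "SNIFFER-PORN": 53}, 30, 40))
    john = load_tests(JOHN_CFG)
    print(score(john, {"SNIFFER": 53}, 10, 20))
    print(score(john, {"SNIFFER": 53, "CHECK-A": 1}, 10, 20))
    print(score(john, {"SNIFFER": 53, "CHECK-A": 1, "CHECK-B": 1}, 10, 20))
```

With Greg's weights a scam result alone (60 on thresholds 30/40) deletes, while with John's a Sniffer hit alone (9 on 10/20) does nothing visible, two hits tag and three delete; raising the Sniffer line to 9 -> 10 in JOHN_CFG is John's proposal, and makes the first of those cases tag.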