Re: [sniffer] Is there a way to open a trouble ticket with Sniffer?
On Tuesday, May 17, 2005, 6:37:12 PM, Chuck wrote:

CS> Can't seem to get a response on a major problem we are having.

Responded off list.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
[sniffer] Is there a way to open a trouble ticket with Sniffer?
Can't seem to get a response on a major problem we are having.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
Re[2]: [sniffer] New Spam Storm
On Tuesday, May 17, 2005, 3:27:13 PM, Matt wrote:

M> Pete,
M> Your memory fails you :) I reported one just yesterday,
M> however it was understandable. The rule is below (slightly
M> obfuscated for public consumption).

MB>> Final
MB>> RULE 349776-055: User Submission, 13 days, 3.1979660500
MB>> NAME: Account and Password Information are attached!%+account_info(dot)zip
MB>> CODE: Account and Password Information are attached!%+account\_info\(dot)zip
MB>> No prior False Positive Reports.

I stand corrected :-)

(I think I subconsciously omitted it because in the end we decided to keep the rule and white-rule the list that contained the traffic.)

You are correct that presently all malware group rules are coded manually.

_M
Re: [sniffer] New Spam Storm
While this has contributed to a recent doubling in incoming spam for us, it only accounts for part of the increase we've seen. I have no idea what the rest of the cause of the recent doubling in spam volume is, but it's been going on for a week now.

We saw something similar last fall in mid October. Spam volume for us tripled over the course of a day and slowly dwindled over the next two weeks to double previous levels. It didn't seem to be directly tied to any particular virus outbreak, but could have been a delayed result of zombies. It held there until the beginning of January, at which point it fell back to our previous levels... and as mentioned, last week it rose again.

Darin.

----- Original Message -----
From: Andy Schmidt
To: sniffer@SortMonster.com
Sent: Tuesday, May 17, 2005 1:41 PM
Subject: RE: [sniffer] New Spam Storm

Yes, these messages were caused by Sunday's Sober.O and Sober.P remote update of previously infected PCs, causing them to send out millions of neo-nazi mail. The next update (likely a new spam-wave) is scheduled in 10 days.

Some public mailboxes got as many as 50,000 emails in 48 hours to a single account.

SURBL will catch many of them for a while - the big problem is returns to faked senders that are not as easily blocked.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Tuesday, May 17, 2005 01:27 PM
To: sniffer@SortMonster.com
Subject: [sniffer] New Spam Storm

Is anyone else seeing a huge amount of spam increase over the last couple days? Most is being caught by sniffer but the overall number of messages, especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [sniffer] New Spam Storm
Pete,

Your memory fails you :) I reported one just yesterday, however it was understandable. The rule is below (slightly obfuscated for public consumption).

MB> Final
MB> RULE 349776-055: User Submission, 13 days, 3.1979660500
MB> NAME: Account and Password Information are attached!%+account_info(dot)zip
MB> CODE: Account and Password Information are attached!%+account\_info\(dot)zip
MB> No prior False Positive Reports.

This was in a virus advisory sent out by McAfee. It makes sense that sometimes these rules will hit discussions of spam and viruses. I rarely see FPs for the Malware group since the greeting card sites were removed or expired last year (former purveyors of spyware-infected greeting cards), but they also don't hit very often on my system. I think, like everything, including virus scanners themselves, there's always a chance of human error. I get the impression that this group is almost exclusively, if not exclusively, manually encoded.

I'm fairly conservative when it comes to blocking on just one test, but if you aren't otherwise protected from the neo-Nazi propaganda, I wouldn't recommend against raising the weights on this result code so that it is blocked automatically, just not necessarily deleted.

The point of where the rule should be classified is a bit unclear however. Since this mailing was likely associated with the virus writer, many consider it to be part of the virus, but virtually every zombie-sent piece of spam has a similar degree of association. This for now is definitely a special case due to its success in getting through systems early on, the lack of a legitimate payload link (all belong to uninvolved third parties) and the volume seen. It's scary what someone can do if they prepare properly for such a thing.

Matt

Pete McNeil wrote:

On Tuesday, May 17, 2005, 2:57:44 PM, Jim wrote:

JM> Thanks Pete, would you be able to provide the current false positive rates
JM> for the return codes?

This is not something that we are formally capturing at present, however anecdotally I can't recall the last time we had an FP submitted for the malware group.

_M

PS: We will eventually build some instrumentation to capture these statistics. We've done a few spot analyses and each time we have found very low volume, widely distributed results -- with each analysis showing peaks and valleys on different groups. As a result, the data we currently have about this is too "noisy" for any conclusive statements.

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
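The false-positive mechanism discussed above (a malware-group rule keyed on the lure text also firing on a vendor advisory that quotes that text, and the mitigation of keeping the rule but white-ruling the list that carried it) modelled in Python as an added example; this is not Message Sniffer's engine, and the `%+` wildcard semantics, the allow-list mechanism and the two sample messages are assumptions.

```python
import re
from typing import Optional

# Hypothetical, simplified model of a pattern rule like the one quoted in the
# thread. NOT Sniffer's real syntax: we assume "%+" means "one or more
# characters" and that "(dot)" stands for a literal "." obfuscated for posting.
MALWARE_RULE_ID = "349776-055"
MALWARE_RULE_CODE = "Account and Password Information are attached!%+account_info(dot)zip"
MALWARE_RESULT_CODE = 55  # the malware group result code named in the thread


def compile_rule(code: str) -> "re.Pattern[str]":
    """Turn the simplified rule syntax into a regular expression."""
    literal = code.replace("(dot)", ".")
    parts = [re.escape(p) for p in literal.split("%+")]
    return re.compile(".+".join(parts), re.DOTALL)


def scan(message: dict, allow_listed_senders: set) -> Optional[int]:
    """Return the result code the message would get, or None for no match.

    The allow-list models "white-ruling" a list that legitimately carried the
    advisory text: a hit from an allow-listed sender is suppressed.
    """
    if message["from"].lower() in allow_listed_senders:
        return None
    if compile_rule(MALWARE_RULE_CODE).search(message["body"]):
        return MALWARE_RESULT_CODE
    return None


# Constructed sample messages (not real mail).
LURE = {
    "from": "noreply@example.invalid",
    "body": "Account and Password Information are attached!\n"
            "See attachment account_info.zip",
}
ADVISORY = {
    "from": "advisories@security-list.example",
    "body": "Virus advisory: the worm arrives with the subject "
            "'Account and Password Information are attached!' and the "
            "attachment account_info.zip. Do not open it.",
}


def before_white_rule():
    # Both hit: the advisory quoting the lure is the false positive.
    return scan(LURE, set()), scan(ADVISORY, set())


def after_white_rule():
    # Keep the rule, suppress the list that carried the advisory.
    allow = {"advisories@security-list.example"}
    return scan(LURE, allow), scan(ADVISORY, allow)
```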
Re[4]: [sniffer] New Spam Storm
On Tuesday, May 17, 2005, 2:57:44 PM, Jim wrote:

JM> Thanks Pete, would you be able to provide the current false positive rates
JM> for the return codes?

This is not something that we are formally capturing at present, however anecdotally I can't recall the last time we had an FP submitted for the malware group.

_M

PS: We will eventually build some instrumentation to capture these statistics. We've done a few spot analyses and each time we have found very low volume, widely distributed results -- with each analysis showing peaks and valleys on different groups. As a result, the data we currently have about this is too "noisy" for any conclusive statements.
Re: Re[2]: [sniffer] New Spam Storm
Thanks Pete, would you be able to provide the current false positive rates for the return codes?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska"
Sent: Tuesday, May 17, 2005 11:54 AM
Subject: Re[2]: [sniffer] New Spam Storm

On Tuesday, May 17, 2005, 1:44:30 PM, Jim wrote:

JM> Pete,
JM> Is there a possibility of setting up another return code for
JM> situations such as this such as a blacklist rulecode that only has
JM> rules for messages such as these that should be blacklisted
JM> immediately. I wouldn't mind setting certain high priority rules
JM> to block immediately.

A couple of things ---

When we first saw this we didn't know it was a virus, so we were blocking the messages as normal spam. Once we did know it was malware we coded it to the malware group.

No filters are perfect (even ours ;-) but I believe the code you are looking for is our malware result code: 55

That's as close as I can come to this request without doing something new and therefore less reliable.

Hope this helps,

_M
Re[2]: [sniffer] New Spam Storm
On Tuesday, May 17, 2005, 1:44:30 PM, Jim wrote:

JM> Pete,
JM> Is there a possibility of setting up another return code for
JM> situations such as this such as a blacklist rulecode that only has
JM> rules for messages such as these that should be blacklisted
JM> immediately. I wouldn't mind setting certain high priority rules
JM> to block immediately.

A couple of things ---

When we first saw this we didn't know it was a virus, so we were blocking the messages as normal spam. Once we did know it was malware we coded it to the malware group.

No filters are perfect (even ours ;-) but I believe the code you are looking for is our malware result code: 55

That's as close as I can come to this request without doing something new and therefore less reliable.

Hope this helps,

_M
Re: [sniffer] New Spam Storm
Pete,

Is there a possibility of setting up another return code for situations such as this, such as a blacklist rulecode that only has rules for messages such as these that should be blacklisted immediately? I wouldn't mind setting certain high priority rules to block immediately.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: Andy Schmidt
To: sniffer@SortMonster.com
Sent: Tuesday, May 17, 2005 10:41 AM
Subject: RE: [sniffer] New Spam Storm

Yes, these messages were caused by Sunday's Sober.O and Sober.P remote update of previously infected PCs, causing them to send out millions of neo-nazi mail. The next update (likely a new spam-wave) is scheduled in 10 days.

Some public mailboxes got as many as 50,000 emails in 48 hours to a single account.

SURBL will catch many of them for a while - the big problem is returns to faked senders that are not as easily blocked.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Tuesday, May 17, 2005 01:27 PM
To: sniffer@SortMonster.com
Subject: [sniffer] New Spam Storm

Is anyone else seeing a huge amount of spam increase over the last couple days? Most is being caught by sniffer but the overall number of messages, especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [sniffer] New Spam Storm
I think that is it. Do the links in the messages go to the virus rather than the normal attachment method, to avoid the virus scanners?

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska"
Sent: Tuesday, May 17, 2005 10:38 AM
Subject: Re: [sniffer] New Spam Storm

On Tuesday, May 17, 2005, 1:27:25 PM, Jim wrote:

JM> Is anyone else seeing a huge amount of spam increase over
JM> the last couple days. Most is being caught by sniffer but the
JM> overall number of messages especial foreign language spam messages
JM> seems to be very high.

You are probably seeing the "German sober" virus - which sends out a huge volume of spam pointing at various sites --- mostly concerned with WW2.

That one has proved to be quite prolific. Not only that - but outscatter from it and complaints about it with copies of the message are also quite high right now.

Think this is it?

_M
RE: [sniffer] New Spam Storm
Yes, these messages were caused by Sunday's Sober.O and Sober.P remote update of previously infected PCs, causing them to send out millions of neo-nazi mail. The next update (likely a new spam-wave) is scheduled in 10 days.

Some public mailboxes got as many as 50,000 emails in 48 hours to a single account.

SURBL will catch many of them for a while - the big problem is returns to faked senders that are not as easily blocked.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Matuska
Sent: Tuesday, May 17, 2005 01:27 PM
To: sniffer@SortMonster.com
Subject: [sniffer] New Spam Storm

Is anyone else seeing a huge amount of spam increase over the last couple days? Most is being caught by sniffer but the overall number of messages, especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
Re: [sniffer] New Spam Storm
Same here, lots of German spam.

Herb

Jim Matuska wrote:

Is anyone else seeing a huge amount of spam increase over the last couple days? Most is being caught by sniffer but the overall number of messages, especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966 x102 Office
(262)780-0424 Direct

This e-mail is confidential and is for the use of the intended recipient(s) only. If you are not an intended recipient, please advise us of our error by return e-mail, then delete this e-mail and any attached files. You may not copy, disclose or use the contents in any way.
Re: [sniffer] New Spam Storm
On Tuesday, May 17, 2005, 1:27:25 PM, Jim wrote:

JM> Is anyone else seeing a huge amount of spam increase over
JM> the last couple days. Most is being caught by sniffer but the
JM> overall number of messages especial foreign language spam messages
JM> seems to be very high.

You are probably seeing the "German sober" virus - which sends out a huge volume of spam pointing at various sites --- mostly concerned with WW2.

That one has proved to be quite prolific. Not only that - but outscatter from it and complaints about it with copies of the message are also quite high right now.

Think this is it?

_M
[sniffer] New Spam Storm
Is anyone else seeing a huge amount of spam increase over the last couple days? Most is being caught by sniffer but the overall number of messages, especially foreign language spam messages, seems to be very high.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]