[sniffer] Re: Stampede - amazing!
Not the same as you're describing below, but I can confirm we were slammed with NDRs last night. Classic joe-job (i.e. millions of messages sent out to unknown users using your return address).

--Paul

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Thursday, August 28, 2008 5:13 AM
To: Message Sniffer Community
Subject: [sniffer] Stampede - amazing!

# This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: Stampede - amazing!
I've nothing of value to add, I just want to say thanks for posting things like this. It is very interesting to get these "behind the scenes" views of what the spammers are doing. It also gives me a valid explanation to give to my bosses when they complain that they're "suddenly getting all kinds of spam".

Dan Horne
TAIS Director of Operations
www.taisweb.net
[EMAIL PROTECTED]
828.252.TAIS (8247)

> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On Behalf Of
> Pete McNeil
> Sent: Thursday, August 28, 2008 5:13 AM
> To: Message Sniffer Community
> Subject: [sniffer] Stampede - amazing!
[sniffer] Stampede - amazing!
Hello Sniffer Folks,

I had been wondering why the blackhats had been pushing so hard for new bots these last few weeks.

Then the other day I saw something very strange in the SNF telemetry. A storm came in that seemed to stop all other traffic. For more than an hour I really thought something was broken -- but I wasn't sure I'd really seen it.

Just a short time ago our SortMonster on duty (Mitchell "Skull") called all-hands for a new spam storm. This was another of the new penis spams.

We coded the rules quickly and as they went out I saw it again:

T rates fell to zero on many systems and close to that on all of the others. This means that virtually all of the IPs were brand-new. At the same time traffic spiked on all systems and capture rates went off-scale high as the new rules tagged virtually every message.

This is not an entirely new tactic by the blackhats -- I've talked about it before. It is essentially a high-amplitude burst, where a new campaign is pre-tested against all known filters and then launched on a large number of new bots that are unknown to IP reputation systems.

What is new is the purity of these recent events. When we've seen them before they were mixed in with a lot of other traffic from other bot nets and even other campaigns from the same bot net. While there was still a trickle of this activity, the purity of this burst was astounding.

This was a stampede where essentially all visible bots started running in a single new direction.

T rates have recovered now by and large -- so the new bots are already largely recognized by GBUdb, but the wild swing in telemetry across the network was amazing to watch -- as is the new telemetry showing dramatically increased traffic and capture rates indicating a nearly pure stream of spam from this new "herd".

Theories, comments, and observations welcome.

Thanks,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
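As an added example (not code from the post, from SNF or from GBUdb), here is a small detector that models the telemetry pattern Pete describes: per-window connection volume against a recent baseline, combined with the share of connecting IPs already known to a reputation store, which I take as a stand-in for the post's "T rate" (the post says a T rate of zero means virtually all IPs were brand-new). The IP addresses, window size and thresholds are constructed for illustration, and the learning step (IPs whose mail the new rule tagged become "known" from the next window on) is my assumption about how a reputation store catches up, as the post says GBUdb did once the rules were out.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WindowStats:
    """Per-window counters for inbound SMTP connections."""
    start: int
    total: int = 0
    known: int = 0
    tagged_ips: set = field(default_factory=set)

    @property
    def known_ratio(self) -> float:
        # Share of connections from IPs the reputation store already knows.
        # Assumed stand-in for the post's "T rate"; an empty window counts as 1.0.
        return self.known / self.total if self.total else 1.0


def detect_stampedes(events, known_ips, window_seconds=60, baseline_windows=5,
                     volume_factor=3.0, known_ratio_max=0.1, learn=True):
    """Scan (timestamp, ip, tagged) telemetry for stampede windows.

    A window fires when its volume is at least `volume_factor` times the mean of
    the previous `baseline_windows` windows AND almost none of its IPs are known:
    a burst that is both big and coming from a fresh herd. Returns
    (alerts, series); each entry is (window_start, total, known_ratio).
    """
    known = set(known_ips)            # hypothetical reputation store (GBUdb-like)
    by_window = {}
    for ts, ip, tagged in events:
        by_window.setdefault(ts - ts % window_seconds, []).append((ip, tagged))

    history = deque(maxlen=baseline_windows)
    alerts, series = [], []
    for start in sorted(by_window):
        w = WindowStats(start)
        for ip, tagged in by_window[start]:
            w.total += 1
            if ip in known:
                w.known += 1
            if tagged:
                w.tagged_ips.add(ip)
        if len(history) == baseline_windows:
            baseline = sum(h.total for h in history) / baseline_windows
            if w.total >= volume_factor * baseline and w.known_ratio <= known_ratio_max:
                alerts.append((start, w.total, round(w.known_ratio, 3)))
        series.append((start, w.total, round(w.known_ratio, 3)))
        history.append(w)
        if learn:
            # Reputation catches up: IPs whose mail the content rules tagged are
            # known from the next window on, which is why the ratio recovers.
            known |= w.tagged_ips
    return alerts, series


# Constructed telemetry for the example (not real data): RFC 5737 documentation
# ranges stand in for real addresses.
KNOWN_BASELINE = {f"198.51.100.{i}" for i in range(7)}


def sample_events():
    events = []
    # Minutes 0-4: ten connections a minute, seven from known senders, three
    # from never-seen IPs that no rule tags (ordinary background noise).
    for m in range(5):
        for i in range(10):
            ip = f"198.51.100.{i}" if i < 7 else f"203.0.113.{m * 3 + i}"
            events.append((m * 60 + i * 5, ip, False))
    # Minute 5: fifty fresh bots, every message tagged by the new rule.
    for i in range(50):
        events.append((300 + i, f"192.0.2.{i + 1}", True))
    # Minute 6: the same herd keeps sending; by now the store has learned it.
    for i in range(50):
        events.append((360 + i, f"192.0.2.{i + 1}", True))
    return events


if __name__ == "__main__":
    alerts, series = detect_stampedes(sample_events(), KNOWN_BASELINE)
    for start, total, ratio in series:
        print(f"t={start:4d}s  connections={total:3d}  known_ratio={ratio:.2f}")
    print("stampede windows:", alerts)
```

The two conditions are deliberately ANDed: a known-ratio collapse on its own can just mean a handful of new legitimate senders in a quiet minute, and a volume spike on its own is what a mixed-botnet burst looks like. It is the combination, big and pure, that matches the event in the post. With `learn=True` the minute after the burst shows the ratio back near 1.0 for the same herd, mirroring the T-rate recovery Pete reports; with `learn=False` it stays at zero, which is what a filter relying on reputation alone would keep seeing.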