[sniffer] Re: Our IP got listed on GBUdb Truncate

2018-11-02 Thread Daniel Bayerdorffer
Hi Pete,

Thank you for the information and advice on how to check our own messages for 
the problem. Since asking about this issue I've discovered another user got 
hacked. Their account sent out about 45,000 spam emails today. It seems pretty 
clear that was the culprit.

I'm now in the process of forcing all our users to use a password manager and 
to use complex, unique passwords for everything.

Thanks Again,
Daniel


- Original Message -
From: "Pete McNeil" 
To: "Message Sniffer Community" 
Sent: Friday, November 2, 2018 2:21:45 PM
Subject: [sniffer] Re: Our IP got listed on GBUdb Truncate

On 11/2/18 11:52, Daniel Bayerdorffer wrote:
>
> Is there any way for us to see what the offending email was that got us
> on the list? Or some other data point to help us clean up our system?

SNF doesn't leak message info -- with the exception of auto-sampling of
spam (truncated messages, and only if you have it enabled) we don't see
message content. What we do get are anonymous statistics and training data.

The good news is that you are running SNF, so you can scan your messages
and identify any content that might have triggered SNF.

Truncate is trained by counting good and bad events -- bad events are
when a message matches spam/malware patterns.

... so you can actually check with your own scanner.

Truncate is completely automated... so we can't change the list data. It
actually doesn't come from a database but rather by skimming the
telemetry for these events. In effect the reputation for any given IP
resides in each SNF instance around the globe and the truncate list
works by eavesdropping on the conversations between those nodes as they
"discuss" IP reputations.

If the IP is still listed and you send a note to support with the IP
requesting a trace then we can collect some events with timestamps. That
may help you track things down -- but since you're an SNF user you would
probably do better with your own scanner.

Hope this helps.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 


#
This message is sent to you because you are subscribed to
  the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  





[sniffer] Re: Our IP got listed on GBUdb Truncate

2018-11-02 Thread Pete McNeil
On 11/2/18 11:52, Daniel Bayerdorffer wrote:
>
> Is there any way for us to see what the offending email was that got us
> on the list? Or some other data point to help us clean up our system?

SNF doesn't leak message info -- with the exception of auto-sampling of
spam (truncated messages, and only if you have it enabled) we don't see
message content. What we do get are anonymous statistics and training data.

The good news is that you are running SNF, so you can scan your messages
and identify any content that might have triggered SNF.

Truncate is trained by counting good and bad events -- bad events are
when a message matches spam/malware patterns.

... so you can actually check with your own scanner.

Truncate is completely automated... so we can't change the list data. It
actually doesn't come from a database but rather by skimming the
telemetry for these events. In effect the reputation for any given IP
resides in each SNF instance around the globe and the truncate list
works by eavesdropping on the conversations between those nodes as they
"discuss" IP reputations.

If the IP is still listed and you send a note to support with the IP
requesting a trace then we can collect some events with timestamps. That
may help you track things down -- but since you're an SNF user you would
probably do better with your own scanner.

Hope this helps.

_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller 
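Pete's advice is to check your own traffic rather than wait for the list to explain itself, and Daniel's follow-up shows the usual cause: one authenticated account suddenly submitting tens of thousands of messages. The following is an added example, not code from this thread, SNF or ARM Research; it assumes a Postfix-style smtpd log with `sasl_username=` fields (the log lines are constructed) and flags any account whose hourly submission count exceeds a threshold, along with how many client IPs it authenticated from.

```python
import re
from collections import defaultdict

# Postfix-style smtpd line with SASL auth (assumed format; adjust to your MTA).
LINE_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s+\d{2}):\d{2}:\d{2}\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"\w+:\s+client=\S+?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)

def parse_auth_events(lines):
    """Yield (hour_bucket, client_ip, username) for each authenticated submission."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("hour"), m.group("ip"), m.group("user")

def find_bulk_senders(lines, max_per_hour):
    """Return {(user, hour): (count, distinct_ips)} for users above max_per_hour."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for hour, ip, user in parse_auth_events(lines):
        counts[(user, hour)] += 1
        ips[(user, hour)].add(ip)
    return {k: (n, len(ips[k])) for k, n in counts.items() if n > max_per_hour}

def _line(hour, minute, ip, user):
    # Helper to build a constructed sample log line in the assumed format.
    return (f"Nov  2 {hour:02d}:{minute:02d}:00 mx postfix/smtpd[1234]: 9A1B2C: "
            f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: two normal users and one account submitting in bulk
# from many different client addresses (the compromised-account pattern).
SAMPLE_LOG = [_line(9, 1, "203.0.113.5", "alice@example.com"),
              _line(9, 7, "203.0.113.5", "alice@example.com"),
              _line(9, 3, "198.51.100.7", "bob@example.com")]
SAMPLE_LOG += [_line(9, i % 60, f"192.0.2.{i % 20}", "carol@example.com")
               for i in range(300)]

if __name__ == "__main__":
    for (user, hour), (n, n_ips) in sorted(find_bulk_senders(SAMPLE_LOG, 100).items()):
        print(f"{user}: {n} submissions in hour '{hour}' from {n_ips} client IPs")
```

A hit here tells you which account to lock and reset before the IP reputation degrades further; pair it with an SNF scan of that account's queued mail to confirm the content matched spam patterns.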

