RE: [sniffer] Spam keeps getting through...

2005-10-11 Thread Michiel Prins
Pete,

I have an additional question. What do you do with spam in foreign
languages, like Dutch? Do you create rules for those as well? Lots of Dutch
messages are not blocked by sniffer.


Regards,
Michiel 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
 Sent: dinsdag 11 oktober 2005 10:47
 To: sniffer@SortMonster.com
 Subject: Re: [sniffer] Spam keeps getting through...
 
 Can we just forward them regularly or do we need to change 
 anything about how the headers display when we forward them?
 
 
 
 Pete McNeil wrote:
 
 On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:
 
 S just to make sure, can we now send several spams as attachments in one
 S email
 S and what address to use
 S I have 3 that got thru my own mailbox in less than 3 hours
 S they did not even get tagged, only failed sorbs and sorbs_dul
 
 oops. missed a step.
 
 Please send (redirect/forward) spam that gets through one at 
 a time to [EMAIL PROTECTED]
 
 Thanks,
 
 _M
 
 
 This E-Mail came from the Message Sniffer mailing list. For 
 information and (un)subscription instructions go to 
 http://www.sortmonster.com/MessageSniffer/Help/Help.html
 ---
 [This E-mail was scanned for viruses.]
 
 
 
   
 


Re[2]: [sniffer] Spam keeps getting through...

2005-10-11 Thread Pete McNeil
It is helpful to get the full headers, however it is simpler and more reliable 
in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything 
KR about how the headers display when we forward them?



KR Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to [EMAIL 
PROTECTED]

Thanks,

_M




Re[2]: [sniffer] Spam keeps getting through...

2005-10-11 Thread Pete McNeil
We attempt to create reliable rules no matter what language we see, however it 
is more difficult to do that in foreign languages. We are working on upgrades 
to our internal systems and procedures to address this. Nonetheless there are
usually things within these messages that we can tag and if we can identify 
them then we do create rules for those items.

_M

On Tuesday, October 11, 2005, 6:21:58 AM, Michiel wrote:

MP Pete,

MP I have an additional question. What do you do with spam in foreign
MP languages, like Dutch? Do you create rules for those as well? Lots of Dutch
MP messages are not blocked by sniffer.


MP Regards,
MP Michiel 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
 Sent: dinsdag 11 oktober 2005 10:47
 To: sniffer@SortMonster.com
 Subject: Re: [sniffer] Spam keeps getting through...
 
 Can we just forward them regularly or do we need to change 
 anything about how the headers display when we forward them?
 
 
 
 Pete McNeil wrote:
 
 On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:
 
 S just to make sure, can we now send several spams as attachments in one
 S email
 S and what address to use
 S I have 3 that got thru my own mailbox in less than 3 hours
 S they did not even get tagged, only failed sorbs and sorbs_dul
 
 oops. missed a step.
 
 Please send (redirect/forward) spam that gets through one at 
 a time to [EMAIL PROTECTED]
 
 Thanks,
 
 _M
 
 


Re: [sniffer] Spam keeps getting through...

2005-10-11 Thread Kevin Rogers
Sorry - I was talking about false positives.  I assume we need to send 
false positives to the false@ address. 

Can my users send you these messages directly? 
Or do they need to forward them to me first (as the registered user)? 
And if they do need to forward false positives to me first, is it OK to 
simply forward them on to you? 
It says on your site to create a new email from scratch and send the 
false positive email as an attachment.  Does that mean I should 
right-click on the message, Save As... an .eml file, and then attach 
that .eml file to the message I'm sending to you?
And is this true for spam as well - do they need to forward them to me 
and then me to you?


Just making sure I'm doing this right.

Thanks


Pete McNeil wrote:


It is helpful to get the full headers, however it is simpler and more reliable 
in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything 
KR about how the headers display when we forward them?




KR Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to [EMAIL
PROTECTED]

Thanks,

_M



Re: [sniffer] Spam keeps getting through...

2005-10-11 Thread Darin Cox
I believe Pete is moving to a POP account approach.  You would set up a POP
account for spam and another for false positives, and send them the login
info to it.  Then have your users forward messages to the POP accounts as
attachments (that's the hardest part, which is why we still have them sent
to us, to make sure the original headers are in it).

Darin.


- Original Message - 
From: Kevin Rogers [EMAIL PROTECTED]
To: sniffer@SortMonster.com
Sent: Tuesday, October 11, 2005 7:44 AM
Subject: Re: [sniffer] Spam keeps getting through...


Sorry - I was talking about false positives.  I assume we need to send
false positives to the false@ address.

Can my users send you these messages directly?
Or do they need to forward them to me first (as the registered user)?
And if they do need to forward false positives to me first, is it OK to
simply forward them on to you?
It says on your site to create a new email from scratch and send the
false positive email as an attachment.  Does that mean I should
right-click on the message, Save As... an .eml file, and then attach
that .eml file to the message I'm sending to you?
And is this true for spam as well - do they need to forward them to me
and then me to you?

Just making sure I'm doing this right.

Thanks


Pete McNeil wrote:

It is helpful to get the full headers, however it is simpler and more
reliable in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything
KR about how the headers display when we forward them?



KR Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to
[EMAIL PROTECTED]

Thanks,

_M

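As an added example (not part of any post in this thread, and not Message Sniffer's own tooling): one way to submit a sample as an attachment so that the original headers stay intact, with one sample per report, plus a check that catches an inline forward that dropped them. The addresses and the sample message are constructed placeholders; the real submission address is redacted on this page.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder addresses (assumptions): the real address is redacted on the page.
REPORT_TO = "spam-reports@example.invalid"
REPORT_FROM = "postmaster@example.invalid"
CHECKED = ("Received", "Message-ID", "From", "To", "Subject")

# Constructed sample standing in for the raw bytes of a saved .eml file.
SAMPLE_EML = (
    b"Received: from mx.example.invalid (unknown [192.0.2.10])\r\n"
    b"\tby mail.example.invalid with ESMTP id CONSTRUCTED1\r\n"
    b"Received: from relay.example.invalid ([198.51.100.7])\r\n"
    b"From: Offers <offers@example.invalid>\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"Message-ID: <constructed-1@example.invalid>\r\n"
    b"\r\n"
    b"Body of the constructed sample.\r\n"
)


def _new_report(original, kind):
    """Start a fresh report message; nothing is copied from the sample but its subject."""
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = REPORT_FROM
    report["To"] = REPORT_TO
    report["Subject"] = f"[{kind}] {original.get('Subject', '(no subject)')}"
    return report


def wrap_sample(raw_eml, kind="spam"):
    """Fresh message carrying the original as a message/rfc822 attachment."""
    original = message_from_bytes(raw_eml, policy=policy.SMTP)
    report = _new_report(original, kind)
    report.set_content("One sample attached as message/rfc822.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report


def wrap_samples(raw_samples, kind="spam"):
    """One report per sample, never a batch of attachments in one report."""
    return [wrap_sample(raw, kind) for raw in raw_samples]


def inline_forward(raw_eml, kind="spam"):
    """What a plain inline forward amounts to: body text only, headers gone."""
    original = message_from_bytes(raw_eml, policy=policy.SMTP)
    report = _new_report(original, kind)
    body = original.get_body(preferencelist=("plain",))
    report.set_content(body.get_content() if body else "")
    return report


def extract_original(report_bytes):
    """Return the attached original message, or None if there is none."""
    report = message_from_bytes(report_bytes, policy=policy.SMTP)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def headers_preserved(raw_eml, report_bytes):
    """True when every checked header survives, in order, inside the report."""
    original = message_from_bytes(raw_eml, policy=policy.SMTP)
    attached = extract_original(report_bytes)
    if attached is None:
        return False
    return all(
        [str(v) for v in original.get_all(h, [])]
        == [str(v) for v in attached.get_all(h, [])]
        for h in CHECKED
    )
```

Running `headers_preserved` on the serialized report before it leaves the mail server is a cheap way to reject user submissions that were forwarded inline.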


Re[2]: [sniffer] Spam keeps getting through...

2005-10-11 Thread Pete McNeil
I will answer this later in the thread.

_M

On Tuesday, October 11, 2005, 7:44:01 AM, Kevin wrote:

KR Sorry - I was talking about false positives.  I assume we need to send
KR false positives to the false@ address. 

KR Can my users send you these messages directly? 
KR Or do they need to forward them to me first (as the registered user)? 
KR And if they do need to forward false positives to me first, is it OK to
KR simply forward them on to you? 
KR It says on your site to create a new email from scratch and send the 
KR false positive email as an attachment.  Does that mean I should 
KR right-click on the message, Save As... an .eml file, and then attach 
KR that .eml file to the message I'm sending to you?
KR And is this true for spam as well - do they need to forward them to me
KR and then me to you?

KR Just making sure I'm doing this right.

KR Thanks


KR Pete McNeil wrote:

It is helpful to get the full headers, however it is simpler and more 
reliable in most cases to simply forward the message.

_M

On Tuesday, October 11, 2005, 4:46:48 AM, Kevin wrote:

KR Can we just forward them regularly or do we need to change anything 
KR about how the headers display when we forward them?



KR Pete McNeil wrote:

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to
[EMAIL PROTECTED]

Thanks,

_M



[sniffer] Spam keeps getting through...

2005-10-10 Thread Chuck Schick
Sniffer is not catching a wave of spam (drug offers) this has been going on
for over a week and I have been forwarding examples.  Is there anything that
can be done?

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com




Re: [sniffer] Spam keeps getting through...

2005-10-10 Thread Pete McNeil
On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

CS Sniffer is not catching a wave of spam (drug offers) this has been going on
CS for over a week and I have been forwarding examples.  Is there anything that
CS can be done?

I strongly suspect you are talking about the druglist spam and its variants.
We've been head to head with these folks since they started the campaign - that 
is, we make adjustments and then they adjust around them within a few hours. We 
are working on ways to close the gap, though there will always be some 
unavoidable delay.

Though this appears to be one campaign, there are several new domains every 
hour or so and several new variations on their obfuscation techniques nearly as 
often. We continue to add rules for all of these variations around the clock - 
including some predictive heuristics which are actually working for quite a bit 
of the traffic.

They have been building up to this for a while and we've been tracking their 
development process through previous versions of this campaign (across quite a 
few weeks now). When they launched the most recent burst, it had the highest 
zombie bandwidth we've seen (for this campaign) behind it and it included a 
blended approach of all of the obfuscation techniques they have used in the 
past including blended rowspan and br obfuscation using float-left style 
codes, multi-point injection obfuscation of key words and subjects, and a slew 
of interesting and clearly automated randomization mechanisms... plus a variety 
of innovative combinations not seen previously.

In short, they've got some serious resources behind this one.

The current ruleset appears to have the current variants in check. Please 
continue to send any samples that get through since it's always possible we 
haven't seen them all in our existing traps (we're not quite omniscient yet ;-)

Also, if you have any interesting observations please feel free to drop me a 
note at our support@ address and I will add it to our thinking.

Sorry for the leakage, we are working on it.

Thanks,

_M





Re: [sniffer] Spam keeps getting through...

2005-10-10 Thread Pete McNeil
On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

CS Sniffer is not catching a wave of spam (drug offers) this has been going on
CS for over a week and I have been forwarding examples.  Is there anything that
CS can be done?

Short additional follow up... Attached please find a graph of the trap arrival 
rates showing the current state of the front-end filters on our spamtraps...

According to this instrumentation and my recent observations of our trap 
processing queues we have a good rule-set for the druglist campaign at the 
moment. That rulebase may not be completely deployed to everyone yet, but it is 
constantly being pushed out.

The peaks on this graph today strongly coincide with bursts of new variants of 
the druglist campaign.

If you look closely you can just spot an uptick on the end indicating a new
variant beginning, though we have already coded for its basics.

The big spikes at approximately 20, 10, and 8 hours ago represent the most 
recent bursts with new variants... so we're about due for another round with 
them that some of you may already be seeing.

Hope this helps,

_M

getchart.jsp.png
Description: PNG image


Re: [sniffer] Spam keeps getting through...

2005-10-10 Thread Serge
just to make sure, can we now send several spams as attachments in one
email

and what address to use
I have 3 that got thru my own mailbox in less than 3 hours
they did not even get tagged, only failed sorbs and sorbs_dul


- Original Message - 
From: Pete McNeil [EMAIL PROTECTED]

To: Chuck Schick sniffer@SortMonster.com
Sent: Monday, October 10, 2005 11:08 PM
Subject: Re: [sniffer] Spam keeps getting through...



On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

CS Sniffer is not catching a wave of spam (drug offers) this has been going on
CS for over a week and I have been forwarding examples.  Is there anything that
CS can be done?

Short additional follow up... Attached please find a graph of the trap 
arrival rates showing the current state of the front-end filters on our 
spamtraps...


According to this instrumentation and my recent observations of our trap 
processing queues we have a good rule-set for the druglist campaign at 
the moment. That rulebase may not be completely deployed to everyone yet, 
but it is constantly being pushed out.


The peaks on this graph today strongly coincide with bursts of new 
variants of the druglist campaign.


If you look closely you can just spot an uptick on the end indicating a
new variant beginning, though we have already coded for its basics.


The big spikes at approximately 20, 10, and 8 hours ago represent the most 
recent bursts with new variants... so we're about due for another round 
with them that some of you may already be seeing.


Hope this helps,

_M 






Re[2]: [sniffer] Spam keeps getting through...

2005-10-10 Thread Pete McNeil
Spam should be sent one at a time... if you send them in groups then it is 
likely one or more will get removed by a new rule and the others will never be 
seen. Sending them one at a time also helps us to clarify details about the 
message and reduce any possible errors... our rule-techs are trained to skip 
anything they lose confidence in (including me!)... so if we have a batch of 
messages as attachments and it gets confusing, we skip ahead rather than 
creating errors.

Thanks,

_M

On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul


S - Original Message - 
S From: Pete McNeil [EMAIL PROTECTED]
S To: Chuck Schick sniffer@SortMonster.com
S Sent: Monday, October 10, 2005 11:08 PM
S Subject: Re: [sniffer] Spam keeps getting through...


 On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

 CS Sniffer is not catching a wave of spam (drug offers) this has been going on
 CS for over a week and I have been forwarding examples.  Is there anything that
 CS can be done?

 Short additional follow up... Attached please find a graph of the trap 
 arrival rates showing the current state of the front-end filters on our 
 spamtraps...

 According to this instrumentation and my recent observations of our trap 
 processing queues we have a good rule-set for the druglist campaign at 
 the moment. That rulebase may not be completely deployed to everyone yet, 
 but it is constantly being pushed out.

 The peaks on this graph today strongly coincide with bursts of new 
 variants of the druglist campaign.

 If you look closely you can just spot an uptick on the end indicating a
 new variant beginning, though we have already coded for its basics.

 The big spikes at approximately 20, 10, and 8 hours ago represent the most 
 recent bursts with new variants... so we're about due for another round 
 with them that some of you may already be seeing.

 Hope this helps,

 _M 





Re[2]: [sniffer] Spam keeps getting through...

2005-10-10 Thread Pete McNeil
On Monday, October 10, 2005, 7:55:51 PM, Serge wrote:

S just to make sure, can we now send several spams as attachments in one
S email
S and what address to use
S I have 3 that got thru my own mailbox in less than 3 hours
S they did not even get tagged, only failed sorbs and sorbs_dul

oops. missed a step.

Please send (redirect/forward) spam that gets through one at a time to [EMAIL 
PROTECTED]

Thanks,

_M




Re: [sniffer] Spam keeps getting through...

2005-10-10 Thread Steve Guluk


On Oct 10, 2005, at 3:56 PM, Pete McNeil wrote:

Though this appears to be one campaign, there are several new  
domains every hour or so and several new variations on their  
obfuscation techniques nearly as often. We continue to add rules  
for all of these variations around the clock - including some  
predictive heuristics which are actually working for quite a bit of  
the traffic.


Can't there be a rule written that matches the exact size of the  
included .gif?  I've seen these (if we're talking about the same  
ones) and the attached gif file is always the same.

Just an idea.


Regards,


Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769





