Re[2]: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Pete McNeil
On Tuesday, January 17, 2006, 8:45:45 AM, Matt wrote:

M> Pete,

M> I reviewed my Hold range going back to Monday morning and I wasn't able
M> to find anything out of the ordinary.  I also searched my logs from my
M> URIBL tool that queries SURBL among other things, and I wasn't able to
M> find any hits for those domains that you pointed out.  I guess that I 
M> wasn't affected.

That's good. It was very short-lived on our system... only this
morning it appears - and we were there (on that minute) to see it. I wasn't
sure at the time how bad the problem was, and with things like
.earthlink.net and .w3.org being tagged it looked serious - better
safe than sorry.

M> As far as promoting such domains to Sniffer through automated means 
M> goes, I believe that this helps substantiate the need for adding extra
M> qualifications.  For instance, the chances of a 2 letter dot-com domain
M> being a legitimately taggable spam domain are almost zero.  To a lesser
M> extent the same is true as you add on more characters.  Also, it would
M> be very helpful for such situations and false positives in general if 
M> you were to track long-standing domains that appear in ham and don't add
M> these automatically by cross checking these blacklists.  There are many
M> different ways to accomplish this.  I have found over time that foreign
M> free E-mail services can get picked up by Sniffer, and because these 
M> services are frequently forged and legitimate traffic is low enough that
M> people don't often either notice/report false positives, that these 
M> rules stay high in strength and live a very long time.  You can in fact
M> prevent this from happening to a large extent with further validation.
M> SURBL is subject to false positives on such things, but they expire such
M> rules using different techniques that prevent them from being long-term
M> issues, but these cross-checked false positives can have a life of their
M> own on Sniffer sometimes.

We have very few foreign customers - that is changing - but in the
meantime that sets up a couple of dynamics. 1 - nobody reports it as
a false positive because there are very few (if any) people in our
system that use the service, 2 - most of the messages coming from
those services to our US customers are, in fact, spam sent by abusing
those networks. In these cases, until someone reports a false positive
against one of these rules we really don't have any practical way of
tipping the balance. We can't be personally familiar with every system
everywhere so often we must go with the evidence we have, and in these
cases that is most frequently a lot of spam and no other indications.

With regard to tracking long-standing "good" domains, we're working on
mechanisms in v3 that gather statistics on "friendly" message features
so that we can be alerted any time something like this comes through.
Real-time "feature" reputation mechanisms will help to steer more
accurate and more aggressive automated tools that we can leverage to
capture more spam/malware very quickly and to prevent creating rules
that appear "friendly" without more aggressive research.

As for promoting domains or other message features by automatic means,
the criteria are always under review, we generally manually review the
same messages after the bots (this is how we noticed w3.org, declude,
earthlink, et al...) and the criteria are pretty strong.

For example, not only must a message be presented to us through a
harvested address (in most cases) but after that it must hit more than
one black list - and then if the bot finds something useful and it
also matches SURBL then it will be added...

All that by way of saying: though the rule might reference SURBL in
its name, that's really more for research purposes than anything
else. It was definitely much harder for the rule to get into our
system than that-- The only way these rules get in there is by
satisfying a battery of constraints.

Any bad rule that lasts any time in our system is there because it
wasn't reported which generally means there were no meaningful false
positives out there -- especially if the rule strength is high...

http://www.sortmonster.com/MessageSniffer/Performance/RuleStrengths.jsp

Above 2.0 there are 100s of messages per day being tagged by a rule as
measured by only about 150 systems that send in logs. Each one of
those is an opportunity to trigger a false positive report. It seems
unlikely (theoretically) that this could go on for very long without
somebody noticing and reporting a false positive. Still, at this level
a rule must have been sourced through a harvested address (clean
spamtrap) in order to survive in the core after an FP report.

That said, once an FP report arrives on such a rule if it is anywhere
near the "gray area" I research it pretty thoroughly before making the
local/global adjustment decision. (Recall that even if we keep the
rule in the core, every system is able to block a rule or mitigate it
with white rules).

Re[2]: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Pete McNeil
On Tuesday, January 17, 2006, 8:10:44 AM, Darrell wrote:

Dsic> Pete,

Dsic> I just checked real quick hitting several DNS servers (mine and others) and
Dsic> I am not seeing this - are you still seeing this now?


Nope... it was short lived.

_M



This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html


Re: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Matt

Pete,

I reviewed my Hold range going back to Monday morning and I wasn't able 
to find anything out of the ordinary.  I also searched my logs from my 
URIBL tool that queries SURBL among other things, and I wasn't able to 
find any hits for those domains that you pointed out.  I guess that I 
wasn't affected.


As far as promoting such domains to Sniffer through automated means 
goes, I believe that this helps substantiate the need for adding extra 
qualifications.  For instance, the chances of a 2 letter dot-com domain 
being a legitimately taggable spam domain are almost zero.  To a lesser 
extent the same is true as you add on more characters.  Also, it would 
be very helpful for such situations and false positives in general if 
you were to track long-standing domains that appear in ham and don't add 
these automatically by cross checking these blacklists.  There are many 
different ways to accomplish this.  I have found over time that foreign 
free E-mail services can get picked up by Sniffer, and because these 
services are frequently forged and legitimate traffic is low enough that 
people don't often either notice/report false positives, that these 
rules stay high in strength and live a very long time.  You can in fact 
prevent this from happening to a large extent with further validation.  
SURBL is subject to false positives on such things, but they expire such 
rules using different techniques that prevent them from being long-term 
issues, but these cross-checked false positives can have a life of their 
own on Sniffer sometimes.


Thanks,

Matt



Pete McNeil wrote:


On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:

M> Pete,

M> w3.org would be a huge problem because Outlook will insert this in the
M> XML headers of any HTML generated E-mail.

M> If you could give us an idea of when this started and possibly ended, 
M> that would help in the process of review.


Indications are that the rule was in our system for only a couple of
hours this morning before we caught what was going on. Many folks
won't have ever seen the rule... though it may still be in surbl.

In fact, all of these rules that we know of followed very much the
same profile. Two of us were working in the rulebase at the time due
to heavy outscatter from a fake ph.d campaign and several new variants
of chatty_watches, chatty_drugs, and druglist.

We're continuing to look for any rules that might have entered our
system this way and we haven't found any new ones since about the time
I wrote my first post on it.

I'm about to run through false positives to see what might have been
reported and remove those.

Hope this helps,

_M





Re[2]: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Pete McNeil
On Tuesday, January 17, 2006, 7:21:11 AM, Matt wrote:

M> Pete,

M> w3.org would be a huge problem because Outlook will insert this in the
M> XML headers of any HTML generated E-mail.

M> If you could give us an idea of when this started and possibly ended, 
M> that would help in the process of review.

Indications are that the rule was in our system for only a couple of
hours this morning before we caught what was going on. Many folks
won't have ever seen the rule... though it may still be in surbl.

In fact, all of these rules that we know of followed very much the
same profile. Two of us were working in the rulebase at the time due
to heavy outscatter from a fake ph.d campaign and several new variants
of chatty_watches, chatty_drugs, and druglist.

We're continuing to look for any rules that might have entered our
system this way and we haven't found any new ones since about the time
I wrote my first post on it.

I'm about to run through false positives to see what might have been
reported and remove those.

Hope this helps,

_M





Re: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Darrell (supp...@invariantsystems.com)

Pete,

I just checked real quick hitting several DNS servers (mine and others) and 
I am not seeing this - are you still seeing this now?


C:\>nslookup 2.0.0.127.multi.surbl.org
Server:  nscache5.bflony.adelphia.net
Address:  68.168.224.180

Non-authoritative answer:
Name:    2.0.0.127.multi.surbl.org
Address:  127.0.0.126


C:\>nslookup declude.com.multi.surbl.org
Server:  nscache5.bflony.adelphia.net
Address:  68.168.224.180

*** nscache5.bflony.adelphia.net can't find declude.com.multi.surbl.org: Non-existent domain


C:\>nslookup w3.org.multi.surbl.org
Server:  nscache5.bflony.adelphia.net
Address:  68.168.224.180

*** nscache5.bflony.adelphia.net can't find w3.org.multi.surbl.org: Non-existent domain



Darrell

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.


- Original Message - 
From: "Matt" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, January 17, 2006 7:21 AM
Subject: Re: [sniffer] Watch out... SURBL & SORBS full of large ISPs and 
Antispam providers.




Pete,

w3.org would be a huge problem because Outlook will insert this in the XML 
headers of any HTML generated E-mail.


If you could give us an idea of when this started and possibly ended, that 
would help in the process of review.


Thanks,

Matt



Pete McNeil wrote:


Hello Sniffer Folks,

 Watch out for false positives. This morning along with the current
 spam storm we discovered that SURBL and SORBS are listing a large
 number of ISP domains and anti-spam service/software providers.

 As a result, many of these were tagged by our bots due to spam
 arriving at our system with those domains and IPs. Most IPs and
 domains for these services are coded with "nokens" in our system to
 prevent this kind of thing, but a few slipped through.

 We are aggressively hunting any more that might have arrived.

 You may want to temporarily reduce the weight of the experimental IP
 and experimental ad-hoc rule groups until we have identified and
 removed the bad rules we don't know about yet.

 Please also do your best to report any false positives that you do
 identify so that we can remove any bad rules. I don't expect that
 there will be too many, but I do want to clear them out quickly if
 they are there.

 Please also, if you haven't already, review the false positive
 procedures: 
http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html


 Pay special attention to the rule-panic procedure and feature in
 case you are one of the services hit by these bad entries.

 An example of some that we've found in SURBL for example are
 declude.com, usinternet.com, and w3.org

 It's not clear yet how large the problem is, but I'm sure it will be
 resolved soon.

 Hope this helps,

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)



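Darrell's nslookup checks above are the manual form of what a URIBL plugin does: query `<domain>.multi.surbl.org` (or the reversed IP, as with the 2.0.0.127 test entry) and read the answer. The script below is an added example, not code from this thread, from Message Sniffer or from SURBL. It pulls hostnames out of a message body, reduces them to the domain a URIBL would list, applies the two extra qualifications discussed in the thread before a hit may count (a local "noken" list that includes w3.org, since Outlook writes that URL into every HTML message, and Matt's rule that a two-letter .com is almost never a taggable spam domain), decodes the 127.0.0.x bitmask, and reports per domain. The bit-to-list table is my recollection of the 2006 SURBL assignments (the 127.0.0.126 test answer is consistent with it) and is an assumption; the noken list, the registrable-domain shortcut, the sample body and the stub resolver are constructed for the example.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

SURBL_ZONE = "multi.surbl.org"

# Bit values SURBL encoded in the last octet of its 127.0.0.x answers around
# 2006. Assumption from memory, not from the thread; the test entry 2.0.0.127
# answering 127.0.0.126 = 2+4+8+16+32+64 is consistent with it. SURBL has
# changed its lists and bits since, so check its current documentation.
SURBL_BITS_2006 = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Locally protected ("noken") domains: never promote these to a block rule,
# whatever a URIBL says. w3.org is here because Outlook puts it into the markup
# of every HTML message it generates. Illustrative list.
LOCAL_NOKENS = {"w3.org", "microsoft.com", "declude.com", "usinternet.com",
                "earthlink.net"}

# Second-level labels under which the registrable domain has three labels
# (example.co.uk). Simplification; real code should use the Public Suffix List.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}

URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the label pair (or triple) a URIBL lists."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skip_reason(domain: str) -> Optional[str]:
    """Extra qualification before a URIBL hit may become a rule; None = query it."""
    if domain in LOCAL_NOKENS:
        return "noken"
    labels = domain.split(".")
    # A two-letter .com/.net/.org is almost never a taggable spam domain;
    # a URIBL hit alone must not promote it.
    if labels[-1] in ("com", "net", "org") and len(labels[-2]) < 3:
        return "short-label"
    return None


def surbl_query_name(item: str) -> str:
    """Domains are queried as-is; a literal IPv4 address is reversed."""
    parts = item.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        parts.reverse()
    return ".".join(parts) + "." + SURBL_ZONE


def decode_surbl(answer: Optional[str]) -> List[str]:
    """Map a 127.0.0.x answer to list names; [] means not listed (NXDOMAIN)."""
    if answer is None or not answer.startswith("127.0.0."):
        return []
    bits = int(answer.rsplit(".", 1)[1])
    names = [name for bit, name in sorted(SURBL_BITS_2006.items()) if bits & bit]
    unknown = bits & ~sum(SURBL_BITS_2006)
    if unknown:
        names.append("unknown-bits:%d" % unknown)
    return names


def live_resolve(name: str) -> Optional[str]:
    """Real lookup through the system resolver; NXDOMAIN comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_message(body: str,
                  resolve: Callable[[str], Optional[str]] = live_resolve) -> Dict[str, object]:
    """Return {registrable domain: SURBL list names, or 'skipped:<reason>'}."""
    results: Dict[str, object] = {}
    for host in URL_RE.findall(body):
        domain = registrable_domain(host)
        if domain in results:
            continue
        reason = skip_reason(domain)
        if reason:
            results[domain] = "skipped:" + reason
        else:
            results[domain] = decode_surbl(resolve(surbl_query_name(domain)))
    return results


# Constructed sample: Outlook-style HTML body carrying the w3.org namespace URL,
# one spammy link, one two-letter .com and one three-label ccTLD host.
SAMPLE_BODY = """<html xmlns:o="urn:schemas-microsoft-com:office:office"
 xmlns="http://www.w3.org/TR/REC-html40">
<body><p>Cheap watches: <a href="http://cheap-watches.example/buy">here</a>
and <a href="http://www.ab.com/">ab</a>, sent via https://mail.example.co.uk/</p>
</body></html>"""

# Constructed stub resolver standing in for multi.surbl.org during the incident
# the thread describes: w3.org wrongly listed, the spam domain in two lists,
# everything else NXDOMAIN.
STUB_ANSWERS = {
    "2.0.0.127." + SURBL_ZONE: "127.0.0.126",
    "w3.org." + SURBL_ZONE: "127.0.0.2",
    "cheap-watches.example." + SURBL_ZONE: "127.0.0.6",
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    print(decode_surbl(stub_resolve(surbl_query_name("127.0.0.2"))))
    for domain, verdict in check_message(SAMPLE_BODY, stub_resolve).items():
        print(domain, verdict)
```

Run as-is it uses the stub and shows w3.org skipped as a noken even though the stub lists it, which is the protection the thread is asking for; pass `live_resolve` to `check_message` to query the real zone, and query `127.0.0.2` first to confirm the resolver path works before trusting any NXDOMAIN answers.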

Re: [sniffer] Watch out... SURBL & SORBS full of large ISPs and Antispam providers.

2006-01-17 Thread Matt

Pete,

w3.org would be a huge problem because Outlook will insert this in the 
XML headers of any HTML generated E-mail.


If you could give us an idea of when this started and possibly ended, 
that would help in the process of review.


Thanks,

Matt



Pete McNeil wrote:


Hello Sniffer Folks,

 Watch out for false positives. This morning along with the current
 spam storm we discovered that SURBL and SORBS are listing a large
 number of ISP domains and anti-spam service/software providers.

 As a result, many of these were tagged by our bots due to spam
 arriving at our system with those domains and IPs. Most IPs and
 domains for these services are coded with "nokens" in our system to
 prevent this kind of thing, but a few slipped through.

 We are aggressively hunting any more that might have arrived.

 You may want to temporarily reduce the weight of the experimental IP
 and experimental ad-hoc rule groups until we have identified and
 removed the bad rules we don't know about yet.

 Please also do your best to report any false positives that you do
 identify so that we can remove any bad rules. I don't expect that
 there will be too many, but I do want to clear them out quickly if
 they are there.

 Please also, if you haven't already, review the false positive
 procedures: 
http://www.sortmonster.com/MessageSniffer/Help/FalsePositivesHelp.html

 Pay special attention to the rule-panic procedure and feature in
 case you are one of the services hit by these bad entries.

 An example of some that we've found in SURBL for example are
 declude.com, usinternet.com, and w3.org

 It's not clear yet how large the problem is, but I'm sure it will be
 resolved soon.

 Hope this helps,

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

