[sniffer] Re: Volume spike Mon 9AM EST
I'm seeing it, too.

Darin.

----- Original Message -----
From: Peer-to-Peer (Support) suppor...@peertopeer.net
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 9:21 AM
Subject: [sniffer] Volume spike Mon 9AM EST

> Just checking to see if anyone else is seeing a massive spike in volume.
> Something started occurring around 9AM EST. Not yet sure what's happening.
> Wondering if this is a global attack or simply local on our system?
> Anyone seeing unusual activity - high volume?
>
> --Paul R.

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: Volume spike Mon 9AM EST
I am getting a lot of complaints from my customers concerning the huge spikes too.

DustyC

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Darin Cox
Sent: Monday, May 10, 2010 9:51 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Volume spike Mon 9AM EST

> I'm seeing it, too.
>
> Darin.
>
> ----- Original Message -----
> From: Peer-to-Peer (Support) suppor...@peertopeer.net
> To: Message Sniffer Community sniffer@sortmonster.com
> Sent: Monday, May 10, 2010 9:21 AM
> Subject: [sniffer] Volume spike Mon 9AM EST
>
> Just checking to see if anyone else is seeing a massive spike in volume.
> Something started occurring around 9AM EST. Not yet sure what's happening.
> Wondering if this is a global attack or simply local on our system?
> Anyone seeing unusual activity - high volume?
>
> --Paul R.
[sniffer] Re: Volume spike Mon 9AM EST
On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:
> I am getting a lot of complaints from my customers concerning the huge spikes too.

Do you mean huge spikes in leakage? Hope not-- because we're not seeing that in our instrumentation. If anything is leaking please be sure to get it to us so we can filter it.

We did see a few short spikes for new campaigns that have a lot of bandwidth behind them, but those are well captured now and were captured very quickly.

We would love to get our eyes on anything new that we're not already seeing.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
I'm not seeing any spike in inbound connections or accepted message counts. Actually, it's lower than Friday's volume and about the same as Thursday.

Andrew.

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support)
Sent: Monday, May 10, 2010 6:21 AM
To: Message Sniffer Community
Subject: [sniffer] Volume spike Mon 9AM EST

> Just checking to see if anyone else is seeing a massive spike in volume.
> Something started occurring around 9AM EST. Not yet sure what's happening.
> Wondering if this is a global attack or simply local on our system?
> Anyone seeing unusual activity - high volume?
>
> --Paul R.
[sniffer] Re: Volume spike Mon 9AM EST
That is the case here as well. I should have clarified that in my earlier post. Sniffer is doing its job. Unfortunately I am running through two levels of spam filtering systems and a ton is getting through still.

DustyC

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support)
Sent: Monday, May 10, 2010 11:12 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Volume spike Mon 9AM EST

> Just for clarification: Sniffer is working extremely well. No issues there.
> We're simply seeing a high volume of incoming connections / messages (from botNets)
> and wanted to verify that we weren't alone. :)
>
> --Paul R.
>
> -----Original Message-----
> From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Peer-to-Peer (Support)
> Sent: Monday, May 10, 2010 9:21 AM
> To: Message Sniffer Community
> Subject: [sniffer] Volume spike Mon 9AM EST
>
> Just checking to see if anyone else is seeing a massive spike in volume.
> Something started occurring around 9AM EST. Not yet sure what's happening.
> Wondering if this is a global attack or simply local on our system?
> Anyone seeing unusual activity - high volume?
>
> --Paul R.
[sniffer] Re: Volume spike Mon 9AM EST
Hi Pete,

No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am.

Darin.

----- Original Message -----
From: Pete McNeil madscient...@armresearch.com
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Monday, May 10, 2010 11:46 AM
Subject: [sniffer] Re: Volume spike Mon 9AM EST

> On 5/10/2010 11:12 AM, NetEase Operations Manager wrote:
> > I am getting a lot of complaints from my customers concerning the huge spikes too.
>
> Do you mean huge spikes in leakage? Hope not-- because we're not seeing that in our instrumentation. If anything is leaking please be sure to get it to us so we can filter it.
>
> We did see a few short spikes for new campaigns that have a lot of bandwidth behind them, but those are well captured now and were captured very quickly.
>
> We would love to get our eyes on anything new that we're not already seeing.
>
> _M
>
> --
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
On 5/10/2010 12:23 PM, Darin Cox wrote:
> Hi Pete,
>
> No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am.

I checked on telemetry and found a mixed bag -- some systems were up quite a bit-- others were nominal.

We have seen a few new storms come through too... but other than that a reasonably normal Monday.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
Sniffer is doing its job well, but I am nearly overwhelmed by the load - to the point where I might have to turn sniffer off to reduce my processing footprint. I've already commented out INVURIBL. My customers don't like lag at all.

That being said, I wonder how I can better protect myself from botnets.

Do you think that if I parsed the sniffer / declude logs and harvested IPs that sent me X pieces of mail rating a ridiculous score of X and then added them to an internal RBL or blacklist would make a difference? Or are these botnets too varied and well managed for that to make a difference?

Looking in my SmarterMail connects and blocks, I see that it is fairly proficient at not getting caught by my e-mail harvesting block settings.

Hmmm.

--
Michael Cummins

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, May 10, 2010 1:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Volume spike Mon 9AM EST

> On 5/10/2010 12:23 PM, Darin Cox wrote:
> > Hi Pete,
> >
> > No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am.
>
> I checked on telemetry and found a mixed bag -- some systems were up quite a bit-- others were nominal.
>
> We have seen a few new storms come through too... but other than that a reasonably normal Monday.
>
> _M
>
> --
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
On 5/10/2010 2:15 PM, Michael Cummins wrote:
> Sniffer is doing its job well, but I am nearly overwhelmed by the load - to the point where I might have to turn sniffer off to reduce my processing footprint. I've already commented out INVURIBL. My customers don't like lag at all.
>
> That being said, I wonder how I can better protect myself from botnets.
>
> Do you think that if I parsed the sniffer / declude logs and harvested IPs that sent me X pieces of mail rating a ridiculous score of X and then added them to an internal RBL or blacklist would make a difference?

We do that in real-time with most eWall installations. SNF hits are added to the black-list for 1 hour in some cases... works pretty well.

Also (new): Have you looked at truncate.gbudb.net? IPs consistently in truncate on GBUdb nodes across the 'Net (not just your system) are listed. (returns 127.0.0.2)

> Or are these botnets too varied and well managed for that to make a difference?

RD shows that it works -- but must be done quickly to be effective.

Best,

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
Is there a way we could get a SNIFFER feature like that implemented as an internal DECLUDE test? Barring that, perhaps get it to write a text file of current IPs to block?

--
Michael Cummins

-----Original Message-----
From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, May 10, 2010 1:15 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Volume spike Mon 9AM EST

> On 5/10/2010 12:23 PM, Darin Cox wrote:
> > Hi Pete,
> >
> > No. Not leakage. Sniffer et al are doing their job well. Just a large spike in incoming spam volume. It settled down for us by about 11am.
>
> I checked on telemetry and found a mixed bag -- some systems were up quite a bit-- others were nominal.
>
> We have seen a few new storms come through too... but other than that a reasonably normal Monday.
>
> _M
>
> --
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
On 5/10/2010 2:37 PM, Michael Cummins wrote:
> Is there a way we could get a SNIFFER feature like that implemented as an internal DECLUDE test?

SNFIPREP and SNFIP tests give you some direct access to GBUdb -- of course at that point you've already accepted the message for scanning even if you decide not to do anything else with it.

> Barring that, perhaps get it to write a text file of current IPs to block?

I have been thinking about a feature to produce some zone files (or IP lists) from SNF data but haven't settled on the feature set... and also haven't had any other call for it so it's been low on the dev list.

Are there many folks on the list who would/could use an IP list generating function in the SNF engine? If so what might that look like -- that is, how would you like to tune it and what special features might it have to be most useful?

truncate.gbudb.net is available now and has the advantage of seeing IPs that your system may not have yet encountered.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
[sniffer] Re: Volume spike Mon 9AM EST
> Are there many folks on the list who would/could use an IP list generating function in the SNF engine? If so what might that look like -- that is, how would you like to tune it and what special features might it have to be most useful?

If you do generate it, I'd be happy to sync up with you so you can have a copy of all my ugly IPs.

Is there a way we could implement it in a SmarterMail / Declude config that would reduce processing footprint? Would using the file as a simple IP blacklist.txt in Declude prevent other checks?

Do David and Linda read this list as well?

--
Michael Cummins
[sniffer] Re: Volume spike Mon 9AM EST
On 5/10/2010 3:04 PM, Michael Cummins wrote:
> > Are there many folks on the list who would/could use an IP list generating function in the SNF engine? If so what might that look like -- that is, how would you like to tune it and what special features might it have to be most useful?
>
> If you do generate it, I'd be happy to sync up with you so you can have a copy of all my ugly IPs.

GBUdb data is already shared between SNF nodes. GBUdb is a collaborative IP reputation system.

> Is there a way we could implement it in a SmarterMail / Declude config that would reduce processing footprint?

SNF already uses GBUdb to eliminate content scanning when the IP reputation is in the truncate range. If it is not in the truncate range there is a possibility that there would be false positives.

The easiest way to reduce processing loads is to reject connections based on truncate.gbudb.net.

I suppose it is also possible to skip other tests in Declude based on weights generated by SNFIP and/or SNFIPREP.

> Would using the file as a simple IP blacklist.txt in Declude prevent other checks?

I don't know.

> Do David and Linda read this list as well?

I don't think so.

_M

--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
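The cheapest point to act, as the reply above says, is before the message is accepted: check the connecting IP against a local block list and against the shared truncate.gbudb.net zone, and only let the rest through to content scanning. The following added example shows that connection-time gate; it is not code from the thread, from Message Sniffer or from GBUdb. The zone name and the 127.0.0.2 listing answer are the ones given in the thread; the query-name construction (reversed IPv4 octets prepended to the zone) is the usual DNSBL convention; the answer table is constructed so the example runs offline, and `system_resolver` shows how the same function would be wired to the OS resolver in a real deployment.

```python
"""Connection-time gate: local block list first, then the shared
truncate.gbudb.net DNSBL, then fall through to content scanning
(added example; resolver answers are constructed, nothing is queried)."""
import ipaddress
import socket

TRUNCATE_ZONE = "truncate.gbudb.net"
TRUNCATE_LISTED = "127.0.0.2"  # listing answer named in the thread

# Addresses that must never be sent to a public list: loopback, link-local,
# RFC 1918 space (internal relays, monitoring hosts, NAT'd clients).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def dnsbl_query_name(ip, zone=TRUNCATE_ZONE):
    """Build the reversed-octet DNSBL name, e.g. 7.100.51.198.truncate.gbudb.net.
    Raises ValueError for non-IPv4 or internal peers so they skip the lookup."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    if any(addr in net for net in INTERNAL_NETS):
        raise ValueError("internal address")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Real resolver: OS lookup; None (NXDOMAIN) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answer table standing in for live DNS responses (not real data).
CONSTRUCTED_ANSWERS = {
    "7.100.51.198." + TRUNCATE_ZONE: TRUNCATE_LISTED,  # listed
    "9.113.0.203." + TRUNCATE_ZONE: None,               # not listed
}


def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name)


def connection_policy(ip, local_blacklist=frozenset(), resolver=constructed_resolver):
    """Return 'reject' or 'scan' for a connecting IP.

    Order matters: the in-memory list is free, the DNS lookup costs a round
    trip, and content scanning costs the most.  Any lookup failure falls
    through to 'scan' (fail open) so a DNS outage costs CPU, not mail."""
    if ip in local_blacklist:
        return "reject"
    try:
        name = dnsbl_query_name(ip)
    except ValueError:
        return "scan"  # internal or non-IPv4 peer: let the content filters decide
    try:
        answer = resolver(name)
    except OSError:
        return "scan"
    # Only the documented listing code counts; an unexpected answer is not
    # treated as a listing, which guards against a wildcarded or dead zone.
    if answer == TRUNCATE_LISTED:
        return "reject"
    return "scan"


if __name__ == "__main__":
    local = {"192.0.2.33"}  # e.g. the list harvested from your own logs
    for peer in ("198.51.100.7", "203.0.113.9", "192.0.2.33", "10.0.0.5"):
        print(peer, "->", connection_policy(peer, local))
```

Plugging this into an MTA means calling `connection_policy` from its connection or pre-DATA hook with `resolver=system_resolver`; the exact hook depends on the mail server. The separate `reject`/`scan` outcome is deliberate: anything not in the truncate range still goes through SNF and the other tests, which is the false-positive boundary the reply above draws.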