On Tuesday, January 4, 2005, 6:13:24 PM, Matt wrote:

M> I've noted that dictionary attack type spam is generally of this
M> variety, and while you are probably blocking a great deal of this, the
M> sheer volume makes it look like you aren't doing that well against it.

M> I've also noted that the domains that they use are frequently changed,
M> thus escaping both SURBL and Sniffer for periods of time. I am under
M> the impression that these spammers have taken to using multiple domains
M> at once and segmenting the domains that they attack with them so that if
M> one domain gets listed in SURBL (or Sniffer for a select group), then it
M> won't affect their entire campaign. Some of these campaigns are so high
M> in volume that there is no way that the domains could otherwise escape
M> being listed for more than 15 minutes.

<snip/>

M> I believe that Pete's plans for incremental updates will help to address
M> such issues by making Sniffer even more real-time than it already is.

These are interesting comments... yeah - when one of these new campaigns gets started, if there is a hole you can get pounded by hundreds of messages before the hole is closed - making it seem like the dam has broken.

One thing we are doing about these campaigns is coding not only URI, but text segments, abstract patterns, and increasingly I've spent time creating compound message structure rules --- so that when they swap out text, images, URI and other variable components the message can still be captured. I know from my monitoring that I've made a dent in this stuff this way - but there is definitely a lot of it and more work needs to be done to find and respond w/ message structure rules.

As for near real-time incremental updates, that is planned, but it is definitely off in the future. Hopefully before mid-year though.

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
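The point of the exchange above, as an added illustration that is not from the list post and not Message Sniffer's own rule engine: a URI rule stops firing the moment the campaign rotates to a fresh domain, while a rule coded against the message's structure (MIME layout, a link wrapped around an image, the wording with hosts and numbers masked) keeps matching. The campaign template, the domains and the blocklist below are all constructed sample data.

```python
import re
from email import message_from_string

# Constructed sample data (not from the list post): one campaign template whose only
# variable part is the rotated domain, plus an unrelated message for contrast.
CAMPAIGN_TEMPLATE = """Subject: You have been selected
Content-Type: multipart/alternative; boundary="b"

--b
Content-Type: text/plain

Claim offer #4471 at http://{d}/go/4471
--b
Content-Type: text/html

<a href="http://{d}/go/4471"><img src="http://{d}/p.gif"></a>
--b--
"""
OTHER_MAIL = "Subject: minutes\nContent-Type: text/plain\n\nMeeting notes: http://intranet.example/notes\n"

def campaign_mail(domain: str) -> str:
    return CAMPAIGN_TEMPLATE.format(d=domain)

# Stand-in for a URI blocklist such as SURBL: only the domain already sighted is listed.
URI_BLOCKLIST = {"first-host.invalid"}
URI_RE = re.compile(r"https?://([^/\s\"'>]+)")

def leaf_parts(raw: str):
    return [p for p in message_from_string(raw).walk() if not p.is_multipart()]

def uri_hit(raw: str) -> bool:
    """URI rule: fires only while a domain in the message is on the blocklist."""
    hosts = {h.lower() for p in leaf_parts(raw) for h in URI_RE.findall(p.get_payload())}
    return bool(hosts & URI_BLOCKLIST)

def structure_signature(raw: str) -> tuple:
    """Compound structure rule: reduce the message to its shape (MIME layout, link
    wrapped around an image, wording with hosts and numbers masked) so that swapping
    the domain, offer number or image file does not change the match."""
    parts = leaf_parts(raw)
    layout = tuple(p.get_content_type() for p in parts)
    html = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")
    img_link = bool(re.search(r"<a [^>]*>\s*<img ", html))
    text = " ".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    masked = re.sub(r"\d+", "N", URI_RE.sub("http://HOST", text)).strip()
    return (layout, img_link, masked)

# Rule coded from the first sighting; later sightings on fresh domains still match it.
RULE = structure_signature(campaign_mail("first-host.invalid"))

def structure_hit(raw: str) -> bool:
    return structure_signature(raw) == RULE
```

Run on the second and third rotated domains, `uri_hit` returns False (the blocklist hole Matt describes) while `structure_hit` still returns True, and the unrelated message matches neither.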
