Chuck,
The issue is not that Sniffer is lapsing, but that the spammers are
getting much better at what they do. When a spammer uses Geocities
links, hijacks real accounts on major providers to send spam through,
and changes their techniques every few hours, it makes it difficult for
Sniffer to proactively block them, and the delay between rulebase
updates means a delay in catching things that have been tagged. These
drug spams have also rendered tools like URIBL useless, and most here
can only rely on blacklists, but the volume is high enough, and the IPs
are clean enough that some still get through. Sniffer mostly relies on
pseudo-URIBL functionality, but it can detect such things given that
rules have been written.
The spammers are definitely exploiting many weaknesses, and it's a very
difficult issue. Personally I was only able to catch these by
programming a whole application that parses messages and analyzes
patterns, and I still have to add new patterns for this stuff as it
morphs. Pete would call what I do a neural-net, or process that works
on multiple levels to create a pattern. Sniffer wasn't designed to
operate like this, and that worked great for the most part until spam
blockers raised the bar high enough that the spammers have improved
their techniques. I don't expect it to get any better; in fact I
expect that spammers will start hacking AUTH to send through legitimate
servers and exploiting things like free hosting sites in much greater
numbers than they are now. When Sniffer goes real-time, it will allow
it to keep up with the spammers, but for the moment, some of these guys
are leading the way.
Matt
Chuck Schick wrote:
Pete:
Thanks. I am just frustrated by the continued spam growth.
Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Friday, October 14, 2005 9:08 AM
To: Chuck Schick
Subject: Re: [sniffer] Large amounts of spam still getting through
On Friday, October 14, 2005, 10:59:05 AM, Chuck wrote:
CS> We are seeing a lot of the drug spam getting through. Any way that
CS> sniffer could start catching these? And yes I am forwarding them
CS> all.
There are a number of new campaigns launched today with some heavy bandwidth
behind them. We have rules in place for most (if not all) of the new stuff,
however there is a delay before these rules might get to you - during that
window some of these will get through.
Over the past few months we have increased the rate at which we send out
updates - nearly cutting the time in half. Updates are now sent every 180
minutes or so. We are also working on the next version which will allow for
nearly instantaneous updates.
In the meantime we will continue to work on speeding things up as much as
we can.
Hope this helps,
_M
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html