On the ones that I see get through (image spams), I usually see a Sniffer-triggered update within 60 minutes after that, and then that stops them.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood."
Ralph Waldo Emerson (1802-1882)

> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of
> Pete McNeil
> Sent: Tuesday, December 12, 2006 9:43 AM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Stock spam
>
> Hello Herb,
>
> Tuesday, December 12, 2006, 12:32:09 PM, you wrote:
>
> > We were seeing lots of unmarked pump and dump stock spam a week or so
> > ago but now almost none is getting thru. Sniffer is catching most of it
> > and some other declude and rbl tests are as well.
>
> It's interesting to see such mixed results posted. It makes me wonder
> what the differences are between the systems reporting high catch
> rates (which we also see, once a campaign has been analyzed) and low
> catch rates.
>
> Also -- are the poor catch rates reported on text based stock-push
> spams or image based?
>
> Text based stock-push leakage is not likely because we generally catch
> these very fast and there are a range of rules in place to capture new
> campaigns even before we've seen them - so if you have this kind of
> leakage and it persists then start looking for problems with your
> system (errors, rulebase updates working, etc...)
>
> Image based stock-push is a problem, as is all image spam, but we do
> generally get these handled pretty fast. If you haven't already -
> recognize that since about mid September the black hats have
> significantly shifted toward image spam, have increased their volumes
> by between 4x and 20x (depending on who you talk to), and have
> increased the rate at which new campaigns are launched by at least 5x.
>
> If you are seeing image spam leakage check your weighting system (if
> you have one) and be sure that SNF rule groups 60 and 61 are rated
> highly enough to hold a message on their own. Previously we had always
> advised that SNF plus at least one other test should be required to
> hold a message simply for philosophical reasons: no single test should
> hold a message in order to improve accuracy. Unfortunately the recent
> changes in blackhat behavior are such that SNF is often the only test
> to fire on image spams so it has become necessary to abandon that
> tactic in order to minimize leakage.
>
> Hope this helps,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
>
>
> #############################################################
> This message is sent to you because you are subscribed to
> the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to <[EMAIL PROTECTED]>