Hello greg, Wednesday, July 18, 2007, 3:38:44 PM, you wrote:
> Not sure what is up but I'm seeing lots of messages getting through
> to my primary folder since yesterday. Lots of .pdf
> attachments - Just checked and 10/11 were spam messages in my inbox.

There have been several mutations of the pdf spam in the past 15 hours especially. One of the earlier variations took some time to figure out because the blackhats began inserting extra invisible characters into the message that confuse text editors and pattern matching engines -- we have since created rules that compensate (as of about 0230E).

Moments ago we saw a new version that we were able to predict just before it went live -- for a period just longer than 2 hours we saw 4x our normal traffic (all blocked) as new bots were launched to emit the new version.

At the moment we seem to have the current versions of pdf spam under control and telemetry indicates that these rules are fully deployed as of this time.

Please understand, however, this is an ongoing process. We will no doubt see more variations that bypass all/most filters for some period of time -- that is, after all, the goal of the blackhats.

The ones behind the pdf spam are perhaps the most well funded, dedicated, and sophisticated of the bunch. There is no doubt that they test each version against most filtering systems before publishing them to their bot nets with a heavy emphasis on new bots that are not yet known to blocking lists. This strategy virtually guarantees that a useful fraction of their content will get through before it becomes blocked.

We will continue to develop predictive rule sets and rapid-response mechanisms to thwart these efforts wherever possible and to minimize the leakage in any case.

Thanks for your patience and understanding!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
