On 5/10/2010 2:15 PM, Michael Cummins wrote:
> Sniffer is doing its job well, but I am nearly overwhelmed by the load - to
> the point where I might have to turn sniffer off to reduce my processing
> footprint.  I've already commented out INVURIBL.
>
> My customers don't like lag at all.
>
> That being said, I wonder how I can better protect myself from botnets.  Do
> you think that if I parsed the sniffer / declude logs and harvested IPs that
> sent me X pieces of mail rating a ridiculous score of X and then added them
> to an internal RBL or blacklist would make a difference?

We do that in real-time with most eWall installations.
SNF hits are added to the black-list for 1 hour in some cases... works pretty well.

Also (new) Have you looked at truncate.gbudb.net ?
IPs consistently in truncate on GBUdb nodes across the 'Net (not just your system) are listed. (returns 127.0.0.2)

> Or are these botnets too varied and well managed for that to make a
> difference?

R&D shows that it works -- but must be done quickly to be effective.

Best,

_M

--

Chief Scientist
ARM Research Labs, LLC
www.armresearch.com


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>
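The log-harvesting blacklist asked about above, together with the short-lived (1 hour) listing and the truncate.gbudb.net lookup described in the reply, as an added example; it is not code from this thread, Message Sniffer, eWall or Declude. The log line format, the score threshold of 100 and the rule "three such hits inside ten minutes" are assumptions chosen for illustration, and the sample log is constructed; the one-hour TTL and the 127.0.0.2 answer code are the two facts taken from the reply.

```python
"""Harvest repeat high-scoring senders from mail-filter logs into a local
blacklist with a 1-hour TTL, and build the DNS query used to consult the
truncate.gbudb.net zone.

Added example; not code from Message Sniffer, eWall, Declude or this thread.
The log format, score threshold and hit rule below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed (constructed) log format: "<ISO timestamp> ip=<addr> score=<int>".
# Real Sniffer/Declude log lines differ; adapt parse_line() to your own output.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) score=(?P<score>-?\d+)$")

# Constructed sample: 203.0.113.7 fires three high scores in 15 seconds;
# 192.0.2.9 fires three too, but spread over ~50 minutes.
SAMPLE_LOG = """\
2010-05-10T14:00:01 ip=203.0.113.7 score=95
2010-05-10T14:00:05 ip=203.0.113.7 score=120
2010-05-10T14:00:09 ip=198.51.100.2 score=10
2010-05-10T14:00:12 ip=203.0.113.7 score=101
2010-05-10T14:00:20 ip=203.0.113.7 score=133
2010-05-10T14:30:00 ip=192.0.2.9 score=150
2010-05-10T15:10:00 ip=192.0.2.9 score=160
2010-05-10T15:20:00 ip=192.0.2.9 score=170
"""


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def parse_line(line):
    """Return (timestamp, ip, score) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], int(m["score"]))


class HarvestBlacklist:
    """List an IP once it has `hits` messages scoring >= `threshold` within
    `window`; the listing lapses `ttl` after the hit that caused it."""

    def __init__(self, threshold=100, hits=3,
                 window=timedelta(minutes=10), ttl=timedelta(hours=1)):
        self.threshold, self.hits, self.window, self.ttl = threshold, hits, window, ttl
        self._recent = defaultdict(deque)   # ip -> timestamps of recent high scores
        self._listed = {}                   # ip -> expiry time

    def observe(self, ts, ip, score):
        """Feed one log record; return True if this record got the IP listed."""
        if score < self.threshold:
            return False
        q = self._recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:      # drop hits older than the window
            q.popleft()
        if len(q) >= self.hits:
            self._listed[ip] = ts + self.ttl   # a fresh hit refreshes the TTL
            return True
        return False

    def is_listed(self, ip, now):
        expires = self._listed.get(ip)
        return expires is not None and _as_dt(now) < expires

    def listed(self, now):
        now = _as_dt(now)
        return sorted(ip for ip, exp in self._listed.items() if now < exp)

    def purge(self, now):
        """Forget expired listings and stale hit history (run periodically)."""
        now = _as_dt(now)
        self._listed = {ip: exp for ip, exp in self._listed.items() if now < exp}
        for ip in list(self._recent):
            if now - self._recent[ip][-1] > self.window:
                del self._recent[ip]


def harvest(log_text, **kw):
    """Replay a log into a HarvestBlacklist and return it."""
    bl = HarvestBlacklist(**kw)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            bl.observe(*rec)
    return bl


def dnsbl_query_name(ip, zone="truncate.gbudb.net"):
    """Standard DNSBL query form: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(answers):
    """truncate.gbudb.net answers 127.0.0.2 for a listed IP; no answer
    (NXDOMAIN) means not listed. Match the documented code exactly so an
    unexpected answer, e.g. a zone's error/abuse code, never blocks mail."""
    return "127.0.0.2" in answers


if __name__ == "__main__":
    bl = harvest(SAMPLE_LOG)
    print("listed at 14:30:", bl.listed("2010-05-10T14:30:00"))
    print("query:", dnsbl_query_name("203.0.113.7"))
```

The sliding window is what makes "must be done quickly" concrete: the IP that bursts three high scores in fifteen seconds is listed for an hour, while the one that trickles the same three scores over fifty minutes never is, and once the hour passes the listing lapses on its own so a compromised host that was cleaned is not blocked forever. The DNSBL helpers only build the query name and interpret the answer; resolving it against truncate.gbudb.net is left to your resolver.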
