On 7/23/2010 9:19 PM, Matt wrote:
> I guess my point here is that they are both very high volume spammers, and they both randomize sufficiently so that blocking them requires blocking their domains and having the samples available, but putting in proactive rules will only last a short time. What Sniffer may need is a better source of this spam. Between the two, I believe I am getting about 15,000 each day.

Better sources are always good -- the sooner we see it the faster we can code solutions.

As it turns out, all of the samples provided had current rules in place based on our standard vectors... so we are capturing these. My guess is that you're right and the timing of these attacks is important.

That said, I was able to find some structural vectors for the first group -- I've set up some abstracts based on those vectors and I'm waiting to see what the capture rates will be... If this approach is successful we should be able to preemptively defeat some of the next few campaigns. Then I will apply the same types of mechanisms to the other groups and see if we can generate some internal methodologies to evolve structural abstracts for these as we see new variants, based on the successful models we've generated.

_M

--
President
MicroNeil Research Corporation
www.microneil.com
