If you have been seeing huge amounts of spam, slow message response, or your 
mail server struggling to keep up, here is probably the explanation. 
Yesterday I showed about a 50% jump in email traffic.

--------------------------------------------------
From: "Pete McNeil" <[EMAIL PROTECTED]>
Sent: Thursday, August 28, 2008 4:13 AM
To: "Message Sniffer Community" <[EMAIL PROTECTED]>
Subject: [sniffer] Stampede - amazing!

| Hello Sniffer Folks,
|
| I had been wondering why the blackhats had been pushing so hard for
| new bots these last few weeks.
|
| Then the other day I saw something very strange in the SNF telemetry.
| A storm came in that seemed to stop all other traffic. For more than
| an hour I really thought something was broken -- but I wasn't sure I'd
| really seen it.
|
| Just a short time ago our SortMonster on duty (Mitchell "Skull")
| called all-hands for a new spam storm. This was another of the new
| penis spams.
|
| We coded the rules quickly and as they went out I saw it again:
|
| T rates fell to zero on many systems and close to that on all of the
| others. This means that virtually all of the IPs were brand-new. At
| the same time traffic spiked on all systems and capture rates went
| off-scale high as the new rules tagged virtually every message.
|
| This is not an entirely new tactic by the blackhats-- I've talked
| about it before. It is essentially a high-amplitude burst - where a
| new campaign is pre-tested against all known filters and then launched
| on a large number of new bots that are unknown to IP reputation
| systems.
|
| What is new is the purity of these recent events. When we've seen them
| before they were mixed in with a lot of other traffic from other bot
| nets and even other campaigns from the same bot net. While there was
| still a trickle of this activity, the purity of this burst was
| astounding.
|
| This was a stampede where essentially all visible bots started running
| in a single new direction.
|
| T rates have recovered now by and large -- so the new bots are already
| largely recognized by GBUdb, but the wild swing in telemetry across
| the network was amazing to watch -- as is the new telemetry showing
| dramatically increased traffic and capture rates indicating a nearly
| pure stream of spam from this new "herd".
|
| Theories, comments, and observations welcome.
|
| Thanks,
|
| _M
|
| -- 
| Pete McNeil
| Chief Scientist,
| Arm Research Labs, LLC.
|
| ---
| [This E-mail scanned for viruses by Declude Virus on the server aea8.k12.ia.us]
|
| 


---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/info-tech@aea8.k12.ia.us/
---------------------------------------------------------
