[MBF] Re: Thoughts on how to deal with the current SPAM campaigns
Hello everyone. I wanted to chime in here. We (MBF) actually have a utility for implementing exactly what Scott is proposing if anyone is interested in trying it. We call it The Gauntlet. Also, the following link has some additional information about how a program such as this works: http://www.lifeatwarp9.com/2012/06/gauntlet-a-solution-to-pre-tested-spam/. Please let me know if you have any questions about it.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Scott Fosseen - Prairie Lakes AEA
Sent: Thursday, October 30, 2014 1:11 PM
To: community@mailsbestfriend.com
Subject: [MBF] Thoughts on how to deal with the current SPAM campaigns

Here is a thought I have that may be effective on these zero-day SPAM campaigns. It does have a big drawback, but the users may be OK with it if it stops the SPAM.

Here is my idea. I am going to say this is from my standpoint of using SmarterMail. The basic idea is to process each message through Declude twice. Any message that Declude did not whitelist or delete would be sent to a hold queue folder, and after a set amount of time Declude would rescan the message.

The first time through Declude the message would process and drop out of Declude only if whitelisted or deleted. The message would also be counted by reputation tests such as Barracuda. Once the message is processed it would be put in a hold queue where it would sit for a set amount of time (say 30 min). The delay would give a chance for tests to identify SPAM campaigns. After the queue delay has passed, Declude will process the message again and take the normal action on the message when complete.

Thoughts?
[MBF] Re: increasingly useless
We just employed MBF to help update our system and fight this storm. After Linda’s changes, we have seen a dramatic decrease in what is getting through. Free plug for them, because it sure helped us out.

Thank you,
Chris King
Webmaster - St. Louis
Network80, LLC
http://www.network80.com/

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Thursday, October 30, 2014 6:32 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: increasingly useless

Yes, that must be it, lag time on the high volume and short campaigns. I also wonder though if they are infecting a zillion PCs and have zombies broadcast from all over the place. It’s a security problem, not just a spamming one. Ok, will look to see if I can upgrade, and amalgamate with my own changes.

Carl

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Scott Fosseen - Prairie Lakes AEA
Sent: Thursday, October 30, 2014 12:51 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: increasingly useless

I would not say useless; it is just these new SPAM campaigns are high volume and short. By the time I have people give me a message to research, Sniffer and the other tests are blocking that campaign, but a lot get through before they are detected.

I will say that my system was rather out of date as far as the versions of Declude, Sniffer, Filters, and such. A couple of days ago I got some help and we updated everything in Declude and SmarterMail. After the update I will say that some spam still gets through, but it is a lot better than it was.

From: Carl Wagar [mailto:jcwa...@entrenet.com]
Sent: Thursday, October 30, 2014 11:41 AM
To: community@mailsbestfriend.com
Subject: [MBF] increasingly useless

Has anyone found that in the last two months there are an awful lot of spams getting through the filters – that Sniffer is not detecting and none of the blacklists are flagging? It’s all subtle health conditions or newsy political issues etc. that contain bogus sender names that are similar to the subject and aren’t getting filtered. Or if it is, it is only mid-level ‘subject’ weights instead of ‘hold’ weights.

It just seems that the spammers are at a whole new level. I am daily having to manually add new keywords and phrases to my spam and scam filters. It’s not that the level of spam has increased but that a certain segment of spam is completely undetected, and if I didn’t keep ahead of it, the perception would be that the filters are degrading badly.

Is there a place we can forward these to help someone or anyone improve things? Comments?

Thanks.
Carl

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898
[MBF] Re: Thoughts on how to deal with the current SPAM campaigns
What's your email address these days, Linda? I am interested.

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Thursday, October 30, 2014 3:18 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

Hello everyone. I wanted to chime in here. We (MBF) actually have a utility for implementing exactly what Scott is proposing if anyone is interested in trying it. We call it The Gauntlet. Also, the following link has some additional information about how a program such as this works: http://www.lifeatwarp9.com/2012/06/gauntlet-a-solution-to-pre-tested-spam/. Please let me know if you have any questions about it.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Scott Fosseen - Prairie Lakes AEA
Sent: Thursday, October 30, 2014 1:11 PM
To: community@mailsbestfriend.com
Subject: [MBF] Thoughts on how to deal with the current SPAM campaigns

Here is a thought I have that may be effective on these zero-day SPAM campaigns. It does have a big drawback, but the users may be OK with it if it stops the SPAM.

Here is my idea. I am going to say this is from my standpoint of using SmarterMail. The basic idea is to process each message through Declude twice. Any message that Declude did not whitelist or delete would be sent to a hold queue folder, and after a set amount of time Declude would rescan the message.

The first time through Declude the message would process and drop out of Declude only if whitelisted or deleted. The message would also be counted by reputation tests such as Barracuda. Once the message is processed it would be put in a hold queue where it would sit for a set amount of time (say 30 min). The delay would give a chance for tests to identify SPAM campaigns. After the queue delay has passed, Declude will process the message again and take the normal action on the message when complete.

Thoughts?
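
The two-pass hold queue proposed above, sketched as an added Python example (not code from the thread, from Declude, or from MBF's Gauntlet). The class and field names are assumptions, and the `blocked` fingerprint set is a hypothetical stand-in for whatever Sniffer and the blacklist tests know at scan time.

```python
import heapq
import itertools
from dataclasses import dataclass

HOLD_SECONDS = 30 * 60  # the "say 30 min" hold from the post

@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    fingerprint: str  # hypothetical stand-in for what a content/reputation test keys on

class TwoPassFilter:
    def __init__(self, whitelist, blocked):
        self.whitelist = whitelist
        self.blocked = blocked          # grows as the tests learn a new campaign
        self._held = []                 # min-heap of (release_at, seq, message)
        self._seq = itertools.count()   # tie-breaker so messages are never compared

    def first_pass(self, msg, now):
        # Only whitelisted or deleted mail leaves on the first scan; the rest is held.
        if msg.sender in self.whitelist:
            return "deliver"
        if msg.fingerprint in self.blocked:
            return "delete"
        heapq.heappush(self._held, (now + HOLD_SECONDS, next(self._seq), msg))
        return "hold"

    def second_pass(self, now):
        # Rescan every message whose hold has expired and take the normal action.
        results = {}
        while self._held and self._held[0][0] <= now:
            _, _, msg = heapq.heappop(self._held)
            results[msg.msg_id] = "delete" if msg.fingerprint in self.blocked else "deliver"
        return results

def demo():
    # Constructed sample traffic (reserved example domains): (id, sender, fingerprint, arrival s).
    sample = [("m1", "partner@example.org", "newsletter", 0), ("m2", "x@example.net", "old-campaign", 0),
              ("m3", "y@example.net", "new-campaign", 0), ("m4", "colleague@example.com", "invoice", 60)]
    f = TwoPassFilter({"partner@example.org"}, {"old-campaign"})
    first = {i: f.first_pass(Message(i, s, fp), t) for i, s, fp, t in sample}
    f.blocked.add("new-campaign")        # the tests catch up during the hold window
    early = f.second_pass(29 * 60)       # nothing is due yet
    due = f.second_pass(30 * 60)         # m3 is rescanned and now caught
    late = f.second_pass(31 * 60)        # m4 was legitimate but still waited 30 min
    return first, early, due, late
```

The `late` result is the drawback the post mentions: clean, non-whitelisted mail is delivered only after the full hold.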
[MBF] Re: Thoughts on how to deal with the current SPAM campaigns
True, but the complaints were very few and were only in the beginning of our testing; we have improved the Gauntlet filter to target messages that look like pre-tested spam, to reduce delaying good email. Yes, it does delay some good mail, but the overall trade-off has been worth it. We have been running the prototype on 2 servers with over 1000 domains for 30 days + and only had a handful of complaints when we started.

Also remember whitelisted email in SM or Declude is not delayed by the Gauntlet. As we know, Greylisting also delays messages, and is not a solution for everyone, but it certainly is a solution for many mail admins. Bottom line is the delay and targeting of messages for the Gauntlet can be controlled.

David

we have improved the filter so it only delays suspect messages and not all messages

On 10/31/2014 12:25 AM, Linda Pagillo wrote:

Thanks for the kind words, Mike. Yes, unfortunately, that is the only complaint we have had about the Gauntlet... the delay.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Michael Cummins
Sent: Thursday, October 30, 2014 10:18 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

Linda and David are great. Worth every penny, always. I'd be interested in The Gauntlet, but my customers wouldn't tolerate that kind of delay at all. Sadly.

- Michael Cummins

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Thursday, October 30, 2014 11:05 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

Carl, my email address is linda.pagi...@mailsbestfriend.com.
Thanks for the kind words, Chris!

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Carl Wagar
Sent: Thursday, October 30, 2014 6:49 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

What's your email address these days, Linda? I am interested...

J. Carl Wagar
EntreNet Communications Inc
www.entrenet.com www.thehostingservice.com
24 Swain Ave, Ottawa, ON, K1G 4T1, Canada
Email: jcwa...@entrenet.com, skype: jcwagar
Tel: +1 613-737-7327, Fax: +1 613-737-5801
Cel: +1 613-818-8898

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Linda Pagillo
Sent: Thursday, October 30, 2014 3:18 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Thoughts on how to deal with the current SPAM campaigns

Hello everyone. I wanted to chime in here. We (MBF) actually have a utility for implementing exactly what Scott is proposing if anyone is interested in trying it. We call it The Gauntlet. Also, the following link has some additional information about how a program such as this works: http://www.lifeatwarp9.com/2012/06/gauntlet-a-solution-to-pre-tested-spam/. Please let me know if you have any questions about it.

Linda Pagillo
Mail's Best Friend
Email: linda.pagi...@mailsbestfriend.com
Web: www.mailsbestfriend.com
Office: 703.988.3605 x7016

From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On Behalf Of Scott Fosseen - Prairie Lakes AEA
Sent: Thursday, October 30, 2014 1:11 PM
To: community@mailsbestfriend.com
Subject: [MBF] Thoughts on how to deal with the current SPAM campaigns

Here is a thought I have that may be effective on these zero-day SPAM campaigns. It does have a big drawback, but the users may be OK with it if it stops the SPAM.

Here is my idea. I am going to say this is from my standpoint of using SmarterMail. The basic idea is to process each message through Declude twice. Any message that Declude did not whitelist or delete would be sent to a hold queue folder, and after a set amount of time Declude would rescan the message.

The first time through Declude the message would process and drop out of Declude only if whitelisted or deleted. The message would also be counted by reputation