[sniffer] Re: Spam no using CAPTCHA!
Hello Andrew,

Wednesday, June 11, 2008, 11:48:55 AM, you wrote:

> ... and it also means that OCR based spam filtering is successful enough
> for the spammers to adopt CAPTCHA-style text-obfuscation-in-images as an
> evasion method.

Possibly, but I wouldn't put too fine a point on it. It's very easy for spammers to adopt this new technique -- it may have happened just on a whim. They often try things at random just because they think it might work, or because they get an idea and start tinkering with it. In that context this is a kind of "random mutation" that may result in a kind of spam "more fit" for survival. Or it might not.

Another reason for them to try this is that their current methods for "modulating" their images are getting old - and the artifacts associated with those methods are themselves fairly easy to detect -- so rather than invent a new way, a quick easy choice is to co-opt CAPTCHA and let somebody else do the work.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

#
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
[sniffer] Re: Spam no using CAPTCHA!
Fortunately, from what I've read, CAPTCHA is about worthless if effectiveness counts. Frustrating for humans and not much of a barrier to the bots.

-- Original Message --
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
Reply-To: "Message Sniffer Community"
Date: Wed, 11 Jun 2008 08:48:55 -0700

>... and it also means that OCR based spam filtering is successful enough
>for the spammers to adopt CAPTCHA-style text-obfuscation-in-images as an
>evasion method.
>
>Andrew.
>
>-Original Message-
>From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
>Sent: Wednesday, June 11, 2008 8:18 AM
>To: Message Sniffer Community
>Subject: [sniffer] Re: Spam no using CAPTCHA!
>
>Hello Daniel,
>
>Wednesday, June 11, 2008, 9:19:47 AM, you wrote:
>
>> Hi Everyone,
>
>> I just sent a spam sample to Message Sniffer, that was using CAPTCHA, it
>> said CIALIS in the CAPTCHA. I'm curious to see what Pete thinks of this new
>> tactic?
>
>On first look it is simply another way to use an obfuscated image to
>deliver their message and should be handled the same way. Use of
>CAPTCHA software to create this obfuscated image is an interesting
>choice -- it means people making good OCR resistant CAPTCHA generators
>are now unintentionally helping the blackhats defeat OCR based spam
>filtering.
>
>_M
>
>--
>Pete McNeil
>Chief Scientist,
>Arm Research Labs, LLC.
[sniffer] Re: Spam no using CAPTCHA!
... and it also means that OCR based spam filtering is successful enough for the spammers to adopt CAPTCHA-style text-obfuscation-in-images as an evasion method.

Andrew.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, June 11, 2008 8:18 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam no using CAPTCHA!

Hello Daniel,

Wednesday, June 11, 2008, 9:19:47 AM, you wrote:

> Hi Everyone,

> I just sent a spam sample to Message Sniffer, that was using CAPTCHA, it
> said CIALIS in the CAPTCHA. I'm curious to see what Pete thinks of this new
> tactic?

On first look it is simply another way to use an obfuscated image to deliver their message and should be handled the same way. Use of CAPTCHA software to create this obfuscated image is an interesting choice -- it means people making good OCR resistant CAPTCHA generators are now unintentionally helping the blackhats defeat OCR based spam filtering.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Spam no using CAPTCHA!
Hello Daniel,

Wednesday, June 11, 2008, 9:19:47 AM, you wrote:

> Hi Everyone,

> I just sent a spam sample to Message Sniffer, that was using CAPTCHA, it
> said CIALIS in the CAPTCHA. I'm curious to see what Pete thinks of this new
> tactic?

On first look it is simply another way to use an obfuscated image to deliver their message and should be handled the same way. Use of CAPTCHA software to create this obfuscated image is an interesting choice -- it means people making good OCR resistant CAPTCHA generators are now unintentionally helping the blackhats defeat OCR based spam filtering.

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Spam
Fortunately with Outlook Express we have the Ctrl-W function to initiate the forwarding process. Then we can just type in the first few characters of the address and hit Alt-S to send.

Not as quick as a single button, but much quicker than Outlook without this toolbar. Takes me about 4 seconds per message.

Darin.

- Original Message -
From: Bonno Bloksma
To: Message Sniffer Community
Sent: Wednesday, May 30, 2007 2:09 AM
Subject: [sniffer] Re: Spam

Hi,

> I recommend "SpamSource", if you are an Outlook user. It's a little
> toolbar applet that you can configure any recipient of the forwarded spam
> and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy
Nobody pays us for our work of reporting not cached messages. The Sniffer staff should offer for free to our community this tool ;-)

Hmmm, if they do I would love to have it for Outlook Express as well. It seems a great tool, especially now that we see a lot of missed spam. It would be great if I had a tool to deploy on all staff PCs where we use Outlook Express mostly (ca. 90%).

One other thing that would be nice is if the IMail web interface had a way to forward spam with all information intact.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[sniffer] Re: Spam
Hi,

They DO have a Beta for Outlook Express:

http://www.daesoft.com/products.htm

But I never got involved with that.

Best Regards,
Andy

From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Bonno Bloksma
Sent: Wednesday, May 30, 2007 2:10 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Hi,

> I recommend "SpamSource", if you are an Outlook user. It's a little
> toolbar applet that you can configure any recipient of the forwarded spam
> and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy
Nobody pays us for our work of reporting not cached messages. The Sniffer staff should offer for free to our community this tool ;-)

Hmmm, if they do I would love to have it for Outlook Express as well. It seems a great tool, especially now that we see a lot of missed spam. It would be great if I had a tool to deploy on all staff PCs where we use Outlook Express mostly (ca. 90%).

One other thing that would be nice is if the IMail web interface had a way to forward spam with all information intact.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[sniffer] Re: Spam
Hi,

> I recommend "SpamSource", if you are an Outlook user. It's a little
> toolbar applet that you can configure any recipient of the forwarded spam
> and it will include all the original mail headers - just the way Sniffer,
[]
It is a wonderful tool! Thanks Andy
Nobody pays us for our work of reporting not cached messages. The Sniffer staff should offer for free to our community this tool ;-)

Hmmm, if they do I would love to have it for Outlook Express as well. It seems a great tool, especially now that we see a lot of missed spam. It would be great if I had a tool to deploy on all staff PCs where we use Outlook Express mostly (ca. 90%).

One other thing that would be nice is if the IMail web interface had a way to forward spam with all information intact.

Kind regards,
Bonno Bloksma
head of systems administration
tio hogeschool hotelmanagement en toerisme
begijnenhof 8-12 / 5611 el eindhoven
t 040 296 28 28 / f 040 237 35 20
[EMAIL PROTECTED] / www.tio.nl
[sniffer] Re: Spam
Well done Andy, can't wait for some spam to try it out on.

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet
www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.

-

This email message is only intended for the addressee(s) and contains information that may be confidential, legally privileged and/or copyright. If you are not the intended recipient please notify the sender by reply email and immediately delete this email. Use, disclosure or reproduction of this email, or taking any action in reliance on its contents by anyone other than the intended recipient(s) is strictly prohibited. No representation is made that this email or any attachments are free of viruses. Virus scanning is recommended and is the responsibility of the recipient.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
Sent: Wednesday, 30 May 2007 7:39 AM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

I recommend "SpamSource", if you are an Outlook user. It's a little toolbar applet that you can configure any recipient of the forwarded spam and it will include all the original mail headers - just the way Sniffer, Spamcop etc. like it. All you do is press the button on the toolbar and the message will be forwarded, deleted from your inbox and not even appear in your "sent" folder (all configurable).

Best Regards,
Andy

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Moore
Sent: Tuesday, May 29, 2007 4:54 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Long time in getting back to you about this but:

>preferably to a spam collection pop3 box on your system

I am happy to send it to a box called [EMAIL PROTECTED] password sort!23&1#6eh will you arrange for your bot to collect?

When I send spam to [EMAIL PROTECTED] in the past I have been laboriously opening the header, copying header content, forwarding email, paste header content to beginning of email and sending. Is there a quicker way?

If I send spam to [EMAIL PROTECTED] how would I stop our system from re-tagging the email as spam from me?

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet
www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, 14 May 2007 9:27 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Hello David,

Monday, May 14, 2007, 2:59:16 AM, you wrote:

Do not send spam to the sniffer@ list.

Submit un-captured spam to [EMAIL PROTECTED], or preferably to a spam collection pop3 box on your system that can be picked up by our bots.

Thanks!

_M
[sniffer] Re: Spam
It is a wonderful tool! Thanks Andy

Nobody pays us for our work of reporting not cached messages. The Sniffer staff should offer for free to our community this tool ;-)

Alberto

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt
> Sent: 29 May 2007 23:39
> To: Message Sniffer Community
> Subject: [sniffer] Re: Spam
>
> I recommend "SpamSource", if you are an Outlook user. It's a little toolbar
> applet that you can configure any recipient of the forwarded spam and it
> will include all the original mail headers - just the way Sniffer, Spamcop
> etc. like it. All you do is press the button on the toolbar and the message
> will be forwarded, deleted from your inbox and not even appear in your
> "sent" folder (all configurable).
>
> Best Regards,
> Andy
>
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Moore
> Sent: Tuesday, May 29, 2007 4:54 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Spam
>
> Long time in getting back to you about this but:
>
> >preferably to a spam collection pop3 box on your system
>
> I am happy to send it to a box called [EMAIL PROTECTED] password
> sort!23&1#6eh will you arrange for your bot to collect?
>
> When I send spam to [EMAIL PROTECTED] in the past I have been laboriously
> opening the header, copying header content, forwarding email, paste header
> content to beginning of email and sending. Is there a quicker way?
>
> If I send spam to [EMAIL PROTECTED] how would I stop our system
> from re-tagging the email as spam from me?
>
> Regards David Moore
> [EMAIL PROTECTED]
>
> J.P. MCP, MCSE, MCSE + INTERNET, CNE.
> www.adsldirect.com.au for ADSL and Internet
> www.romtech.com.au for PC sales
>
> Office Phone: (+612) 9453 1990
> Fax Phone: (+612) 9453 1880
> Mobile Phone: +614 18 282 648
>
> POSTAL ADDRESS:
> PO BOX 190
> BELROSE NSW 2085
> AUSTRALIA.
>
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Monday, 14 May 2007 9:27 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Spam
>
> Hello David,
>
> Monday, May 14, 2007, 2:59:16 AM, you wrote:
>
> Do not send spam to the sniffer@ list.
>
> Submit un-captured spam to [EMAIL PROTECTED], or preferably to a spam
> collection pop3 box on your system that can be picked up by our bots.
>
> Thanks!
>
> _M
[sniffer] Re: Spam
I recommend "SpamSource", if you are an Outlook user. It's a little toolbar applet that you can configure any recipient of the forwarded spam and it will include all the original mail headers - just the way Sniffer, Spamcop etc. like it. All you do is press the button on the toolbar and the message will be forwarded, deleted from your inbox and not even appear in your "sent" folder (all configurable).

Best Regards,
Andy

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Moore
Sent: Tuesday, May 29, 2007 4:54 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Long time in getting back to you about this but:

>preferably to a spam collection pop3 box on your system

I am happy to send it to a box called [EMAIL PROTECTED] password sort!23&1#6eh will you arrange for your bot to collect?

When I send spam to [EMAIL PROTECTED] in the past I have been laboriously opening the header, copying header content, forwarding email, paste header content to beginning of email and sending. Is there a quicker way?

If I send spam to [EMAIL PROTECTED] how would I stop our system from re-tagging the email as spam from me?

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet
www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, 14 May 2007 9:27 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Hello David,

Monday, May 14, 2007, 2:59:16 AM, you wrote:

Do not send spam to the sniffer@ list.

Submit un-captured spam to [EMAIL PROTECTED], or preferably to a spam collection pop3 box on your system that can be picked up by our bots.

Thanks!

_M
[sniffer] Re: Spam
Long time in getting back to you about this but:

>preferably to a spam collection pop3 box on your system

I am happy to send it to a box called [EMAIL PROTECTED] password sort!23&1#6eh will you arrange for your bot to collect?

When I send spam to [EMAIL PROTECTED] in the past I have been laboriously opening the header, copying header content, forwarding email, paste header content to beginning of email and sending. Is there a quicker way?

If I send spam to [EMAIL PROTECTED] how would I stop our system from re-tagging the email as spam from me?

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au for ADSL and Internet
www.romtech.com.au for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Monday, 14 May 2007 9:27 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Hello David,

Monday, May 14, 2007, 2:59:16 AM, you wrote:

Do not send spam to the sniffer@ list.

Submit un-captured spam to [EMAIL PROTECTED], or preferably to a spam collection pop3 box on your system that can be picked up by our bots.

Thanks!

_M
[sniffer] Re: Spam
Hello Alberto,

Monday, May 14, 2007, 10:44:41 AM, you wrote:

> Yes I agree also here we are having a real storm !!!

> Alberto

It's clear the blackhats are intent on putting their new engines to work. We've seen a number of campaigns this morning and overnight that are extremely aggressive.

Since about last week, these new engines came online and beginning about 4 days ago they have been aggressively pressed into service. It is clear that part of their new strategy is to use high amplitude bursts and pre-optimized messages to push as much spam as possible through the window before it closes.

We can probably expect this to continue and expect to see spikes get past the system from time to time until the system learns more about the new engines so that it can better mitigate new (as yet unseen) campaigns.

Here are a few graphs to illustrate the change in traffic patterns that goes along with these conjectures and observations.

30 Day New Message / Leakage Rate:

* General uptick in new traffic coincided with observations of new message structure patterns (indicating new bot software) about 8 days ago.

* Increasingly "spiky" pattern beginning about 4 days ago coincided with observations of heavy bandwidth utilization upon the launch of new campaigns -- Use of high-amplitude spikes to increase delivery before the "window" closes.

48 Hour New Message / Leakage Rate:

* Roughly 28 hours ago we saw a new family of campaigns leveraging a new "stuffing" corpus. The new campaign was triggered on Mother's Day -- probably to take advantage of folks having other things to do - instead of a more typical pattern of launching new campaigns early on Mondays. The campaign evolved and expanded continuously throughout a very busy 10 hour period. At the moment this family of campaigns appears to be contained, though we do continue to see new variations and train the system to recognize them and some predictable variants.

* Today there have already been at least 2 new campaigns launched with extremely high bandwidth.

Hope this info is useful.

Thanks!

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Spam
Yes I agree also here we are having a real storm !!!

Alberto

> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick
> Sent: 14 May 2007 16:46
> To: Message Sniffer Community
> Subject: [sniffer] Re: Spam
>
> Pete:
>
> It appears that you guys have it corralled for now. The rate of leakage has
> dropped again.
>
> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com
>
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Sunday, May 13, 2007 3:51 PM
> To: Message Sniffer Community
> Subject: [sniffer] Re: Spam
>
> Hello Chuck,
>
> We are working on a sequence of very aggressive campaigns that started
> today. They started about 8 hours ago and haven't stopped. We are catching
> up though.
>
> Looks like the blackhats decided to start the week early.
>
> _M
>
> Sunday, May 13, 2007, 1:05:45 PM, you wrote:
>
> > We are seeing a lot of spam getting through. running updates but does
> > not seem to be stopping it.
>
> > Chuck Schick
> > Warp 8, Inc.
> > (303)-421-5140
> > www.warp8.com
>
> --
> Pete McNeil
> Chief Scientist,
> Arm Research Labs, LLC.
[sniffer] Re: Spam
Pete:

It appears that you guys have it corralled for now. The rate of leakage has dropped again.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-Original Message-
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Sunday, May 13, 2007 3:51 PM
To: Message Sniffer Community
Subject: [sniffer] Re: Spam

Hello Chuck,

We are working on a sequence of very aggressive campaigns that started today. They started about 8 hours ago and haven't stopped. We are catching up though.

Looks like the blackhats decided to start the week early.

_M

Sunday, May 13, 2007, 1:05:45 PM, you wrote:

> We are seeing a lot of spam getting through. running updates but does
> not seem to be stopping it.

> Chuck Schick
> Warp 8, Inc.
> (303)-421-5140
> www.warp8.com

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Spam
Hello David,

> I have been getting these emails all day and reporting them to
> [EMAIL PROTECTED] why are they still getting through I have seen about 30 of
> them to my email address alone.

I am looking into this -- I'm not sure why it was missed. We have been processing several thousand new spam per hour.

Thanks,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer] Re: Spam
Hello David,

Monday, May 14, 2007, 2:59:16 AM, you wrote:

Do not send spam to the sniffer@ list.

Submit un-captured spam to [EMAIL PROTECTED], or preferably to a spam collection pop3 box on your system that can be picked up by our bots.

Thanks!

_M
[sniffer] Re: Spam
DIGI FOX Inc Good afternoon, Can we try and make you interested in a home based job that may pay up to AUD2500-3500 per month? No envelope filling nonsense, no start up charges, this is a straightforward offer. You don't have to give up your present career; it will only take a small part of your time. All you need to have to start running your business with our company are reliable E-mail access and a bank account. And your willingness to earn, of course. The job is transaction handling. You will receive the transfers our customers/resellers send directly to you and forward it to us or our agents via one of chosen money transfer agencies. The job is pretty simple and you won't need any special knowledge to start, though we do require that you are able to act on a very short notice. We only pay such a decent commission because we keep our customers happy with our swiftness. And if you are looking for career there's a chance of becoming a part of our team in the future (based on your performance), team in which you will be truly respected and honestly rewarded - just think about this! We hope to hear from you soon. Please email back [EMAIL PROTECTED] and we will be glad to provide more information. Thank you! I have been getting these emails all day and reporting them to [EMAIL PROTECTED] why are they still getting through I have seen about 30 of them to my email address alone. Regards David Moore [EMAIL PROTECTED] J.P. MCP, MCSE, MCSE + INTERNET, CNE. www.adsldirect.com.au for ADSL and Internet www.romtech.com.au for PC sales Office Phone: (+612) 9453 1990 Fax Phone: (+612) 9453 1880 Mobile Phone: +614 18 282 648 POSTAL ADDRESS: PO BOX 190 BELROSE NSW 2085 AUSTRALIA. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Monday, 14 May 2007 7:54 AM To: Message Sniffer Community Subject: [sniffer] Re: Spam Hello Rick, About that time they started several new campaigns using what appears to be a new version of message obfuscating bot software along with several new sources for "stuffing". Volumes and leakage have been up since then. Today's activity is a new, much stronger burst of the same activity (it appears). Hope this helps, _M Sunday, May 13, 2007, 5:47:48 PM, you wrote: > We are seeing the same thing. Started about a week and a half ago. > Rick Hogue > 502-649-3431 Cell > > "Is your association working on the web?" > http://www.samprogram.com > -Original Message- > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On > Behalf Of Chuck Schick > Sent: Sunday, May 13, 2007 1:06 PM > To: Message Sniffer Community > Subject: [sniffer] Spam > We are seeing a lot of spam getting through. running updates but does > not seem to be stopping it. > Chuck Schick > Warp 8, Inc. > (303)-421-5140 > www.warp8.com -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Spam
Hello Rick, About that time they started several new campaigns using what appears to be a new version of message obfuscating bot software along with several new sources for "stuffing". Volumes and leakage have been up since then. Today's activity is a new, much stronger burst of the same activity (it appears). Hope this helps, _M Sunday, May 13, 2007, 5:47:48 PM, you wrote: > We are seeing the same thing. Started about a week and a half ago. > Rick Hogue > 502-649-3431 Cell > > "Is your association working on the web?" > http://www.samprogram.com > -Original Message- > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf > Of Chuck Schick > Sent: Sunday, May 13, 2007 1:06 PM > To: Message Sniffer Community > Subject: [sniffer] Spam > We are seeing a lot of spam getting through. running updates but does not > seem to be stopping it. > Chuck Schick > Warp 8, Inc. > (303)-421-5140 > www.warp8.com -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Spam
Hello Chuck, We are working on a sequence of very aggressive campaigns that started today. They started about 8 hours ago and haven't stopped. We are catching up though. Looks like the blackhats decided to start the week early. _M Sunday, May 13, 2007, 1:05:45 PM, you wrote: > We are seeing a lot of spam getting through. running updates but does not > seem to be stopping it. > Chuck Schick > Warp 8, Inc. > (303)-421-5140 > www.warp8.com -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: Spam
We are seeing the same thing. Started about a week and a half ago. Rick Hogue 502-649-3431 Cell "Is your association working on the web?" http://www.samprogram.com -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Schick Sent: Sunday, May 13, 2007 1:06 PM To: Message Sniffer Community Subject: [sniffer] Spam We are seeing a lot of spam getting through. running updates but does not seem to be stopping it. Chuck Schick Warp 8, Inc. (303)-421-5140 www.warp8.com
[sniffer] Re: Spam Storm
I think it's something else. Most messages are different in content, and are not 100% spam. I guess your POP bot has been retrieving them from my system (I've reported them all). There is an aggressive new image spam campaign that started about 30 hours ago. This one has a continuously variable message structure and is stuffed with "bible salad". We've got a pretty good handle on it now, but the campaign is backed by significant bandwidth (our primary spam pre-filter is at 2x nominal throughput due primarily to this one campaign) and I'm sure there are a few mutations we're not capturing from time to time. -- Jorge Asch Revilla CONEXION DCR www.conexion.co.cr 800-CONEXION
[sniffer] Re: Spam Storm
Hello Jorge, Tuesday, May 8, 2007, 1:30:24 PM, you wrote: > Has anybody noticed any new spam storms out there? Since yesterday, about 10 times the normal spam gets through (normally 2-3 messages a day, now it's like 2-3 messages per hour). Sniffer returns 0 (clean) for all of them, while they don't even get a high enough score with SpamAssassin (less than 4.0) to get tagged. There is an aggressive new image spam campaign that started about 30 hours ago. This one has a continuously variable message structure and is stuffed with "bible salad". We've got a pretty good handle on it now, but the campaign is backed by significant bandwidth (our primary spam pre-filter is at 2x nominal throughput due primarily to this one campaign) and I'm sure there are a few mutations we're not capturing from time to time. Is this the campaign you are seeing or is it something else? Thanks, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SPAM Storm?
Hello K, Monday, March 19, 2007, 8:24:18 PM, you wrote: > At 06:19 PM 3/19/2007 -0400, Computer House Support wrote: >>Is it me, or is there an unbelievable spam storm going on this >>afternoon?? > We got a fairly heavy burst this afternoon originating from an APNIC > 210.x.x.x block. Today's curve was a bit unusual-- there was a consistently heavy, consistently evolving set of spam campaigns released in a more dispersed pattern. It did keep us all busier than usual. I'm not sure what to make of it yet -- but you can see that it is different than the recent patterns. I'm sure it hit different systems in different ways. Images attached. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC. snapshot20070319-48hr.png Description: PNG image snapshot20070319-30day.png Description: PNG image
[sniffer] Re: SPAM Storm?
At 06:19 PM 3/19/2007 -0400, Computer House Support wrote: >Is it me, or is there an unbelievable spam storm going on this >afternoon?? We got a fairly heavy burst this afternoon originating from an APNIC 210.x.x.x block. -- Kirk Mitchell-General Manager[EMAIL PROTECTED] Keystone Connect Unlock Your World Altoona, PA 814-941-5000 http://www.keyconn.net
[sniffer] Re: SPAM Storm?
Seems like a normal day to me. Not much getting through but I checked the server logs and they are average sized for the day. At 04:19 PM 3/19/2007, you wrote: Is it me, or is there an unbelievable spam storm going on this afternoon?? Thanks, Greg CoffeyNet/AllureTech v 307-473-2323 1546 E. Burlington cell 307-259-7962 Casper, WY 82601 fax 307-237-3709
[sniffer] Re: SPAM Storm?
... Not in my neck of the network. Andrew. > -Original Message- > From: Message Sniffer Community > [mailto:[EMAIL PROTECTED] On Behalf Of Computer House Support > Sent: Monday, March 19, 2007 3:19 PM > To: Message Sniffer Community > Subject: [sniffer] Re: SPAM Storm? > > Is it me, or is there an unbelievable spam storm going on > this afternoon??
[sniffer] Re: SPAM Storm?
Is it me, or is there an unbelievable spam storm going on this afternoon??
[sniffer] Re: SPAM Problems
Sorry about the OT here, but I feel compelled to add just a little follow up on the topic of pre-scanning and Alligate. Alligate is IMO definitely the way to go. As Paul pointed out, greylisting everything (i.e. ORF) has drawbacks and I wouldn't use a solution that greylisted everything. I worked with Brian Milburn of Alligate for months to help him create a method of providing selective greylisting so that most legitimate E-mail is not greylisted. I also helped him create a method of storing triplicates for use with greylisting that only track base domains and not the full sender and recipient, thus substantially reducing what needs to be greylisted if it does trigger selective greylisting. I received nothing in return except for a very capable product that benefited my system greatly. Brian is also a lot like Pete and R. Scott Perry. Setting things up optimally is not going to be an out of the box type of experience. I have both offered some free assistance in private and public to those that are dealing with Alligate, and Brian can also provide some support for new setups. There is of course a limit to my time for things like this. I have also occasionally consulted on such things at the request of others. So while it can be a hard nut to crack, especially if one is not familiar with the architecture or concepts of a pre-scanning gateway, there is help out there, and it is definitely worth while. I formerly used ORF for tarpitting and address validation, but going to Alligate for this was the best move that I have made since picking up Declude and Sniffer. Note that Alligate Gateway is not a replacement for Sniffer, Declude or any other deep scanning solution, it is merely a tool for handling validation and some blocking of the most obvious and easiest to detect spam, primarily with passive means of blocking (greylisting and tarpitting), and without needing to throw a lot of CPU at it. I handle over 1 million connections per day and Alligate averages about 5% CPU at peak times. Only 7% of the connections result in delivery of a message to my deep-scanning layer using a configuration that is not aggressive. There is only one zombie spammer at present that will survive greylisting. Matt Dave Marchette wrote: I agree with the pre-scanning concept. IMgate, ORF and Alligate are all good, but it just depends upon your level of comfort with each type of environment these run in. Each takes several days of fine tuning and log babysitting (even though the vendors tell you it is plug and play- it's not). We've tested all three and prefer Alligate (thanks Matt!) but any way you look at it, if you are running even moderate volume then pre-scanning is the next step in the evolution of protection. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Monday, October 23, 2006 7:28 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems We also use ORF by VamSoft on IIS to pre-process. We do not use the grey listing. We tried it, and it is great at eliminating spam, but it can delay mail for hours, which is a problem for most email users. Instead of grey listing, we have found ORF's tar-pitting very effective. We set some tests at the ORF level, but don't block on them (because there is no "weighting"). We also have some spam trap email addresses. Fail a test or hit a spam trap and we tar-pit. Instead of sending us 100 spams a minute they can only send one per minute. We can pick up x-records with Declude and not have to re-run the tests on the iMail server, still using Declude to score the messages based on the prior tests. ORF even has a built-in interface for sniffer. It is simpler and preferable to process everything on the iMail server, but when you want to off-load processing to stretch your iMail / Declude investment, this arrangement can do the trick. Paul Fuhrmeister [EMAIL PROTECTED] -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller Sent: Monday, October 23, 2006 5:15 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems Filippo, We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist). This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters Hope this helps. David
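The selective greylisting with base-domain triplets described in the message above, sketched as an added example; it is not Alligate's or ORF's code and was not posted to the list. The /24 client grouping, the triggers in `is_suspicious`, the small public-suffix set, the `min_delay` and `record_life` defaults and the sample sessions are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: a tiny hand-picked set of two-label public suffixes. A real
# deployment would consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.cr"}


def base_domain(address):
    """Reduce an address or host name to its registrable (base) domain."""
    host = address.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def client_network(ip):
    """Group sending hosts by /24 (IPv4) or /64 (IPv6); an assumption here."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def is_suspicious(helo, has_rdns):
    """Hypothetical cheap triggers that decide whether to greylist at all."""
    helo = helo.strip("[]")
    try:
        ipaddress.ip_address(helo)
        helo_is_ip = True
    except ValueError:
        helo_is_ip = False
    return (not has_rdns) or helo_is_ip or "." not in helo


@dataclass
class Record:
    first_seen: float
    last_seen: float
    passed: bool = False


@dataclass
class SelectiveGreylist:
    min_delay: int = 300           # seconds an unknown triplet must wait
    record_life: int = 36 * 3600   # seconds an idle record is remembered
    records: dict = field(default_factory=dict)

    def check(self, ip, helo, has_rdns, mail_from, rcpt_to, now):
        """Return 'accept' or 'defer' (a 4xx temporary failure) for one RCPT."""
        key = (client_network(ip), base_domain(mail_from), base_domain(rcpt_to))
        rec = self.records.get(key)
        if rec and now - rec.last_seen > self.record_life:
            del self.records[key]          # stale: forget it and start over
            rec = None
        if rec and rec.passed:
            rec.last_seen = now
            return "accept"                # triplet already proved it retries
        if not is_suspicious(helo, has_rdns):
            return "accept"                # selective: clean sessions are not delayed
        if rec is None:
            self.records[key] = Record(first_seen=now, last_seen=now)
            return "defer"
        rec.last_seen = now
        if now - rec.first_seen < self.min_delay:
            return "defer"                 # retried too quickly
        rec.passed = True
        return "accept"


# Constructed sessions: (time, client IP, HELO, has rDNS, MAIL FROM, RCPT TO)
SESSIONS = [
    (0, "198.51.100.7", "mx1.example.org", True, "news@lists.example.org", "joe@corp.example.com"),
    (10, "192.0.2.10", "192.0.2.10", False, "a@mail.example.net", "joe@corp.example.com"),
    (70, "192.0.2.10", "192.0.2.10", False, "a@mail.example.net", "joe@corp.example.com"),
    (610, "192.0.2.10", "192.0.2.10", False, "a@mail.example.net", "joe@corp.example.com"),
    (700, "192.0.2.11", "[192.0.2.11]", False, "b@smtp.example.net", "ann@sales.example.com"),
    (700 + 40 * 3600, "192.0.2.10", "192.0.2.10", False, "a@mail.example.net", "joe@corp.example.com"),
]


def run_demo():
    """Feed the constructed sessions through one greylist, return the decisions."""
    greylist = SelectiveGreylist()
    decisions = [greylist.check(ip, helo, rdns, frm, to, now)
                 for now, ip, helo, rdns, frm, to in SESSIONS]
    return decisions, greylist


if __name__ == "__main__":
    for session, decision in zip(SESSIONS, run_demo()[0]):
        print(session[0], session[1], session[4], "->", decision)
```

The fifth session is accepted at once even though sender, recipient and client address all differ from the earlier ones, because they reduce to the same base-domain key; that is why the table holds a single record for the whole exchange.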
[sniffer] Re: SPAM Problems
I agree with the pre-scanning concept. IMgate, ORF and Alligate are all good, but it just depends upon your level of comfort with each type of environment these run in. Each takes several days of fine tuning and log babysitting (even though the vendors tell you it is plug and play- it's not). We've tested all three and prefer Alligate (thanks Matt!) but any way you look at it, if you are running even moderate volume then pre-scanning is the next step in the evolution of protection. -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Monday, October 23, 2006 7:28 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems We also use ORF by VamSoft on IIS to pre-process. We do not use the grey listing. We tried it, and it is great at eliminating spam, but it can delay mail for hours, which is a problem for most email users. Instead of grey listing, we have found ORF's tar-pitting very effective. We set some tests at the ORF level, but don't block on them (because there is no "weighting"). We also have some spam trap email addresses. Fail a test or hit a spam trap and we tar-pit. Instead of sending us 100 spams a minute they can only send one per minute. We can pick up x-records with Declude and not have to re-run the tests on the iMail server, still using Declude to score the messages based on the prior tests. ORF even has a built-in interface for sniffer. It is simpler and preferable to process everything on the iMail server, but when you want to off-load processing to stretch your iMail / Declude investment, this arrangement can do the trick. Paul Fuhrmeister [EMAIL PROTECTED] -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller Sent: Monday, October 23, 2006 5:15 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems Filippo, We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist). This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters Hope this helps. David
[sniffer] Re: SPAM Problems
Hello Filippo, Monday, October 23, 2006, 8:51:34 AM, you wrote: > Hello Pete, which file (Global.cfg, Virus.cfg) has the AVAFTERJM option? I'm using Declude 2.06.16 with IMail Server 8.05 That should be in virus.cfg _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SPAM Problems
We also use ORF by VamSoft on IIS to pre-process. We do not use the grey listing. We tried it, and it is great at eliminating spam, but it can delay mail for hours, which is a problem for most email users. Instead of grey listing, we have found ORF's tar-pitting very effective. We set some tests at the ORF level, but don't block on them (because there is no "weighting"). We also have some spam trap email addresses. Fail a test or hit a spam trap and we tar-pit. Instead of sending us 100 spams a minute they can only send one per minute. We can pick up x-records with Declude and not have to re-run the tests on the iMail server, still using Declude to score the messages based on the prior tests. ORF even has a built-in interface for sniffer. It is simpler and preferable to process everything on the iMail server, but when you want to off-load processing to stretch your iMail / Declude investment, this arrangement can do the trick. Paul Fuhrmeister [EMAIL PROTECTED] -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of David Waller Sent: Monday, October 23, 2006 5:15 AM To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems Filippo, We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist). This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters Hope this helps. David
[sniffer] Re: SPAM Problems
Dodd, From what I can tell it's a proprietary format although I've not done any research to validate this. Greylisting expiration is user controlled. Rejection time for unknown senders is specified in seconds and recordlife time in hours. Both appear to be unlimited. See www.vamsoft.com for further info. Hope this helps. David -Original Message- From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: 23 October 2006 13:10 To: Message Sniffer Community Subject: [sniffer] Re: SPAM Problems David, What sort of database does ORF use and do you know if the expiration of addresses can be edited? thanks dodd - Original Message - From: "David Waller" <[EMAIL PROTECTED]> To: "Message Sniffer Community" Sent: Monday, October 23, 2006 6:14 AM Subject: [sniffer] Re: SPAM Problems > Filippo, > > We had a similar problem. Due to the huge volumes of spam we found our > mail > server becoming less able to deal with email. Imail/Declude/Sniffer is > expensive in processor terms when processing email and we found the best > was > to pre-process mail filtering using Greylisting (we used Vamsoft in IIS > SMTP > but others exist). This has dramatically reduced the load on our server > and > seems to stop the bulk of spammers and mail harvesters > > Hope this helps. > > David > > -Original Message- > From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf > Of Filippo Palmili > Sent: 23 October 2006 10:18 > To: Message Sniffer Community > Subject: [sniffer] SPAM Problems > > Hello Pete, since Friday our mail server is overwhelmed by a very lot of > spam messages. Because of this the spool of my IMail Server gets full and > it > actually get stuck. > > Do you have any hint that can help me to fix this problem? > > Filippo Palmili
[sniffer] Re: SPAM Problems
Hello Pete, which file (Global.cfg, Virus.cfg) has the AVAFTERJM option? I'm using Declude 2.06.16 with IMail Server 8.05 Filippo At 14:45 23/10/2006, you wrote: Hello Filippo, Monday, October 23, 2006, 5:18:02 AM, you wrote: > Hello Pete, since Friday our mail server is overwhelmed by a very lot of spam > messages. Because of this the spool of my IMail Server gets full and > it actually get stuck. > Do you have any hint that can help me to fix this problem? There are a number of tricks to tuning IMail/Declude setups (I'm guessing from other posts that this is what you have). Using the AVAFTERJM option in Declude reduces system loads by only scanning messages for viruses after they have passed all of the spam tests. Since spam can easily be 90% of traffic these days this one option can save quite a bit of CPU for other tests. You will have to be careful to scan anything you release from quarantine for viruses however. Through enlightened experimentation I have determined that low numbers in queue manager provide much better throughput. I have an IMail server that I use to process inbound spam and to test SNF. This single p4/2.4G CPU consistently handles 10 messages per second on average. By pushing this box to the edge (frequently) I have learned a few things about tuning it. My queue manager settings are: Listening Threads: 4 Retry Threads: 5 Delivery Threads: 8 Your mileage may vary!! -- The reason small numbers may be better than large ones is that your CPU(s) can really only process a handful (about 2 per CPU on average) of threads concurrently. Any additional threads must wait and the OS must schedule them and resolve resource conflicts etc... That amounts to extra work. Keeping the number of threads small reduces overhead and allows the threads that are running to get more done. One of our early boxes (now defunct) used Declude/Imail/SNF on NT4 - it was purposefully underpowered. On that box we discovered that running a local copy of Bind as a resolver and making 127.0.0.1 our primary DNS server improved performance quite a bit. Along these lines, be sure that long-running DNS queries are removed--- that is, if you have a DNS based test that takes a while to return then you're probably better off without it. Hope this helps, _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC.
[sniffer] Re: SPAM Problems
Hello Filippo,

Monday, October 23, 2006, 5:18:02 AM, you wrote:

> Hello Pete, since Friday our mail server is overwhelmed by a very large number of spam
> messages. Because of this the spool of my IMail Server gets full and
> it actually gets stuck.

> Do you have any hint that can help me to fix this problem?

There are a number of tricks to tuning IMail/Declude setups (I'm guessing from other posts that this is what you have).

Using the AVAFTERJM option in Declude reduces system loads by only scanning messages for viruses after they have passed all of the spam tests. Since spam can easily be 90% of traffic these days this one option can save quite a bit of CPU for other tests. You will have to be careful to scan anything you release from quarantine for viruses however.

Through enlightened experimentation I have determined that low numbers in queue manager provide much better throughput. I have an IMail server that I use to process inbound spam and to test SNF. This single p4/2.4G CPU consistently handles 10 messages per second on average. By pushing this box to the edge (frequently) I have learned a few things about tuning it.

My queue manager settings are:

Listening Threads: 4
Retry Threads: 5
Delivery Threads: 8

Your mileage may vary!! -- The reason small numbers may be better than large ones is that your CPU(s) can really only process a handful (about 2 per CPU on average) of threads concurrently. Any additional threads must wait and the OS must schedule them and resolve resource conflicts etc... That amounts to extra work. Keeping the number of threads small reduces overhead and allows the threads that are running to get more done.

One of our early boxes (now defunct) used Declude/Imail/SNF on NT4 - it was purposefully underpowered. On that box we discovered that running a local copy of Bind as a resolver and making 127.0.0.1 our primary DNS server improved performance quite a bit.

Along these lines, be sure that long-running DNS queries are removed -- that is, if you have a DNS based test that takes a while to return then you're probably better off without it.

Hope this helps,

_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
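An added example, not part of the message above and not Declude or SNF tooling: one way to find the DNS-based tests that are slow enough to remove, by timing a lookup per zone over several sample IPs. The zone names, sample IPs, the 0.1 s budget and the `demo_resolver` stand-in are constructed assumptions.

```python
import ipaddress
import socket
import statistics
import time


def dnsbl_query_name(ip, zone):
    """DNS-based tests query <reversed IPv4 octets>.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def time_lookup(name, resolver):
    """Seconds one lookup takes; a negative or failed answer still costs time."""
    start = time.perf_counter()
    try:
        resolver(name)
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is an OSError
        pass
    return time.perf_counter() - start


def audit_dns_tests(zones, sample_ips, budget=0.5, resolver=socket.gethostbyname):
    """Time every zone over several IPs; flag zones whose median exceeds budget."""
    report = []
    for zone in zones:
        times = [time_lookup(dnsbl_query_name(ip, zone), resolver)
                 for ip in sample_ips]
        median = statistics.median(times)
        report.append({"zone": zone, "median": median,
                       "worst": max(times), "remove": median > budget})
    return sorted(report, key=lambda r: r["median"], reverse=True)


def demo_resolver(name):
    """Constructed stand-in for the system resolver so the demo runs offline."""
    if name.endswith("slow-list.example"):
        time.sleep(0.2)  # simulates a list that answers slowly
    raise socket.gaierror("not listed")


if __name__ == "__main__":
    zones = ["fast-list.example", "slow-list.example"]  # hypothetical zones
    ips = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]  # documentation ranges
    # Omit resolver= to time the real tests through the system resolver.
    for row in audit_dns_tests(zones, ips, budget=0.1, resolver=demo_resolver):
        print(f"{row['zone']:<20} median={row['median']:.3f}s "
              f"worst={row['worst']:.3f}s remove={row['remove']}")
```

Run against real zones twice: the first pass shows cold-cache latency, the second shows what a local caching resolver on 127.0.0.1 saves.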
[sniffer] Re: SPAM Problems
David,

What sort of database does OFR use and do you know if the expiration of addresses can be edited?

thanks
dodd

----- Original Message -----
From: "David Waller" <[EMAIL PROTECTED]>
To: "Message Sniffer Community"
Sent: Monday, October 23, 2006 6:14 AM
Subject: [sniffer] Re: SPAM Problems

Filippo,

We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist).

This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters.

Hope this helps.

David

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: 23 October 2006 10:18
To: Message Sniffer Community
Subject: [sniffer] SPAM Problems

Hello Pete, since Friday our mail server is overwhelmed by a very large number of spam messages. Because of this the spool of my IMail Server gets full and it actually gets stuck.

Do you have any hint that can help me to fix this problem?

Filippo Palmili
[sniffer] Re: SPAM Problems
Filippo,

We had a similar problem. Due to the huge volumes of spam we found our mail server becoming less able to deal with email. Imail/Declude/Sniffer is expensive in processor terms when processing email and we found the best was to pre-process mail filtering using Greylisting (we used Vamsoft in IIS SMTP but others exist).

This has dramatically reduced the load on our server and seems to stop the bulk of spammers and mail harvesters.

Hope this helps.

David

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
Sent: 23 October 2006 10:18
To: Message Sniffer Community
Subject: [sniffer] SPAM Problems

Hello Pete, since Friday our mail server is overwhelmed by a very large number of spam messages. Because of this the spool of my IMail Server gets full and it actually gets stuck.

Do you have any hint that can help me to fix this problem?

Filippo Palmili
[sniffer] Re: SPAM Problems
Ciao Filippo

Can you see any pattern of mailfrom, mailto or IP-Address that causes all these messages in your spool folder?

Telnetting to your MX shows that you're using Imail 8.05 and I assume in conjunction with Declude and Sniffer. It also turns out that both logos.net and logos.it are not open for nobody-aliases and so all your incoming messages must be for real existing recipients.

How many messages does this server handle under normal circumstances and how many messages are now in the spool folder? What about CPU-usage and other loads on this server?

Can you publish some message headers from a typical message?

Sniffer very probably will identify and catch most of these messages. The question is whether the weighting system is configured in a way that these messages are caught as spam and do not finish in the recipients' mailboxes.

As said, Sniffer very probably will catch the messages but it's one of the latest segments in the filter-chain. So the problem causing all these messages in your spool folder very probably is located in another place.

Markus
Alto Adige
Italy

> -----Original Message-----
> From: Message Sniffer Community
> [mailto:[EMAIL PROTECTED] On Behalf Of Filippo Palmili
> Sent: Monday, October 23, 2006 11:18 AM
> To: Message Sniffer Community
> Subject: [sniffer] SPAM Problems
>
>
> Hello Pete, since Friday our mail server is overwhelmed by a
> very large number of spam messages. Because of this the spool of my
> IMail Server gets full and it actually gets stuck.
>
> Do you have any hint that can help me to fix this problem?
>
> Filippo Palmili