Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....
Chuck,

I sent a different message off list, but just in case you don't get that one - I've received a number of bounce notifications from your system (transient non-fatal delivery errors). There's a good chance that your rulebase is out of date if your update notifications are bouncing.

Indicators here are in the "nominal" range for leakage for the past 24 hours.

Hope this helps,

_M

On Friday, May 5, 2006, 7:14:00 PM, Chuck wrote:

CS> It is not slowing down out here.

CS> Chuck Schick
CS> Warp 8, Inc.
CS> (303)-421-5140
CS> www.warp8.com

CS> -Original Message-
CS> From: [EMAIL PROTECTED]
CS> [mailto:[EMAIL PROTECTED]
CS> On Behalf Of Pete McNeil
CS> Sent: Friday, May 05, 2006 9:32 AM
CS> To: Darin Cox
CS> Subject: Re[2]: [sniffer] Lot of Drugs Spam getting through sniffer

CS> On Friday, May 5, 2006, 11:02:00 AM, Darin wrote:

DC>> Not just drugs, but some others too have been slipping through the
DC>> past couple of days. We've reported a little under 40 in the past
DC>> couple of days.

CS> We saw a bit of a lull, then a rash of new campaigns bunched together with
CS> some new obfuscation techniques. We're getting a handle on it now. Looks
CS> like the burst started about 30 hours ago and is tailing off now.

CS> Attached image - new arrival rates last 2 days.

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....
Just when you think we won the battle, they move the targets and change the rules.

This is why we need people like Pete and Darrell to help us fight this ever changing war.

A big thanks.

John T
eServices For You

"Seek, and ye shall find!"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Friday, May 05, 2006 11:37 AM
> To: John T (Lists)
> Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer
>
> On Friday, May 5, 2006, 1:08:14 PM, John wrote:
>
> JTL> Well, I am at the point that I could care less about geocities false
> JTL> positives. If GeoCities is going to allow this much spam junk then I could
> JTL> care less about allowing them.
>
> That's fine.
>
> There are probably a number of systems that feel that way. I only
> meant to say that we've tried a "block-first" strategy w/ geocities
> before and had to remove it. YMMV.
>
> You should also know (may remember) that the blackhats experimented a
> while ago with using several other hosting sites, including msn, and
> seeding them in round-robin fashion so that they all appeared in each
> campaign. Since this experiment stopped abruptly I doubt that it has
> been abandoned - rather, it was put on the shelf for a while. At the
> time it was clearly effective for them. I think it likely they will do
> that again (don't know when) since they are putting some new effort
> into this path. I don't have any evidence of it yet.
>
> I discovered that on 20060503 the blackhats made some significant
> changes to their use of geocities links and their transmission
> patterns. I've re-tuned the F002 bot to compensate and it is currently
> reviewing a handful of new geocities links every minute and adding
> approximately 1.2 new rules per minute.
>
> I suspect that the lull we observed may have had something to do with
> their "tooling up" for this set of campaigns.
>
> _M
Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....
On Friday, May 5, 2006, 1:08:14 PM, John wrote:

JTL> Well, I am at the point that I could care less about geocities false
JTL> positives. If GeoCities is going to allow this much spam junk then I could
JTL> care less about allowing them.

That's fine.

There are probably a number of systems that feel that way. I only meant to say that we've tried a "block-first" strategy w/ geocities before and had to remove it. YMMV.

You should also know (may remember) that the blackhats experimented a while ago with using several other hosting sites, including msn, and seeding them in round-robin fashion so that they all appeared in each campaign. Since this experiment stopped abruptly I doubt that it has been abandoned - rather, it was put on the shelf for a while. At the time it was clearly effective for them. I think it likely they will do that again (don't know when) since they are putting some new effort into this path. I don't have any evidence of it yet.

I discovered that on 20060503 the blackhats made some significant changes to their use of geocities links and their transmission patterns. I've re-tuned the F002 bot to compensate and it is currently reviewing a handful of new geocities links every minute and adding approximately 1.2 new rules per minute.

I suspect that the lull we observed may have had something to do with their "tooling up" for this set of campaigns.

_M