Pete,

Your memory fails you :)  I reported one just yesterday; however, it was understandable.  The rule is below (slightly obfuscated for public consumption).
MB> Final
MB> RULE 349776-055: User Submission, 13 days, 3.1979660500
MB> NAME: Account and Password Information are attached!%+account_info(dot)zip
MB> CODE: Account and Password Information are attached!%+account\_info\(dot)zip
MB> No prior False Positive Reports.
This was in a virus advisory sent out by McAfee.  It makes sense that sometimes these rules will hit discussions of spam and viruses.

I rarely see FPs for the Malware group since the greeting card sites were removed or expired last year (former purveyors of spyware-infected greeting cards), but they also don't hit very often on my system.

I think that, like everything, including virus scanners themselves, there's always a chance of human error.  I get the impression that this group is almost exclusively if not exclusively manually encoded.  I'm fairly conservative when it comes to blocking on just one test, but if you aren't otherwise protected from the neo-Nazi propaganda, I wouldn't recommend against raising the weights on this result code so that it is blocked automatically, just not necessarily deleted.

The point of where the rule should be classified is a bit unclear, however.  Since this mailing was likely associated with the virus writer, many consider it to be part of the virus, but virtually every zombie-sent piece of spam has a similar degree of association.  This, for now, is definitely a special case due to its success in getting through systems early on, the lack of a legitimate payload link (all belong to uninvolved third parties) and the volume seen.  It's scary what someone can do if they prepare properly for such a thing.

Matt

Pete McNeil wrote:
On Tuesday, May 17, 2005, 2:57:44 PM, Jim wrote:

JM> Thanks Pete, would you be able to provide the current false positive rates
JM> for the return codes?

This is not something that we are formally capturing at present,
however anecdotally I can't recall the last time we had an FP
submitted for the malware group.

_M

PS: We will eventually build some instrumentation to capture these
statistics. We've done a few spot analyses and each time we have found
very low volume, widely distributed results -- with each analysis
showing peaks and valleys on different groups. As a result, the data
we currently have about this is too "noisy" for any conclusive
statements.


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
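As an added example (not code from this thread, from Message Sniffer, or from Declude JunkMail), the following Python sketch models the situation Matt describes: a manually encoded malware-group pattern rule fires on an antivirus advisory that quotes the worm's subject line and attachment name, and a weight/threshold scheme decides whether that single hit is enough to hold the message or to delete it. The regex rendering of the rule, the test names, the weights and the thresholds are all assumptions made for illustration; the sample messages are constructed, not captured mail.

```python
import re

# Added example, not code from the Message Sniffer or Declude projects.
# It models the thread's situation: one malware-group pattern rule hits a
# vendor advisory that quotes the worm, and a weight/threshold scheme decides
# whether a single hit means HOLD (blocked, recoverable) or DELETE.

# The rule quoted in the thread, rendered as a Python regex (assumption: the
# real rule engine's syntax differs). "(dot)" is the obfuscation used in the
# thread; the alternation also accepts a literal "." so the pattern matches
# the filename as an actual copy of the mail would carry it.
MALWARE_RULE = re.compile(
    r"Account and Password Information are attached!.*?"
    r"account_info(?:\.|\(dot\))zip",
    re.IGNORECASE | re.DOTALL,
)

# Hypothetical weights and thresholds; the numbers are illustrative only.
WEIGHTS = {
    "MALWARE-RULE": 8,      # pattern hit from the manually encoded malware group
    "ZIP-ATTACHMENT": 6,    # an actual .zip attachment is present
}
HOLD_AT = 8      # quarantine for review: blocked automatically, not deleted
DELETE_AT = 12   # discard outright: no recovery if it was a false positive


def run_tests(msg):
    """Return the names of the tests that fire on a message.

    msg is a dict with 'body' (str) and optional 'attachments' (list of
    filenames); a real filter would walk the parsed MIME structure instead.
    """
    hits = []
    if MALWARE_RULE.search(msg["body"]):
        hits.append("MALWARE-RULE")
    if any(name.lower().endswith(".zip") for name in msg.get("attachments", [])):
        hits.append("ZIP-ATTACHMENT")
    return hits


def score(hits):
    """Sum the weights of the tests that fired."""
    return sum(WEIGHTS[h] for h in hits)


def decide(msg):
    """Map the weighted score to an action: DELIVER, HOLD or DELETE."""
    total = score(run_tests(msg))
    if total >= DELETE_AT:
        return "DELETE"
    if total >= HOLD_AT:
        return "HOLD"
    return "DELIVER"


# Constructed samples (not real captured mail).
ADVISORY = {
    # A vendor advisory quoting the worm's subject and attachment name: the
    # pattern rule fires, but there is no attachment, so it is held, not deleted.
    "body": (
        "Virus advisory: a mass mailing is circulating with the subject\n"
        "'Account and Password Information are attached!' and the\n"
        "attachment account_info.zip. Do not open the attachment.\n"
    ),
    "attachments": [],
}
WORM_COPY = {
    # The mailing itself: pattern hit plus a real .zip crosses the delete line.
    "body": "Account and Password Information are attached!\n"
            "Please open account_info.zip to review your details.\n",
    "attachments": ["account_info.zip"],
}
ORDINARY = {"body": "Minutes from Tuesday's meeting are in the wiki.", "attachments": []}

if __name__ == "__main__":
    for label, msg in [("advisory", ADVISORY), ("worm copy", WORM_COPY), ("ordinary", ORDINARY)]:
        print(f"{label:10s} hits={run_tests(msg)} action={decide(msg)}")
```

The design point is the gap between HOLD_AT and DELETE_AT: the malware rule's weight alone reaches the hold threshold, so a hit is blocked without anyone's intervention, but only a second corroborating test (here, the attachment actually being present) pushes a message into the unrecoverable DELETE range. That is what lets the advisory false positive be reported and released rather than silently lost.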