On Monday, October 10, 2005, 5:44:21 PM, Chuck wrote:

CS> Sniffer is not catching a wave of spam (drug offers); this has been going on
CS> for over a week and I have been forwarding examples.  Is there anything that
CS> can be done?

I strongly suspect you are talking about the "druglist" spam and its variants. 
We've been head to head with these folks since they started the campaign - that 
is, we make adjustments and then they adjust around them within a few hours. We 
are working on ways to close the gap, though there will always be some 
unavoidable delay.

Though this appears to be one campaign, there are several new domains every 
hour or so and several new variations on their obfuscation techniques nearly as 
often. We continue to add rules for all of these variations around the clock - 
including some predictive heuristics which are actually working for quite a bit 
of the traffic.

They have been building up to this for a while and we've been tracking their 
development process through previous versions of this campaign (across quite a 
few weeks now). When they launched the most recent burst, it had the highest 
zombie bandwidth we've seen (for this campaign) behind it and it included a 
blended approach of all of the obfuscation techniques they have used in the 
past including blended rowspan and <br> obfuscation using float-left style 
codes, multi-point injection obfuscation of key words and subjects, and a slew 
of interesting and clearly automated randomization mechanisms... plus a variety 
of innovative combinations not seen previously.

In short, they've got some serious resources behind this one.

The current ruleset appears to have the current variants in check. Please 
continue to send any samples that get through since it's always possible we 
haven't seen them all in our existing traps (we're not quite omniscient yet ;-))

Also, if you have any interesting observations please feel free to drop me a 
note at our support@ address and I will add it to our thinking.

Sorry for the leakage, we are working on it.

Thanks,

_M
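As an added illustration (not code from the original message or from the Message Sniffer product), the following Python snippet shows why the tag-injection and rowspan/<br> splitting described above defeats naive keyword rules, and how stripping markup before matching, with some tolerance for injected punctuation, recovers the keyword. The sample HTML and the keyword list are constructed for this example; the mail itself describes the techniques only in general terms.

```python
import html
import re

# Constructed sample, not taken from the original message: one keyword split
# across table cells and a <br>, another broken up by empty/injected tags, a
# third spaced out with punctuation, plus a random comment token.
SAMPLE_HTML = (
    '<table><tr><td rowspan="2">Cheap</td><td style="float:left">dr</td>'
    '<td>ug<br>s</td></tr></table>'
    '<!-- random-token-8213 -->'
    'Order V<b></b>i<span style="float:left">a</span>gra online&nbsp;'
    'or try c.i.a.l.i.s today'
)

# Constructed keyword list for the demonstration.
KEYWORDS = ["drugs", "viagra", "cialis", "pharmacy"]

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]*>")


def strip_html(raw: str) -> str:
    """Drop comments and tags outright so tag-injected word pieces join back up."""
    text = COMMENT_RE.sub("", raw)
    text = TAG_RE.sub("", text)
    return html.unescape(text).lower()


def tolerant_pattern(word: str, gap: int = 2) -> "re.Pattern":
    """Regex for `word` that tolerates up to `gap` non-alphanumerics between letters."""
    sep = r"[^a-z0-9]{0,%d}" % gap
    return re.compile(sep.join(re.escape(ch) for ch in word))


def find_keywords(raw_html: str, keywords=KEYWORDS, gap: int = 2) -> list:
    """Return the keywords found in the de-obfuscated text, in `keywords` order."""
    text = strip_html(raw_html)
    return [w for w in keywords if tolerant_pattern(w, gap).search(text)]


if __name__ == "__main__":
    print(strip_html(SAMPLE_HTML))
    print(find_keywords(SAMPLE_HTML))  # ['drugs', 'viagra', 'cialis']
```

A plain substring rule run over the raw HTML finds none of the three keywords; the same rule over the stripped text finds all of them.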

This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html
