Hello Paul,

A relatively easy and reliable way to recognize one of these "storms" is whenever your new SNF engine starts "throwing Bs and Cs" - that is, you can check the second.stat or minute.stat file for Black and Caution hits:
<rates>
  <c .. m>
  <b .. m>
</rates>

On most systems Caution and Black events are relatively rare, but during a "storm" these numbers tend to be high. It is conceivable that you could detect these conditions by checking the stat files and adjust your system's settings during a storm.

_M

Friday, January 4, 2008, 5:38:38 PM, you wrote:

> We saw the same thing this morning between 7:00 AM (GMT-0500) and about 8:30
> AM. Big chunks were getting through (spam detection rate dropped to about
> 65-70% from its normal 97-99%). Sniffer updates seemed to start quelling
> the attack after about an hour of getting pummeled.
>
> Because of the relatively short lifespan of these types of attacks you need
> to:
> 1) be aware of the attack quickly
>    - e.g. w/in 10-15 mins of seeing average detection rates drop below a
>      certain threshold (maybe 85%?) and
> 2) be able to determine if there is an easy way to ID the leaked messages
>    (common source IP(s), From domains (SPF check would help), subject lines,
>    etc.)
> 3) then be able to create a temporary rule to help block messages
>    - must be viable until SNF has an updated ruleset to start clearing out
>      the attack
>    - I don't think Declude (what I use w/SNF) has rule expirations (but
>      it would be a nice feature)
>
> Paul
>
> ---
>
>> -----Original Message-----
>> From: Message Sniffer Community [mailto:[EMAIL PROTECTED]] On
>> Behalf Of Alberto Santoni
>> Sent: Friday, January 04, 2008 4:56 PM
>> To: Message Sniffer Community
>> Subject: [sniffer] I got a strong attack today
>>
>> Hello
>>
>> I got a strong attack today, over a thousand messages at the same time!!
>> The usual technique:
>> Impersonate the victim and send to non-valid users of one domain of
>> mine!!
>> Changing IP for each message.... UNBELIEVABLE!!
>>
>> The only solution was to stop all the services and move all the spool
>> files into a temp directory.
>>
>> I won't use the "nobody" alias because at least the iMail Access
>> Control can stop some bad IPs.
>>
>> My config is:
>> Imail 9.23
>> Mxguard 3.1
>> Message Sniffer
>> InvURIBL 3.7
>>
>> Two questions:
>>
>> 1) Is there a way or tool to recycle good messages from the temp
>>    directory back into the queue?
>> 2) How can I reduce or block(!) this kind of attack?
>>
>> With my best regards
>> Alberto
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list <[email protected]>.
>> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
>> To switch to the DIGEST mode, E-mail to <sniffer-[EMAIL PROTECTED]>
>> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
>> Send administrative queries to <[EMAIL PROTECTED]>

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
