My server (!) got the porno Messenger service message as well... A LOT of them stacked up. Some research dug up the fact that this is a new form of spam that can be defeated by disabling the messenger service. Under some circumstances disabling the netbios service might also be feasible.
But don't do anything until you've RTFM and are confident you know what you're doing ;D

--Matt Robertson--
MSB Designs, Inc.
http://mysecretbase.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin (Linkbrokers Support)
Sent: Monday, October 14, 2002 6:10 AM
To: [EMAIL PROTECTED]
Subject: DSN:Re: [Declude.JunkMail] Spam Mail Statistics

Group:

As a new person to this Junk mail War on Spam. I'm concerned. I have a topic viewpoint I would like to propose to the group, and get some feedback.

How many networks are being attacked? Is this criminal? Or am I just crazy?

Here is why I ask this question!

Last week our network, a full DS3 was hijacked for about 8 hours. I was sleeping on the JOB, "during my 24/7 job.", from 11:00 PM to 6:15 am. We did discover the source file. And are able to avoid this in the future. (I hope)

But then, another attack over the weekend using Popup messenger service window on all my servers. Yes. I shut down and disabled that service. But how was that executed? (Could use help here)

But, what was interesting. Was, the message was a porno message. With a 800 number. ? WOW - On the [IMail Forum] September Spam Statistics. Porn was highest in content.

This started me to wonder. I'm curious, could a well distributed junkmail server without filters, that abruptly removes 90% of that delivered junkmail be subject to pissed off mail spammers. And if you really pissed them off, how far are they willing to go?

For some reason my network is now being hammered from incoming request. Sharp spikes and long periods of use, with abnormal usage up and down.

I'm just wondering. I know from working with the criminal mind, that one needs to think like one to catch one.

Has anyone ever had or knows anyone who may have a similar opinion or thought on this topic? Anyone willing to hypothesize?
Kevin

----- Original Message -----
From: "eddie pang" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 14, 2002 6:46 AM
Subject: RE: [Declude.JunkMail] Spam Mail Statistics

> EXCELLENT!!!!!! :)
>
> Many thanks :) At least now I ain't going in blind, although I still don't
> know what to do, but that's another issue :)
>
> Cheers!
> eddie.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Smart Business
> Lists
> Sent: Monday, October 14, 2002 12:24 AM
> To: eddie pang
> Subject: Re: [Declude.JunkMail] Spam Mail Statistics
>
>
> eddie,
>
> Monday, October 14, 2002 you wrote:
> EP> New user to JunkMail here..
>
> Welcome to the war.
>
> EP> I know that declude has a spam trap. Is there data available on
> EP> this to determine how effective each test is?
>
> Scott posts his monthly spam stats to the IMAIL forum - see
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> search for "Spam Statistics" or for September see
> http://www.mail-archive.com/[email protected]/msg58649.html
>
> I think a lot of others keep stats on test results but I don't
> think I've seen them widely posted. There are 3rd party programs
> to help you monitor tests and results. See
> http://www.declude.com/tools/index.html
>
> EP> I am very interested in expanding our definitions from the current
> EP> defaults, but before I can do that, I kinda would like to see how
> EP> each test compares at a bigger sampling.. Or is everyone going
> EP> on different pathways...
>
> My experience indicates that communities are sufficiently
> different to require research and subsequent changes. The
> September and August report from Scott referenced above will
> certainly give you a larger picture.
>
> The problem is not so much trapping messages as that is easy but
> not trapping legitimate (and wanted) messages that fail tests.
> There are a good many blacklists of IP's and addresses posted all
> over the web and there are contributors both here and on the IMAIL
> list that post such lists. But for the most part where I have
> tried these in the past I just end up having to weed out more
> false spam messages.
>
> EP> Also, how can I create a spam trap,
>
> discussed at
> http://www.mail-archive.com/[email protected]/msg02642.html
> and try a google on the phrase "create a spam trap"
>
> EP> to evaluate how effective each test is to properly set up each
> EP> weights e.g. Is there a test that is 100% effective in
> EP> identifying spam like helobogus
>
> There is really nothing that 100% of spam fails and 100% of
> non-spam doesn't fail as far as I know.
>
> I fail on the single tests: ORDB, MAILFROM, PERCENT, SNIFFER, and
> one IP blacklist. All other tests have to accumulate to a fail
> weight.
>
> EP> recommend on how new users should approach to building a better
> EP> and efficient definitions...
>
> It depends a bit on what you want to do. You can take a wholesale
> approach and delete or mark many messages and try to figure out a
> way to move the responsibility downstream to the user - or not.
>
> Or you can take a more granular approach and try to refine your
> system so that you are more and more effective on trapping spam
> and reducing false positives.
>
> In the former case it doesn't matter too much what you do.
>
> In the latter though you have to develop a review strategy for
> your spam control system. It is not something you can do just once
> and forget because things change.
>
> 1) develop a review strategy
>    a) LOG action and then review declude logs
>    b) HOLD action and then review with a program like spam review
>       (you have to add lines to the header to indicate tests
>       failed and weights)
>    c) combination of a and b
>
> 2) develop your own weighting system
>    a) some have several levels with different action
>    b) I use pass/HOLD but I review HOLD
>
> 3) the Plus and Minus weights with filters is very good and allows
>    really good tweaking
>
> 4) develop actions you can manage
>    It is not possible for very high volume systems to hold and
>    review messages as an example.
>
> I think it is better to start simpler and then gradually add
> complexity as you understand what is happening.
>
> Another very good tool for us was Sniffer - see
> http://www.sortmonster.com/MessageSniffer/
> helped reduce our false positives to about 1% from 4%
>
> EP> Is there a tool available that will read the junkmail logs and
> EP> break down each test as to their effectiveness?
>
> http://www.declude.com/tools/index.html
> lots of good things reported about spam review.
>
> HTH
>
> Terry Fritts
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
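
Added example (not part of the original thread, and not Declude's own code): the review loop and per-test breakdown discussed above, in Python. It measures each test against a reviewer's verdicts, then checks what an accumulated-weight rule would hold. Only the test names come from the thread; the sample data, weights and hold threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample: (tests a message failed, reviewer's verdict is_spam).
# Test names come from the thread; the data is made up for illustration.
REVIEWED = [
    ({"ORDB", "HELOBOGUS"}, True),
    ({"SNIFFER"}, True),
    ({"SNIFFER", "PERCENT"}, True),
    ({"HELOBOGUS"}, False),
    ({"MAILFROM", "HELOBOGUS"}, True),
    ({"HELOBOGUS"}, True),
    (set(), False),
    ({"ORDB"}, True),
    (set(), False),
    ({"HELOBOGUS", "PERCENT"}, True),
]

# Hypothetical weights and hold threshold (not Declude defaults).
WEIGHTS = {"ORDB": 10, "MAILFROM": 10, "PERCENT": 10, "SNIFFER": 10, "HELOBOGUS": 4}
HOLD_AT = 10


def per_test_stats(reviewed):
    """For each test: spam hits, ham hits (false positives), and precision."""
    spam_hits, ham_hits = Counter(), Counter()
    for failed, is_spam in reviewed:
        (spam_hits if is_spam else ham_hits).update(failed)
    stats = {}
    for test in sorted(set(spam_hits) | set(ham_hits)):
        s, h = spam_hits[test], ham_hits[test]
        stats[test] = {"spam": s, "ham": h, "precision": s / (s + h)}
    return stats


def evaluate(reviewed, weights, hold_at):
    """Apply accumulated weights; return (spam catch rate, false-positive rate)."""
    caught = false_pos = spam = ham = 0
    for failed, is_spam in reviewed:
        held = sum(weights.get(t, 0) for t in failed) >= hold_at
        if is_spam:
            spam += 1
            caught += held
        else:
            ham += 1
            false_pos += held
    return caught / spam, false_pos / ham
```

Raising a noisy test's weight to the hold threshold makes it a single-test failure: on this sample that catches the one remaining spam message but also holds a legitimate one, which is the trade-off the review step exists to measure.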
