[Mimedefang] Scary... Filtering on the outbound.

John Scully jscullylg3 at lifegiver.net
Fri Feb 18 10:31:14 EST 2005 

We watch number of recipients and number of messages - the spammer worms 
seem to be sending no more than five recipients per message now.

We also keep track of the blocking history of the sending IP if inbound or 
real user if outbound, and scale the time we block up for repeat senders as 
well as becoming more sensitive.

Like this:

If a user who we have not blocked in the last 30 days starts sending high 
spam score messages they could send a fair number before we block them, and 
the initial block might be for 15 minutes (we are still playing with this 
figure).  After they are unblocked they start again, we erspond faster and 
block for one hour.  After the third block in one day we are hitting them on 
the FIRST message...so nothing is going out.

But it is self-healing - they wait an hour and send a normal message it goes 
right out.

We are also working on improving the message we send to the infected user 
when they are our email user - let them know it is likely a worm, include 
links to free scanners etc.
----- Original Message ----- 
From: "Les Mikesell" <les at futuresource.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Friday, February 18, 2005 12:55 AM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.


>
> On Thu, 2005-02-17 at 21:47, John Scully wrote:
>
>> A sub could send a few emails scoring anything (could be a personal
>> porn-o-gram to someone :) but the higher the number of messages the lower
>> the average score can be to trigger blocking.  Rate of transmission also
>> weights the decision - sending 100 in a few minutes is treated like 
>> sending
>> 1,000 over a longer time.
>
> Are you looking at the number of recipient addresses or the number
> of messages for this test?  Or does the current crop of spam-worms
> generally send a message per recipient?
>
> -- 
>  Les Mikesell
>   les at futuresource.com
>
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
> 



This message scanned for viruses by Lifegiver.net
For more information on our filtered email and dial up internet service please visit http://www.lifegiver.net

More information about the MIMEDefang mailing list