
Terry Zink's Anti-malware Blog

Protecting your mail from the scum of the internet

Posts tagged: Reputation
Keeping track of botnets
A couple of months ago, I posted a one-day snapshot of how much spam we see from individual botnets. I've been keeping track since July 29 on the biggest ones that have names, and only for IPs that get past our RBLs. At the time of my first Read More...
How to reclaim your sender reputation, part 10 - Results
Results: Forefront Online (i.e., us) has come a long way in reclaiming its outbound reputation. The question now is this: has it worked? I will report on some anecdotal evidence. The Good: To determine whether or not we have gotten better, I prefer to check Read More...
How to reclaim your sender reputation, part 9 – disabling offenders
Continuing on in my 9-part series, the process of mitigating an outbound spam problem occurs in a two-fold manner. Usually the two approaches are mutually exclusive, but one can lead to the other. Cutting off mail only for the offending email address: This is the default Read More...
Are we seeing more spam from Gmail, Hotmail and Yahoo?
Last week, I commented on the Gmail/Hotmail/Yahoo username and password leak. The question we now ask is whether or not we are seeing an increased amount of spam from those services. The folks from All Spammed Up recently posted that various Read More...
How to reclaim your sender reputation, part 8 – More pattern analysis
Islands: Islands are named that way because the pattern looks like an island; it is a time-zone infraction in which the middle sticks out above the others. Another term for this pattern is the head-and-shoulders pattern. Islands are the most ambiguous Read More...
How to reclaim your sender reputation, part 7 – Pattern analysis
Mountains: A mountain pattern is when each subsequent monitoring of an outbound spam problem is worse than the previous time. It looks like you are climbing a mountain. Once a threshold is crossed, an alert is generated. Mountains generate the most obvious Read More...
How to reclaim your sender reputation, part 6 – Noise reduction
Pattern Detection and Noise Reduction: The amount of noise inherent in outbound spam detection is high. End users will routinely mark messages as spam that aren't actually spam. An example of this would be company billing reports; these are not spam but Read More...
How to reclaim your sender reputation, part 5 - Monitoring
Monitoring: FOSE has implemented a lot of different mechanisms to mitigate the spam problem. These include, but are not limited to, the following: routing all mail from non-customer domains that is marked as spam through the NDR pool; changing (1) and Read More...
How to reclaim your sender reputation, part 4 – More options
Option 3 - Keep track of the mail disposition and cut off the entire organization: This was one of the original ideas proposed for solving the outbound spam problem. The idea is to filter the mail and write the disposition (spam vs. non-spam) to an Read More...
How to reclaim your sender reputation, part 3 - Options
Options: Since outbound spam was poisoning our reputation, we decided that there were two angles from which we had to approach it: disable customers from using our outbound service when we detected they were spamming, and neutralize the effects of their spam so that other Read More...
How to reclaim your sender reputation, part 2 – The Damage
This is the second part of a paper that I presented at Virus Bulletin. Check out their web page here. Outbound Mail: The basic assumption for outbound mail is that the people sending it are sending legitimate content. The problem is that this is Read More...
How to reclaim your sender reputation - Introduction
The following document is part of a paper that I presented at Virus Bulletin in Sept, 2009, in Geneva. It outlines the process that my team has iterated over to clamp down on the problem of outbound spam. How To Reclaim Your Sender Reputation: Background Read More...
Don’t shoot the messenger
When doing IP reputation, you usually run the IP check on the connecting IP. The assumption is that the IP delivering the mail directly is the one responsible for the IP reputation. There are exceptions, of course, Read More...
Facebook spam
One of our spam analysts saw the following spam today: http://www.facebook.com/notes.php?id=xxxxxxxxxxxxx AldLif tedHisCh in AndNarro wedHisE yes."Th eZenshi aVa r iationS ays,' AFr iendWho Cannot BeRe lie dUponI sWo rseTh an AnEnemy. '" Flo Read More...
Distribution of botnets
Today, out of curiosity, I decided to take a look at which botnets were sending us spam and then do a breakdown of the highest offending botnets. This is a simple snapshot and not necessarily representative of our entire network. Since we block so Read More...