Senderbase losing effectiveness?

May 14th, 2007

It seems like Senderbase has lost a lot of effectiveness lately. I am wondering if anyone else is seeing this.

Here's what I see:

In the GUI I look at:
Monitor/Incoming Mail
Custom Report
IPs
Recipients Received
Past Hour or Past Day
Top 100

This report is important since it really shows what the Ironport CPU has been scanning.

My reports are consistently showing +90% of the IPs listed as being 100% spam positive. Many of these IPs have Senderbase scores over 4.0, even as high as 4.7.

Is anyone else seeing this problem? Have you found a workaround?

Rayman_Jr Tue, 05/15/2007 - 09:06

+90% sounds like a very high number of messages reported as spam from good sources.

What are your spam / suspect spam thresholds?

We rank messages as spam if score > 75 and suspected spam > 50

bfayne_ironport Tue, 05/15/2007 - 13:22

I am using the exact same thresholds.

Rayman_Jr Tue, 05/15/2007 - 13:52

Interesting... From the last day Top 100 recipients received list I have only 6 senders with 100% of SPAM.

3 senders without SBRS and 3 with SBRS between 1 and 1.6

Rayman_Jr Tue, 05/15/2007 - 15:05

Correction to my previous post. That was status from Europe. We have another C600 in US and there are a lot of 100% spam sources with SBRS between +3.5 and +4.7

All these have high SBRS and traffic is 100% SPAM

65.111.26.16 crowflies16.forexpose.com
65.111.26.27 crowflies27.morselwork.com
64.192.28.32 teaching32.sedatewin.com
65.111.26.53 crowflies53.forexpose.com
65.111.26.66 crowflies66.readyholds.com
216.74.88.76 later76.soviettactic.com
216.74.88.140 later140.corsethow.com
65.111.26.143 crowflies143.ninehiccup.com
216.74.88.153 class153.geniusgot.com
200.75.0.27 correo4.gtdinternet.com
65.111.26.165 crowflies165.soundsoften.com
65.111.26.167 crowflies167.insolethe.com
216.74.88.169 class169.geniusgot.com
216.74.88.174 later174.signetbe.com
216.74.120.180 planet180.frescoeye.com
65.111.26.190 crowflies190.shipbrown.com
216.74.88.216 later216.beanbayou.com
216.74.88.219 later219.meagermyself.com
216.74.88.223 class223.savageera.com
65.111.26.238 crowflies238.yondernow.com
216.74.88.241 class241.savageera.com
216.74.88.128 later128.itbobble.com
66.96.245.98 baseball98.soakbrewed.com
66.96.255.157 rush157.dipwire.com
66.96.245.245 baseball245.familycrown.com

bfayne_ironport Tue, 05/15/2007 - 19:44

This is what I am seeing on one of my appliances, along with the SBRS scores. Very interesting. They seem to be a lot of the same hosts.

64.194.131.92 shutter92.nowstern.com 4.7
65.111.26.167 crowflies167.largesail.com 4.6
65.111.26.108 crowflies108.usedcrow.com 4.1
216.74.115.32 smtp32.oreinto.com 4.1
72.37.165.163 mx2.themazic.com 4.1
216.74.115.125 smtp125.fourship.com 4.1
216.74.115.240 smtp240.copperof.com 4.1
216.74.115.16 smtp16.oreinto.com 4.1
65.111.26.32 crowflies32.hotenormous.com 4.1
66.96.255.162 rush162.creekif.com 4.1
72.37.165.183 m9.topdeliverynow.com 4.1
216.74.115.85 smtp85.withwhen.com 4.1
66.96.245.15 baseball15.liquidfor.com 4.1
216.74.115.151 smtp151.fourship.com 4
216.74.115.165 smtp165.sixabout.com 4
216.74.115.219 smtp219.drinkor.com 4
65.111.26.143 crowflies143.usedcrow.com 4
216.74.115.70 smtp70.withwhen.com 4
216.74.115.93 smtp93.crosswhy.com 4
64.194.131.98 shutter98.lambbox.com 4
216.74.115.171 smtp171.hasglen.com 4
64.194.131.28 shutter28.fieldpin.com 4
216.74.115.179 smtp179.suqwoven.com 4
64.194.131.249 shutter249.orwoven.com 4
216.74.115.11 smtp11.losepile.com 4
216.74.115.102 smtp102.withwhen.com 4
216.74.115.172 smtp172.suqwoven.com 4
216.74.115.6 smtp6.offdress.com 4
216.74.115.181 smtp181.sixabout.com 4
216.83.208.55 rm55.netsolutioncenter.com 3.5
72.46.141.60 mx5i.melodyspaces.com 3.4
66.232.120.158 mail.shirtstus.com 3.4
66.197.184.104 omicron104.fallingtea.com 3.3
64.191.11.192 mail192.dipworn.com 3.2
66.197.184.154 omicron154.steamworn.com 3.2
64.191.11.140 mail140.offsalt.com 3.2
64.191.43.77 shield77.carwine.com 2.8
64.191.43.26 shield26.kitbelch.com 2.7
66.96.255.110 rush110.darkmow.com 2.7
70.102.167.244 244.ip.static.easyns1.com 2.5

Bart_ironport Tue, 05/15/2007 - 20:34

The reverse DNS of the addresses listed in the previous post are interesting. Most of them have a very low TTL (1 or 2 minutes) and frequently change from one domain to another.

If you perform a reverse lookup on those addresses you'll see that they are in a different domain now. Usually keeping the same hostname.

For example 65.111.26.16 which you resolved to "crowflies16.forexpose.com" is listed in senderbase as "crowflies16.hiccupeast.com" and is currently resolving to "crowflies16.againwhite.com".

Looks fishy to me... yet they have an SBRS of 4.1.

Rayman_Jr Wed, 05/16/2007 - 08:09

Yep, very well organized.

As an example, here is the history of one of the sources. Each time it tried to send SPAM messages to 10-18 recipients. The distribution list seems to be very accurate and there were only a few LDAP rejections (those were old deleted user accounts).

Thu May 10 15:20:36 2007 address 216.74.88.140 reverse dns host later140.corsethow.com verified yes
Sat May 12 06:50:09 2007 address 216.74.88.140 reverse dns host later140.tarponway.com verified yes
Sun May 13 09:31:00 2007 address 216.74.88.140 reverse dns host later140.deceitdugout.com verified yes
Mon May 14 20:07:46 2007 address 216.74.88.140 reverse dns host class140.geniusgot.com verified yes
Mon May 14 21:43:45 2007 address 216.74.88.140 reverse dns host class140.geniusgot.com verified yes
Wed May 16 01:42:57 2007 address 216.74.88.140 reverse dns host class140.choppytoo.com verified yes
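
As an added example (not code from this thread or from IronPort), the script below parses history lines in the same "address ... reverse dns host ... verified yes" format as the entries above and flags IPs whose forward-confirmed reverse DNS keeps hopping between registrable domains while the leading label stays the same, which is exactly the pattern Bart and Rayman_Jr describe. The sample log is constructed: it reuses the 216.74.88.140 entries from the post and adds a hypothetical stable sender (192.0.2.25, a documentation address) for contrast. The registrable-domain logic is a naive "last two labels" assumption that suits the .com hostnames in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the history posted above. The 216.74.88.140
# lines are copied from the thread; 192.0.2.25 / mail.example.net is a
# hypothetical well-behaved sender added for contrast.
SAMPLE_LOG = """\
Thu May 10 15:20:36 2007 address 216.74.88.140 reverse dns host later140.corsethow.com verified yes
Sat May 12 06:50:09 2007 address 216.74.88.140 reverse dns host later140.tarponway.com verified yes
Sun May 13 09:31:00 2007 address 216.74.88.140 reverse dns host later140.deceitdugout.com verified yes
Mon May 14 20:07:46 2007 address 216.74.88.140 reverse dns host class140.geniusgot.com verified yes
Mon May 14 21:43:45 2007 address 216.74.88.140 reverse dns host class140.geniusgot.com verified yes
Wed May 16 01:42:57 2007 address 216.74.88.140 reverse dns host class140.choppytoo.com verified yes
Thu May 10 09:00:00 2007 address 192.0.2.25 reverse dns host mail.example.net verified yes
Sat May 12 09:00:00 2007 address 192.0.2.25 reverse dns host mail.example.net verified yes
"""

# One history line: timestamp, address, reverse DNS host, verification result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) address (?P<ip>\S+) "
    r"reverse dns host (?P<host>\S+) verified (?P<verified>yes|no)$"
)


def parse_line(line):
    """Parse one history line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "ip": m["ip"], "host": m["host"],
            "verified": m["verified"] == "yes"}


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; a real
    deployment would consult the public suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def rdns_history(log_text):
    """Group parsed records by IP, each group sorted by timestamp."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            history[rec["ip"]].append(rec)
    for recs in history.values():
        recs.sort(key=lambda r: r["ts"])
    return history


def flag_rotating_rdns(log_text, min_domains=3):
    """Return {ip: summary} for IPs whose verified reverse DNS has moved across
    at least `min_domains` distinct registrable domains in the observed window."""
    flagged = {}
    for ip, recs in rdns_history(log_text).items():
        verified = [r for r in recs if r["verified"]]
        domains = []
        for r in verified:
            d = registrable_domain(r["host"])
            if not domains or domains[-1] != d:
                domains.append(d)  # record each change, collapse consecutive repeats
        distinct = set(domains)
        if len(distinct) >= min_domains:
            span = verified[-1]["ts"] - verified[0]["ts"]
            flagged[ip] = {
                "domains": sorted(distinct),
                "changes": len(domains) - 1,
                "days_observed": round(span.total_seconds() / 86400, 1),
                "first_host": verified[0]["host"],
                "last_host": verified[-1]["host"],
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_rotating_rdns(SAMPLE_LOG).items():
        print(f"{ip}: {summary['changes']} domain changes over "
              f"{summary['days_observed']} days "
              f"({summary['first_host']} -> {summary['last_host']})")
```

Note that every line above carries "verified yes": a PTR record that forward-confirms proves nothing when the sender controls both the reverse zone and the throwaway domains, so the signal worth alerting on is the churn itself, not the verification result. Feeding this the history for the other addresses in the thread would show the same pattern for each.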

tminchin_ironport Wed, 05/16/2007 - 12:10

We get a fair few targeted attacks from large bunches of IPs sending one or two spams an hour. I suspect they are targeted just at us, as even if we submit samples to IPAS/BM the spams keep coming for hours (so we use content filters).

They also have very good distribution lists - so I suspect we have been trojanned in the past by something which has extracted our Exchange GAL (as they attempt addresses for staff who have left).

The slow spams from large botnets make me wish we had greylisting capability.

dmayer_ironport Wed, 05/16/2007 - 17:34

IronPort customers - this is Dave Mayer, I am the product manager for IronPort anti-spam as well as SenderBase Reputation Filters. First off, great post! All of you are certainly on the ball when it comes to picking up on spam trends.

As you can see, the spammers are getting tougher and tougher to catch. The good news is that we have a huge team of world class engineers making sure we stay one step ahead of them. We have had a few reports of people saying that certain IPs are sending 100% spam but that their SBRS scores are not being lowered. When I follow up with these customers I ask them if their overall catch rate has decreased because of this trend. All of them have said "no". In fact, every month I do a poll (please shoot me a poll if you'd like to be included in it - the more people the better: [email protected]) that asks our customers whether the catch rate of IronPort has gone up, down or stayed the same from the previous 30 days. This month 87% of customers said that the overall catch rate has gone up or stayed the same from the previous month.

The reason that, even though there are more IPs that aren't being blocked but are sending spam hasn't translated into a lower catch rate overall, is that we've chosen to combat these IPs and the spam they send at the content level with IPAS. We've done this because it offered us a way to more quickly and accurately address this trend we've been seeing.

But, we also realize that the farther upstream you can block something, the better. This is especially true for performance sensitive customers. Short term, we have updates to SBRS that should meaningfully cut down the # of IPs that send spam for weeks but don't receive a negative score. This should be available in the next 2-3 weeks.

Our next major release of SBRS (timing TBD but most likely very late q3) will do more to address this trend.

We love hearing feedback like this from our customers. Please keep it coming by emailing me at [email protected] or posting to IronPortnation.com. Once the short term patch is rolled out I'll post again to this forum so that I can get feedback.

Dave
