nanog mailing list archives

Re: improved NANOG filtering


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 26 Oct 2015 17:15:01 -0400

If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the 
domains/IPs found in the clickable links in the body of the message.

And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational 
nature” of NANOG.

I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people 
being supposed to modify it to hxxp or whatever, but the reality is people like to copy/paste and this is not 
unreasonable on NANOG.

Of course, if the rest of you feel differently, let the CC know. It is community driven; the community can decide - if 
you let your voices be heard.

-- 
TTFN,
patrick

On Oct 26, 2015, at 2:38 PM, Rob McEwen <rob () invaluement com> wrote:

On 10/26/2015 12:06 PM, Job Snijders wrote:
I expect some protection mechanisms will be implemented,
rather sooner than later, to prevent this style of incident from
happening again.

Job,

I can't tell for sure: are you a NANOG admin, or are you making educated guesses about what you think NANOG 
will do?

If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the 
domains/IPs found in the clickable links in the body of the message.

Here are 4 such lists:
SURBL
URIBL
invaluement URI
SpamHaus' DBL list

(all very, very good!)

My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing 
ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at 
the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but 
it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of 
them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other 
URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)

Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain 
blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best 
for blocking this very sneaky series of spams.

PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.

-- 
Rob McEwen

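The URI-filtering approach Rob describes above (pull the hostnames out of the clickable links in a message body and look each one up in a URI/domain blacklist over DNS), written out as an added Python example that is not part of this thread and not code from any of the listed services. The query zones are the lists' public DNS zones as I understand them and are marked as assumptions; the resolver is a stub with constructed answers so the example runs offline, and the message body is constructed.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse
# DNS query zones of three of the lists named in the thread (assumed from
# public documentation; confirm each list's terms and zone before use).
URI_LISTS = {
    "SURBL": "multi.surbl.org",
    "URIBL": "multi.uribl.com",
    "Spamhaus DBL": "dbl.spamhaus.org",
}

URL_RE = re.compile(r"\bhttps?://[^\s<>\"')]+", re.IGNORECASE)

def extract_hosts(body):
    """Hostnames found in clickable http(s) links in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts

def query_name(host, zone):
    """DNS name to look up for *host* in URI blacklist *zone*, or None."""
    try:
        ip = ip_address(host)
    except ValueError:
        # Production code should first reduce host to its registrable
        # domain (public suffix list); the lists key on that, not on www.
        return f"{host}.{zone}"
    if ip.version != 4:
        return None  # IPv6 literals are out of scope for this example
    return ".".join(reversed(str(ip).split("."))) + f".{zone}"

def check_message(body, resolve, lists=URI_LISTS):
    """Map each listed link host to the names of the lists that flag it.
    resolve(name) returns the A record as a string, or None for NXDOMAIN."""
    hits = {}
    for host in sorted(extract_hosts(body)):
        for name, zone in lists.items():
            qname = query_name(host, zone)
            if qname and (resolve(qname) or "").startswith("127."):
                hits.setdefault(host, []).append(name)
    return hits

# Constructed stub resolver and message body, so the example runs offline.
STUB_ANSWERS = {"bad.example.net.multi.surbl.org": "127.0.0.8",
                "bad.example.net.dbl.spamhaus.org": "127.0.1.2"}
stub_resolve = STUB_ANSWERS.get
SAMPLE_BODY = "See http://bad.example.net/x and https://www.example.org/."
```

A real deployment would replace stub_resolve with an actual DNS lookup and decode each list's 127.x.y.z return codes rather than treating any 127/8 answer as a hit.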