Hey! New message, please read <http://talky.vn/been.php?qw> Nicolas Viers - Univ. Limoges
Anything to be done about all these?
On 25 October 2015 at 01:36, Nicolas Viers - Univ. Limoges <jdenoy@jdlabs.fr> wrote:
Hey!
New message, please read <http://talky.vn/been.php?qw>
Nicolas Viers - Univ. Limoges
-- Kind Regards, Gavin Henry.
http://www.surevoip.co.uk
OpenPGP (GPG/PGP) Public Key: 0x8CFBA8E6 - Import from hkp://subkeys.pgp.net or http://www.suretecgroup.com/0x8CFBA8E6.gpg
On Mon, Oct 26, 2015 at 01:54:01PM +0000, Gavin Henry wrote:
Anything to be done about all these?
Yes, it appears that even though the sender was blocked 30 hours ago or so in mailman itself, there was still tons of pre-existing garbage in the mail queues which was flushed out over the last 30 hours. Clearly we failed in purging that garbage from the queue in a timely manner.
Going forward, I expect some protection mechanisms will be implemented, rather sooner than later, to prevent this style of incident from happening again.
Kind regards, Job
On 10/26/2015 12:06 PM, Job Snijders wrote:
I expect some protection mechanisms will be implemented, rather sooner than later, to prevent this style of incident from happening again.
Job,
I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?
If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
Here are 4 such lists: SURBL, URIBL, invaluement URI, SpamHaus' DBL list (all very, very good!)
My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (But that doesn't mean as much if they weren't listed at the time the spam was sent!)
Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.
PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.
-- Rob McEwen
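As an added illustration of the URI-filtering idea in the post (code written for this page, not from the thread or from any of the lists named): extract the hostnames of the clickable links in a message body and query them against URI DNSBL zones through a pluggable resolver. The zone names are the public ones; the constructed sample uses a fake resolver and a made-up domain under the reserved .test TLD so it runs offline, and the two-label "registered domain" shortcut is an assumption noted in the code.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# URI/domain DNSBL zones of the kind named in the post; the usual convention is
# label + zone, with an A record in 127/8 meaning "listed" (check each list's docs).
URI_ZONES = ("multi.surbl.org", "multi.uribl.com", "dbl.spamhaus.org")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(body):
    """Lowercased hostnames (or IP literals) of all clickable links in a body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname  # drops scheme, userinfo, port, path
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def lookup_key(host):
    """Query label: reversed octets for IPv4, otherwise the last two labels of
    the domain (a simplification; real lists use a public-suffix table)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ".".join(host.split(".")[-2:])
    return ".".join(reversed(host.split("."))) if ip.version == 4 else None

def check_hosts(hosts, resolver, zones=URI_ZONES):
    """Map each host to the zones that list it. resolver(name) returns the
    A records as strings, or [] when the name does not exist."""
    hits = {}
    for host in sorted(hosts):
        key = lookup_key(host)
        if key is None:  # IPv6 literal; lookup rules differ per list
            continue
        for zone in zones:
            for addr in resolver(f"{key}.{zone}"):
                # 127.255.x.x is an error sentinel on some lists, not a hit
                if addr.startswith("127.") and not addr.startswith("127.255."):
                    hits.setdefault(host, []).append(zone)
    return hits

def should_reject(body, resolver):
    return bool(check_hosts(extract_hosts(body), resolver))

# Constructed sample: fake resolver in place of DNS; made-up domain under the reserved .test TLD.
FAKE_DNS = {"example-spam.test.multi.surbl.org": ["127.0.0.64"]}
def fake_resolver(name):
    return FAKE_DNS.get(name, [])
SAMPLE = "Hey! New message, please read <http://sub.example-spam.test/been.php?qw>"
```

A live deployment supplies a resolver backed by real DNS (socket.gethostbyname_ex returns the A records as its third element) and decodes each list's return codes rather than treating every 127/8 answer alike.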
If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational nature” of NANOG.
I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people supposed to modify it to hxxp or whatever, but reality is people like to copy/paste and this is not unreasonable on NANOG.
Of course, if the rest of you feel differently, let the CC know. It is community driven; the community can decide - if you let your voices be heard.
-- TTFN, patrick
On Oct 26, 2015, at 2:38 PM, Rob McEwen <rob@invaluement.com> wrote:
On 10/26/2015 12:06 PM, Job Snijders wrote:
I expect some protection mechanisms will be implemented, rather sooner than later, to prevent this style of incident from happening again.
Job,
I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?
If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
Here are 4 such lists: SURBL, URIBL, invaluement URI, SpamHaus' DBL list
(all very, very good!)
My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)
Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.
PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.
-- Rob McEwen
On 10/26/2015 5:15 PM, Patrick W. Gilmore wrote:
And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational nature” of NANOG.
I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people supposed to modify it to hxxp or whatever, but reality is people like to copy/paste and this is not unreasonable on NANOG.
That is a good point.
Personally, I think whole spam samples should be linked to a pastebin post, and individual references to a spammer's domain or IP should have a space inserted before each dot. What can be frustrating when this isn't done... is that discussions about spam can intermittently get filtered on the client side, sometimes by active participants in a thread... and inconsistently, which is frustrating... and which is why everyone OUGHT to use such tactics when providing spam samples or when discussing spammy IPs or domains.
But you're correct. Filtering on the server side of lists is not as simple as it sounds due to the risk of mistakenly blocking legit messages in a discussion about spam. Still, it may not be as problematic as you think to deploy such measures. When the sender gets a rejection notice, they often figure out what happened and resend with the spam obfuscated, fwiw. If someone complains, tell them that they should have known to obfuscate the spam (or spammy domain or IP), or post the spam sample to pastebin. At least, that is my suggestion. But I know there isn't an easy answer to this.
-- Rob McEwen
What's needed is 20 (pick a number) trusted volunteer admins with the mailman password whose only capacity is to (make a list: put the list into moderation mode, disable an acct).
Obviously it would be nice if the software could help with this (limited privileges, logging) but it could be done just on trust with a small group.
Another list to announce between them ("got it!") would be useful also.
-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
AFAIK (IDK how either) this hasn't been a big issue in the past few years. Is it really worth worrying about? I notified the MARC admin and it was removed there within a few hours too - a dozen easily tracked messages in a few hours and a few hours after that, it's done (or more like, filtered). Not sure how much actually happens on the backend to keep this list as clean as it appears. But if everyone on that end of things decided to grab a beer at the same time and we have to suffer a little for a badly timed cold one every few years, I'm good with the status quo.
On Oct 26, 2015 10:58 PM, "Barry Shein" <bzs@world.std.com> wrote:
What's needed is 20 (pick a number) trusted volunteer admins with the mailman password whose only capacity is to (make a list: put the list into moderation mode, disable an acct).
Obviously it would be nice if the software could help with this (limited privileges, logging) but it could be done just on trust with a small group.
Another list to announce between them ("got it!") would be useful also.
-- -Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Please stop using this as an opportunity to spam your commercial anti-spam list.... ffs
On Mon, Oct 26, 2015 at 11:38 AM, Rob McEwen <rob@invaluement.com> wrote:
On 10/26/2015 12:06 PM, Job Snijders wrote:
I expect some protection mechanisms will be implemented, rather sooner than later, to prevent this style of incident from happening again.
Job,
I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?
If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
Here are 4 such lists: SURBL, URIBL, invaluement URI, SpamHaus' DBL list
(all very, very good!)
My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)
Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.
PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.
-- Rob McEwen
Several points.
1. It wasn't just NANOG. A number of other mailing lists were targeted. Whether or not all these attacks were launched by the same entity is unknown and probably unknowable.
2. The admins@nanog.org address appears to be unresponsive. Is there actually anyone reading that? If so, who? And why aren't replies being issued in a timely manner?
3. Mailman includes an "emergency moderation" switch for just such occasions as this. When activated, it holds all incoming mailing list traffic for human attention, i.e., nothing goes out unless manually approved. It would have been a good idea to throw that switch as soon as this started, in order to minimize the consequences.
4. As noted, if outbound traffic is already in the MTA queue, then it should be halted and manually cleaned out. This is often annoying and tedious, but it's better than letting it flush.
5. The admins should probably reach out to the keepers of the most-often utilized MX's for NANOG message delivery, as no doubt the onslaught of spam caused degradation of their idea of the sending system's/domain's spam/non-spam traffic mix. (I say that knowing that some or possibly most of those will be impossible to contact: it seems that many people running mail servers failed the first hour of the first day of Email Administration 101 and do not read their postmaster mail and act on it.)
6. There are additional pro-active and reactive steps that can be taken to forestall future such incidents or at least to mitigate them. I've reached out (again) offering to bring my expertise to bear on the problem.
None of these steps will be panaceas. None of them will give guarantees. But in combination they should at least help decrease the pain.
---rsk
participants (9)
- Barry Shein
- Blake Dunlap
- Gavin Henry
- Job Snijders
- Nicolas Viers - Univ. Limoges
- Patrick W. Gilmore
- Rich Kulawiec
- Rob McEwen
- shawn wilson