Hello! Important message, please read <http://globalreagents.com/not.php?04> Scott Berkman
On Thu, Oct 08, 2015 at 02:37:15PM -0700, Scott Berkman via NANOG wrote:
Hello!
Important message, please read <hxxp://globalreagentsXXX.com/not.php?04>
smells compromised, moderation flag has been enabled. don't click that link, sorry. Kind regards, Job (for the communications committee)
On 10/8/2015 16:53, Job Snijders wrote:
On Thu, Oct 08, 2015 at 02:37:15PM -0700, Scott Berkman via NANOG wrote:
Hello!
Important message, please read <hxxp://globalreagentsXXX.com/not.php?04>
smells compromised, moderation flag has been enabled. don't click that link, sorry.
Every indication that it as you think, or worse. It it being propagated (by|to) NANOG and Outages (that I know of). It has been going on for some time. As is my habit, I have tried to get help in shutting it down, but as you might expect, there is zero interest at the administration level in the problem. Eventually some low-clue person will get burned bad and depending on how big the splash is some interest may arise. -- sed quis custodiet ipsos custodes? (Juvenal)
A lot of web sites have been infected by criminal spammers in the past couple of years. More recently, massive amounts of legitimate web sites run by non-spammers which used older versions of WordPress (in particular)... have had their web sites hacked into by criminal spammers. The WordPress exploit is epidemic. Since most of these sites are legitimate, they are difficult to blacklist because blacklisting them does cause some amount of collateral damage (though usually a very acceptable and targeted amount of collateral damage--given the circumstances). The problem here is that the SAME algorithms which help the better domain-based anti-spam blacklists to NOT have false positives--OFTEN--also prevent THESE sites from getting blacklisted--even when the infection is active. Those are arguably False Negatives, especially in the more extreme cases when much spam is spewing, with relatively little legit mail containing these domains! Plus, feeling sorry for the site owner's "collateral damage" is like thinking that it is unfair that someone with a highly contagious disease, who got it from irresponsible behavior (dirty needle, etc), wasn't allowed allowed to walk in a crowded public area. When a web site is hosting such malicious content, the web site owner SHOULD lose some privileges until such time that they've cleaned up their mess. Because of this situation, some changes were made to the invaluementURI domain blacklist (ivmURI) about 1 or 2 years ago... to enable it to better surgically target THESE types of exploited domains, yet with a reasonable balance that (hopefully) wouldn't trigger too many FPs. So far, that has been highly successful and I see evidence that other such lists (surbl, uribl, and SpamHaus's DBL list) have made some improvements in this area too. For example, ivmURI had THIS particular domain blacklisted for over a week now (with nobody else listing it!)... and I seem to recall two such messages slipping through just weeks ago ago where the domain in one was only on SpamHaus' DBL list, and the other was only listed on ivmURI. (or was that the SA list where I saw those 2 messages?) even as I type this, ivmURI seems to be the only blacklist which has "globalreagents DOT com" blacklisted, fwiw -- Rob McEwen
participants (6)
-
chris
-
Job Snijders
-
Larry Sheldon
-
Rob McEwen
-
Scott Berkman
-
symack