> If you really are a NANOG admin, I suggest adding some kind of URI filtering
> for blocking the message based on the domains/IPs found in the clickable
> links in the body of the message.

And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about the “operational nature” of NANOG.

I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people being supposed to modify it to hxxp or whatever, but the reality is people like to copy/paste, and this is not unreasonable on NANOG.

Of course, if the rest of you feel differently, let the CC know. It is community driven; the community can decide - if you let your voices be heard.

--
TTFN,
patrick

> On Oct 26, 2015, at 2:38 PM, Rob McEwen <r...@invaluement.com> wrote:
>
> On 10/26/2015 12:06 PM, Job Snijders wrote:
>> I expect some protection mechanisms will be implemented,
>> rather sooner than later, to prevent this style of incident from
>> happening again.
>
> Job,
>
> I can't tell for sure if you're a NANOG admin? Or if you're making educated
> guesses about what you think that NANOG will do?
>
> If you really are a NANOG admin, I suggest adding some kind of URI filtering
> for blocking the message based on the domains/IPs found in the clickable
> links in the body of the message.
>
> Here are 4 such lists:
> SURBL
> URIBL
> invaluement URI
> SpamHaus' DBL list
>
> (all very, very good!)
>
> My own invaluementURI list did particularly well on this set of (mostly
> hijacked) spammy domains, possibly listing ALL of them! I spot checked about
> 40 of them and couldn't find a single one that wasn't already listed on
> ivmURI at the time of the sending. But then I discovered that my sample set
> wasn't truly random. So I can't say for sure, but it looks like ivmURI had
> the highest hit rate, possibly by a wide margin. (I wish I had meticulously
> collected ALL of them and checked ALL of them at the time they were
> received!) Since then, more of these are now listed on the other URI/domain
> blacklists. (but that doesn't mean as much if they weren't listed at the time
> the spam was sent!)
>
> Nevertheless, going forward, I recommend checking these at multirbl.valli.org
> (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam
> at the time of the sending... to get an idea of which blacklists are best for
> blocking this very sneaky series of spams.
>
> PS - I'd be happy to provide complimentary access to invaluement data to
> NANOG, if so desired.
>
> --
> Rob McEwen
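The URI filtering Rob describes above, as an added example that is not code from the thread or from NANOG's list software: it pulls the hosts out of clickable (and hxxp-defanged) links in a message body, builds the query names the way URI DNSBLs expect, and reports which lists answered. The SURBL, URIBL and Spamhaus DBL zone names are the public query zones as documented by those projects; ivmURI is subscription-only, so its zone is a placeholder; the resolver is injectable so the check can be run offline; and the registrable-domain cut is a simplified last-two-labels rule rather than a Public Suffix List lookup.

```python
import re
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Query zones for the public lists named in the thread (from their public docs).
# invaluement's ivmURI is subscription-only, so its zone is a placeholder here.
ZONES: Dict[str, str] = {
    "SURBL": "multi.surbl.org",
    "URIBL": "multi.uribl.com",
    "Spamhaus DBL": "dbl.spamhaus.org",
    "ivmURI": "EXAMPLE-PRIVATE-ZONE.invalid",  # placeholder, not a real zone
}

# Matches http(s) links and the hxxp(s) "defanged" form people paste on lists.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^\s/:?#<>\"']+)", re.IGNORECASE)

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None


def default_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN means 'not listed' for these zones."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup_keys(host: str) -> List[Tuple[str, bool]]:
    """Return (query-key, is_ip) for a link host. IPv4 hosts are reversed
    per the SURBL/URIBL convention; names are cut to a simplified registrable
    form (last two labels; a production filter should use the Public Suffix List)."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.IPv4Address(host)
        return [(".".join(reversed(ip.exploded.split("."))), True)]
    except ipaddress.AddressValueError:
        labels = host.split(".")
        return [(".".join(labels[-2:]), False)] if len(labels) >= 2 else []


def check_message_body(body: str, resolve: Resolver = default_resolver) -> Dict[str, List[str]]:
    """Map each link host that is listed somewhere to the lists that returned a hit.
    Any A record counts as a hit; a real filter should also decode the 127.x.y.z code."""
    hits: Dict[str, List[str]] = {}
    for host in dict.fromkeys(URL_RE.findall(body)):  # dedupe, keep first-seen order
        for key, is_ip in lookup_keys(host):
            for list_name, zone in ZONES.items():
                if is_ip and list_name == "Spamhaus DBL":
                    continue  # DBL is a domain-only list
                if resolve(f"{key}.{zone}") is not None:
                    hits.setdefault(host, []).append(list_name)
    return hits
```

A list manager would call `check_message_body` on the decoded text/plain and text/html parts before delivery and hold or reject messages with any hits, which is exactly the tradeoff patrick raises: a pasted "who has seen $URL" question gets held too.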