Please stop using this as an opportunity to spam your commercial anti-spam list.... ffs
On Mon, Oct 26, 2015 at 11:38 AM, Rob McEwen <r...@invaluement.com> wrote:
> On 10/26/2015 12:06 PM, Job Snijders wrote:
>>
>> I expect some protection mechanisms will be implemented,
>> rather sooner than later, to prevent this style of incident from
>> happening again.
>
>
> Job,
>
> I can't tell for sure if you're a NANOG admin? Or if you're making educated
> guesses about what you think that NANOG will do?
>
> If you really are a NANOG admin, I suggest adding some kind of URI filtering
> for blocking the message based on the domains/IPs found in the clickable
> links in the body of the message.
>
> Here are 4 such lists:
> SURBL
> URIBL
> invaluement URI
> SpamHaus' DBL list
>
> (all very, very good!)
>
> My own invaluementURI list did particularly well on this set of (mostly
> hijacked) spammy domains, possibly listing ALL of them! I spot checked about
> 40 of them and couldn't find a single one that wasn't already listed on
> ivmURI at the time of the sending. But then I discovered that my sample set
> wasn't truly random. So I can't say for sure, but it looks like ivmURI had
> the highest hit rate, possibly by a wide margin. (I wish I had meticulously
> collected ALL of them and checked ALL of them at the time they were
> received!) Since then, more of these are now listed on the other URI/domain
> blacklists. (but that doesn't mean as much if they weren't listed at the
> time the spam was sent!)
>
> Nevertheless, going forward, I recommend checking these at
> multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would
> have blocked the spam at the time of the sending... to get an idea of which
> blacklists are best for blocking this very sneaky series of spams.
>
> PS - I'd be happy to provide complimentary access to invaluement data to
> NANOG, if so desired.
>
> --
> Rob McEwen
>
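
The URI filtering suggested in the quoted mail, sketched as an added example that is not part of the thread and not any list operator's code: hostnames from links in a message body are looked up in URI/domain DNSBL zones. Assumptions: the three zone names below are the public query zones of SURBL, URIBL and the Spamhaus DBL; hostnames are queried as-is (a production filter reduces them to the registrable domain first); and the resolver is injectable so the constructed sample runs without DNS.

```python
import ipaddress
import re
import socket

# Assumed public query zones for three of the lists named in the quoted mail.
# The invaluement URI list is left out: the mail gives no zone name for it.
ZONES = ("multi.surbl.org", "multi.uribl.com", "dbl.spamhaus.org")
URL_HOST = re.compile(r"https?://([^/\s:?#>\"']+)", re.I)

def link_hosts(body):
    """Return the unique, lower-cased hostnames found in http(s) links."""
    hosts = []
    for h in URL_HOST.findall(body):
        h = h.rstrip(".").lower()
        if h and h not in hosts:
            hosts.append(h)
    return hosts

def dns_lookup(name):
    """Default resolver: A record as a string, or None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(answer):
    # Assumption: an answer in 127.0.0.0/8 is a listing, except 127.0.0.1 and
    # 127.255.255.0/24, which mean a refused or invalid query, not a hit.
    if answer is None:
        return False
    ip = ipaddress.ip_address(answer)
    return (ip in ipaddress.ip_network("127.0.0.0/8")
            and ip != ipaddress.ip_address("127.0.0.1")
            and ip not in ipaddress.ip_network("127.255.255.0/24"))

def check_body(body, resolve=dns_lookup, zones=ZONES):
    """Map each linked host to the zones that list it (empty dict: no hits)."""
    hits = {}
    for host in link_hosts(body):
        listed = [z for z in zones if is_listed(resolve(f"{host}.{z}"))]
        if listed:
            hits[host] = listed
    return hits

# Constructed sample message and stub resolver standing in for live DNS.
SAMPLE = "Click http://bad.example/offer or https://Good.example/page?x=1 now"
FAKE_DNS = {"bad.example.dbl.spamhaus.org": "127.0.1.2",
            "bad.example.multi.surbl.org": "127.0.0.64",
            "good.example.multi.uribl.com": "127.0.0.1"}  # refused, not a hit

def demo():
    return check_body(SAMPLE, resolve=FAKE_DNS.get)
```

Treating a refusal code as a listing would reject every message with a link once a list starts rate-limiting the resolver, which is why `is_listed` excludes those answers.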