improved NANOG filtering

Patrick W. Gilmore patrick at ianai.net
Mon Oct 26 21:15:01 UTC 2015


> If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.

And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational nature” of NANOG.

I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people supposed to modify it to hxxp or whatever, but reality is people like to copy/paste and this is not unreasonable on NANOG.

Of course, if the rest of you feel differently, let the CC know. It is community driven; the community can decide - if you let your voices be heard.

-- 
TTFN,
patrick

> On Oct 26, 2015, at 2:38 PM, Rob McEwen <rob at invaluement.com> wrote:
> 
> On 10/26/2015 12:06 PM, Job Snijders wrote:
>> I expect some protection mechanisms will be implemented,
>> rather sooner then later, to prevent this style of incident from
>> happening again.
> 
> Job,
> 
> I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?
> 
> If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
> 
> Here are 4 such lists:
> SURBL
> URIBL
> invaluement URI
> SpamHaus' DBL list
> 
> (all very, very good!)
> 
> My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)
> 
> Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.
> 
> PS - I'd be happy to provide complementary access to invaluement data to NANOG, if so desired.
> 
> -- 
> Rob McEwen
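The URI filtering Rob proposes above, as an added example that is not part of this thread: hostnames are pulled from the links in a post, reduced to a registrable domain (or reversed IPv4 octets), prefixed onto the blocklist zone names and checked through a resolver callback. The sample post, the DNS answers and the two-label suffix set are constructed, and the resolver is injected so the code runs offline.

```python
import re
from ipaddress import IPv4Address, ip_address, ip_network

# DNS zones of three URI blocklists named on the page (publicly documented).
ZONES = ("dbl.spamhaus.org", "multi.surbl.org", "multi.uribl.com")
LISTED = ip_network("127.0.0.0/8")       # any 127/8 answer means listed ...
ERRORS = ip_network("127.255.255.0/24")  # ... except Spamhaus DBL error codes
# Minimal constructed two-label suffix set; a production filter would use the full PSL.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "org.uk"}
# Also matches defanged "hxxp" links, since posters rarely defang consistently.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://([^\s/?#<>\"']+)", re.I)

def link_hosts(body):
    """Hostnames or IPv4 literals found in links in the message body."""
    hosts = set()
    for m in URL_RE.finditer(body):
        authority = m.group(1).rsplit("@", 1)[-1]               # drop userinfo
        hosts.add(authority.split(":")[0].lower().rstrip("."))  # drop port
    return hosts

def query_key(host):
    """Registrable domain for names; reversed octets for IPv4 literals."""
    try:
        return ".".join(reversed(str(IPv4Address(host)).split(".")))
    except ValueError:
        labels = host.split(".")
        n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
        return ".".join(labels[-n:])

def check_body(body, resolve):
    """Map each link host to the zones listing it. resolve(name) returns the
    A-record answer as a string, or None for NXDOMAIN (real code queries DNS)."""
    hits = {}
    for host in link_hosts(body):
        key = query_key(host)
        for zone in ZONES:
            answer = resolve(f"{key}.{zone}")
            addr = ip_address(answer) if answer else None
            if addr is not None and addr in LISTED and addr not in ERRORS:
                hits.setdefault(host, []).append(zone)
    return hits

# Constructed sample: one listed link, one clean link, one IP link whose
# DBL answer is an error code (must not count as a listing).
SAMPLE_BODY = ("Has anyone seen hxxp://www.bad-example.test/login?x=1 or\n"
               "https://clean-example.test/ lately? Also http://198.51.100.7:8080/")
SAMPLE_ANSWERS = {"bad-example.test.dbl.spamhaus.org": "127.0.1.2",
                  "bad-example.test.multi.surbl.org": "127.0.0.8",
                  "7.100.51.198.dbl.spamhaus.org": "127.255.255.254"}
```

Running `check_body(SAMPLE_BODY, SAMPLE_ANSWERS.get)` reports only the listed host; the error-code answer for the IP link is ignored, which is the check a filter needs before bouncing a post on the strength of a single lookup.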



