malware warning

borg at uu3.net
Sat Jul 22 08:21:47 UTC 2023


Oh, just don't bother. The battle is over and we lost it, because
good people are too soft.

The only interesting action I ever saw was:
"Shutting down email spam factory"; where some network was depeered
from the internet completely. Well done.
(Somehow I cannot find the post about that anymore).

The only sane action I see is to go virtual. I mean, create an overlay
virtual network, make VPN PoPs and put services there.
Looks kinda overkill maybe, but at least we get back control.


---------- Original message ----------

From: Bryan Fields <Bryan at bryanfields.net>
To: nanog at nanog.org
Subject: Re: malware warning
Date: Fri, 21 Jul 2023 22:49:18 -0400

On 7/18/23 9:14 PM, Randy Bush wrote:
> i did not think i was special, and assumed everybody is getting them.
> but i figured that if i kept one or three people from falling for the
> trap it was worth the pollution.

I've done quite a bit of looking into this, trying to prevent it.  It's not
being pulled from the archives.

The basic premise of it:

1. Send email only to direct posters to the list, never through the list.
2. Subscribe using a gmail account as a normal member for harvesting.
3. Scrape the new posts and use the email in the From: header to send spam to.
4. Wait some $TIME after the post and send the spam.
5. The spam will never be able to be linked to the subscribed account.

I've been able to track these "ingestion" accounts and kill them when found,
but it's impossible to do it without false positives.  VERP is used for the
list emails, but short of a bounce, that doesn't really help.

About the only supported option that would mitigate this is wrapping all posts
through the list as from the list.  This still would expose the email
addresses in the email, and we could rewrite them, but it breaks more than it
fixes.

I've seen proposals where all messages get wrapped and each individual email
address found in the message is re-written to a unique address via a mail
forwarding domain, but I can't see this working with such a diverse list.
This also would break after some time.  This is also not something supported
off the shelf in most mailman or other MLMs.

I'd love to kill this spam, but the openness of the email discussion list
format makes it hard to do.  If anyone has ideas on how we can kill this I'd
love to shut it down.

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
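The per-address rewriting Bryan describes above (every subscriber address in a post replaced with a unique alias on a mail forwarding domain, with the relay keeping the reverse map) as an added example; this is not code from the thread, from NANOG or from Mailman. The forwarding domain `relay.example.net`, the HMAC secret and the sample post are constructed for illustration, and only single-part bodies are rewritten.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import formataddr, getaddresses

FORWARD_DOMAIN = "relay.example.net"        # hypothetical forwarding domain (assumption)
SECRET = b"constructed-secret-rotate-me"    # constructed key; a real relay keeps this private
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample post: the From:, Cc: and a body address are all harvestable.
SAMPLE_POST = """\
From: Alice Example <alice@example.org>
To: nanog@example.com
Cc: Bob <bob@example.net>
Subject: Re: malware warning

Bob, see the earlier note from carol@example.org about VERP.
"""


def alias_for(address):
    """Stable, unguessable alias for a real address (same input -> same alias)."""
    tag = hmac.new(SECRET, address.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"u-{tag}@{FORWARD_DOMAIN}"


def rewrite_post(raw, mapping):
    """Replace subscriber addresses in From/Reply-To/Cc and the body with aliases.

    Records alias -> real address in `mapping`, which the forwarding relay
    consults when a reply to an alias arrives. The list's own To: is kept.
    """
    msg = message_from_string(raw)

    def swap(address):
        alias = alias_for(address)
        mapping[alias] = address
        return alias

    for header in ("From", "Reply-To", "Cc"):
        if msg[header]:
            pairs = getaddresses([msg[header]])
            msg.replace_header(header, ", ".join(formataddr((n, swap(a))) for n, a in pairs))
    if not msg.is_multipart():  # multipart bodies are left untouched in this example
        msg.set_payload(ADDR_RE.sub(lambda m: swap(m.group(0)), msg.get_payload()))
    return msg.as_string()
```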

