improved NANOG filtering
rob at invaluement.com
Mon Oct 26 18:38:41 UTC 2015
On 10/26/2015 12:06 PM, Job Snijders wrote:
> I expect some protection mechanisms will be implemented,
> rather sooner than later, to prevent this style of incident from
> happening again.
I can't tell for sure if you're a NANOG admin, or if you're making
educated guesses about what you think NANOG will do.
If you really are a NANOG admin, I suggest adding some kind of URI
filtering for blocking the message based on the domains/IPs found in
the clickable links in the body of the message.
Here are 4 such lists:
SpamHaus' DBL list
(all very, very good!)
My own invaluementURI list did particularly well on this set of (mostly
hijacked) spammy domains, possibly listing ALL of them! I spot checked
about 40 of them and couldn't find a single one that wasn't already
listed on ivmURI at the time of the sending. But then I discovered that
my sample set wasn't truly random. So I can't say for sure, but it looks
like ivmURI had the highest hit rate, possibly by a wide margin. (I wish
I had meticulously collected ALL of them and checked ALL of them at the
time they were received!) Since then, more of these are now listed on
the other URI/domain blacklists. (But that doesn't mean as much if they
weren't listed at the time the spam was sent!)
Nevertheless, going forward, I recommend checking these at
multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s)
would have blocked the spam at the time of the sending... to get an idea
of which blacklists are best for blocking this very sneaky series of spams.
PS - I'd be happy to provide complimentary access to invaluement data to
NANOG, if so desired.
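The body-URI filtering proposed in the message above, as an added worked example (this is not code from the original thread, from invaluement, or from NANOG's list software): pull the hostnames out of the clickable links in a message body, query each one against a Spamhaus-DBL-style DNS zone at the time the message is received, and reject on a hit. The zone name `dbl.spamhaus.org` and the `127.0.1.x` return-code meanings follow Spamhaus's published DBL documentation and should be re-checked against the current version before deployment; the message body, the listed domain and the resolver answers are all constructed so the example runs offline. The parent-label walk in `candidate_domains` is a simplification of what a Public Suffix List lookup would do.

```python
"""
Body-URI filtering against a DNS-based domain blocklist (DBL style).

Added example, not code from the original NANOG thread.  Assumptions:
  - a DBL-style zone (default "dbl.spamhaus.org") answers <domain>.<zone>
    with a 127.0.1.x A record when <domain> is listed, NXDOMAIN otherwise;
  - `resolve(name)` is pluggable (returns a list of A records or None), so
    the example runs offline with the constructed answers below.
"""
import ipaddress
import re
import socket
from html import unescape
from urllib.parse import urlsplit

# Matches http(s) URLs in plain text and inside href="..." attributes.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Return codes as documented by Spamhaus for the DBL (verify before use).
# The 127.0.1.10x range is "abused legit": a hijacked legitimate domain,
# which is exactly the kind of domain the thread is about.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused legit spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
}


def extract_link_hosts(body):
    """Return (hostnames, ip_literals) found in links, lowercased, deduplicated."""
    hosts, ips = [], []
    for m in _URL_RE.finditer(unescape(body)):
        url = m.group(1 - 1).rstrip(".,);:!?")      # drop trailing prose punctuation
        host = urlsplit(url).hostname                # strips userinfo and port
        if not host:
            continue
        host = host.rstrip(".").lower()
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = hosts
        if host not in bucket:
            bucket.append(host)
    return hosts, ips


def candidate_domains(host, min_labels=2):
    """The host plus each parent domain down to `min_labels` labels.

    Simplification: a real deployment would stop at the registrable domain
    using the Public Suffix List instead of a fixed label count.
    """
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def dbl_lookup(domain, resolve, zone="dbl.spamhaus.org"):
    """Return the DBL verdict for `domain`, or None when it is not listed."""
    answers = resolve(f"{domain}.{zone}")
    if not answers:
        return None
    for a in answers:
        if a in DBL_CODES:
            return DBL_CODES[a]
    return f"listed (unrecognised code {answers[0]})"


def default_resolve(name):
    """Live resolver: A records for `name`, or None on NXDOMAIN / failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def filter_message(body, resolve=default_resolve, zone="dbl.spamhaus.org"):
    """Return (hits, ip_literals).  A non-empty `hits` means reject the message.

    IP literals are deliberately not sent to the DBL: it answers such queries
    with the 'IP queries prohibited' code.  Check them against an IP-based
    list (e.g. an SBL-style zone) instead.
    """
    hosts, ips = extract_link_hosts(body)
    hits = []
    for host in hosts:
        for dom in candidate_domains(host):
            verdict = dbl_lookup(dom, resolve, zone)
            if verdict is not None:
                hits.append((dom, verdict))
                break                                # one hit per link host suffices
    return hits, ips


# --- constructed sample data (not from the thread) -------------------------
CONSTRUCTED_BODY = """Hi NANOG,
slides: http://www.hijacked.example/deck.pdf (mirror: http://203.0.113.7/deck.pdf)
<a href="https://legit.example/agenda">agenda</a>
"""

# Constructed DBL answers: only the hijacked domain is listed, as "abused legit".
CONSTRUCTED_DBL = {"hijacked.example.dbl.spamhaus.org": ["127.0.1.102"]}


def constructed_resolve(name):
    return CONSTRUCTED_DBL.get(name)


if __name__ == "__main__":
    hits, ip_literals = filter_message(CONSTRUCTED_BODY, constructed_resolve)
    print("DBL hits:", hits)                   # [('hijacked.example', 'abused legit spam')]
    print("IP literals for a separate IP list:", ip_literals)
```

Two practical points the thread raises map directly onto this code: the verdict that matters is the one returned at receipt time, so log the verdict alongside the message rather than re-querying later, and a hit in the "abused legit" range means a compromised legitimate domain, so a site may prefer to quarantine or rewrite that link rather than treat the whole domain as a throwaway spam domain.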