improved NANOG filtering

Blake Dunlap ikiris at
Mon Oct 26 21:29:38 UTC 2015

Please stop using this as an opportunity to spam your commercial
anti-spam list.... ffs

On Mon, Oct 26, 2015 at 11:38 AM, Rob McEwen <rob at> wrote:
> On 10/26/2015 12:06 PM, Job Snijders wrote:
>> I expect some protection mechanisms will be implemented,
>> rather sooner than later, to prevent this style of incident from
>> happening again.
> Job,
> I can't tell for sure if you're a NANOG admin? Or if you're making educated
> guesses about what you think that NANOG will do?
> If you really are a NANOG admin, I suggest adding some kind of URI filtering
> for blocking the message based on the domains/IPs found in the clickable
> links in the body of the message.
> Here are 4 such lists:
> invaluement URI
> SpamHaus' DBL list
> (all very, very good!)
> My own invaluementURI list did particularly well on this set of (mostly
> hijacked) spammy domains, possibly listing ALL of them! I spot checked about
> 40 of them and couldn't find a single one that wasn't already listed on
> ivmURI at the time of the sending. But then I discovered that my sample set
> wasn't truly random. So I can't say for sure, but it looks like ivmURI had
> the highest hit rate, possibly by a wide margin. (I wish I had meticulously
> collected ALL of them and checked ALL of them at the time they were
> received!) Since then, more of these are now listed on the other URI/domain
> blacklists. (but that doesn't mean as much if they weren't listed at the
> time the spam was sent!)
> Nevertheless, going forward, I recommend checking these at
> (or mxtoolbox) to see *which* domain blacklist(s) would
> have blocked the spam at the time of the sending... to get an idea of which
> blacklists are best for blocking this very sneaky series of spams.
> PS - I'd be happy to provide complimentary access to invaluement data to
> NANOG, if so desired.
> --
> Rob McEwen
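
The URI filtering suggested in the quoted message, sketched as an added example (not code from this thread or from NANOG's list software): it pulls the hostnames out of the links in a message body and checks each against a DNS-queried domain blacklist. The zone name `dbl.spamhaus.org`, the function names, and the sample message and list answers are assumptions or constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"  # assumed query zone for the Spamhaus DBL
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def link_hosts(body):
    """Unique hostnames from http(s) links in a message body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_a(qname):
    """Live resolver: A record as text, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(qname)
    except OSError:
        return None

def listed_hosts(body, zone=DBL_ZONE, resolve=dns_a):
    """Return {host: answer} for linked hosts the list reports as listed."""
    hits = {}
    for host in link_hosts(body):
        if is_ip(host):  # a domain list is not queried with IP literals
            continue
        answer = resolve(f"{host}.{zone}")
        # 127.0.1.x is a listing; 127.255.255.x signals a query error, not a hit
        if answer and answer.startswith("127.0.1."):
            hits[host] = answer
    return hits

# Constructed sample message and constructed list answers, so this runs offline.
SAMPLE = "See http://offers.example.net/t?id=1 or <https://www.example.org/a>\nhttp://192.0.2.10/x\n"
FAKE = {"offers.example.net.dbl.spamhaus.org": "127.0.1.2",
        "www.example.org.dbl.spamhaus.org": "127.255.255.254"}
```

Calling `listed_hosts(SAMPLE, resolve=FAKE.get)` exercises the logic without network access; the default resolver performs live DNS queries, and a list filter would hold or reject a post whenever the returned dictionary is non-empty.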
