[184579] in North American Network Operators' Group
Re: Fw: important message
daemon@ATHENA.MIT.EDU (Rob McEwen)
Thu Oct  8 21:41:19 2015
To: nanog@nanog.org
From: Rob McEwen <rob@invaluement.com>
Date: Thu, 8 Oct 2015 21:41:13 -0400
In-Reply-To: <CAKnNFz_d8UFw-Y8LinbdSJndGhSWuoz=m4aoU8wV4kiaYZaZOg@mail.gmail.com>
A lot of web sites have been infected by criminal spammers in the past 
couple of years. More recently, massive amounts of legitimate web sites 
run by non-spammers, which used older versions of WordPress (in 
particular)... have had their web sites hacked into by criminal 
spammers. The WordPress exploit is epidemic. Since most of these sites 
are legitimate, they are difficult to blacklist because blacklisting 
them does cause some amount of collateral damage (though usually a very 
acceptable and targeted amount of collateral damage--given the 
circumstances). The problem here is that the SAME algorithms which help 
the better domain-based anti-spam blacklists to NOT have false 
positives--OFTEN--also prevent THESE sites from getting 
blacklisted--even when the infection is active. Those are arguably False 
Negatives, especially in the more extreme cases when much spam is 
spewing, with relatively little legit mail containing these domains!
Plus, feeling sorry for the site owner's "collateral damage" is like 
thinking that it is unfair that someone with a highly contagious 
disease, who got it from irresponsible behavior (dirty needle, etc), 
wasn't allowed to walk in a crowded public area. When a web site 
is hosting such malicious content, the web site owner SHOULD lose some 
privileges until such time that they've cleaned up their mess.
Because of this situation, some changes were made to the invaluementURI 
domain blacklist (ivmURI) about 1 or 2 years ago... to enable it to 
better surgically target THESE types of exploited domains, yet with a 
reasonable balance that (hopefully) wouldn't trigger too many FPs. So 
far, that has been highly successful and I see evidence that other such 
lists (surbl, uribl, and SpamHaus's DBL list) have made some 
improvements in this area too.
For example, ivmURI had THIS particular domain blacklisted for over a 
week now (with nobody else listing it!)... and I seem to recall two such 
messages slipping through just weeks ago where the domain in one was 
only on SpamHaus' DBL list, and the other was only listed on ivmURI. (or 
was that the SA list where I saw those 2 messages?)
Even as I type this, ivmURI seems to be the only blacklist which has 
"globalreagents DOT com" blacklisted, fwiw
-- 
Rob McEwen
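The message above hinges on checking a domain seen in mail against several domain-based URI blacklists (ivmURI, SURBL, URIBL, Spamhaus DBL) and on the distinction between an outright spammer domain and a legitimate but compromised one. The following is an added example, not code from Rob McEwen, invaluement, Spamhaus, SURBL or URIBL: it builds the DNS query name a URIBL expects (`<domain>.<zone>`), queries the three public zones named in the post, and decodes Spamhaus DBL answers, including the "abused legit" codes (127.0.1.102 to 127.0.1.106) that denote exactly the hacked-legitimate-site case discussed, and the DBL error codes (127.0.1.255 for an IP-literal query, 127.255.255.x for resolver/quota problems) that a naive "anything in 127/8 means listed" check would misreport as a listing. The DBL return codes are the ones in Spamhaus's published DBL documentation as I know them; confirm against the current document before relying on them. ivmURI itself is a subscription feed and is not queried here. The domains and the `fake_resolver` answers are constructed so the block runs offline; `system_resolver` performs real lookups when you pass it instead.

```python
"""Look up a domain in DNS-based URI blacklists (URIBLs) and decode the answer.

Added example, not part of the original NANOG post or of any blacklist
operator's own tooling. DBL code meanings are taken from Spamhaus's public
DBL documentation as known to the example's author; verify before use.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass
from typing import Callable

# Public URIBL zones named in the discussion. Lookups are "<domain>.<zone>" A queries.
ZONES = ("dbl.spamhaus.org", "multi.surbl.org", "multi.uribl.com")

# Spamhaus DBL listing codes. 127.0.1.10x = "abused legit": a legitimate site
# that was compromised, which is the hacked-WordPress case from the post.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# DBL answers that are NOT listings. 127.255.255.254 is what you get when
# querying through a public resolver such as 8.8.8.8; treating it as a hit
# would blacklist every domain you look up.
DBL_ERRORS = {
    "127.0.1.255": "IP queries prohibited (DBL lists domains only)",
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver (no access)",
    "127.255.255.255": "excessive number of queries",
}

Resolver = Callable[[str], list[str]]  # qname -> IPv4 A answers, [] if none


def system_resolver(qname: str) -> list[str]:
    """Real DNS lookup via the OS resolver; [] on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(qname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def normalize_domain(value: str) -> str:
    """Reduce a URL, 'example DOT com' (the obfuscation used in the post),
    'Example.COM.' etc. to a bare lowercase hostname."""
    s = re.sub(r"\s+dot\s+", ".", value.strip(), flags=re.IGNORECASE)
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s, flags=re.IGNORECASE)  # scheme
    s = s.split("/", 1)[0].split("?", 1)[0]  # path and query
    s = s.rsplit("@", 1)[-1]                 # userinfo
    s = s.split(":", 1)[0]                   # port
    return s.rstrip(".").lower()


def is_ipv4_literal(host: str) -> bool:
    try:
        socket.inet_aton(host)
    except OSError:
        return False
    return host.count(".") == 3


@dataclass(frozen=True)
class ZoneResult:
    zone: str
    codes: tuple[str, ...]    # 127.x.y.z answers that denote a listing
    reasons: tuple[str, ...]  # decoded meanings, where the zone's codes are known
    error: str | None = None  # a DBL error answer, if one came back

    @property
    def listed(self) -> bool:
        return bool(self.codes)


def check_zone(domain: str, zone: str, resolve: Resolver = system_resolver) -> ZoneResult:
    codes: list[str] = []
    reasons: list[str] = []
    error = None
    for answer in resolve(f"{domain}.{zone}"):
        if zone == "dbl.spamhaus.org" and answer in DBL_ERRORS:
            error = DBL_ERRORS[answer]
            continue
        if not answer.startswith("127."):
            continue  # wildcard/hijacked DNS, not a DNSBL answer
        codes.append(answer)
        if zone == "dbl.spamhaus.org" and answer in DBL_CODES:
            reasons.append(DBL_CODES[answer])
    return ZoneResult(zone, tuple(codes), tuple(reasons), error)


def check_domain(value: str, zones=ZONES, resolve: Resolver = system_resolver) -> dict[str, ZoneResult]:
    domain = normalize_domain(value)
    if not domain or is_ipv4_literal(domain):
        raise ValueError(f"URIBLs list domain names, not IP literals: {value!r}")
    return {zone: check_zone(domain, zone, resolve) for zone in zones}


def listed_zones(value: str, zones=ZONES, resolve: Resolver = system_resolver) -> list[str]:
    return [z for z, r in check_domain(value, zones, resolve).items() if r.listed]


# Constructed answers for an offline demonstration; these are not real lookups.
FAKE_ANSWERS = {
    "compromised-blog.example.dbl.spamhaus.org": ["127.0.1.102"],  # abused legit
    "compromised-blog.example.multi.surbl.org": ["127.0.0.64"],
    "spammer.example.dbl.spamhaus.org": ["127.0.1.2"],
    "spammer.example.multi.uribl.com": ["127.0.0.2"],
    "anything.dbl.spamhaus.org": ["127.255.255.254"],  # public-resolver error
}


def fake_resolver(qname: str) -> list[str]:
    return FAKE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    for d in ("compromised-blog DOT example", "http://spammer.example/wp-content/x.php",
              "clean.example", "anything"):
        for zone, r in check_domain(d, resolve=fake_resolver).items():
            print(f"{normalize_domain(d):28} {zone:20} listed={r.listed!s:5} "
                  f"codes={list(r.codes)} reasons={list(r.reasons)} error={r.error}")
```

Two points worth noting when turning this into a mail-filter check: query DBL only from your own caching resolver or a Spamhaus data-query subscription, since the 127.255.255.254 answer above is what public resolvers return for every name; and for the "abused legit" codes consider a lower score than for 127.0.1.2, which mirrors the false-positive trade-off the post describes for compromised but otherwise legitimate sites.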