[185497] in North American Network Operators' Group
Re: improved NANOG filtering
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Oct 26 18:50:56 2015
X-Original-To: nanog@nanog.org
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <562E7331.7040700@invaluement.com>
Date: Mon, 26 Oct 2015 17:15:01 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.

And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational nature” of NANOG.

I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people supposed to modify it to hxxp or whatever, but reality is people like to copy/paste and this is not unreasonable on NANOG.

Of course, if the rest of you feel differently, let the CC know. It is community driven, the community can decide - if you let your voices be heard.

-- 
TTFN,
patrick
> On Oct 26, 2015, at 2:38 PM, Rob McEwen <rob@invaluement.com> wrote:
> 
> On 10/26/2015 12:06 PM, Job Snijders wrote:
>> I expect some protection mechanisms will be implemented,
>> rather sooner than later, to prevent this style of incident from
>> happening again.
> 
> Job,
> 
> I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?
> 
> If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.
> 
> Here are 4 such lists:
> SURBL
> URIBL
> invaluement URI
> SpamHaus' DBL list
> 
> (all very, very good!)
> 
> My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)
> 
> Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.
> 
> PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.
> 
> -- 
> Rob McEwen