[185503] in North American Network Operators' Group

Re: The spam is real

daemon@ATHENA.MIT.EDU (Rob McEwen)
Mon Oct 26 19:12:31 2015

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Rob McEwen <rob@invaluement.com>
Date: Mon, 26 Oct 2015 18:03:39 -0400
In-Reply-To: <562E7E37.9060603@gmail.com>
Errors-To: nanog-bounces@nanog.org

On 10/26/2015 3:25 PM, William Allen Simpson wrote:
> What's the exploit that corrupted the sites?
> ...
> All the sites that I checked (without the added suffix) seem
> legit.  But maybe they are spammer sites?  How do we know?
>

Most involve WordPress vulnerabilities that a spammer exploited, where 
the spammer then installed their spammy content on someone else's 
otherwise legit website. (Other vulnerabilities happen too.)

NOTE: Anyone using WordPress needs to be vigilant about keeping it 
updated (and associated plugins updated)!

That makes these particularly hard to blacklist because they always 
involve SOME amount of "collateral damage" (though often a small and 
well-justified amount), AND the same algorithms that help URI/domain 
blacklists to not have FPs likewise often (and often mistakenly) 
prevent many of these from getting blacklisted... which explains why 
many of these were not on very many URI or domain blacklists.

-- 
Rob McEwen
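As a worked example of the "keep WordPress and its plugins updated" point above (added here; this is not code from the post or from the WordPress project), the script below reads the version strings WordPress itself records on disk, namely `$wp_version` in `wp-includes/version.php` and the `Version:` header of each plugin's main PHP file, and reports anything older than a reference table. A real check would fetch that table from api.wordpress.org; here `KNOWN_CURRENT`, the version numbers in it, and the install tree built by `make_sample_install()` are all constructed so the audit runs offline. Plugin slugs are taken from the directory or file name, which is a simplification of how wordpress.org maps slugs.

```python
"""Offline audit of a WordPress install's core and plugin versions.

Added example, not from the NANOG post. The reference table and the
sample install tree are constructed stand-ins so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# Constructed stand-in for what a live check would fetch from api.wordpress.org;
# the version numbers are illustrative, not real release data.
KNOWN_CURRENT = {
    "core": "4.3.1",
    "akismet": "3.1.5",
    "hello": "1.6",
}

_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# Matches the "Version:" line of a plugin header block, with or without a leading " *".
_PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(s):
    """Turn '4.3.1' or '4.3' into a comparable tuple of ints.

    Non-numeric tails such as '-beta' are dropped, and short versions are
    padded so that 4.3 compares equal to 4.3.0.
    """
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def core_version(wp_root):
    """Read the installed core version from wp-includes/version.php."""
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    m = _VERSION_PHP_RE.search(text)
    if not m:
        raise ValueError("no $wp_version found in version.php")
    return m.group(1)


def plugin_versions(wp_root):
    """Map plugin slug -> declared version from each plugin's PHP header.

    Slug is the plugin directory name, or the file stem for single-file plugins.
    """
    found = {}
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            slug, candidates = entry.stem, [entry]
        elif entry.is_dir():
            slug, candidates = entry.name, sorted(entry.glob("*.php"))
        else:
            continue
        for php in candidates:
            m = _PLUGIN_VERSION_RE.search(php.read_text(errors="replace"))
            if m:
                found[slug] = m.group(1)
                break
    return found


def outdated(wp_root, current=KNOWN_CURRENT):
    """Return {component: (installed, current)} for stale or unknown components.

    An unknown plugin (no entry in the reference table) is reported with
    current=None: nothing can vouch for it, so it still deserves a look.
    """
    report = {}
    core = core_version(wp_root)
    if parse_version(core) < parse_version(current["core"]):
        report["core"] = (core, current["core"])
    for slug, installed in plugin_versions(wp_root).items():
        latest = current.get(slug)
        if latest is None:
            report[slug] = (installed, None)
        elif parse_version(installed) < parse_version(latest):
            report[slug] = (installed, latest)
    return report


def make_sample_install():
    """Constructed install tree: core one release behind, one stale plugin,
    one current single-file plugin, and one plugin the table knows nothing about."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.2.4';\n")
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text(
        "<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.0.4\n */\n")
    (plugins / "hello.php").write_text(
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n")
    (plugins / "custom-widget").mkdir()
    (plugins / "custom-widget" / "custom-widget.php").write_text(
        "<?php\n/*\nPlugin Name: Custom Widget\nVersion: 1.0\n*/\n")
    return str(root)


if __name__ == "__main__":
    for name, (have, want) in sorted(outdated(make_sample_install()).items()):
        print(f"{name}: installed {have}, current {want or 'unknown'}")
```

Run it against a real document root by replacing `make_sample_install()` with the install path and `KNOWN_CURRENT` with data from the WordPress.org API; the on-disk parsing is the same. The check deliberately flags plugins it has no reference data for rather than silently passing them, since an abandoned or custom plugin is exactly the kind of thing that never gets an update.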
