new message

Hey!

New message, please read <http://talky.vn/been.php?qw>

Nicolas Viers - Univ. Limoges

Anything to be done about all these?

Yes, it appears that even though the sender was blocked 30 hours ago or
so in mailman itself, there was still tons of pre-existing garbage in
the mail queues which was flushed out over the last 30 hours. Clearly we
failed in purging that garbage from the queue in a timely manner.

Going forward, I expect some protection mechanisms will be implemented,
rather sooner than later, to prevent this style of incident from
happening again.

Kind regards,

Job

Job,

I can't tell for sure if you're a NANOG admin? Or if you're making educated guesses about what you think that NANOG will do?

If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.

Here are 4 such lists:
SURBL
URIBL
invaluement URI
SpamHaus' DBL list

(all very, very good!)

My own invaluementURI list did particularly well on this set of (mostly hijacked) spammy domains, possibly listing ALL of them! I spot checked about 40 of them and couldn't find a single one that wasn't already listed on ivmURI at the time of the sending. But then I discovered that my sample set wasn't truly random. So I can't say for sure, but it looks like ivmURI had the highest hit rate, possibly by a wide margin. (I wish I had meticulously collected ALL of them and checked ALL of them at the time they were received!) Since then, more of these are now listed on the other URI/domain blacklists. (but that doesn't mean as much if they weren't listed at the time the spam was sent!)

Nevertheless, going forward, I recommend checking these at multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would have blocked the spam at the time of the sending... to get an idea of which blacklists are best for blocking this very sneaky series of spams.

PS - I'd be happy to provide complimentary access to invaluement data to NANOG, if so desired.

Several points.

1. It wasn't just NANOG. A number of other mailing lists were
targeted. Whether or not all these attacks were launched by the
same entity is unknown and probably unknowable.

2. The admins@nanog.org address appears to be unresponsive. Is
there actually anyone reading that? If so, who? And why aren't
replies being issued in a timely manner?

3. Mailman includes an "emergency moderation" switch for just such
occasions as this. When activated, it holds all incoming mailing list
traffic for human attention, i.e., nothing goes out unless manually
approved. It would have been a good idea to throw that switch as soon
as this started, in order to minimize the consequences.

4. As noted, if outbound traffic is already in the MTA queue, then
it should be halted and manually cleaned out. This is often annoying
and tedious, but it's better than letting it flush.

5. The admins should probably reach out to the keepers of the most-often
utilized MX's for NANOG message delivery, as no doubt the onslaught of
spam caused degradation of their idea of the sending system's/domain's
spam/non-spam traffic mix. (I say that knowing that some or possibly
most of those will be impossible to contact: it seems that many people
running mail servers failed the first hour of the first day of Email
Administration 101 and do not read their postmaster mail and act on it.)

6. There are additional pro-active and reactive steps that can be taken
to forestall future such incidents or at least to mitigate them. I've
reached out (again) offering to bring my expertise to bear on the problem.
None of these steps will be panaceas. None of them will give guarantees.
But in combination they should at least help decrease the pain.

---rsk
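Point 4 above (halt the queued outbound traffic and clean it out by hand) in practice means freezing the MTA queue and then picking out the entries to delete. The following is an added example, not code from anyone in this thread: it parses a Postfix `postqueue -p` listing and emits the queue IDs whose envelope sender matches a pattern, in the one-per-line form `postsuper -d -` reads; the listing, queue IDs and addresses are constructed.

```python
import re
import sys

# Constructed `postqueue -p` (mailq-format) listing; IDs, times and addresses are made up.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C9D*    2311 Sun Sep  1 10:02:11  nanog-bounces@nanog.org
                                         alice@example.net
                                         bob@example.org

7E6D5C4B3A     8120 Sun Sep  1 10:03:40  reports@example.com
                                         ops@example.net

9C8B7A6F5E!    2298 Sun Sep  1 10:04:05  nanog-bounces@nanog.org
                                         carol@example.com

-- 12 Kbytes in 3 Requests.
"""

# Queue ID, optional status char ('*' active, '!' on hold), size, arrival time, sender.
ENTRY_RE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(\S+)\s*$")
STATUS = {"*": "active", "!": "hold", "": "queued"}


def parse_queue(listing):
    """Turn a postqueue -p listing into a list of entries with their recipients."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            qid, flag, size, _when, sender = m.groups()
            entries.append({"id": qid, "status": STATUS[flag], "size": int(size),
                            "sender": sender, "recipients": []})
        elif line.startswith(" ") and entries:
            text = line.strip()
            if text and not text.startswith("("):  # "(...)" lines are deferral reasons
                entries[-1]["recipients"].append(text)
    return entries


def select_ids(listing, sender_pattern):
    """Queue IDs whose envelope sender matches the regex, for `postsuper -d -`.
    Review them first: legitimate list mail carries the same bounce address."""
    pat = re.compile(sender_pattern)
    return [e["id"] for e in parse_queue(listing) if pat.search(e["sender"])]


if __name__ == "__main__":
    # postsuper -h ALL; postqueue -p | python3 select_queue.py 'nanog-bounces@' | postsuper -d -
    print("\n".join(select_ids(sys.stdin.read(), sys.argv[1])))
```

Run `postsuper -h ALL` first so nothing leaves while you inspect; `postcat -q <ID>` shows a queued message's headers when the sender alone is not enough to tell spam from legitimate list traffic.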

If you really are a NANOG admin, I suggest adding some kind of URI filtering for blocking the message based on the domains/IPs found in the clickable links in the body of the message.

And the first person who says “who has seen $URL” or similar in a message gets bounced, then bitches about “operational nature” of NANOG.

I think it is probably not a great idea to add things like URI checkers to NANOG. We can bitch & moan about people supposed to modify it to hxxp or whatever, but reality is people like to copy/paste and this is not unreasonable on NANOG.

Of course, if the rest of you feel differently, let the CC know. It is community-driven; the community can decide, if you let your voices be heard.

Please stop using this as an opportunity to spam your commercial
anti-spam list.... ffs

That is a good point. Personally, I think whole spam samples should be linked to a pastebin post, and individual references to a spammer's domain or IP should have a space inserted before each dot. What can be frustrating when this isn't done is that discussions about spam can intermittently get filtered on the client side, sometimes by active participants in a thread, and inconsistently, which is frustrating, and which is why everyone OUGHT to use such tactics when providing spam samples or when discussing spammy IPs or domains.

But you're correct. Filtering on the server side of lists is not as simple as it sounds due to the risk of mistakenly blocking legit messages in a discussion about spam.

Still, it may not be as problematic as you think to deploy such measures. When the sender gets a rejection notice, they often figure out what happened and resend with the spam obfuscated, fwiw. If someone complains, tell them that they should have known to obfuscate the spam (or spammy domain or IP), or post the spam sample to pastebin.

At least, that is my suggestion. But I know there isn't an easy answer to this.

What's needed is 20 (pick a number) trusted volunteer admins with the
mailman password whose only capacity is to (make a list: put the list
into moderation mode, disable an acct).

Obviously it would be nice if the software could help with this
(limited privileges, logging) but it could be done just on trust with
a small group.

Another list to announce between them ("got it!") would be useful
also.

AFAIK (IDK how either) this hasn't been a big issue in the past few years.
Is it really worth worrying about? I notified the MARC admin and it was
removed there within a few hours too - a dozen easily tracked messages in a
few hours and a few hours after that, it's done (or more like, filtered).

Not sure how much actually happens on the backend to keep this list as
clean as it appears. But if everyone on that end of things decided to grab
a beer at the same time and we have to suffer a little for a badly timed
cold one every few years, I'm good with the status quo.