The spam is real

Can we please get a filter for messages with the subject "Fw: new message"

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

I have this in my $HOME/.procmailrc:

* ^List-ID:.*>
* ^Subject: Fw: new message

355 pieces since I put this rule (only two or so missed).


I did the same with Gmail. Has the words - and
matching subject.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

I have to hand it to EdgeWave (with whom I have a very tumultuous love/hate relationship) for catching this flood from the very first message.


​So far I've dealt with it via Gmail's 'mute conversation' setting somewhat

Unfortunately, the 'mute conversation' feature only works for threads that
are in the inbox. I filter all lists into their own subfolders, reserving
the inbox for real people.

So the 'mute conversation' feature is useless for most conversations that I
actually want to mute.


Gmail was smart enough to put those addressed directly to me
into the spam folder -- and let those via nanog through. It's
been trained well!

Let's look at this as an opportunity. We have a relatively
small set of websites that have been corrupted with additional
links (presumably unknown to the owner), that then redirect
one or more times.

What's the exploit that corrupted the sites?

Have the site owners been contacted?

All the sites that I checked (without the added suffix) seem
legit. But maybe they are spammer sites? How do we know?

Most involve wordpress vulnerabilities that a spammer exploited, where the spammer then installed their spammy content on someone else's otherwise legit website. (other vulnerabilities happen too.)

NOTE: Anyone using wordpress need to be vigilante about keeping it updated (and associated plugins updated)!

That makes these particularly hard to blacklist because they always involve SOME amount of "collateral damage" (though often a small and well-justified amount) AND the same algorithms that help URI/domain blacklists to not have FPs, likewise often (and often mistakenly) prevent many of these from getting blacklisted... which explains why many of these were not on very many URI or domain blacklists.

There's also probably a large number of people gnashing their teeth that all of these compromised sites have been so readily identified by a very basic spam scam. A massive waste of opportunity for real black hats....


now that the number of messages discussing the spam has exceed the
number of spam messages, perhaps we can get back to work and hope that
the list admins have learned something.


A couple of factoids that might be useful in realizing the hope.

The mail handler at Cox cable correctly binned about 600 of them--I don't remember setting relevant customization, but I can check if anybody cares.

And I found messages reporting the problem Saturday. And one that said the problem (as my failing memory wants to believe) started about a month ago.