The spam is real

Can we please get a filter for messages with the subject "Fw: new message"???

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

I have this in my $HOME/.procmailrc:

:0:
* ^List-ID:.*nanog.nanog.org>
* ^Subject: Fw: new message
nanog-junk

355 pieces since I put this rule in (only two or so missed).

Marcin
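As an added example (not code from the thread), the same two-header rule written as a Python filter: it applies the List-ID and Subject conditions from the procmail recipe above to constructed sample messages, but decodes RFC 2047 encoded-words and unfolds the Subject before matching, which a regex over the raw header line does not see. The sample messages and the function names are my own.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Same two conditions as the procmail rule: the List-ID must name the nanog list
# and the Subject must begin with "Fw: new message" (procmail's default match is
# case-insensitive, so IGNORECASE is used here too).
LIST_ID_RE = re.compile(r"nanog\.nanog\.org>")
SUBJECT_RE = re.compile(r"^Fw: new message", re.IGNORECASE)


def normalized_subject(msg) -> str:
    """Subject with RFC 2047 encoded-words decoded and header folding collapsed."""
    raw = msg.get("Subject", "")
    try:
        text = str(make_header(decode_header(raw)))
    except (UnicodeDecodeError, LookupError):  # undecodable charset: keep the raw text
        text = raw
    return " ".join(text.split())


def is_nanog_junk(raw_message: str) -> bool:
    """True when the message would be filed into the nanog-junk folder."""
    msg = message_from_string(raw_message)
    return bool(LIST_ID_RE.search(msg.get("List-ID", ""))
                and SUBJECT_RE.match(normalized_subject(msg)))


def sort_mailbox(messages):
    """Split raw messages into (junk, keep) lists of message indexes."""
    junk, keep = [], []
    for i, raw in enumerate(messages):
        (junk if is_nanog_junk(raw) else keep).append(i)
    return junk, keep


# Constructed sample messages; only the headers matter for the rule.
SAMPLES = [
    "List-ID: NANOG <nanog.nanog.org>\nSubject: Fw: new message\n\nspam body\n",
    "List-ID: NANOG <nanog.nanog.org>\nSubject: =?utf-8?q?Fw=3A_new_message?=\n\nspam body\n",
    "List-ID: NANOG <nanog.nanog.org>\nSubject: Fw: new\n message\n\nspam body\n",
    "List-ID: NANOG <nanog.nanog.org>\nSubject: Re: BGP question\n\nreal post\n",
    "From: someone@example.com\nSubject: Fw: new message\n\ndirect copy, not via the list\n",
]

if __name__ == "__main__":
    print(sort_mailbox(SAMPLES))  # ([0, 1, 2], [3, 4])
```

The last sample has no List-ID, so like the procmail recipe this filter leaves copies sent directly to you for the regular spam filter to judge.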

I did the same with Gmail. Has the words - listid:nanog@nanog.org and
matching subject.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

I have to hand it to EdgeWave (with whom I have a very tumultuous love/hate relationship) for catching this flood from the very first message.

thanks,
-Randy

So far I've dealt with it via Gmail's 'mute conversation' setting somewhat
effectively.

Unfortunately, the 'mute conversation' feature only works for threads that
are in the inbox. I filter all lists into their own subfolders, reserving
the inbox for real people.

So the 'mute conversation' feature is useless for most conversations that I
actually want to mute.

Royce

Gmail was smart enough to put those addressed directly to me
into the spam folder -- and let those via nanog through. It's
been trained well!

Let's look at this as an opportunity. We have a relatively
small set of websites that have been corrupted with additional
links (presumably unknown to the owner), that then redirect
one or more times.

What's the exploit that corrupted the sites?

Have the site owners been contacted?

All the sites that I checked (without the added suffix) seem
legit. But maybe they are spammer sites? How do we know?

Most involve WordPress vulnerabilities that a spammer exploited, where the spammer then installed their spammy content on someone else's otherwise legit website. (Other vulnerabilities happen too.)

NOTE: Anyone using WordPress needs to be vigilant about keeping it updated (and associated plugins updated)!

That makes these particularly hard to blacklist because they always involve SOME amount of "collateral damage" (though often a small and well-justified amount) AND the same algorithms that help URI/domain blacklists to not have FPs, likewise often (and often mistakenly) prevent many of these from getting blacklisted... which explains why many of these were not on very many URI or domain blacklists.

There's also probably a large number of people gnashing their teeth that all of these compromised sites have been so readily identified by a very basic spam scam. A massive waste of opportunity for real black hats....

alan

now that the number of messages discussing the spam has exceeded the
number of spam messages, perhaps we can get back to work and hope that
the list admins have learned something.

randy

A couple of factoids that might be useful in realizing the hope.

The mail handler at Cox cable correctly binned about 600 of them--I don't remember setting relevant customization, but I can check if anybody cares.

And I found messages reporting the problem Saturday. And one that said the problem (as my failing memory wants to believe) started about a month ago.