improved NANOG filtering

[Rob McEwen <rob () invaluement com>]

On 10/26/2015 12:06 PM, Job Snijders wrote:
> I expect some protection mechanisms will be implemented,
> rather sooner then later, to prevent this style of incident from
> happening again.

Job,

I can't tell for sure if you're a NANOG admin? Or if you're making 
educated guesses about what you think that NANOG will do?

If you really are a NANOG admin, I suggest adding some kind of URI 
filtering for blocking the message based on the the domains/IPs found in 
the clickable links in the body of the message.

Here are 4 such lists:
SURBL
URIBL
invaluement URI
SpamHaus' DBL list

(all very, very good!)

My own invaluementURI list did particularly well on this set of (mostly 
hijacked) spammy domains, possibly listing ALL of them! I spot checked 
about 40 of them and couldn't find a single one that wasn't already 
listed on ivmURI at the time of the sending. But then I discovered that 
my sample set wasn't truly random. So I can't say for sure, but it looks 
like ivmURI had the highest hit rate, possibly by a wide margin. (I wish 
I had meticulously collected ALL of them and checked ALL of them at the 
time they were received!) Since then, more of these are now listed on 
the other URI/domain blacklists. (but that doesn't mean as much if they 
weren't listed at the time the spam was sent!)

Nevertheless, going forward, I recommend checking these at 
multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) 
would have blocked the spam at the time of the sending... to get an idea 
of which blacklists are best for blocking this very sneaky series of spams.

PS - I'd be happy to provide complementary access to invaluement data to 
NANOG, if so desired.

--
Rob McEwen