nanog mailing list archives

Re: Fw: important message


From: Rob McEwen <rob () invaluement com>
Date: Thu, 8 Oct 2015 21:41:13 -0400

A lot of web sites have been infected by criminal spammers in the past couple of years. More recently, massive amounts of legitimate web sites run by non-spammers which used older versions of WordPress (in particular)... have had their web sites hacked into by criminal spammers. The WordPress exploit is epidemic. Since most of these sites are legitimate, they are difficult to blacklist because blacklisting them does cause some amount of collateral damage (though usually a very acceptable and targeted amount of collateral damage--given the circumstances). The problem here is that the SAME algorithms which help the better domain-based anti-spam blacklists to NOT have false positives--OFTEN--also prevent THESE sites from getting blacklisted--even when the infection is active. Those are arguably False Negatives, especially in the more extreme cases when much spam is spewing, with relatively little legit mail containing these domains!

Plus, feeling sorry for the site owner's "collateral damage" is like thinking that it is unfair that someone with a highly contagious disease, who got it from irresponsible behavior (dirty needle, etc), wasn't allowed to walk in a crowded public area. When a web site is hosting such malicious content, the web site owner SHOULD lose some privileges until such time that they've cleaned up their mess.

Because of this situation, some changes were made to the invaluementURI domain blacklist (ivmURI) about 1 or 2 years ago... to enable it to better surgically target THESE types of exploited domains, yet with a reasonable balance that (hopefully) wouldn't trigger too many FPs. So far, that has been highly successful and I see evidence that other such lists (surbl, uribl, and SpamHaus's DBL list) have made some improvements in this area too.

For example, ivmURI had THIS particular domain blacklisted for over a week now (with nobody else listing it!)... and I seem to recall two such messages slipping through just weeks ago where the domain in one was only on SpamHaus' DBL list, and the other was only listed on ivmURI. (or was that the SA list where I saw those 2 messages?)

Even as I type this, ivmURI seems to be the only blacklist which has "globalreagents DOT com" blacklisted, fwiw.

--
Rob McEwen
