Re: improved NANOG filtering

[Blake Dunlap <ikiris () gmail com>]

Please stop using this as an opportunity to spam your commercial
anti-spam list.... ffs

On Mon, Oct 26, 2015 at 11:38 AM, Rob McEwen <rob () invaluement com> wrote:
> On 10/26/2015 12:06 PM, Job Snijders wrote:
> > I expect some protection mechanisms will be implemented,
> > rather sooner then later, to prevent this style of incident from
> > happening again.
>
>
> Job,
>
> I can't tell for sure if you're a NANOG admin? Or if you're making educated
> guesses about what you think that NANOG will do?
>
> If you really are a NANOG admin, I suggest adding some kind of URI filtering
> for blocking the message based on the the domains/IPs found in the clickable
> links in the body of the message.
>
> Here are 4 such lists:
> SURBL
> URIBL
> invaluement URI
> SpamHaus' DBL list
>
> (all very, very good!)
>
> My own invaluementURI list did particularly well on this set of (mostly
> hijacked) spammy domains, possibly listing ALL of them! I spot checked about
> 40 of them and couldn't find a single one that wasn't already listed on
> ivmURI at the time of the sending. But then I discovered that my sample set
> wasn't truly random. So I can't say for sure, but it looks like ivmURI had
> the highest hit rate, possibly by a wide margin. (I wish I had meticulously
> collected ALL of them and checked ALL of them at the time they were
> received!) Since then, more of these are now listed on the other URI/domain
> blacklists. (but that doesn't mean as much if they weren't listed at the
> time the spam was sent!)
>
> Nevertheless, going forward, I recommend checking these at
> multirbl.valli.org (or mxtoolbox) to see *which* domain blacklist(s) would
> have blocked the spam at the time of the sending... to get an idea of which
> blacklists are best for blocking this very sneaky series of spams.
>
> PS - I'd be happy to provide complementary access to invaluement data to
> NANOG, if so desired.
>
> --
> Rob McEwen