nanog mailing list archives
Re: The spam is real
From: Rob McEwen <rob () invaluement com>
Date: Mon, 26 Oct 2015 18:03:39 -0400
On 10/26/2015 3:25 PM, William Allen Simpson wrote:
> What's the exploit that corrupted the sites? ... All the sites that I checked (without the added suffix) seem legit. But maybe they are spammer sites? How do we know?
Most involve WordPress vulnerabilities that a spammer exploited, where the spammer then installed their spammy content on someone else's otherwise legit website. (Other vulnerabilities happen too.)
NOTE: Anyone using WordPress needs to be vigilant about keeping it updated (and associated plugins updated)!
That makes these particularly hard to blacklist because they always involve SOME amount of "collateral damage" (though often a small and well-justified amount) AND the same algorithms that help URI/domain blacklists to not have FPs, likewise often (and often mistakenly) prevent many of these from getting blacklisted... which explains why many of these were not on very many URI or domain blacklists.
-- Rob McEwen