Fw: important message

2015-10-14 Thread Alberta Prieto via NANOG
Hello!

 

Important message, please read 

 

Alberta Prieto



Re: Fw: important message

2015-10-08 Thread Larry Sheldon

On 10/8/2015 16:53, Job Snijders wrote:
> On Thu, Oct 08, 2015 at 02:37:15PM -0700, Scott Berkman via NANOG wrote:
>> Hello!
>>
>> Important message, please read
>
> smells compromised, moderation flag has been enabled. don't click that
> link, sorry.


Every indication that it is as you think, or worse.

It is being propagated (by|to) NANOG and Outages (that I know of).

It has been going on for some time.  As is my habit, I have tried to get 
help in shutting it down, but as you might expect, there is zero 
interest at the administration level in the problem.


Eventually some low-clue person will get burned bad and depending on how 
big the splash is some interest may arise.



--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Fw: important message

2015-10-08 Thread Job Snijders
On Thu, Oct 08, 2015 at 02:37:15PM -0700, Scott Berkman via NANOG wrote:
> Hello!
> 
> Important message, please read 

smells compromised, moderation flag has been enabled. don't click that
link, sorry.

Kind regards,

Job
(for the communications committee)


Fw: important message

2015-10-08 Thread Scott Berkman via NANOG
Hello!

 

Important message, please read 

 

Scott Berkman



Re: Fw: important message

2015-10-08 Thread Rob McEwen
A lot of web sites have been infected by criminal spammers in the past 
couple of years. More recently, massive amounts of legitimate web sites 
run by non-spammers which used older versions of WordPress (in 
particular)... have had their web sites hacked into by criminal 
spammers. The WordPress exploit is epidemic. Since most of these sites 
are legitimate, they are difficult to blacklist because blacklisting 
them does cause some amount of collateral damage (though usually a very 
acceptable and targeted amount of collateral damage--given the 
circumstances). The problem here is that the SAME algorithms which help 
the better domain-based anti-spam blacklists to NOT have false 
positives--OFTEN--also prevent THESE sites from getting 
blacklisted--even when the infection is active. Those are arguably False 
Negatives, especially in the more extreme cases when much spam is 
spewing, with relatively little legit mail containing these domains!


Plus, feeling sorry for the site owner's "collateral damage" is like 
thinking that it is unfair that someone with a highly contagious 
disease, who got it from irresponsible behavior (dirty needle, etc), 
wasn't allowed to walk in a crowded public area. When a web site 
is hosting such malicious content, the web site owner SHOULD lose some 
privileges until such time that they've cleaned up their mess.


Because of this situation, some changes were made to the invaluementURI 
domain blacklist (ivmURI) about 1 or 2 years ago... to enable it to 
better surgically target THESE types of exploited domains, yet with a 
reasonable balance that (hopefully) wouldn't trigger too many FPs. So 
far, that has been highly successful and I see evidence that other such 
lists (surbl, uribl, and SpamHaus's DBL list) have made some 
improvements in this area too.


For example, ivmURI had THIS particular domain blacklisted for over a 
week now (with nobody else listing it!)... and I seem to recall two such 
messages slipping through just weeks ago where the domain in one was 
only on SpamHaus' DBL list, and the other was only listed on ivmURI. (or 
was that the SA list where I saw those 2 messages?)


even as I type this, ivmURI seems to be the only blacklist which has 
"globalreagents DOT com" blacklisted, fwiw


--
Rob McEwen



Re: Fw: important message

2015-10-08 Thread chris
About the same danger as virus.doc.exe :)
On Oct 8, 2015 9:09 PM, "symack" wrote:

> It's a php script. How bad can it be ;)
>


Re: Fw: important message

2015-10-08 Thread symack
It's a php script. How bad can it be ;)