
I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it? John John Souvestre - New Orleans LA

On 26/10/2015 11:46, John Souvestre via Outages wrote:
> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?
Seeing exactly the same here. Not even any ranting on-list about the spam. They have slowed, but I'm still getting them coming in this morning (dated around 01:25 on 25 October). Given that the From: line is easily matched, I'm surprised that someone hasn't applied some filtering and/or some deleting from the outgoing queue. Paul.

On 26 Oct 2015, at 8:05, Paul Thornton via Outages wrote:
> On 26/10/2015 11:46, John Souvestre via Outages wrote:
>> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?
> Seeing exactly the same here. Not even any ranting on-list about the spam.
> They have slowed, but I'm still getting them coming in this morning (dated around 01:25 on 25 October). Given that the From: line is easily matched, I'm surprised that someone hasn't applied some filtering and/or some deleting from the outgoing queue.
I have no insight into why nobody has blocked it (the messages seem trivial to identify, and doesn't NANOG have money and contractors, these days?) but this is what it is: http://wardinewrock.blogspot.ca/2015/09/email-sent-under-my-name-not-from-me... Joe

I sent a message to the NANOG mail administration team asking them to throw the "emergency moderation" flag. This is a switch inside Mailman (the piece of software that runs the NANOG lists) which causes all incoming list traffic to be held for manual approval. When stuff like this happens, it's a fast way to stop the bleeding. I've had no response to that and am also still (8:30 AM EDT) observing a steady flow of outbound spam via NANOG. Note that this is part of a much larger attack: so far, I've seen the same thing on about 15 other mailing lists. Whether all of these were launched by the same entity is unknown, but the patterns match quite closely, so that's certainly a possibility. ---rsk

On 10/26/2015 05:30 AM, Rich Kulawiec via Outages wrote:
> I sent a message to the NANOG mail administration team asking them to throw the "emergency moderation" flag. This is a switch inside Mailman (the piece of software that runs the NANOG lists) which causes all incoming list traffic to be held for manual approval. When stuff like this happens, it's a fast way to stop the bleeding.
> I've had no response to that and am also still (8:30 AM EDT) observing a steady flow of outbound spam via NANOG. Note that this is part of a much larger attack: so far, I've seen the same thing on about 15 other mailing lists. Whether all of these were launched by the same entity is unknown, but the patterns match quite closely, so that's certainly a possibility.
I looked at five or six to the Outages list yesterday in detail. After the appropriate wgets and less'es those all seemed to point back to avazunic [dot] com which is registered in -- wait for it -- CN... - John --

On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
> After the appropriate wgets and less'es those all seemed to point back to
> avazunic [dot] com
> which is registered in -- wait for it -- CN...
I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload. ---rsk

On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>> After the appropriate wgets and less'es those all seemed to point back to
>> avazunic [dot] com
>> which is registered in -- wait for it -- CN...
> I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.
In my OP I was referring to the domain name that the ultimate payload contained, after the cobweb of redirects in the initial spam was followed back to an endpoint. But I only did six or so, early yesterday, so who knows... #EOF - John --

First: I see these leaking into outages@ as well. Second: Anyone else sad you were not spoofed? What? Am I not good enough to spoof? <pout> -- TTFN, patrick
On Oct 26, 2015, at 10:27 AM, John Sage via Outages <outages@outages.org> wrote:
> On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
>> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>>> After the appropriate wgets and less'es those all seemed to point back to
>>> avazunic [dot] com
>>> which is registered in -- wait for it -- CN...
>> I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.
> In my OP I was referring to the domain name that the ultimate payload contained, after the cobweb of redirects in the initial spam was followed back to an endpoint.
> But I only did six or so, early yesterday, so who knows...
> #EOF
> - John --
> _______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages

FYI, closer inspection of the most recent samples (via NANOG) suggests that someone may have stuffed a cork in it circa 0130 UTC yesterday (Sunday), as I don't yet see any messages whose arrival time at mail.nanog.org is later than that. I speculate that perhaps what we're observing now is the outbound MTA queue draining. (Although if that's correct, I don't understand why someone didn't stop it and manually clean it out.) As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it. ---rsk
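The rate-triggered moderation flag proposed above, sketched as an added example (not Rich's code and not a Mailman feature; class and method names are hypothetical). It uses the message's own numbers: baseline 20 posts/day, multiplier 3, so the hold engages at 60 posts within a 24-hour window and latches until an admin clears it.

```python
from collections import deque
from datetime import datetime, timedelta


class ListRateMonitor:
    """Sliding-window post counter that engages emergency moderation.

    threshold = baseline_per_day * multiplier; once the number of posts seen
    within `window` reaches it, every later post is held for manual approval
    until a list admin clears the flag (hypothetical names, not Mailman's).
    """

    def __init__(self, baseline_per_day, multiplier=3, window=timedelta(hours=24)):
        self.threshold = baseline_per_day * multiplier
        self.window = window
        self.arrivals = deque()             # timestamps inside the current window
        self.emergency_moderation = False

    def observe(self, when):
        """Record one inbound post and return its disposition: 'accept' or 'hold'."""
        # Expire arrivals that have fallen out of the window.
        while self.arrivals and when - self.arrivals[0] >= self.window:
            self.arrivals.popleft()
        self.arrivals.append(when)
        if len(self.arrivals) >= self.threshold:
            self.emergency_moderation = True   # latches; cleared manually only
        return "hold" if self.emergency_moderation else "accept"

    def clear(self):
        """Admin action: lift emergency moderation after the queue is cleaned."""
        self.emergency_moderation = False


def demo():
    """Constructed traffic: a normal day, then a flood like the one in the thread."""
    start = datetime(2015, 10, 25, 0, 0)
    normal_day = [start + timedelta(minutes=72 * i) for i in range(20)]      # 20 posts/day
    flood = [start + timedelta(hours=24, minutes=i) for i in range(100)]     # 100 posts in 100 min
    monitor = ListRateMonitor(baseline_per_day=20, multiplier=3)             # hold at 60 in 24 h
    return [monitor.observe(t) for t in normal_day + flood]


if __name__ == "__main__":
    d = demo()
    print("first held post index:", d.index("hold"), "held:", d.count("hold"))
```

Note that 19 of the previous day's legitimate posts are still inside the window when the flood starts, so the flag trips on the 41st flood message, not the 60th.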

On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
> As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it.
I like that idea, but I wonder whether it has unpleasant implications for operations lists. If something horrible happens in a global context, it's not unusual for somewhat quiet ops lists to explode with content. That's kind of what those lists are for. It'd be unfortunate if the one time you really wanted the list to work in anger, it automatically throttled itself. Joe

On Oct 26, 2015, at 08:41 , Joe Abley via Outages <outages@outages.org> wrote:
> On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
>> As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it.
> I like that idea, but I wonder whether it has unpleasant implications for operations lists.
> If something horrible happens in a global context, it's not unusual for somewhat quiet ops lists to explode with content. That's kind of what those lists are for. It'd be unfortunate if the one time you really wanted the list to work in anger, it automatically throttled itself.
I think we can solve that problem, actually… What if once the list went into “automoderation”, instead of requiring manual approval, it sent a notification back to the poster asking them to log in to their mailman account and approve the message. It could even provide a link in the email which would take care of everything so long as they were able to supply their mailman password. (Manual approval would remain an option, but valid users would be able to get their message out if it was urgent or they cared). Thoughts? Owen

On Mon, Oct 26, 2015 at 11:58 AM, Owen DeLong via Outages <outages@outages.org> wrote:
> On Oct 26, 2015, at 08:41 , Joe Abley via Outages <outages@outages.org> wrote:
>> On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
>>> As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it.
>> I like that idea, but I wonder whether it has unpleasant implications for operations lists.
>> If something horrible happens in a global context, it's not unusual for somewhat quiet ops lists to explode with content. That's kind of what those lists are for. It'd be unfortunate if the one time you really wanted the list to work in anger, it automatically throttled itself.
> I think we can solve that problem, actually…
> What if once the list went into “automoderation”, instead of requiring manual approval, it sent a notification back to the poster asking them to log in to their mailman account and approve the message. It could even provide a link in the email which would take care of everything so long as they were able to supply their mailman password. (Manual approval would remain an option, but valid users would be able to get their message out if it was urgent or they cared).
> Thoughts?
Personally I don't think that it's a MLM problem to fix. Those emails should NEVER have gone through ops or nanog, they should have been caught at the MTA level with appropriate content filtering (SpamAssassin has been detecting such emails for a few years now). -Jim P.

On 10/26/2015 06:46, John Souvestre via Outages wrote:
> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?
I have no useful information for the currently active problem except to say that identifying it is so trivial that my Thunderbird filters catch 100% of it with no false positives. I do have one or more questions that I will raise on -discussion. -- sed quis custodiet ipsos custodes? (Juvenal)

On 10/26/2015 10:41, Larry Sheldon wrote:
> On 10/26/2015 06:46, John Souvestre via Outages wrote:
>> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?
> I have no useful information for the currently active problem except to say that identifying it is so trivial that my Thunderbird filters catch 100% of it with no false positives.
> I do have one or more questions that I will raise on -discussion.
My apologies for the duplicate--I did not recognize the addressing error. I am no longer on the line, but back in the day I got banned from NANOG several times for raising the issues of network abuse and insisting that abuse of the network was a proper topic for Network Operators. But in spite of the fact that I managed a 65,000-address address space with several thousand active addresses spread over much of eastern Nebraska, I was not worthy of any respect. In addition, it appears that the major operators were (are?) in fact pro-abuse because it generates revenue producing traffic. No argument that people who provide "for a cash cost transit" get paid for the abuse traffic. One of my questions is this: Don't the people that have to pay for transit have an interest in reducing the traffic they have to pay for? A related question: Don't the people that operate networks have a loss in man-power dollars supporting the abuse traffic? In equipment dollars? In loss of goodwill? -- sed quis custodiet ipsos custodes? (Juvenal)
Participants (9): Jim Popovitch, Joe Abley, John Sage, John Souvestre, Larry Sheldon, Owen DeLong, Patrick W. Gilmore, Paul Thornton, Rich Kulawiec