Re: [outages] NANOG

2015-10-26 Thread Paul Thornton via Outages

On 26/10/2015 11:46, John Souvestre via Outages wrote:

> I haven’t seen anything but a steady stream of spam on NANOG for the
> last 1.5 days or so.  Is this what you are seeing? They can’t filter it?

Seeing exactly the same here.  Not even any ranting on-list about the spam.

They have slowed, but I'm still getting them coming in this morning 
(dated around 01:25 on 25 October).  Given that the From: line is easily 
matched, I'm surprised that someone hasn't applied some filtering and/or 
some deleting from the outgoing queue.


Paul.
___
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages


Re: [outages] NANOG

2015-10-26 Thread Joe Abley via Outages

On 26 Oct 2015, at 8:05, Paul Thornton via Outages wrote:

> On 26/10/2015 11:46, John Souvestre via Outages wrote:
>
>> I haven’t seen anything but a steady stream of spam on NANOG for
>> the last 1.5 days or so.  Is this what you are seeing? They can’t
>> filter it?
>
> Seeing exactly the same here.  Not even any ranting on-list about the
> spam.
>
> They have slowed, but I'm still getting them coming in this morning
> (dated around 01:25 on 25 October).  Given that the From: line is
> easily matched, I'm surprised that someone hasn't applied some
> filtering and/or some deleting from the outgoing queue.


I have no insight into why nobody has blocked it (the messages seem 
trivial to identify, and doesn't NANOG have money and contractors, these 
days?) but this is what it is:


http://wardinewrock.blogspot.ca/2015/09/email-sent-under-my-name-not-from-me.html

Joe


Re: [outages] NANOG

2015-10-26 Thread Rich Kulawiec via Outages
On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
> After the appropriate wgets and less'es those all seemed to point back to
> 
> avazunic [dot] com
> 
> which is registered in -- wait for it -- CN...

I have noted 374 different domains (so far) in this attack and have
analyzed them at a cursory level.  Thus far, I see no pattern of
registration, DNS, geography, hosting, etc.  I strongly suspect that
many of these, perhaps even most or all, represent web sites that have
been breached and are being used to spread the payload.

---rsk


Re: [outages] NANOG

2015-10-26 Thread Patrick W. Gilmore via Outages
First: I see these leaking into outages@ as well.

Second: Anyone else sad you were not spoofed? What? Am I not good enough to 
spoof? 

-- 
TTFN,
patrick

> On Oct 26, 2015, at 10:27 AM, John Sage via Outages wrote:
> 
> On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
>> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>>> After the appropriate wgets and less'es those all seemed to point back to
>>> 
>>> avazunic [dot] com
>>> 
>>> which is registered in -- wait for it -- CN...
>> 
>> I have noted 374 different domains (so far) in this attack and have
>> analyzed them at a cursory level.  Thus far, I see no pattern of
>> registration, DNS, geography, hosting, etc.  I strongly suspect that
>> many of these, perhaps even most or all, represent web sites that have
>> been breached and are being used to spread the payload.
> 
> In my OP I was referring to the domain name that the ultimate payload 
> contained, after the cobweb of redirects in the initial spam was followed 
> back to an endpoint.
> 
> But I only did six or so, early yesterday, so who knows...
> 
> #EOF
> 
> 
> - John
> -- 
> 


Re: [outages] NANOG

2015-10-26 Thread John Sage via Outages

On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:

> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>
>> After the appropriate wgets and less'es those all seemed to point back to
>>
>> avazunic [dot] com
>>
>> which is registered in -- wait for it -- CN...
>
> I have noted 374 different domains (so far) in this attack and have
> analyzed them at a cursory level.  Thus far, I see no pattern of
> registration, DNS, geography, hosting, etc.  I strongly suspect that
> many of these, perhaps even most or all, represent web sites that have
> been breached and are being used to spread the payload.


In my OP I was referring to the domain name that the ultimate payload 
contained, after the cobweb of redirects in the initial spam was 
followed back to an endpoint.


But I only did six or so, early yesterday, so who knows...

#EOF


- John
--



Re: [outages] NANOG

2015-10-26 Thread John Sage via Outages

On 10/26/2015 05:30 AM, Rich Kulawiec via Outages wrote:

> I sent a message to the NANOG mail administration team asking them to
> throw the "emergency moderation" flag.  This is a switch inside Mailman
> (the piece of software that runs the NANOG lists) which causes all
> incoming list traffic to be held for manual approval.  When stuff like
> this happens, it's a fast way to stop the bleeding.
>
> I've had no response to that and am also still (8:30 AM EDT) observing a
> steady flow of outbound spam via NANOG.  Note that this is part of a much
> larger attack: so far, I've seen the same thing on about 15 other mailing
> lists.  Whether all of these were launched by the same entity is unknown,
> but the patterns match quite closely, so that's certainly a possibility.


I looked at five or six to the Outages list yesterday in detail.

After the appropriate wgets and less'es those all seemed to point back to

avazunic [dot] com

which is registered in -- wait for it -- CN...


- John
--



Re: [outages] NANOG

2015-10-26 Thread Rich Kulawiec via Outages

I sent a message to the NANOG mail administration team asking them to
throw the "emergency moderation" flag.  This is a switch inside Mailman
(the piece of software that runs the NANOG lists) which causes all
incoming list traffic to be held for manual approval.  When stuff like
this happens, it's a fast way to stop the bleeding.

I've had no response to that and am also still (8:30 AM EDT) observing a
steady flow of outbound spam via NANOG.  Note that this is part of a much
larger attack: so far, I've seen the same thing on about 15 other mailing
lists.  Whether all of these were launched by the same entity is unknown,
but the patterns match quite closely, so that's certainly a possibility.

---rsk
___
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages


Re: [outages] NANOG

2015-10-26 Thread Larry Sheldon via Outages

On 10/26/2015 06:46, John Souvestre via Outages wrote:

> I haven’t seen anything but a steady stream of spam on NANOG for the
> last 1.5 days or so.  Is this what you are seeing?  They can’t filter
> it?


I have no useful information for the currently active problem except to 
say that identifying it is so trivial that my Thunderbird filters catch 
100% of it with no false positives.


I do have one or more questions that I will raise on -discussion.

--
sed quis custodiet ipsos custodes? (Juvenal)


Re: [outages] NANOG

2015-10-26 Thread Joe Abley via Outages



On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:

> As an aside, a couple of years ago I argued that Mailman should have
> a feature added that measured the normal rate of message flow (per hour,
> per day, perhaps per week) and provided a setting which would engage
> the moderation flag if that rate was exceeded by a (configurable)
> multiplier.  E.g., "if normal for this list is 20 messages a day and
> the multiplier is set to 3, then once the message count hits 60
> in a 24-hour period, hold all subsequent messages for manual
> approval".
>
> This is one of the use cases that I had in mind for it.


I like that idea, but I wonder whether it has unpleasant implications 
for operations lists.


If something horrible happens in a global context, it's not unusual for 
somewhat quiet ops lists to explode with content. That's kind of what 
those lists are for. It'd be unfortunate if the one time you really 
wanted the list to work in anger, it automatically throttled itself.



Joe


Re: [outages] NANOG

2015-10-26 Thread Rich Kulawiec via Outages

FYI, closer inspection of the most recent samples (via NANOG) suggests
that someone may have stuffed a cork in it circa 0130 UTC yesterday
(Sunday), as I don't yet see any messages whose arrival time at
mail.nanog.org is later than that.  I speculate that perhaps what we're
observing now is the outbound MTA queue draining.  (Although if that's
correct, I don't understand why someone didn't stop it and manually
clean it out.)

As an aside, a couple of years ago I argued that Mailman should have
a feature added that measured the normal rate of message flow (per hour,
per day, perhaps per week) and provided a setting which would engage
the moderation flag if that rate was exceeded by a (configurable)
multiplier.  E.g., "if normal for this list is 20 messages a day and
the multiplier is set to 3, then once the message count hits 60
in a 24-hour period, hold all subsequent messages for manual approval".
This is one of the use cases that I had in mind for it.

---rsk


Re: [outages] NANOG

2015-10-26 Thread Owen DeLong via Outages

> On Oct 26, 2015, at 08:41 , Joe Abley via Outages wrote:
> 
> 
> 
> On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
> 
>> As an aside, a couple of years ago I argued that Mailman should have
>> a feature added that measured the normal rate of message flow (per hour,
>> per day, perhaps per week) and provided a setting which would engage
>> the moderation flag if that rate was exceeded by a (configurable)
>> multiplier.  E.g., "if normal for this list is 20 messages a day and
>> the multiplier is set to 3, then once the message count hits 60
>> in a 24-hour period, hold all subsequent messages for manual approval".
>> This is one of the use cases that I had in mind for it.
> 
> I like that idea, but I wonder whether it has unpleasant implications for 
> operations lists.
> 
> If something horrible happens in a global context, it's not unusual for 
> somewhat quiet ops lists to explode with content. That's kind of what those 
> lists are for. It'd be unfortunate if the one time you really wanted the list 
> to work in anger, it automatically throttled itself.
> 

I think we can solve that problem, actually…

What if once the list went into “automoderation”, instead of requiring manual 
approval, it sent a notification back to the poster asking them to log in to 
their mailman account and approve the message. It could even provide a link in 
the email which would take care of everything so long as they were able to 
supply their mailman password. (Manual approval would remain an option, but 
valid users would be able to get their message out if it was urgent or they 
cared).

Thoughts?

Owen



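The rate-triggered moderation Rich proposes above (baseline rate times a configurable multiplier, then hold everything that follows) together with Owen's self-release link, as an added example. This is not Mailman code and not code from anyone in this thread; the class, function and field names are this example's own. It assumes the per-list baseline count has already been learned, stands in an HMAC-signed link token plus a toy sha256 password hash for the "supply their mailman password" check, and latches the flag until an operator clears it, as the emergency-moderation switch does.

```python
"""Rate-triggered list moderation with sender self-release (added example)."""
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ListState:
    """Per-list state. Field names are assumptions, not Mailman's attributes."""
    name: str
    baseline_per_window: float           # learned "normal" count per window
    multiplier: float = 3.0              # Rich's configurable multiplier
    window_secs: int = 86400             # trailing 24-hour window
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    passwords: dict = field(default_factory=dict)    # sender -> sha256 hex (toy)
    arrivals: deque = field(default_factory=deque)   # timestamps inside window
    emergency: bool = False              # latched until operator_clear()
    held: dict = field(default_factory=dict)         # msg_id -> sender

    @property
    def threshold(self) -> float:
        return self.baseline_per_window * self.multiplier


def post(state: ListState, msg_id: str, sender: str, now: float) -> str:
    """Accept one inbound post; return 'sent' or 'held'.

    Once the flag is up every message is held. Otherwise the message is
    delivered and counted; if the count in the trailing window reaches
    baseline * multiplier, the flag latches so that *subsequent* messages
    are held ("once the count hits 60 ... hold all subsequent messages").
    """
    if state.emergency:
        state.held[msg_id] = sender
        return "held"
    state.arrivals.append(now)
    while now - state.arrivals[0] >= state.window_secs:   # expire old arrivals
        state.arrivals.popleft()
    if len(state.arrivals) >= state.threshold:
        state.emergency = True
    return "sent"


def operator_clear(state: ListState) -> None:
    """Manual reset once the list owners have cleaned up."""
    state.emergency = False


def register_password(state: ListState, sender: str, password: str) -> None:
    """Toy subscriber password store; a real list would use a proper KDF."""
    state.passwords[sender] = hashlib.sha256(password.encode()).hexdigest()


def release_token(state: ListState, msg_id: str, sender: str) -> str:
    """HMAC over list, message and sender; this is what the emailed link carries."""
    msg = f"{state.name}\0{msg_id}\0{sender}".encode()
    return hmac.new(state.secret, msg, hashlib.sha256).hexdigest()


def self_release(state: ListState, msg_id: str, sender: str,
                 token: str, password: str) -> bool:
    """Owen's idea: the poster releases their own held message.

    Two factors are required: the link token, which proves the notice
    reached the address on the From: line, and the subscriber's list
    password, which a sender forging that From: line does not have.
    """
    if state.held.get(msg_id) != sender:
        return False
    if not hmac.compare_digest(token, release_token(state, msg_id, sender)):
        return False
    stored = state.passwords.get(sender)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return False
    del state.held[msg_id]
    return True


if __name__ == "__main__":
    # Constructed scenario: a 20/day list hit by a flood, then a real post.
    nanog = ListState("nanog", baseline_per_window=20)
    register_password(nanog, "alice@example.net", "hunter2")
    flood = [post(nanog, f"<spam{i}>", "forged@example.net", float(i))
             for i in range(61)]
    print(flood.count("sent"), "delivered,", flood.count("held"), "held")
    print(post(nanog, "<real>", "alice@example.net", 61.0))
    tok = release_token(nanog, "<real>", "alice@example.net")
    print(self_release(nanog, "<real>", "alice@example.net", tok, "hunter2"))
```

Joe's objection shows up directly in the numbers: a quiet ops list with a baseline of 2 per day and the same multiplier latches after 6 messages, which is about the size of a real incident thread. The self-release path is what keeps such a list usable while latched, since the cost it adds to a legitimate poster is one click and a password, while the forged-From: flood, which has neither the mailbox nor the password, stays held.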