Re: [outages] NANOG
On 26/10/2015 11:46, John Souvestre via Outages wrote:
> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?

Seeing exactly the same here. Not even any ranting on-list about the spam.

They have slowed, but I'm still getting them coming in this morning (dated around 01:25 on 25 October).

Given that the From: line is easily matched, I'm surprised that someone hasn't applied some filtering and/or some deleting from the outgoing queue.

Paul.

___
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages
Re: [outages] NANOG
On 26 Oct 2015, at 8:05, Paul Thornton via Outages wrote:
> On 26/10/2015 11:46, John Souvestre via Outages wrote:
>> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?
>
> Seeing exactly the same here. Not even any ranting on-list about the spam.
>
> They have slowed, but I'm still getting them coming in this morning (dated around 01:25 on 25 October).
>
> Given that the From: line is easily matched, I'm surprised that someone hasn't applied some filtering and/or some deleting from the outgoing queue.

I have no insight into why nobody has blocked it (the messages seem trivial to identify, and doesn't NANOG have money and contractors, these days?) but this is what it is:

http://wardinewrock.blogspot.ca/2015/09/email-sent-under-my-name-not-from-me.html

Joe
Re: [outages] NANOG
On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
> After the appropriate wgets and less'es those all seemed to point back to
>
> avazunic [dot] com
>
> which is registered in -- wait for it -- CN...

I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.

---rsk
Re: [outages] NANOG
First: I see these leaking into outages@ as well.

Second: Anyone else sad you were not spoofed? What? Am I not good enough to spoof?

--
TTFN,
patrick

> On Oct 26, 2015, at 10:27 AM, John Sage via Outages wrote:
>
> On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
>> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>>> After the appropriate wgets and less'es those all seemed to point back to
>>>
>>> avazunic [dot] com
>>>
>>> which is registered in -- wait for it -- CN...
>>
>> I have noted 374 different domains (so far) in this attack and have
>> analyzed them at a cursory level. Thus far, I see no pattern of
>> registration, DNS, geography, hosting, etc. I strongly suspect that
>> many of these, perhaps even most or all, represent web sites that have
>> been breached and are being used to spread the payload.
>
> In my OP I was referring to the domain name that the ultimate payload
> contained, after the cobweb of redirects in the initial spam was followed
> back to an endpoint.
>
> But I only did six or so, early yesterday, so who knows...
>
> #EOF
>
> - John
> --
Re: [outages] NANOG
On 10/26/2015 07:13 AM, Rich Kulawiec via Outages wrote:
> On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
>> After the appropriate wgets and less'es those all seemed to point back to
>>
>> avazunic [dot] com
>>
>> which is registered in -- wait for it -- CN...
>
> I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload.

In my OP I was referring to the domain name that the ultimate payload contained, after the cobweb of redirects in the initial spam was followed back to an endpoint.

But I only did six or so, early yesterday, so who knows...

#EOF

- John
--
Re: [outages] NANOG
On 10/26/2015 05:30 AM, Rich Kulawiec via Outages wrote:
> I sent a message to the NANOG mail administration team asking them to throw the "emergency moderation" flag. This is a switch inside Mailman (the piece of software that runs the NANOG lists) which causes all incoming list traffic to be held for manual approval. When stuff like this happens, it's a fast way to stop the bleeding.
>
> I've had no response to that and am also still (8:30 AM EDT) observing a steady flow of outbound spam via NANOG.
>
> Note that this is part of a much larger attack: so far, I've seen the same thing on about 15 other mailing lists. Whether all of these were launched by the same entity is unknown, but the patterns match quite closely, so that's certainly a possibility.

I looked at five or six to the Outages list yesterday in detail.

After the appropriate wgets and less'es those all seemed to point back to

avazunic [dot] com

which is registered in -- wait for it -- CN...

- John
--
Re: [outages] NANOG
I sent a message to the NANOG mail administration team asking them to throw the "emergency moderation" flag. This is a switch inside Mailman (the piece of software that runs the NANOG lists) which causes all incoming list traffic to be held for manual approval. When stuff like this happens, it's a fast way to stop the bleeding.

I've had no response to that and am also still (8:30 AM EDT) observing a steady flow of outbound spam via NANOG.

Note that this is part of a much larger attack: so far, I've seen the same thing on about 15 other mailing lists. Whether all of these were launched by the same entity is unknown, but the patterns match quite closely, so that's certainly a possibility.

---rsk
Re: [outages] NANOG
On 10/26/2015 06:46, John Souvestre via Outages wrote:
> I haven’t seen anything but a steady stream of spam on NANOG for the last 1.5 days or so. Is this what you are seeing? They can’t filter it?

I have no useful information for the currently active problem except to say that identifying it is so trivial that my Thunderbird filters catch 100% of it with no false positives.

I do have one or more questions that I will raise on -discussion.

--
sed quis custodiet ipsos custodes? (Juvenal)
Re: [outages] NANOG
On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
> As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it.

I like that idea, but I wonder whether it has unpleasant implications for operations lists.

If something horrible happens in a global context, it's not unusual for somewhat quiet ops lists to explode with content. That's kind of what those lists are for. It'd be unfortunate if the one time you really wanted the list to work in anger, it automatically throttled itself.

Joe
Re: [outages] NANOG
FYI, closer inspection of the most recent samples (via NANOG) suggests that someone may have stuffed a cork in it circa 0130 UTC yesterday (Sunday), as I don't yet see any messages whose arrival time at mail.nanog.org is later than that. I speculate that perhaps what we're observing now is the outbound MTA queue draining. (Although if that's correct, I don't understand why someone didn't stop it and manually clean it out.)

As an aside, a couple of years ago I argued that Mailman should have a feature added that measured the normal rate of message flow (per hour, per day, perhaps per week) and provided a setting which would engage the moderation flag if that rate was exceeded by a (configurable) multiplier. E.g., "if normal for this list is 20 messages a day and the multiplier is set to 3, then once the message count hits 60 in a 24-hour period, hold all subsequent messages for manual approval". This is one of the use cases that I had in mind for it.

---rsk
Re: [outages] NANOG
> On Oct 26, 2015, at 08:41 , Joe Abley via Outages wrote:
>
> On 26 Oct 2015, at 11:26, Rich Kulawiec via Outages wrote:
>
>> As an aside, a couple of years ago I argued that Mailman should have
>> a feature added that measured the normal rate of message flow (per hour,
>> per day, perhaps per week) and provided a setting which would engage
>> the moderation flag if that rate was exceeded by a (configurable)
>> multiplier. E.g., "if normal for this list is 20 messages a day and
>> the multiplier is set to 3, then once the message count hits 60
>> in a 24-hour period, hold all subsequent messages for manual approval".
>> This is one of the use cases that I had in mind for it.
>
> I like that idea, but I wonder whether it has unpleasant implications for
> operations lists.
>
> If something horrible happens in a global context, it's not unusual for
> somewhat quiet ops lists to explode with content. That's kind of what those
> lists are for. It'd be unfortunate if the one time you really wanted the list
> to work in anger, it automatically throttled itself.

I think we can solve that problem, actually…

What if once the list went into “automoderation”, instead of requiring manual approval, it sent a notification back to the poster asking them to log in to their mailman account and approve the message. It could even provide a link in the email which would take care of everything so long as they were able to supply their mailman password. (Manual approval would remain an option, but valid users would be able to get their message out if it was urgent or they cared).

Thoughts?

Owen
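A sketch of the two proposals in this thread, Rich's rate-triggered moderation flag and Owen's poster self-release, written as an added Python example for this archive page; it is not Mailman code and does not use Mailman's API. The class and function names, the sliding 24-hour window, the salted-PBKDF2 password store and the constructed sample traffic are all assumptions made for the illustration.

```python
# Added example, not Mailman's code: rate-triggered "automoderation" with
# poster self-release, modelling the proposals in this thread. Names, the
# window size, the password store and the sample traffic are assumptions.
import hashlib
import hmac
import secrets
from collections import deque

DAY = 24 * 60 * 60


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever the real list software stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FloodGuard:
    """Hold list traffic once the number of messages in a sliding window
    reaches baseline * multiplier, and let authenticated posters release
    their own held messages. Moderation stays on until an operator clears
    it, like Mailman's emergency flag; manual review remains available."""

    def __init__(self, baseline_per_day: int, multiplier: int = 3, window: int = DAY):
        self.threshold = baseline_per_day * multiplier
        self.window = window
        self.arrivals = deque()   # timestamps of delivered messages in the window
        self.moderating = False
        self.held = {}            # token -> (sender, subject)
        self.delivered = []       # (sender, subject) actually sent to the list
        self.subscribers = {}     # sender -> (salt, password hash)

    def register(self, sender: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.subscribers[sender] = (salt, hash_password(password, salt))

    def _prune(self, now: float) -> None:
        # Drop arrivals that have aged out of the window.
        while self.arrivals and self.arrivals[0] <= now - self.window:
            self.arrivals.popleft()

    def submit(self, now: float, sender: str, subject: str):
        """Return ('delivered', None) or ('held', token)."""
        self._prune(now)
        if self.moderating:
            token = secrets.token_urlsafe(16)   # goes into the notification link
            self.held[token] = (sender, subject)
            return "held", token
        self.arrivals.append(now)
        self.delivered.append((sender, subject))
        if len(self.arrivals) >= self.threshold:
            # "once the message count hits 60 ... hold all subsequent messages"
            self.moderating = True
        return "delivered", None

    def self_release(self, token: str, sender: str, password: str) -> bool:
        """Owen's proposal: the poster follows the link and supplies their list
        password. The token is bound to the From: address, but because that
        header is spoofed in this attack, the password check is what matters."""
        entry = self.held.get(token)
        if entry is None or entry[0] != sender or sender not in self.subscribers:
            return False
        salt, stored = self.subscribers[sender]
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        self.delivered.append(self.held.pop(token))
        return True

    def clear(self) -> None:
        """Operator switches moderation off; anything still held stays queued."""
        self.moderating = False


def simulate() -> dict:
    """Constructed traffic: 61 posts within a minute against a 20/day baseline."""
    guard = FloodGuard(baseline_per_day=20, multiplier=3)
    guard.register("ops@example.net", "correct horse battery")
    statuses, token = [], None
    for t in range(61):
        status, tok = guard.submit(t, "ops@example.net", f"post {t}")
        statuses.append(status)
        token = tok or token
    wrong = guard.self_release(token, "ops@example.net", "guess")       # spoofer
    right = guard.self_release(token, "ops@example.net", "correct horse battery")
    return {"statuses": statuses, "wrong": wrong, "right": right,
            "delivered": len(guard.delivered), "moderating": guard.moderating}


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the first 60 posts go out, the 61st is held, a release attempt with the wrong password fails and the genuine subscriber's release succeeds, which is Joe's "list explodes during a real event" case handled without a moderator in the loop. A held-message notification arriving for a post the subscriber never sent is itself a useful signal that their address is being spoofed.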