For the past few days I've been actively chasing the new spams originating from Google Groups, all with a link to download a .zip or .rar file, most probably a virus. I do it on the fr.* French-speaking hierarchy because I am
a Frenchman (also please excuse me if I make mistakes in English).
Yesterday, Pierre Pallier pointed out on fr.usenet.abus.d that all these spams end with a kind of signature. He noticed it on alt.* newsgroups, but
I checked the exact same thing on fr.* newsgroups.
In brief, the very last line of all these spams is:
" 35727fac0c" from November the 22nd to November the 28th;
" eebf2c3492" after, up to today.
Maybe another signature could occur from time to time, but it changes far less frequently than the From header or the Subject header. Of course it requires
downloading the whole body, and not only the headers, before deciding that
it is a spam (that is why my own robot cannot rely on that criterion),
but maybe it can help other people here, including newsmasters.
I am not a server administrator, but
filtering out Google is recommended:
Path: ...googlegroups.com
Injection-Info: ...googlegroups.com
Message-ID: ...googlegroups.com
References: ...googlegroups.com

Hello D,
On 05/12/2023 14:22, D wrote:
> I am not a server administrator, but
> filtering out Google is recommended:
> Path: ...googlegroups.com
> Injection-Info: ...googlegroups.com
> Message-ID: ...googlegroups.com
> References: ...googlegroups.com
Ok, so you would choose to filter out not only what comes from Google (spam and non-spam) but also the responses (via the header References).
Any other reactions to my proposal?
Or maybe my message was already filtered out by the detection of the strings " 35...0c" and " ee...92", so that nobody else has seen it before?

Thus spake Olivier Miakinen <om+news@miakinen.net>
> Ok, so you would choose to filter out not only what comes from Google (spam and non-spam) but also the responses (via the header References).
> Any other reactions to my proposal?
> Or maybe my message was already filtered out by the detection of the strings " 35...0c" and " ee...92", so that nobody else has seen it before?
Chances are that some of the nocemizers have already been filtering on
10 character hex strings as the only non-whitespace content of a line ;-).
BTW: I have also noted other hex strings than the two you quoted
and I found hints that these strings might be passwords for the
zip and rar archives that are advertised in the postings.
Haven't bothered to test this.
> Chances are that some of the nocemizers have already been filtering on
> 10 character hex strings as the only non-whitespace content of a line ;-).
The line begins with a space followed by the code,
on the last or penultimate line of the message.
I'm not interested in the subject but perhaps adding [> \t]* to the
beginning of the regex will do the trick, even if the line is quoted in
the future?
Hi,
Franck wrote on 08/12/2023 07:49:
> I'm not interested in the subject but perhaps adding [> \t]* to the
> beginning of the regex will do the trick, even if the line is quoted in
> the future?
Thanks for your advice.
I use it.
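As an added example, not code from the thread or from any poster's robot or nocem filter: a small Python classifier that applies both criteria discussed above to one raw article. D's header check looks for googlegroups.com in Path, Injection-Info, Message-ID and References, but reports a References-only match (a reply to a Google Groups article) separately from a Google origin, which is the distinction Olivier raised. The signature check is implemented twice, in the strict form (one space, then ten hex characters, nothing else) and in Franck's quote-tolerant form with `[> \t]*` in front, and it looks at the last two non-blank body lines because the code was seen on the last or penultimate line. The three sample articles, their header values and the `find_signature`/`classify` names are constructed for this illustration.

```python
import re
from email.message import Message
from email.parser import Parser
from typing import Dict, List, Optional

# Strict form of the criterion from the thread: a single space, then ten
# lowercase hex characters, and nothing else on the line.
STRICT_SIG_RE = re.compile(r"^ ([0-9a-f]{10})$")

# Franck's relaxed form: any run of quote markers, spaces and tabs may
# precede the code, so a quoted copy of the spam still matches.
QUOTED_SIG_RE = re.compile(r"^[> \t]*([0-9a-f]{10})[ \t]*$")

# Headers in which, according to D, a Google Groups origin shows up.
GOOGLE_HEADERS = ("Path", "Injection-Info", "Message-ID", "References")


def find_signature(body: str, pattern: "re.Pattern[str]" = QUOTED_SIG_RE,
                   tail: int = 2) -> Optional[str]:
    """Return the hex code if one of the last `tail` non-blank body lines
    is a signature line, else None. Two lines are checked because the
    thread reports the code on the last or penultimate line."""
    non_blank = [line for line in body.splitlines() if line.strip()]
    for line in non_blank[-tail:]:
        match = pattern.match(line)
        if match:
            return match.group(1)
    return None


def google_headers(msg: Message) -> List[str]:
    """Names of the listed headers whose value mentions googlegroups.com."""
    return [h for h in GOOGLE_HEADERS if "googlegroups.com" in (msg.get(h) or "")]


def classify(raw: str, pattern: "re.Pattern[str]" = QUOTED_SIG_RE) -> Dict[str, object]:
    """Apply both criteria to one raw article and report what each says.

    Only Path, Injection-Info and Message-ID say the article itself was
    injected through Google; a match on References alone means it is a
    reply to such an article, the case Olivier did not want to filter."""
    msg = Parser().parsestr(raw)
    hits = google_headers(msg)
    return {
        "signature": find_signature(msg.get_payload(), pattern),
        "google_headers": hits,
        "posted_via_google": any(h != "References" for h in hits),
        "reply_to_google": hits == ["References"],
    }


# Constructed sample articles (not real postings). The first mimics the spam:
# injected via Google, last body line is a space plus the code.
SPAM = """\
Path: news.example.net!feeder.example.org!googlegroups.com!not-for-mail
From: "Someone" <someone@example.com>
Newsgroups: fr.test
Subject: Download now
Message-ID: <abc123@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=192.0.2.10

Get the file here: http://example.invalid/file.zip
 35727fac0c
"""

# A legitimate reply: References points at the Google article, no signature.
REPLY = """\
Path: news.example.net!not-for-mail
From: "Olivier" <olivier@example.org>
Newsgroups: fr.test
Subject: Re: Download now
Message-ID: <reply1@example.org>
References: <abc123@googlegroups.com>

I reported this one, do not open the archive.
"""

# A reply that quotes the spam, signature line included.
QUOTING_REPLY = """\
Path: news.example.net!not-for-mail
From: "Someone else" <else@example.org>
Newsgroups: fr.test
Subject: Re: Download now
Message-ID: <reply2@example.org>
References: <abc123@googlegroups.com>

Someone wrote:
> Get the file here: http://example.invalid/file.zip
>  35727fac0c

Reported to the abuse address.
"""

if __name__ == "__main__":
    for name, article in (("spam", SPAM), ("reply", REPLY),
                          ("quoting reply", QUOTING_REPLY)):
        print(name, "relaxed:", classify(article))
        print(name, "strict signature:",
              classify(article, STRICT_SIG_RE)["signature"])
```

Running it shows the trade-off the thread is circling: the strict pattern catches the spam and leaves both replies alone, while the `[> \t]*` form also matches the reply that quotes the signature line, so a filter built on it will drop reports like Olivier's along with the spam unless quoted lines are treated differently. The header check is reported per header so that a site can reject on Path/Injection-Info/Message-ID without also rejecting every follow-up that carries a Google Message-ID in References.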