[unisog] cornell.edu blog being used for spam - and now virginia.edu as well
Brian Allen
ballen at wustl.edu
Thu Nov 29 07:47:57 GMT 2007
First, I would like to echo the services of REN-ISAC for requests like
these. We had a student machine become a C&C a couple years ago. We
had it down within hours, and since I know some of the guys at REN-ISAC
I sent them logs of 10,000 IPs that were connected into the box and they
took care of notifying all the owners. I respond to any ren-isac alert
much faster than I would any unknown person because I trust them to give
me good logs, timestamps, any necessary background info, and they won't
waste my time with FPs. I suspect they could handle a query for contact
info at a single school.
Now, is 12 hours reasonable for this type of complaint? I say no, but
it is interesting that someone thinks it is. Let's take a look at some
hit numbers for a quick and dirty google search:
viagra OR pharmacy OR poker OR Levitra OR Tramadol OR cialis AND cheap
site:edu
site:org 2,000,000 hits / 2,570,000,000 total orgs = .078%
site:edu 774,000 hits / 956,000,000 total edus = .08%
site:com 19,100,000 hits / 4,830,000,000 total coms = .395%
site:org = .078%
site:edu = .08%
site:com = .395%
Dot coms are five times more likely than .edus to have spammer sites
when it comes to this quick search. I did another quick search
replacing the "OR"s with "AND"s and dot coms again came out five times
higher than edus. So play with the searches, I think the point is
clear.
The reality is that universities are becoming islands that are
relatively infection free compared to the rest of the Internet. Where
are all the infections going, one might ask? I am not exactly sure,
however, I did run the search a few more times to get these interesting
numbers:
site:ru = .97%
site:br = 2.67%
site:ro = 2.34%
I challenge someone to send complaints to a random sample of some of
those abuse departments and see how long it takes to get responses. I
would suspect that several years ago it would have been extremely
unlikely to expect a 12 hour turn around time for a spam complaint to a
university. It just shows how far universities have come that people
now expect this high level of security and attention from edus, and
clearly we are delivering.
Despite this, anyone who posts a spam complaint about a specific
university on a message board is a User of the 'L' type. Instead, just
ask for a good contact there and someone will gladly reply either on or
off list. Duh.
Cheers,
Brian Allen
Network Security Analyst
Washington University
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org [mailto:unisog-
> bounces at lists.dshield.org] On Behalf Of Frank Bulk - iNAME
> Sent: Wednesday, November 28, 2007 8:51 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] cornell.edu blog being used for spam - and
> now virginia.edu as well
>
> Yes, an automated response would at least suggest that some system is in
> place to handle the reports. Detailing some escalation steps would assist
> those who need to address something sooner rather than later (that
> definition clearly covers a wide range).
>
> Ideally a ticket would be opened such that more notes/files could be added
> to the case, and the abuse submitter could further categorize the abuse so
> that the appropriate personnel could deal with the issue. On the abuse desk
> side, one would want a way to privately add notes and be able to
> consolidate tickets.
>
> There is at least one group developing a way for abuse incidents to be
> reported in some kind of automatable format, the ASRG
> (http://asrg.sp.am/subgroups/abuse_reports.shtml), but there doesn't
> appear to be much activity.
>
> Regards,
>
> Frank
>
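A sketch of the abuse-desk workflow Frank describes (an automated acknowledgement, a ticket per case that accepts further notes, submitter-chosen categories that route to the right team, desk-only private notes, and consolidation of duplicate reports about the same resource), written as an added example for this archive; it is not code from the thread, from any university abuse desk, or from the ASRG work mentioned. The category-to-team routing table, the seven-day consolidation window, and the example.edu/example.org sample reports are all constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Submitter-chosen category -> team that handles it (assumed routing table).
ROUTING = {
    "spam-web": "web-team",
    "spam-mail": "mail-team",
    "botnet-cnc": "incident-response",
    "phishing": "incident-response",
}


@dataclass
class Report:
    reporter: str
    resource: str       # URL or host the complaint is about
    category: str       # one of ROUTING's keys, chosen by the submitter
    received: datetime
    details: str


@dataclass
class Ticket:
    ticket_id: int
    resource: str
    category: str
    assigned_to: str
    opened: datetime
    reports: list = field(default_factory=list)
    public_notes: list = field(default_factory=list)   # visible to the submitter
    private_notes: list = field(default_factory=list)  # abuse-desk only
    status: str = "open"


class AbuseDesk:
    # Reports about the same resource inside this window are merged into the
    # existing open ticket instead of opening a duplicate (assumed policy).
    CONSOLIDATE_WINDOW = timedelta(days=7)

    def __init__(self):
        self.tickets = {}
        self._next_id = 1

    def submit(self, report):
        """Open or update a ticket; return (ticket, automated acknowledgement)."""
        if report.category not in ROUTING:
            raise ValueError(f"unknown abuse category {report.category!r}")
        ticket = self._find_open(report.resource, report.received)
        if ticket is None:
            ticket = Ticket(self._next_id, report.resource, report.category,
                            ROUTING[report.category], report.received)
            self._next_id += 1
            self.tickets[ticket.ticket_id] = ticket
        ticket.reports.append(report)
        action = "opened" if len(ticket.reports) == 1 else "updated"
        ack = (f"Ticket #{ticket.ticket_id} {action} for {report.resource} "
               f"({report.category}); assigned to {ticket.assigned_to}. "
               f"Reply quoting the ticket number to add notes or attachments.")
        return ticket, ack

    def _find_open(self, resource, when):
        for t in self.tickets.values():
            if (t.status == "open" and t.resource == resource
                    and when - t.opened <= self.CONSOLIDATE_WINDOW):
                return t
        return None

    def add_note(self, ticket_id, author, text, private=False):
        """Desk staff may add private notes; anyone on the case adds public ones."""
        t = self.tickets[ticket_id]
        (t.private_notes if private else t.public_notes).append((author, text))

    def submitter_view(self, ticket_id):
        """What the reporter sees: everything except the desk's private notes."""
        t = self.tickets[ticket_id]
        return {"id": t.ticket_id, "resource": t.resource, "status": t.status,
                "report_count": len(t.reports), "notes": list(t.public_notes)}


def demo():
    """Run four constructed reports through the desk and return it."""
    desk = AbuseDesk()
    t0 = datetime(2007, 11, 28, 20, 0)
    blog = "blog.example.edu/posts/4711"   # constructed hijacked blog page
    # Two independent reports about the same page, a day apart: one ticket.
    desk.submit(Report("spamtrap@example.org", blog, "spam-web", t0,
                       "page now carries pharmacy spam links"))
    desk.submit(Report("abuse@example.net", blog, "spam-web",
                       t0 + timedelta(days=1), "same page, more links"))
    # A different resource and category: its own ticket, different team.
    desk.submit(Report("soc@example.com", "dorm-host-12.example.edu",
                       "botnet-cnc", t0, "inbound bot connections observed"))
    # Same page reported again after the window has passed: a new ticket.
    desk.submit(Report("abuse@example.net", blog, "spam-web",
                       t0 + timedelta(days=10), "spam links are back"))
    desk.add_note(1, "webadmin", "contacted blog owner, posts removed")
    desk.add_note(1, "abuse-desk", "owner credentials likely reused", private=True)
    return desk
```

The consolidation check is deliberately narrow (same resource string, open ticket, inside the window): in practice an abuse desk would also normalise URLs and hostnames before comparing, otherwise two reports of the same page with different capitalisation or trailing slashes would open separate tickets.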