A good criterion for detecting new googlegroups virus-download spams

<ukn5ja$2068$1@cabale.usenet-fr.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2571&group=news.software.nntp#2571

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!eternal-september.org!news.gegeweb.eu!gegeweb.org!usenet-fr.net!.POSTED!not-for-mail
From: om+news@miakinen.net (Olivier Miakinen)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering,news.software.nntp
Subject: A good criterion for detecting new googlegroups virus-download spams
Followup-To: news.software.nntp
Date: Tue, 5 Dec 2023 13:38:02 +0100
Organization: There's no cabale
Lines: 38
Message-ID: <ukn5ja$2068$1@cabale.usenet-fr.net>
NNTP-Posting-Host: 200.89.28.93.rev.sfr.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Trace: cabale.usenet-fr.net 1701779882 65736 93.28.89.200 (5 Dec 2023 12:38:02 GMT)
X-Complaints-To: abuse@usenet-fr.net
NNTP-Posting-Date: Tue, 5 Dec 2023 12:38:02 +0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0 SeaMonkey/2.49.4
X-Mozilla-News-Host: news://news.galacsys.net:119
 by: Olivier Miakinen - Tue, 5 Dec 2023 12:38 UTC

[Preliminary note:

This article is crossposted in three groups because I don't know which
one is the most appropriate. I would have said news.admin.net-abuse.usenet
but this group seems to be highly spammed itself, so I set the followup
to news.software.nntp.

Please do a new crosspost with the correct Followup-To if you know better
than I do.
]

For the past few days I've been actively chasing the new spams originating
from Google groups, all with a link to download a .zip or .rar file, most
probably a virus. I do it on the fr.* French-speaking hierarchy because I am
a French man (also please excuse me if I make mistakes in English).

Yesterday, Pierre Pallier has pointed out on fr.usenet.abus.d that all these
spams end with a kind of signature. He noticed it on alt.* newsgroups, but
I checked the exact same thing on fr.* newsgroups.

In brief, the very last line of all these spams is:
" 35727fac0c" from November the 22nd to November the 28th;
" eebf2c3492" after, up to today.

Maybe another signature could occur from time to time, but it changes way
less frequently than the From header or Subject header. Of course it requires
downloading the whole body and not only the headers before deciding that
it is a spam (that is why my own robot cannot rely on that criterion),
but maybe it can help other guys here including newsmasters.

[reminder: please choose the appropriate group for responding]

Best Regards,
--
Olivier Miakinen

Re: A good criterion for detecting new googlegroups virus-download spams

<9074614f4dd0125a8cf8145513d84626@dizum.com>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2572&group=news.software.nntp#2572

From: J@M (D)
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
Subject: Re: A good criterion for detecting new googlegroups virus-download
spams
Content-Transfer-Encoding: 7bit
Message-ID: <9074614f4dd0125a8cf8145513d84626@dizum.com>
Date: Tue, 5 Dec 2023 14:22:09 +0100 (CET)
Newsgroups: news.software.nntp
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!news2.arglkargh.de!sewer!news.dizum.net!not-for-mail
Organization: dizum.com - The Internet Problem Provider
X-Abuse: abuse@dizum.com
Injection-Info: sewer.dizum.com - 2001::1/128
 by: D - Tue, 5 Dec 2023 13:22 UTC

On Tue, 5 Dec 2023 13:38:02 +0100, Olivier Miakinen <om+news@miakinen.net> wrote:
>For the past few days I've been actively chasing the new spams originating
>from Google groups, all with a link to download a .zip or .rar file, most
>probably a virus. I do it on the fr.* French-speaking hierarchy because I am
>a French man (also please excuse me if I make mistakes in English).
>Yesterday, Pierre Pallier has pointed out on fr.usenet.abus.d that all these
>spams end with a kind of signature. He noticed it on alt.* newsgroups, but
>I checked the exact same thing on fr.* newsgroups.
>In brief, the very last line of all these spams is:
>" 35727fac0c" from November the 22nd to November the 28th;
>" eebf2c3492" after, up to today.
>Maybe another signature could occur from time to time, but it changes way
>less frequently than the From header or Subject header. Of course it requires
>downloading the whole body and not only the headers before deciding that
>it is a spam (that is why my own robot cannot rely on that criterion),
>but maybe it can help other guys here including newsmasters.

i am not a server administrator but
filtering out google is recommended:

path: ...googlegroups.com
injection-info: ...googlegroups.com
message-id: ...googlegroups.com
references: ...googlegroups.com

it's also recommended to post using
nntp or at least non-google servers

google could stop their google2news
gateway to atone in the xmas spirit

Re: A good criterion for detecting new googlegroups virus-download spams

<ukpscs$2qk4$1@cabale.usenet-fr.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2579&group=news.software.nntp#2579

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!usenet-fr.net!.POSTED!not-for-mail
From: om+news@miakinen.net (Olivier Miakinen)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download
spams
Date: Wed, 6 Dec 2023 14:19:24 +0100
Organization: There's no cabale
Lines: 23
Message-ID: <ukpscs$2qk4$1@cabale.usenet-fr.net>
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
<9074614f4dd0125a8cf8145513d84626@dizum.com>
NNTP-Posting-Host: 200.89.28.93.rev.sfr.net
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8bit
X-Trace: cabale.usenet-fr.net 1701868764 92804 93.28.89.200 (6 Dec 2023 13:19:24 GMT)
X-Complaints-To: abuse@usenet-fr.net
NNTP-Posting-Date: Wed, 6 Dec 2023 13:19:24 +0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0 SeaMonkey/2.49.4
In-Reply-To: <9074614f4dd0125a8cf8145513d84626@dizum.com>
 by: Olivier Miakinen - Wed, 6 Dec 2023 13:19 UTC

Hello D,

On 05/12/2023 14:22, D wrote:
>
> i am not a server administrator but
> filtering out google is recommended:
>
> path: ...googlegroups.com
> injection-info: ...googlegroups.com
> message-id: ...googlegroups.com
> references: ...googlegroups.com

Ok, so you would choose to filter out not only what comes from Google (spam
and non-spam) but also the responses (via the header References).

Any other reactions to my proposal ?

Or maybe my message was already filtered out by the detection of the strings
" 35...0c" and " ee...92", so that nobody else has seen it before?

--
Olivier Miakinen

Re: A good criterion for detecting new googlegroups virus-download spams

<8mh6kvgxd1.fsf@raybanana.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2582&group=news.software.nntp#2582

Path: i2pn2.org!i2pn.org!news.niel.me!glou.org!news.glou.org!usenet-fr.net!news.trigofacile.com!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!raybanana.eternal-september.org!.POSTED!not-for-mail
From: rayban@raybanana.net (Ray Banana)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download spams
Date: Wed, 06 Dec 2023 16:32:42 +0100
Organization: A noiseless patient spider
Lines: 21
Message-ID: <8mh6kvgxd1.fsf@raybanana.net>
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
<9074614f4dd0125a8cf8145513d84626@dizum.com>
<ukpscs$2qk4$1@cabale.usenet-fr.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: raybanana.eternal-september.org; posting-host="c8e38282359b426a7b9071b3014f7688";
logging-data="874219"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+xwXtr1FeCvRTiwh65Ah5zViLMlElY2bU="
User-Agent: Plonkenlights
Cancel-Lock: sha1:mvHfMM3obB3Gr9im4POBPMWkj1g=
sha1:GIfm34hY0dCrtej1f9DaardPvrg=
X-Attribution: Ray Banana
 by: Ray Banana - Wed, 6 Dec 2023 15:32 UTC

Thus spake Olivier Miakinen <om+news@miakinen.net>
> Ok, so you would choose to filter out not only what comes from Google (spam
> and non-spam) but also the responses (via the header References).

> Any other reactions to my proposal ?

> Or maybe my message was already filtered out by the detection of the strings
> " 35...0c" and " ee...92", so that nobody else has seen it before?

Chances are that some of the nocemizers have already been filtering on
10 character hex strings as the only non-whitespace content of a line ;-).

BTW: I have also noted other hex strings than the two you quoted
and I found hints that these strings might be passwords for the
zip and rar archives that are advertised in the postings.
Haven't bothered to test this.

--
Пу́тін — хуйло́
http://www.eternal-september.org

Re: A good criterion for detecting new googlegroups virus-download spams

<ukq7pv$2u0r$1@cabale.usenet-fr.net>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2583&group=news.software.nntp#2583

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!usenet-fr.net!.POSTED!not-for-mail
From: om+news@miakinen.net (Olivier Miakinen)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download
spams
Date: Wed, 6 Dec 2023 17:34:07 +0100
Organization: There's no cabale
Lines: 26
Message-ID: <ukq7pv$2u0r$1@cabale.usenet-fr.net>
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
<9074614f4dd0125a8cf8145513d84626@dizum.com>
<ukpscs$2qk4$1@cabale.usenet-fr.net> <8mh6kvgxd1.fsf@raybanana.net>
NNTP-Posting-Host: 200.89.28.93.rev.sfr.net
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 8bit
X-Trace: cabale.usenet-fr.net 1701880447 96283 93.28.89.200 (6 Dec 2023 16:34:07 GMT)
X-Complaints-To: abuse@usenet-fr.net
NNTP-Posting-Date: Wed, 6 Dec 2023 16:34:07 +0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0 SeaMonkey/2.49.4
In-Reply-To: <8mh6kvgxd1.fsf@raybanana.net>
 by: Olivier Miakinen - Wed, 6 Dec 2023 16:34 UTC

On 06/12/2023 16:32, Ray Banana wrote:
>
>> Or maybe my message was already filtered out by the detection of the strings
>> " 35...0c" and " ee...92", so that nobody else has seen it before?
>
> Chances are that some of the nocemizers have already been filtering on
> 10 character hex strings as the only non-whitespace content of a line ;-).

Ok, so the fact was already known. Sorry that I haven't read the articles that
talked about that.

> BTW: I have also noted other hex strings than the two you quoted

Ok.

> and I found hints that these strings might be passwords for the
> zip and rar archives that are advertised in the postings.
> Haven't bothered to test this.

I tried once to click on one of the links, and a message said that the
password for the .rar was 1234. Indeed the password 1234 worked, and
the archive contained one .exe and several .dll. Of course I did not
go further.

--
Olivier Miakinen

Re: A good criterion for detecting new googlegroups virus-download spams

<ukqet4$3itp1$1@news.usenet.ovh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2588&group=news.software.nntp#2588

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!usenet.ovh!news.usenet.ovh!.POSTED!not-for-mail
From: llp@news.usenet.ovh (llp)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download spams
Date: Wed, 06 Dec 2023 19:35:16 +0100
Organization: Alfa Network En Travaux
Message-ID: <ukqet4$3itp1$1@news.usenet.ovh>
References: <ukn5ja$2068$1@cabale.usenet-fr.net> <9074614f4dd0125a8cf8145513d84626@dizum.com> <ukpscs$2qk4$1@cabale.usenet-fr.net> <8mh6kvgxd1.fsf@raybanana.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 6 Dec 2023 18:35:16 -0000 (UTC)
Injection-Info: news.usenet.ovh; posting-account="llp";
logging-data="3766049"; mail-complaints-to="abuse@usenet.ovh"
Cancel-Lock: sha256:64XSJZVTFDgRclz+XJcXqIIIMcFq1U52L89OpsNlFes=
X-Newsreader: MesNews/1.08.06.00-fr
 by: llp - Wed, 6 Dec 2023 18:35 UTC

Ray Banana presented the following statement:
> Thus spake Olivier Miakinen <om+news@miakinen.net>
>
>> Ok, so you would choose to filter out not only what comes from Google (spam
>> and non-spam) but also the responses (via the header References).
>
>> Any other reactions to my proposal ?
>
>> Or maybe my message was already filtered out by the detection of the strings
>> " 35...0c" and " ee...92", so that nobody else has seen it before?
>
> Chances are that some of the nocemizers have already been filtering on
> 10 character hex strings as the only non-whitespace content of a line ;-).

The line begins with a space followed by the code.
On the last or penultimate line of the message.

Re: A good criterion for detecting new googlegroups virus-download spams

<20231206.204619.52dbe09e@yamn.paranoici.org>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2594&group=news.software.nntp#2594

Path: i2pn2.org!i2pn.org!news.neodome.net!mail2news
Comments: This message was transferred to Usenet via mail2news gateway at
<mail2news@neodome.net>. Please send questions and concerns to
<admin@neodome.net>. Report inappropriate use to <abuse@neodome.net>.
Date: Wed, 6 Dec 2023 20:46:19 +0000
Injection-Info: neodome.net;
posting-account="mail2news";
mail-complaints-to="abuse@neodome.net"
References: <ukn5ja$2068$1@cabale.usenet-fr.net> <9074614f4dd0125a8cf8145513d84626@dizum.com> <ukpscs$2qk4$1@cabale.usenet-fr.net>
Message-ID: <20231206.204619.52dbe09e@yamn.paranoici.org>
Injection-Date: Wed, 6 Dec 2023 20:50:01 +0000 (UTC)
From: nobody@yamn.paranoici.org (D)
Content-Transfer-Encoding: 7bit
Subject: Re: A good criterion for detecting new googlegroups virus-download spams
Newsgroups: news.software.nntp
 by: D - Wed, 6 Dec 2023 20:46 UTC

On Wed, 6 Dec 2023 14:19:24 +0100, Olivier Miakinen <om+news@miakinen.net> wrote:
>Hello D,
>On 05/12/2023 14:22, D wrote:
>> i am not a server administrator but
>> filtering out google is recommended:
>> path: ...googlegroups.com
>> injection-info: ...googlegroups.com
>> message-id: ...googlegroups.com
>> references: ...googlegroups.com
>
>Ok, so you would choose to filter out not only what comes from Google (spam
>and non-spam) but also the responses (via the header References).

spam seems to be a normal percentage of content posted to unmoderated
usenet newsgroups from many thousands of different sources, the price
of free speech, a small cost which experienced newsgroup participants
find acceptable; however, what is popularly called googlespam appears
to be systematic and orchestrated around the usenet world; oftentimes
replies to googlespam articles quote all or part of the original spam
and are sometimes posted from non-google servers working in collusion

Re: A good criterion for detecting new googlegroups virus-download spams

<ukue9e$1la0v$1@dont-email.me>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2607&group=news.software.nntp#2607

Path: i2pn2.org!i2pn.org!news.furie.org.uk!nntp.terraraq.uk!news.gegeweb.eu!gegeweb.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: franck@email.invalid (Franck)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download
spams
Date: Fri, 8 Dec 2023 07:49:17 +0100
Organization: A noiseless patient Spider
Lines: 14
Message-ID: <ukue9e$1la0v$1@dont-email.me>
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
<9074614f4dd0125a8cf8145513d84626@dizum.com>
<ukpscs$2qk4$1@cabale.usenet-fr.net> <8mh6kvgxd1.fsf@raybanana.net>
<ukqet4$3itp1$1@news.usenet.ovh>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 8 Dec 2023 06:49:18 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="a5be46daf73d52ff63933568ac655d6c";
logging-data="1746975"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19qE5eRnzuX4ylrFc05cBwr"
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:2vbeNgYoQ4HUWhh1pj1HURK6ZhQ=
In-Reply-To: <ukqet4$3itp1$1@news.usenet.ovh>
Content-Language: fr
 by: Franck - Fri, 8 Dec 2023 06:49 UTC

Hello,

>> Chances are that some of the nocemizers have already been filtering on
>> 10 character hex strings as the only non-whitespace content of a line
>> ;-).
>
> The line begins with a space followed by the code.
> On the last or penultimate line of the message.

I'm not interested in the subject but perhaps adding [> \t]* to the
beginning of the regex will do the trick, even if the line is quoted in
the future?

Franck
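
The criterion as the thread narrows it down (llp: a space followed by the code, on the last or penultimate line; Franck: allow a `[> \t]*` prefix so quoted copies still match), as an added Python example that is not code from any poster or from an existing filter. The function name, the sample bodies and the lowercase-only hex class are assumptions.

```python
import re

# Franck's optional prefix [> \t]* (quote marks, spaces, tabs), then exactly ten
# hex digits as the only other content of the line. Lowercase-only is an
# assumption based on the strings quoted in the thread.
TRAILER_RE = re.compile(r"^[> \t]*([0-9a-f]{10})[ \t]*$")


def find_trailer(body, tail_lines=2):
    """Return the ten-hex-digit token found on one of the last `tail_lines`
    lines of an article body (trailing blank lines ignored), or None.
    tail_lines=None scans every line of the body."""
    lines = body.splitlines()
    while lines and not lines[-1].strip():
        lines.pop()                      # ignore trailing blank lines
    candidates = lines[-tail_lines:] if tail_lines else lines
    for line in reversed(candidates):
        match = TRAILER_RE.match(line)
        if match:
            return match.group(1)
    return None


# Constructed sample bodies (not real articles); example.invalid is a placeholder.
SPAM = "Download the full version here:\nhttps://example.invalid/file.rar\n\n 35727fac0c\n"
PENULTIMATE = ("Free download, link below\nhttps://example.invalid/setup.zip\n"
               " eebf2c3492\nSent from my phone\n")
# A top-posted reply that quotes the whole spam: only the [> \t]* prefix catches it.
TOP_POSTED_REPLY = ("Why is this here?\n\nSomeone wrote:\n"
                    "> Download the full version here:\n"
                    "> https://example.invalid/file.rar\n>\n>  35727fac0c\n")
# Discussion of the tokens, as in the first article of this thread: the token
# is not the only content of its line, so the article is not flagged.
DISCUSSION = ('the very last line of all these spams is:\n'
              '" 35727fac0c" from November the 22nd to November the 28th;\n'
              '" eebf2c3492" after, up to today.\n')
# Token far from the end: missed by the tail check, found by a full scan.
BURIED = " eebf2c3492\nline one\nline two\nline three\n"
# Limitation: ten decimal digits are also ten hex digits, so this legitimate
# body is flagged too. A filter would combine the check with other signals.
TEN_DIGITS = "Call me back on this number:\n0123456789\n"

SAMPLES = {
    "spam": SPAM,
    "penultimate": PENULTIMATE,
    "top-posted reply": TOP_POSTED_REPLY,
    "discussion": DISCUSSION,
    "buried": BURIED,
    "ten digits": TEN_DIGITS,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:18} tail={find_trailer(body)!s:12} "
              f"full={find_trailer(body, tail_lines=None)}")
```
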

Re: A good criterion for detecting new googlegroups virus-download spams

<ul6nqo$esq$1@rasp.pasdenom.info>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2627&group=news.software.nntp#2627

Path: i2pn2.org!i2pn.org!news.niel.me!pasdenom.info!.POSTED.2a01:e0a:21:ea80:86de:764:800b:623!not-for-mail
From: yamo@beurdin.invalid (yamo')
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download
spams
Date: Mon, 11 Dec 2023 11:21:12 +0100
Organization: <http://pasdenom.info/news.html>
Message-ID: <ul6nqo$esq$1@rasp.pasdenom.info>
References: <ukn5ja$2068$1@cabale.usenet-fr.net>
<9074614f4dd0125a8cf8145513d84626@dizum.com>
<ukpscs$2qk4$1@cabale.usenet-fr.net> <8mh6kvgxd1.fsf@raybanana.net>
<ukqet4$3itp1$1@news.usenet.ovh> <ukue9e$1la0v$1@dont-email.me>
Reply-To: yamo@groumpf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 11 Dec 2023 10:21:12 -0000 (UTC)
Injection-Info: rasp.pasdenom.info; posting-account="stephane@usenet"; posting-host="2a01:e0a:21:ea80:86de:764:800b:623";
logging-data="15258"; mail-complaints-to="abuse@pasdenom.info"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0 SeaMonkey/2.53.17.1
Cancel-Lock: sha1:05ntpSq8/9hnv3loeXMfM6fGSiw= sha256:HKFdN8ovHWcYLmy4uQIuWcsF+pmaubW+mJ2eFgsuqVg=
sha1:SxZX/oFsCkdwj4WX9372BIwUO6Y= sha256:uShVw71eEcfir9g5GShOeAJGkM5SiJZN7lQpsfDp2kI=
In-Reply-To: <ukue9e$1la0v$1@dont-email.me>
X-Seamonkey: <https://www.seamonkey-project.org/>
 by: yamo' - Mon, 11 Dec 2023 10:21 UTC

Hi,
Franck typed on 08/12/2023 07:49:
> I'm not interested in the subject but perhaps adding [> \t]* to the
> beginning of the regex will do the trick, even if the line is quoted in
> the future?

Thanks for your advice.

I use it.

--
Stéphane

Re: A good criterion for detecting new googlegroups virus-download spams

<um50on$2dj5q$1@news.usenet.ovh>

https://www.rocksolidbbs.com/computers/article-flat.php?id=2755&group=news.software.nntp#2755

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!usenet.ovh!news.usenet.ovh!.POSTED!not-for-mail
From: llp@news.usenet.ovh (llp)
Newsgroups: news.software.nntp
Subject: Re: A good criterion for detecting new googlegroups virus-download spams
Date: Fri, 22 Dec 2023 22:57:43 +0100
Organization: Alfa Network En Travaux
Message-ID: <um50on$2dj5q$1@news.usenet.ovh>
References: <ukn5ja$2068$1@cabale.usenet-fr.net> <9074614f4dd0125a8cf8145513d84626@dizum.com> <ukpscs$2qk4$1@cabale.usenet-fr.net> <8mh6kvgxd1.fsf@raybanana.net> <ukqet4$3itp1$1@news.usenet.ovh> <ukue9e$1la0v$1@dont-email.me> <ul6nqo$esq$1@rasp.pasdenom.info>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 22 Dec 2023 21:57:43 -0000 (UTC)
Injection-Info: news.usenet.ovh; posting-account="llp";
logging-data="2542778"; mail-complaints-to="abuse@usenet.ovh"
Cancel-Lock: sha256:Om497NLcPhcZsxlrN7K8toSjLdZGpmPlaQvc5z24G+U=
X-Newsreader: MesNews/1.08.06.00-fr
 by: llp - Fri, 22 Dec 2023 21:57 UTC

yamo' put forward the following idea:
> Hi,
> Franck typed on 08/12/2023 07:49:
>> I'm not interested in the subject but perhaps adding [> \t]* to the
>> beginning of the regex will do the trick, even if the line is quoted in
>> the future?
>
> Thanks for your advice.
>
>
> I use it.

Three others: a8ba361960, d8cbe59d7d and 0aad45d008

The latest joins the daily spam wave
