A good criterion for detecting new googlegroups virus-download spams


Olivier Miakinen

Dec 5, 2023, 7:38:04 AM
[Preliminary note:

This article is crossposted in three groups because I don't know which
one is the most appropriate. I would have said news.admin.net-abuse.usenet
but this group seems to be highly spammed itself, so I set the followup
to news.software.nntp.

Please do a new crosspost with the correct Followup-To if you know better
than I do.
]


For the past few days I've been actively chasing the new spams originating
from Google Groups, all with a link to download a .zip or .rar file, most
probably a virus. I do it on the fr.* French-speaking hierarchy because I am
a Frenchman (also please excuse me if I make mistakes in English).

Yesterday, Pierre Pallier pointed out on fr.usenet.abus.d that all these
spams end with a kind of signature. He noticed it on alt.* newsgroups, but
I checked the exact same thing on fr.* newsgroups.

In brief, the very last line of all these spams is:
" 35727fac0c" from November the 22nd to November the 28th;
" eebf2c3492" after, up to today.

Maybe another signature could occur from time to time, but it changes way
less frequently than the From header or Subject header. Of course it requires
downloading the whole body and not only the headers before deciding that
it is a spam (that is why my own robot cannot rely on that criterion),
but maybe it can help other guys here including newsmasters.


[reminder: please choose the appropriate group for responding]


Best Regards,
--
Olivier Miakinen
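
The last-line criterion described in the post above, as an added example that is not part of the original post: it flags articles whose final non-blank body line is one of the two quoted tokens, and also reports unseen tokens of the same shape shared by several articles, since the post notes the signature may change. The function names, the sample articles and the "10 lowercase hex characters" shape are assumptions made for this illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Trailer tokens quoted in the post above (compared after stripping whitespace).
KNOWN_TRAILERS = {"35727fac0c", "eebf2c3492"}
# Assumption: future trailers keep the same shape, 10 lowercase hex characters.
TRAILER_SHAPE = re.compile(r"[0-9a-f]{10}")

def last_body_line(raw_article):
    """Return the last non-blank body line of a raw article, stripped."""
    msg = message_from_string(raw_article)
    # Assumption: bodies are plain, unencoded text (no base64/quoted-printable).
    parts = [p for p in msg.walk() if not p.is_multipart()]
    text = "\n".join(str(p.get_payload()) for p in parts)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[-1] if lines else ""

def has_known_trailer(raw_article):
    """True when the article ends with one of the reported tokens."""
    return last_body_line(raw_article) in KNOWN_TRAILERS

def candidate_trailers(raw_articles, min_count=3):
    """Trailer-shaped last lines, not yet known, shared by >= min_count articles."""
    counts = Counter(last_body_line(a) for a in raw_articles)
    return {t: n for t, n in counts.items()
            if n >= min_count and t not in KNOWN_TRAILERS
            and TRAILER_SHAPE.fullmatch(t)}

def article(subject, body):
    # Builds a constructed sample article; header values are made up.
    return f"From: someone@example.invalid\nSubject: {subject}\n\n{body}\n"

# Constructed samples: two with the reported tokens, one ordinary post,
# three sharing a made-up token to show discovery of a changed signature.
SAMPLES = [
    article("Download A", "Get it here: http://example.invalid/a.zip\n\n eebf2c3492"),
    article("Download B", "http://example.invalid/b.rar\n 35727fac0c\n\n"),
    article("Re: INN config", "Thanks, that fixed it.\n-- \nA reader"),
    article("New 1", "http://example.invalid/1.zip\n 0123456789"),
    article("New 2", "http://example.invalid/2.zip\n 0123456789"),
    article("New 3", "http://example.invalid/3.zip\n 0123456789"),
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(has_known_trailer(a), repr(last_body_line(a)))
    print("candidates:", candidate_trailers(SAMPLES))
```

Candidates are only a review queue: a repeated hex-looking last line still needs a human check before it is added to `KNOWN_TRAILERS`.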