Rocksolid Light
A good criterion for detecting new googlegroups virus-download spams

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!eternal-september.org!news.gegeweb.eu!gegeweb.org!usenet-fr.net!.POSTED!not-for-mail
From: om+news@miakinen.net (Olivier Miakinen)
Newsgroups: news.admin.net-abuse.usenet,news.admin.peering,news.software.nntp
Subject: A good criterion for detecting new googlegroups virus-download spams
Followup-To: news.software.nntp
Date: Tue, 5 Dec 2023 13:38:02 +0100
Organization: There's no cabale
Lines: 38
Message-ID: <ukn5ja$2068$1@cabale.usenet-fr.net>
NNTP-Posting-Host: 200.89.28.93.rev.sfr.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Trace: cabale.usenet-fr.net 1701779882 65736 93.28.89.200 (5 Dec 2023 12:38:02 GMT)
X-Complaints-To: abuse@usenet-fr.net
NNTP-Posting-Date: Tue, 5 Dec 2023 12:38:02 +0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0 SeaMonkey/2.49.4
X-Mozilla-News-Host: news://news.galacsys.net:119

[Preliminary note:

This article is crossposted in three groups because I don't know which
one is the most appropriate. I would have said news.admin.net-abuse.usenet
but this group seems to be highly spammed itself, so I set the followup
to news.software.nntp.

Please do a new crosspost with the correct Followup-To if you know better
than I do.
]

For the past few days I've been actively chasing the new spams originating
from Google Groups, all with a link to download a .zip or .rar file, most
probably a virus. I do it on the fr.* French-speaking hierarchy because I am
a French man (also please excuse me if I make mistakes in English).

Yesterday, Pierre Pallier pointed out on fr.usenet.abus.d that all these
spams end with a kind of signature. He noticed it on alt.* newsgroups, but
I checked the exact same thing on fr.* newsgroups.

In brief, the very last line of all these spams is:
" 35727fac0c" from November the 22nd to November the 28th;
" eebf2c3492" after, up to today.

Maybe another signature could occur from time to time, but it changes much
less frequently than the From header or Subject header. Of course it requires
downloading the whole body, and not only the headers, before deciding that
it is a spam (that is why my own robot cannot rely on that criterion),
but maybe it can help other guys here, including newsmasters.

[reminder: please choose the appropriate group for responding]

Best Regards,
--
Olivier Miakinen
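As an added example (not code from the post or its author), here is a small Python filter that applies the last-line criterion above to a complete article: it needs the full body, exactly as the post says, and matches the two reported tokens. The "suspect" tier for other bare 10-character hex tokens on the final line is my own assumption, not something the post claims; the sample articles are constructed.

```python
import re

# The two trailing-line signatures reported in the post (22-28 Nov 2023, then after).
KNOWN_SIGNATURES = {"35727fac0c", "eebf2c3492"}

# Assumption (not from the post): a future variant would likely look like the same
# kind of token, a bare 10-character lowercase hex string on the very last line.
TOKEN_RE = re.compile(r"^[0-9a-f]{10}$")


def split_article(article: str) -> tuple[str, str]:
    """Split a raw NNTP article into (headers, body) at the first blank line."""
    text = article.replace("\r\n", "\n")          # tolerate CRLF line endings
    head, _, body = text.partition("\n\n")
    return head, body


def last_body_line(article: str) -> str:
    """Return the last non-blank body line (headers-only fetches cannot do this)."""
    _, body = split_article(article)
    for line in reversed(body.split("\n")):
        if line.strip():
            return line
    return ""


def classify(article: str) -> str:
    """'known' for a reported signature, 'suspect' for a lookalike token, else 'clean'."""
    token = last_body_line(article).strip()        # the post shows a leading space
    if token in KNOWN_SIGNATURES:
        return "known"
    if TOKEN_RE.match(token):
        return "suspect"
    return "clean"


# Constructed sample articles, not real captures.
SPAM = "From: x@example.invalid\nNewsgroups: fr.test\nSubject: sample\n\nsome text\n\n eebf2c3492\n"
HAM = "From: y@example.invalid\r\nNewsgroups: fr.test\r\n\r\nHello,\r\n\r\nA normal post.\r\n-- \r\nY\r\n"
LOOKALIKE = "From: z@example.invalid\nNewsgroups: fr.test\n\nsome text\n 0123456789\n"

if __name__ == "__main__":
    for name, art in (("SPAM", SPAM), ("HAM", HAM), ("LOOKALIKE", LOOKALIKE)):
        print(name, classify(art))
```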
