• A good criterion for detecting new googlegroups virus-download spams

    From Olivier Miakinen@21:1/5 to All on Tue Dec 5 13:38:02 2023
    XPost: news.admin.peering, news.software.nntp

    [Preliminary note:

    This article is crossposted in three groups because I don't know which
    one is the most appropriate. I would have said news.admin.net-abuse.usenet
    but this group seems to be highly spammed itself, so I set the followup
    to news.software.nntp.

    Please do a new crosspost with the correct Followup-To if you know better
    than I do.
    ]


    For the past few days I've been actively chasing the new spams originating
    from Google Groups, all with a link to download a .zip or .rar file, most
    probably a virus. I do it on the fr.* French-speaking hierarchy because I am
    a Frenchman (also please excuse me if I make mistakes in English).

    Yesterday, Pierre Pallier pointed out on fr.usenet.abus.d that all these
    spams end with a kind of signature. He noticed it on alt.* newsgroups, but
    I checked the exact same thing on fr.* newsgroups.

    In brief, the very last line of all these spams is:
    " 35727fac0c" from November the 22nd to November the 28th;
    " eebf2c3492" after, up to today.

    Maybe another signature could occur from time to time, but it changes far
    less frequently than the From header or the Subject header. Of course it
    requires downloading the whole body and not only the headers before deciding
    that it is a spam (that is why my own robot cannot rely on that criterion),
    but maybe it can help other guys here, including newsmasters.


    [reminder: please choose the appropriate group for responding]


    Best Regards,
    --
    Olivier Miakinen

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
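As an added example (not part of Olivier's post or of any existing filter), a small Python check that applies the trailing-line criterion: it splits a raw article at the header/body boundary, takes the last non-blank body line and compares it with the two signatures quoted above. The sample articles are constructed, and the "undecided" result shows why a headers-only robot cannot use this rule.

```python
"""Flag Usenet articles whose last body line is a known spam signature."""
from typing import List, Optional, Tuple

# Last-line signatures quoted in the post (leading space included).
# A newsmaster would extend this set as new ones are observed.
KNOWN_SIGNATURES = {" 35727fac0c", " eebf2c3492"}


def split_article(raw: bytes) -> Tuple[List[str], Optional[List[str]]]:
    """Split a raw NNTP article into header lines and body lines.

    Returns body=None when there is no header/body separator, i.e. only the
    headers were fetched (HEAD instead of ARTICLE or BODY).
    """
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    head, sep, body = text.partition("\n\n")
    if not sep:
        return head.split("\n"), None
    return head.split("\n"), body.split("\n")


def last_body_line(body: List[str]) -> Optional[str]:
    """Return the last non-blank body line, ignoring trailing empty lines."""
    for line in reversed(body):
        if line.strip():
            return line.rstrip("\r")
    return None


def classify(raw: bytes) -> str:
    """'spam' if the last body line is a known signature, 'ham' otherwise,
    'undecided' when no body is available (headers-only fetch)."""
    _headers, body = split_article(raw)
    if body is None:
        return "undecided"
    return "spam" if last_body_line(body) in KNOWN_SIGNATURES else "ham"


# Constructed sample articles (not real messages); only the shape matters.
SPAM_ARTICLE = (
    b"From: someone@example.invalid\r\nNewsgroups: fr.test\r\n"
    b"Subject: test\r\n\r\n"
    b"Body text of the message.\r\n\r\n eebf2c3492\r\n"
)
HAM_ARTICLE = b"From: a@example.invalid\r\nSubject: hi\r\n\r\nHello, world.\r\n"
HEADERS_ONLY = b"From: a@example.invalid\r\nSubject: hi\r\n"

if __name__ == "__main__":
    for name, art in [("spam", SPAM_ARTICLE), ("ham", HAM_ARTICLE),
                      ("headers-only", HEADERS_ONLY)]:
        print(name, "->", classify(art))
```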