24 November 2009

SPAM fighting with RBLs

Our company's email server had been taking a bit of strain from SPAM recently, and it seemed as though thousands of spam mails were getting through to my end users.

ScanMail for Exchange was picking up about 57000 SPAM mails a month, but I would still get about 200 spam mails a day in my own inbox!

I did some research and eventually found RBLs (Real-time Blacklists). An RBL is a list of the IP addresses of known spam email servers, published over DNS so a mail server can check each connecting host against it. There are several RBL providers out there, and it is very simple and in most cases free to set up.

Check out the following link to get your Exchange 2003 server set up with an RBL:

I am currently using the following RBLs:


Since implementing the RBL I have seen spam in my own inbox drop from 200 a day to about 2 a day. I also noted that since the beginning of the month the number of SPAM mails detected is down from 57000 to 6500! And I should see an even greater drop next month, as I implemented the RBL on about the 10th of the month!
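The post describes an RBL as a list of IP addresses; the lookup itself is a DNS query. As an added example (not code from the post), the following Python builds that query by reversing the connecting host's octets under the RBL zone and treats a 127.0.0.x answer as "listed". The zone name rbl.example and the answer table are constructed placeholders, since the providers the post used were only shown in an image.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Placeholder zone (constructed): replace with the zone name your RBL provider gives you.
RBL_ZONE = "rbl.example"


def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL query name: the sender's octets reversed under the zone.
    e.g. 192.0.2.99 -> 99.2.0.192.rbl.example"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_resolve(name: str) -> Optional[str]:
    """Real resolver: an A record means listed, NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = RBL_ZONE,
              resolve: Callable[[str], Optional[str]] = dns_resolve) -> bool:
    """True only when the zone answers with a 127.0.0.0/8 address (the DNSBL convention).
    Any other answer is treated as not listed, so a wildcarded or dead zone never blocks all mail."""
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed offline stand-in for the RBL zone so the logic can be exercised without network access.
FAKE_ZONE_DATA = {
    "2.0.0.127.rbl.example": "127.0.0.2",   # 127.0.0.2 is the conventional "always listed" test address
    "99.2.0.192.rbl.example": "127.0.0.4",  # constructed listing for 192.0.2.99
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for sender_ip in ("127.0.0.2", "192.0.2.99", "198.51.100.7"):
        verdict = "listed" if is_listed(sender_ip, resolve=fake_resolve) else "not listed"
        print(f"{sender_ip}: {verdict}")
```

Swap fake_resolve for the default dns_resolve (and rbl.example for a real zone) to run it against a live list.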

09 November 2009

South African Bank Phishing

It seems as though some of our local South African banks are starting to fall foul of the phishers of late. It is a good time to keep your users informed and keep your proxy server's block list up to date with any new evil domains.

Here are some examples of phishing emails I got from a user.

ABSA PHISHING EMAIL 1:

The URL at the bottom takes the user to a spoofed website that looks like an Absa logon page:


Dear Customer,

We,upgrades its internet security on a continuing basis to ensure that our customers are protected. Protecting information is a shared responsibility and we request you to exercise caution at all times when using online services or accessing your emails.

Due to the open nature of the internet, Absa cannot guarantee the complete security of your transactions from hacking, unauthorized access, virus attacks, and /or other 3rd party attempts to breach our latest security features that we have used. All Online banking users are required to adhere strictly to this warning and follow up the process of this adjustments. Absa will not be responsible for loss of funds to online phishers as a result of failure to comply with this important new directives

Register your online banking access, click continue below and follow the instructions so you don't stand a chance of lossing your details to a third party.

http://www.absa.co.za/ib.jsp/Administrator
Administrator
Absa Bank Limited

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your absa Online account and choose the "Help" link on any page.
absa bank Email ID # 1009

ABSA PHISHING 2:

The link from this mail seemed to be broken at the time of publishing.

Dear Customer,

The internet has become widely accepted for banking online. While we have taken all the possible measures to ensure security and confidentiality of our online banking systems, you play an important role in protecting your personal information and Passwords. You have to protect your information at all times, be it over the internet or during your normal banking activities.

Due to the open nature of the internet, Absa cannot guarantee the complete security of your transactions from hacking, unauthorized access, virus attacks, and /or other 3rd party attempts to breach our latest security features that we have used.

To Upgrade for this comprehensive security features,click below and follow the instructions

http://www.absa.co.za/security/features
Management
Absa Bank Group

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your absa Online account and choose the "Help" link on any page.
absa bank Email ID # 1009

FNB PHISHING 1

At the time of publishing the domain name that the link in the email takes the user to seems to have been disabled or broken.

Dear FNB Customer,

In the last fews weeks, our Online Banking Security team has observed multiple logon attempts on your internet banking account from different blacklisted IP's.

For your safety we have decided to suspend your access. You will need to verify your identity.

Click Here to continue

Security Management
First National Bank

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your fnb Online account and choose the "Help" link on any page.
fnb bank Email ID # 1009

13 October 2009

SPAM: Server Upgrade

I have been alerted to a couple of users who are receiving spam that contains links to external websites. The message is as follows:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.<your domain>.<various>/ssl/id=73616375-<email>-patch2844683.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

I have noticed the following domain names being used so far which I have blocked on my proxy server:

*.admin-db.net
*.1ssl-certs.com

According to: http://www.dshield.org/diary.html?storyid=7333

The link leads the user to a download which disables AV and has Trojan / key logger characteristics.

Once again the URL contains the user's email address, so the site will probably log the entry to a database for future spamming.

I would suggest that you add all the domain names that you encounter in these messages to your proxy blocked list to prevent users from giving their email addresses away for future attacks.

28 September 2009

tax-statement-taxpayer_id*.exe

There are some fake IRS spam mails circulating at the moment that go to a page and try to get you to download a virus file, which Trend Micro OfficeScan picks up as TROJ_ZBOT.CBY.

I am particularly worried about this email, as it seems as though the URL contains the email address of the user it was sent to. This allows the owner of the site to log valid email addresses whenever someone clicks on the link in the email. They don't even need to download the file to become a bigger target for spam.

Solution: I also noticed that there are multiple domains that users are being redirected to so I decided to block *.irs.gov.*.com on our Proxy server to prevent users getting themselves on a spam list.

I found the following domain names in this type of attack so far:

*.irs.gov.y11dera.com

*.irs.gov.fedas1am.com

*.irs.gov.fedasaz.com

*.irs.gov.y11derq.com


Screenshot of the website you get redirected to when you click on the link in the emails.
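The "Server Upgrade" and fake IRS posts above both come down to the same two checks: block the wildcard domains on the proxy, and treat a link that carries the recipient's own email address as hostile. As an added example (not code from the posts), the following Python applies those block entries to URLs and flags links embedding a known recipient address; the sample URLs and the jsmith@example.com address are constructed, the host patterns are the ones the posts list.

```python
import re
from urllib.parse import unquote, urlsplit

# Wildcard entries taken from the two posts above (proxy-style host globs).
BLOCKED_HOST_PATTERNS = ["*.admin-db.net", "*.1ssl-certs.com", "*.irs.gov.*.com"]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a proxy-style host glob into an anchored regex.
    '*' matches any run of characters, dots included, because the spam put several labels
    before the real domain (updates.<your domain>.<various>); a leading '*.' is made
    optional so the bare domain is blocked as well."""
    pat = pattern.lower()
    bare_ok = pat.startswith("*.")
    if bare_ok:
        pat = pat[2:]
    body = ".*".join(re.escape(piece) for piece in pat.split("*"))
    if bare_ok:
        body = r"(?:.*\.)?" + body
    return re.compile(rf"^{body}$")


BLOCKED = [glob_to_regex(p) for p in BLOCKED_HOST_PATTERNS]


def host_blocked(url: str) -> bool:
    """True when the URL's host matches one of the block entries (never a longer parent domain)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(rx.match(host) for rx in BLOCKED)


def embeds_recipient(url: str, recipient: str) -> bool:
    """True when the recipient's own address appears in the link after %-decoding.
    Both campaigns did this so the site can log which addresses are live."""
    return recipient.lower() in unquote(url).lower()


def classify(url: str, recipient: str) -> dict:
    return {"blocked_host": host_blocked(url), "embeds_recipient": embeds_recipient(url, recipient)}


# Constructed samples shaped like the links in the posts; the hosts reuse the posts' domains.
RECIPIENT = "jsmith@example.com"
SAMPLE_URLS = [
    "http://updates.example.com.admin-db.net/ssl/id=73616375-jsmith%40example.com-patch2844683.aspx",
    "http://www.irs.gov.y11dera.com/tax-statement-taxpayer_id.html",
    "http://1ssl-certs.com/ssl/update",
    "https://www.irs.gov/",  # the real site must not match *.irs.gov.*.com
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u, RECIPIENT), u)
```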

16 July 2009

AutoRuns

Ever wondered why your computer is taking forever to start up? Well then AutoRuns is for you! This is the most comprehensive application that I have seen for finding and disabling automatically started processes. I think I am going to be using AutoRuns a lot in future! I love Sysinternals!


14 July 2009

Sending Emails From CMD

I was recently asked to write a script to check if a file exists and then email someone if the file is found. I found this program called Blat. Blat is a command line email client. Basically, all I did to get it working was download and copy blat.exe and blat.dll to %SystemRoot%\System32.

Check the code below:

@ECHO OFF
REM ### CONFIGURE SETTINGS HERE ################
set SMTPServer=127.0.0.1
set ToAddress=email@mydomain.com
set FromAddress=email@mydomain.com
set ServerName=My Server Name
REM File whose presence triggers the alert (quoted in case the path contains spaces)
set find="C:\myfile.txt"
REM #####################################
IF EXIST %find% (goto senderror)
goto end

:senderror
set Subject=File Found
set MessageBody=%ServerName% - File Found. (%Date%)
REM blat.exe and blat.dll were copied to %SystemRoot%\System32 as described above
%SystemRoot%\System32\blat.exe -server %SMTPServer% -f %FromAddress% -to %ToAddress% -subject "%ServerName% - %Subject%" -body "%MessageBody%"
goto end

:end
@ECHO ON

08 July 2009

Google Chrome OS

Google announced Google Chrome OS recently. It seems as though Google is again pushing cloud computing. The net-book revolution is the next thing in computers with all the major players starting to take notice. Ever since the Asus EEPC was launched a while back people have begun to sit up and notice. Intel is currently also in the race as they have started developing an operating system specifically for net-books.

I do think that Google once again has the advantage as they are the ones who have all the cloud applications already. With Gmail, Google Docs, Calendar and more already pretty stable they are more than ready to give the world a taste of cloud computing. And now with the announcement of their own net-book OS that comes with Google Chrome they will be able to run all of their applications in a browser specifically designed to run those applications as fast as possible.

I can’t wait to see what they come up with.

11 June 2009

Windows Vista SP2

Today I accidentally found out that Windows Vista SP2 has been released! I was going through my WSUS server and noticed that my machine had a lot of updates outstanding. I then saw an entry that said: "Windows Vista Service Pack 2 Standalone (KB948465) - English, French, German, Japanese, Spanish"

Well it looks like SP2 was released about 2 weeks ago according to this KB Article.

Anyway I am waiting for my WSUS server to download it so I can install!

04 February 2009

Microsoft Doing it Again with Windows 7?

It looks as though our dear friends at Microsoft are not learning from their mistakes.
According to this article Windows 7 is expected to come in 7 different flavours! ARG!
I wish these guys would catch a wake-up and stick to the good old days of single desktop and server OS releases instead of making life so confusing with 7 versions!
Come on Microsoft, catch the hint: no-one wants 7 choices for something as boring as an operating system. Why do you think Linux has been struggling for so many years?

30 January 2009

Recession to fuel Open Source?

With the world economies in a bit of a downward spiral, the demand for Open Source technologies should increase dramatically. Business should soon start to see the value in migrating certain systems to open source. I have a hard time justifying Microsoft Office licences when there are freely available alternatives. The only cost a business may incur is some training costs to migrate the users over to the new package. This however should quite easily be justified, as it means a lifetime of free and open source software as opposed to the pain of being forced to upgrade systems at huge expense every couple of years.

I still think that most businesses will however need to stick with Windows as an OS, but office applications and others can be migrated to Open Office.

20 January 2009

Bulk Modify Active Directory Users Accounts

Basically my friend upgraded his old server and migrated Active Directory to the new server. Active Directory pointed their profile paths to the server name or IP address of the old server. So he needed to be able to modify all his users' profile paths so that they pointed to the new server. He could do it one at a time, but after doing a couple of hundred I am sure he would have gone insane!

I found this tool: ADModify.net

Snippet from their website:

"ADModify.NET is a tool primarily utilized by Exchange and Active Directory administrators to facilitate bulk user attribute modifications."

This tool is awesome! It does exactly what it says it does! It allows you to bulk edit Active Directory user accounts. You can bulk modify almost any setting in an AD user account using this tool! I am definitely going to keep this one for future, it makes life so much easier!

Google Forms

I recently noticed that Google Docs has a new feature called Google Forms. It seems to be a pretty cool feature that allows you to create online forms that can be embedded in just about any blog or web page, or emailed. When a person fills out the form the information gets saved into your Google Docs account. This lets you go through the results in a nice simple spreadsheet.

This is a very useful tool. Give it a try.


09 January 2009

A Brief History of the Internet

I found this cool video on Digg. It is a nice introduction to the history of the Internet.