January 30, 2011

My Spam analysis & filter updates for the week of Jan 24 - 30, 2011

For the third week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software, Russian brides and Work at home (Money Mule - criminal money laundering) scams.

Over the past 7 days, spam for various types of garbage amounted to 49% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 24-30, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

MailWasher Pro by Firetrust
Percentage classified as spam: 49%; up 3% from last week
Number of messages classified as spam: 328
Number classified by my custom spam filters: 279
Number classified by my custom blacklist: 39
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 3
Number of spam messages seen, reported to SpamCop & manually deleted: 20
The spam categories, ranked from the highest percentage to the lowest, are as follows:
Pharmaceuticals and fake prescription drugs: 21.50%
Fake Viagra and Cialis: 17.13%
Counterfeit Watches: 16.82%
Known Spam Domains in links (usually Russian: .RU): 15.58%
Blacklisted sender names and domains (my blacklist): 12.15%
Male Enhancement scam: 4.67%
Russian Bride scam: 4.36%
Re: (digits): 1.87%
Other Filters (with small percentages): 1.87%
Software Spam: 1.25%
Work At Home Scam: 1.25%
DNS Blacklisted Senders: 0.93%
Lottery Scam: 0.62%
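The three sources behind the counts above (DNS blocklists, the personal blacklist, and the custom content filters) can be modelled as a small rule-based triage that produces the same kind of weekly summary. The following Python script is an added example, not MailWasher Pro's code and not the author's actual filter set; its rules, blacklist entries, blocklist answers and sample messages are all constructed for the illustration.

```python
"""Rule-based spam triage modelled on the weekly report above.

Added example: not MailWasher Pro code and not the author's actual filter
set. Category names follow the report; the rules, blacklist, blocklist
answers and sample messages are constructed for this illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-ins for the author's personal blacklist (addresses or
# whole domains) and for what a DNS blocklist lookup would answer.
BLACKLIST = {"spammer@example.net", "example.su"}
DNSBL_LISTED_IPS = {"198.51.100.7"}          # TEST-NET-2, reserved for docs

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

# Custom content filters in priority order: (category, regex, scope).
# Scope "subject" tests the subject alone, "all" the subject plus body.
CUSTOM_FILTERS = [
    ("Fake Viagra and Cialis", re.compile(r"\b(viagra|cialis)\b", re.I), "all"),
    ("Pharmaceuticals and fake prescription drugs",
     re.compile(r"\b(pharmacy|prescription|meds)\b", re.I), "all"),
    ("Counterfeit Watches", re.compile(r"\b(rolex|replica watch(es)?)\b", re.I), "all"),
    ("Male Enhancement scam", re.compile(r"\b(enlargement|enhancement)\b", re.I), "all"),
    ("Re: (digits)", re.compile(r"\ARe:\s*\d+\s*\Z", re.I), "subject"),
]


def link_hosts(body):
    """Lower-cased hostnames of every http(s) URL found in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def classify(msg):
    """Return the spam category for one message, or None if no rule fires.

    The order mirrors the report's three sources: DNS blocklist hit on the
    sending IP, then the personal blacklist, then the custom content
    filters (first match wins), then the known-spam-domain link check.
    """
    if msg.get("sender_ip") in DNSBL_LISTED_IPS:
        return "DNS Blacklisted Senders"
    sender = msg["sender"].lower()
    domain = sender.rpartition("@")[2]
    if sender in BLACKLIST or domain in BLACKLIST:
        return "Blacklisted sender names and domains"
    subject, body = msg["subject"], msg["body"]
    for category, pattern, scope in CUSTOM_FILTERS:
        haystack = subject if scope == "subject" else subject + "\n" + body
        if pattern.search(haystack):
            return category
    if any(h == "ru" or h.endswith(".ru") for h in link_hosts(body)):
        return "Known Spam Domains in links"
    return None


def report(messages):
    """Summarise a batch the way the weekly report does: overall spam
    percentage plus categories ranked by their share of the spam."""
    counts = Counter()
    for m in messages:
        category = classify(m)
        if category:
            counts[category] += 1
    spam = sum(counts.values())
    ranking = [(c, round(100.0 * n / spam, 2)) for c, n in counts.most_common()]
    return {
        "total": len(messages),
        "spam": spam,
        "spam_percent": round(100.0 * spam / len(messages), 2) if messages else 0.0,
        "ranking": ranking,
    }


def _m(sender, sender_ip, subject, body):
    return {"sender": sender, "sender_ip": sender_ip, "subject": subject, "body": body}


# Constructed sample batch (example.* domains, TEST-NET sender addresses).
SAMPLE_MESSAGES = [
    _m("alice@example.com", "192.0.2.10", "Lunch tomorrow?", "Noon at the usual place?"),
    _m("promo@example.org", "192.0.2.11", "Cheap VIAGRA online", "Order at http://pills.example.ru/"),
    _m("deals@example.org", "192.0.2.12", "Cialis 80% off", "No prescription needed"),
    _m("watch@example.org", "192.0.2.13", "Replica Rolex", "Swiss look for less"),
    _m("news@example.org", "192.0.2.14", "Hello", "See http://shop.example.ru/sale today"),
    _m("x@example.org", "192.0.2.15", "Re: 48213", "click here"),
    _m("anyone@example.su", "192.0.2.16", "Hi there", "Nothing suspicious in the text"),
    _m("rx@example.org", "198.51.100.7", "Pharmacy discounts", "Cheapest meds"),
    _m("bob@example.com", "192.0.2.17", "Re: budget", "Numbers attached."),
]

if __name__ == "__main__":
    summary = report(SAMPLE_MESSAGES)
    print(f"Percentage classified as spam: {summary['spam_percent']}%")
    for category, pct in summary["ranking"]:
        print(f"{category}: {pct:.2f}%")
```

Note that a message matching several rules is counted once, under the first rule that fires, which is why the filter order matters when the categories are ranked.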

I made 9 additions/updates to my custom filters:
Dating Spam,
Russian Bride Scam,
Diploma Spam,
Facebook Scam,
Known Spam Domains,
Pump and Dump Scam,
Work At Home Scam (3x),
Viagra [B].
New filter: Russian Bride Scam.

I made 1 change to my custom Blacklist:
[email protected]

As mentioned in the previous paragraphs, I use MailWasher Pro to delete spam before I download it to my email program (Windows Live Mail). This is my first line of defense against email-borne threats. If you are using a desktop email client (Windows Live mail, Outlook, Outlook Express, etc) and are not pre-screening incoming email for threats, you may be at risk from scripted attacks carried inside email messages, or from infected attachments, or from hostile links enclosed in them.

Where does email spam come from?

In the last decade of the 20th Century, most spam was sent from email providers that were paid to send out spam runs. Some was even sent through the personal email accounts of spammers, until they had their accounts terminated for violating the terms of service. As complaints mounted against unsolicited commercial email blasts, International laws, like the American "Can-Spam Act" were enacted to address the issue. As a result, the legitimate bulk email companies began dropping obvious spam accounts and refusing to take on new ones.

When email spammers were unable to rent the use of legitimate, or even quasi-legitimate bulk mail services, they turned to Chinese based email hosts that were billed as "bullet-proof" email services. They were called bullet-proof because they totally ignored complaints from angry spam recipients and spam reporting companies, like SpamCop. Furthermore, they were affiliated with similarly unconcerned upstream IP service providers who also turned a blind eye to complaints.

With so much spam being sent from China and its neighboring countries, email server administrators began blocking all Chinese and other Asian IP addresses. I myself began compiling a series of IP blocklists, one of which is known as the Chinese Blocklist. The Chinese Blocklist (and all others I publish) is available in two formats: .htaccess (for use on personal websites on shared hosting account servers) and iptables (for installation into Linux firewalls in the operating system of the server). Mail server admins often download my regularly updated iptables blocklists and use them to block undesirable traffic from particular regions of the World.

About 5 years ago the email spam sender-scape changed again, in large part due to the blocking of Chinese IP addresses at incoming email servers. This time, it shifted to the use of compromised personal and business computers that had become infected with malware known as "Botnet" executables. The Bot infections were spread by, what else, spam. People were tricked into downloading and installing Bot Trojans, turning their own PCs into zombies in spam armies. Now, in January 2011, all spam email is sent from infected PCs that are members of various Botnets.

How to prevent your computer from becoming a member of a spam Botnet

First of all, if you use a desktop (POP3) email client (program), rather than your browser, to send and receive email, try using MailWasher Pro to screen your incoming email for spam, before you download it to your desktop email client. Set MailWasher to check for mail every 15 or 20 minutes, but disable automatic checking in your email client. Once MailWasher has inspected your incoming messages and you have deleted spam and malware infected threats, then manually sync or receive the desirable email to your email program. My custom MailWasher filters will make it easier to identify and delete spam and known threat email.

Next, you need to protect your PC from constantly evolving viruses, spyware, keyloggers and Bot malware. I recommend Trend Micro Internet Security (TMIS), with its "cloud-based" definitions that are updated constantly, as malware is altered by criminal software writers, hackers and Bot herders. You can read about TMIS and download it from my webpage about Trend Micro security products. You can even try it for free for a month! A nice feature of TMIS is that one annual license allows you to install it on 3 PCs.

Trend Micro security programs all feature what they call the Smart Protection Network. It is part of the "cloud" based protection I mentioned. As hostile web pages are discovered, their locations are added to the definitions in the cloud. Any computers that use TMIS, with valid subscriptions, are blocked from accessing those pages, until their webmasters remove the infections (if ever).

If you use your Internet browser to handle email, any embedded threats will be downloaded into the browser's cache, or temporary files. These threats may be able to launch from those hidden caches and infect your computer. MailWasher Pro doesn't protect browser based email, but Trend Micro Internet Security does. With its advanced Bot detection and prevention mechanisms, it could become your computer's best friend.


January 29, 2011

Microsoft MHTML Critical Windows Vulnerability & Fix-it Tool

On January 28, 2011, Microsoft released a security advisory acknowledging a publicly-disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure, or worse.

Begin Techno-babble:

Proof Of Concept code has already been published and soon this vulnerability will be added to all of the most popular exploit attack kits. The vulnerability exists in all supported (and unsupported - end of life) versions of Windows, in an Internet protocol known as MHTML. Windows includes a web document protocol handler (MHTML:) that allows various applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing a hostile script to be executed.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context. An attacker who successfully exploited this vulnerability could inject a "client-side" script (that's your side) in the user's Internet Explorer browser, or background process. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a "pluggable" protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications capable of recognizing MHTML content.
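To make that MIME structure concrete, here is an added Python example (not Microsoft's code and not the published proof of concept) that parses a constructed MHTML document with the standard email library, lists the content blocks the MHTML: handler would resolve by Content-Location, and flags HTML blocks that carry inline script, which is what a mail gateway or web proxy filter would want to know before the handler renders them.

```python
"""Inventory of an MHTML (MIME-encapsulated HTML) document.

Added example: not Microsoft code and not the proof-of-concept. It shows
the multipart/related layout that the MHTML: protocol handler walks, and
reports the content blocks a filter would inspect before rendering.
"""
import email
import re
from email import policy

# Constructed sample: the two-part web archive a browser's "save as
# web archive" would write (example.com addresses, a 1x1 GIF as the image).
SAMPLE_MHTML = """\
Subject: Sample saved page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_1"

------=_Part_1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.example.com/index.html

<html><body><h1>Hello</h1><img src=3D"logo.gif">=
<script>console.log("inline")</script></body></html>
------=_Part_1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.example.com/logo.gif

R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=
------=_Part_1--
"""


def inventory(raw):
    """Walk the MIME tree and describe every leaf part, i.e. the content
    blocks the MHTML: handler resolves by their Content-Location header."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # the multipart/related container itself
        ctype = part.get_content_type()
        content = part.get_content()      # decoded: str for text/*, bytes otherwise
        entry = {
            "content_location": part.get("Content-Location"),
            "content_type": ctype,
            "encoding": part.get("Content-Transfer-Encoding"),
            "size": len(content),
            "has_script": False,
            # First bytes of a binary block, so a filter can check the
            # declared type against the real file signature.
            "magic": content[:6] if isinstance(content, bytes) else None,
        }
        if ctype == "text/html":
            # This block is what the handler renders; inline script inside
            # it is the thing a gateway filter wants to know about first.
            entry["has_script"] = re.search(r"<script\b", content, re.I) is not None
        parts.append(entry)
    return parts


def script_locations(raw):
    """Content-Locations of the HTML blocks that carry inline script."""
    return [p["content_location"] for p in inventory(raw) if p["has_script"]]


if __name__ == "__main__":
    for p in inventory(SAMPLE_MHTML):
        flag = " [inline script]" if p["has_script"] else ""
        print(f"{p['content_type']:<10} {p['encoding']:<16} {p['content_location']}{flag}")
```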

End Techno-babble

What you can do to protect your PC from this script injection vulnerability

First of all, limit your target-ability by using Mozilla Firefox or Google Chrome as your default web browser, instead of Microsoft's Internet Explorer. The MHTML scripts that are used in this exploit trigger certain events that are specific to Internet Explorer. However, even if you use a different brand of browser, if you are lured or redirected by a link to a hostile website, you can take it to the bank that other exploits will be launched against your browser. Still, you won't have the code injected into your Firefox or Chrome browser, as you would if you encounter this exploit using Internet Exploder!

The second thing all Windows users can do is to disable the MHTML handler that is responsible for this new vulnerability. A Fix-It Tool has been released by Microsoft, which can disable the affected protocol until Microsoft releases an official patch. There is also an Undo Tool on the same page. These Tools are just Windows Registry entries that turn off the MHTML Handler security zones for Internet Explorer and its children (MS Outlook, Outlook Express, Windows Mail, Windows Live Mail). This also disables (rare) MHTML content in Windows Media Player.

Note: since the MHTML vulnerability exists in other Windows applications besides Internet Explorer, you are strongly advised to disable that protocol, using the Fix-It Tool. Since this tool is based upon the Microsoft .msi extension, you must run it either from an Administrator level account (Win XP, Windows Server 2003 or older), or by elevating your privileges to Run As Administrator in Windows Server 2008, Vista and 7. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

See the Registry hack in my extended content to include the "Run As" command for .MSI files under Windows XP, Server 2003 and 2008, Windows Vista and Windows 7.

A few words about how this vulnerability can be exploited by email.

By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows (Live) Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user has unchecked the option to open email in that Zone, or clicks on a hostile link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

A Registry hack that adds the Run As command for .MSI files to the right click options

Copy and paste these 5 lines of code into a new text document (right-click inside a folder of your choice, then select New, then Text Document), save the pasted-in contents, then rename the file to something like: Run MSI As Admin.reg

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas]
@="Install &As Administrator..."

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@="msiexec /i \"%1\""

Now, double click on that reg file and, when asked if you want to add the information in (path and file name) to your Windows Registry, click Yes. If your account has sufficient privileges (Power User, Standard User, Administrator Group) to add information to the Local Machine branch of the Registry, the changes will take effect instantly. If you are running Vista or Windows 7, you may have to allow this change by answering a UAC prompt box.

If your account type is too limited to allow you to install this Registry update, switch users into an account that does have Admin privileges, then install the Reg file from there and log off that account and back into your regular (Limited User) account.

With the Registry hack installed, you can now right click on a .msi file and select "Run As" (XP, Server 2003), or "Run As Administrator" (Vista, 7, or Server 2008+). You will be asked for the Administrator account's password (under XP and Server 2003) and possibly also under some or all of the newer systems. Type the password for an admin level account, agree to any conditions of use, and proceed with the installation of the .msi file.

I have tested this Registry hack in Windows XP Professional, as a Power User, and it worked instantly.


January 23, 2011

My Spam analysis & filter updates for the week of Jan 17 - 23, 2011

For the second week in a row, the volume has increased again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software and Work at home (Money Mule) scams.

Over the past 7 days, spam for various types of garbage amounted to 46% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 17-23, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

MailWasher Pro by Firetrust
Percentage classified as spam: 46%; up just 2% from last week
Number of messages classified as spam: 285
Number classified by my custom spam filters: 255
Number classified by my custom blacklist: 18
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 8
The spam categories, ranked from the highest percentage to the lowest, are as follows:
Fake Viagra and Cialis: 35.90%
Pharmaceuticals and fake prescription drugs: 29.67%
Counterfeit (Rolex, etc) Watches: 10.99%
Known Spam Domains in links (usually Russian: .RU): 8.79%
Blacklisted sender names and domains (my blacklist): 6.59%
Male Enhancement scams: 2.20%
Other Filters (with small percentages): 1.83%
Nigerian 419 Scam: 1.10%
Software Spam: 1.10%
Work At Home Scam: 1.10%
Re: (digits): 0.73%

I made 2 additions/updates to my custom filters:
Work At Home Scam (2x)

I made 0 changes to my custom Blacklist.


January 18, 2011

Microsoft re-releases previously canceled update for Outlook 2007

On Patch Tuesday, January 11, 2011, Microsoft re-released an update that fixes the three issues identified in the December 14, 2010 Office Update for Microsoft Outlook 2007 (see my extended content for details). The original December update was withdrawn three days later, following numerous complaints about problems caused by that update. The new update released on January 11 was distributed by Microsoft Update and referenced as updated KB article KB2412171.

If you did not uninstall the December Update for Outlook 2007, then the update released on Tuesday, January 11, will fix the three known issues which you may be experiencing. It can be installed over the previous patch; thus, patching the patch.

If you did uninstall the December Update for Outlook 2007, then you can benefit from the new January update. To receive the January 11 update you can either run Windows Update on your computer; or download and install the update directly from the Microsoft Download Center. If you have automatic updates enabled, you will receive this update automatically.

Coincidentally, this re-released Office 2007 update has also patched a long standing vulnerability in the allowable Dynamic Link Library path, which was being targeted in published exploit kits used by hackers and criminals. The known applications affected by that particular DLL path vulnerability are listed on the Insecure Library Loading advisories page, on Secunia.com. Microsoft had 20 of its programs listed as being exploitable. Now, half have been patched; and it took five months to fix those 10. The list first appeared on August 24, 2010.

The three issues identified in the December 2010 update for Outlook 2007 are as follows:

  1. Outlook fails to connect if Secure Password Authentication (SPA) is configured for an account and the mail server does not support SPA. This is important for Google Gmail users because Gmail does not support SPA. Outlook customers using Gmail who have the SPA option turned on cannot connect to Gmail.
  2. Noticeable performance issues are experienced when switching between folders if you do not have a Microsoft Exchange Server account configured in Outlook. Switching folders might take several seconds depending on the performance of your computer. This issue only applies when you use an IMAP, POP3, or Outlook Live Connector account, such as Windows Live Hotmail, and do not have an Exchange Server account configured in the same Outlook profile. To determine if you are using an Exchange Server account, see the help article What is an Exchange account?
  3. AutoArchive cannot be configured for IMAP, POP3, or Outlook Live Connector accounts if there is no Exchange Server account configured in the same Outlook profile. If you previously configured AutoArchive, no additional items are archived.

January 16, 2011

My Spam analysis & filter updates for the week of Jan 10 - 16, 2011

After three steady weeks of declining spam, the volume has spiked up again. Botnets are again spewing out email spam for fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, pirated software and Russian dating scams.

Over the past 7 days, spam for various types of garbage amounted to 44% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 10-16, 2011. These classifications are based upon my own custom MailWasher spam filters. Most of this spam is automatically deleted by MailWasher Pro and my custom filters. The statistics are obtained from the program's logs.

MailWasher Pro by Firetrust
Percentage classified as spam: 44%; up 12% from last week
Number of messages classified as spam: 237
Number classified by my custom spam filters: 228
Number classified by my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 12
The spam categories, ranked from the highest percentage to the lowest, are as follows:
Fake Viagra and Cialis: 34.50%
Pharmaceuticals and fake prescription drugs: 21.83%
Counterfeit (Rolex, etc) Watches: 13.54%
Male Enhancement scams: 10.92%
Dating Spam (Russian Bride scams): 7.42%
Known Spam Domains in links (usually Russian: .RU): 3.49%
Software Spam: 3.06%
Other Filters (with small percentages): 2.18%
Numeric IP (to malware attack sites): 0.87%
Lottery Scam: 0.87%
Work At Home Scam: 0.87%
Blacklisted sender names and domains: 0.44%

I made 3 additions/updates to my custom filters:
Lottery Scam
Work At Home Scam
Pump and Dump Stock Scam

I made 0 changes to my custom Blacklist.


January 10, 2011

Mail archiving: Easing the load on your mail server - and yourself!

Emails are a significant part of a business's records, and need to be stored to meet organizational needs as well as legal and compliance requirements. How this is done can make an incredible difference to the lives of both end-users and administrators.

Is your organization archiving email the right way?

An Exchange or email server may easily be brought down when its mailboxes contain too many large email attachments or when there are large numbers of email accounts. System administrators usually solve this by putting a quota on each mailbox so as to limit the amount of information stored on the server while moving older emails to a different location so as not to surpass this limit. This can irritate or frustrate end-users, especially when they need to retrieve emails that date back to many years before. In order to save these emails and respect the quota simultaneously, some end-users store their email in PST files (open proprietary file formats that are used for storing copies of messages) which they either save on their local machine or on a network share. If this sounds like the system in place at your organization, steady yourself: You might be in for a few problems.

When stored locally, PST files cannot be backed up regularly. This means that if one of them is damaged or accidentally deleted, the emails within it are lost. On the other hand, when end-users store their PST files on a network share, this simply transfers the whole issue of storage space from one location (the server) to another (the network share), while also presenting the need to increase the number of backups coupled with the ordeal of having to manage all those PST files - a pet hate for many administrators.

How to tackle this storage problem

So how can you tackle this storage problem?

Simple: implement a solid mail archiving system. An archive typically consumes less storage than the same mail held in live mailboxes and scattered PST files, and it reduces the amount of live email kept on the mail server. Message contents and attachments can be extracted automatically from both incoming and outgoing email and, after indexing, stored in a read-only form, so archived records are preserved in their original state as certain legislation requires.

As for accidental or intentional deletion of email by end-users, that risk is largely removed, because a copy of every message is saved in a centralized, read-only system. Administrators also no longer need to hunt manually through personal archives on each local machine whenever a particular email thread is requested for litigation support or business needs. With just a few clicks, end-users and/or administrators can retrieve whichever email they need.

Another point to keep in mind is that the archiving technology affects the efficiency of the solution. Microsoft, for example, has said that stubbing (replacing a message on the Exchange server with a small pointer to the archived copy) can create performance problems, whereas journaling requires no additional software on the Exchange server, saves email in a safe, scalable database and performs all archiving work on a system separate from the Exchange server. When choosing an archiving solution, make sure it addresses this concern.

Using a good mail archiving solution not only simplifies the lives of both administrators and employees, but also helps manage email server resources efficiently while meeting business needs.

This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a software developer that provides network administrators with a single source for their network security, content security and messaging needs. Find more information at: GFI email archiving solution.

All product and company names herein may be trademarks of their respective owners.


January 9, 2011

My Spam analysis & filter updates for the week of Jan 3 - 9, 2011

Again this week, fewer spammers than previously are active, but they are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and dating scams.

This past 7 days, spam for various types of garbage amounted to 32% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Jan 3 - 9, 2011. These classifications are based upon my own custom MailWasher spam filters.

finger pointing right MailWasher Pro by Firetrust
Percentage classified as spam: 32%; down 6% from last week (-16% over 2 wks!)
Number of messages classified as spam: 139 
Number classified by my custom spam filters: 127
Number classified as spam by my custom blacklist: 1
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 0
Number of spam messages seen, reported to SpamCop & manually deleted: 1
The order of spam according to the highest percentages, is as follows:
Pharmaceuticals and fake prescription drugs: 31.25%
Fake Viagra and Cialis: 21.88%
Counterfeit (Rolex, etc) Watches: 19.53%
Male Enhancement scams: 19.53%
Pills: 3.91%
Known Spam Domains in links (usually Russian: .RU): 1.56%
Blacklisted sender names and domains: 0.78%
Dating Spam (Russian Bride scams): 0.78%
E-Card Scam (containing Botnet infection links): 0.78%

I made 1 addition/update to my custom filters:
New filter: E-card Scam (Storm 3.0 or Waledac 2.0 Botnet)

I made 0 changes to my custom Blacklist.

Watch out for fake e-cards this Winter. They all lead to malware attack pages that hit your browser with over a dozen exploit attempts, led by Java exploits that offer a fake "Java Update" file named host.exe. The social engineering trick works like this: Windows pops up a warning that the publisher of the file cannot be verified, even though the download claims to come from Sun's Java. That warning appears because the hostile file carries no valid digital (Authenticode) signature, whereas the genuine Java installer is signed. An unsigned "update" is not an update; do not click Run.

Java is not the only target. If any one installed program (browser plug-in, PDF reader, media player) is an outdated, vulnerable version, your PC can be taken over by criminals without your knowledge. A PC owned by cybercriminals will most likely be made a member of a criminal Botnet, which means it becomes a spam-sending tool and may also be used as an attack tool against websites and Governments.
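As an added example (not part of the original post), here is a PowerShell check for the point above: a downloaded "update" should only be run if it carries a valid Authenticode signature from the publisher you expect. The file path and the expected publisher string are assumptions.

```powershell
# Added example: refuse to run a downloaded "update" unless it is signed
# by the publisher you expect. Path and publisher name are assumptions.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        # Substring that must appear in the signer certificate's Subject.
        [Parameter(Mandatory=$true)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object -TypeName PSObject -Property @{
            Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is Valid only when the file is signed, the hash matches the
    # signature, and the certificate chains to a trusted root. NotSigned is
    # what a fake installer such as host.exe produces, and is why Windows
    # warns that the publisher cannot be verified.
    if ($sig.Status -ne 'Valid') {
        return New-Object -TypeName PSObject -Property @{
            Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still untrusted: anyone
    # can obtain a code-signing certificate in some other name.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        return New-Object -TypeName PSObject -Property @{
            Path = $Path; Trusted = $false; Reason = "signed by unexpected publisher: $subject" }
    }

    return New-Object -TypeName PSObject -Property @{
        Path = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# Usage (the path and publisher name are assumptions):
$result = Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\host.exe" `
                                -ExpectedPublisher 'Sun Microsystems'
$result | Format-List Path, Trusted, Reason
if (-not $result.Trusted) {
    Write-Warning "Do not run $($result.Path): $($result.Reason)"
}
```

The check is deliberately two-stage: "signed" is not the same as "signed by whom you think", so the script rejects a file that is validly signed by an unexpected name just as it rejects an unsigned one.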

A word regarding knockoff watches: they are made in China, carry no applicable warranty, cannot be returned if defective, are sold by criminal spammers, and are inferior to the real items they copy. If you buy a counterfeit name-brand watch, know that a fool and his money are soon parted. Ditto for the fake diplomas offered from time to time and for the fake Viagra pills and enlargement scams that appear every day. Fake drugs may harm or kill you, are illegal to import into the USA and Canada, and are subject to seizure by Customs.

Take my advice and never reply to spam email, just delete it. Don't bother trying to unsubscribe from spam mail lists. Nobody ever gets de-listed; you will only confirm that your email address is valid by using the bogus unsubscribe links. Think about it: if you never signed up to receive the (fake) goods advertised in a spam email, why should you have to unsubscribe? The unsubscribe links are not honored. However, people using them are added to databases of proven live accounts and their names are sold to other spammers.

If you are tricked by an email message into visiting a malware attack site, scan your computer for acquired malware threats using the legitimate online scanner at http://housecall.trendmicro.com, or at kaspersky.com.

If malware is found, their scanners can remove most of it. If not, download a trial version of Trend Micro Internet Security. You can read about it and download it from my webpage about Trend Micro security products.


January 5, 2011

Spam volumes have declined up to 45% from June to December 2010

I publish a weekly report on my personal analysis of spam volume and categories on this blog. Over the last quarter of 2010 there was a very significant drop in the volume of mail classified as spam. Spam peaked at 70% of my incoming mail in the week of June 14 through 20, 2010; for the week of December 27, 2010 through January 2, 2011 it was 38%, a relative decline of about 45 percent.

Prologue

Other security companies and writers have also been curious about why this huge decline has occurred. Now we may have some believable answers. I believe a threefold answer explains this phenomenon: Botnet command and control server shutdowns, arrests of Bot Masters, and the closure of a spam affiliate program.

First of all, virtually all spam is sent through compromised (Windows) computers infected with Bot programs that turn them into spam relays. The actual spammers buy the use of Botnets, which are owned and maintained by seasoned cyber criminals, many of whom reside in the former USSR. These (Russian, Ukrainian, Latvian, etc.) "Bot Herders" had, until recently, enjoyed total immunity from prosecution by means of payoffs and by flying under the radar of local authorities. That began to change in the Fall of 2010.

Since October 2010 there have been a number of high-profile arrests of the individuals behind the major Botnets and of the purveyors of the files used to infect PCs. Some of the world's most prolific spammers and Bot Masters are now either in jail or under indictment in the USA, Spain, Ukraine, Russia and Great Britain.

Additionally, after much input from security companies and international police agencies, Visa, MasterCard and PayPal ceased processing payments for sales of illegal pharmaceuticals and commissions to affiliates of several spam networks, like "Spamit," forcing them out of business. Spamit, a Russian crime operation, promoted the now defunct (and fake) "Canadian Pharmacy" websites. It paid large commissions to thousands of minor and major affiliates who rented Botnets to send spam runs for the Canadian Pharmacy and others with similar names. Spamit shut down operations in October 2010, yet spam for the "Canadian" pharmacies still accounted for a large percentage of all spam that month, because individual spammers had already paid for Botnet time and the spam templates had already been dispensed to the zombie computers in those Botnets.

As the affiliates realized that they would not be paid any commissions for sales to gullible people, the volume of Canadian Pharmacy spam dropped until it ceased to exist, around December 2010.

The next important factor in the decline of spam in the last quarter of 2010 was the shift in purpose of the Rustock Botnet, the largest surviving Botnet at this time. Until the closure of Spamit and the resulting decline in paying spammers who leased it, Rustock was responsible for up to half of all spam messages sent during 2010. Since the demise of Spamit, Rustock has all but stopped being used for spamming and its operators have shifted it to advertising click fraud. Click fraud was a side activity for most of 2010; it now appears to be the sole purpose of the remaining active Rustock Bots.

Another factor in the decline of spam was that in October 2010, authorities in the Netherlands took down several servers associated with the Bredolab botnet. This Botnet was used not only to send huge amounts of spam but was also the main means of dispensing and controlling the Zeus key-logging Trojan. Much of the spam sent by Bredolab zombies carried attachments that were in fact copies of the Zeus installer. Amazingly, it appears that one individual was running the main Zeus campaign: a Ukrainian man with a flair for fast sports cars, US casinos and car shows. He was in transit from Ukraine to Las Vegas to attend a car show in November 2010, not knowing that a warrant had been issued for his arrest. He was taken into custody on arrival in the USA and now sits in prison awaiting trial for the damage caused by his Zeus bank-account-stealing operation.

Additionally, in the 3rd quarter of 2010 the command and control servers of the Pushdo / Cutwail botnet, responsible for about 10% of the world's spam, were forcibly shut down and its member zombies disinfected.

Summary

The combination of actions taken by authorities across several continents (shutting down command and control servers used by major Botnets, disinfecting many of the zombies operating as spam relays, and arresting several owner/operators of spam Botnets) has produced a marked decline in the overall volume of spam during the last quarter of 2010. Spam volumes are still down during the first half of the first week of 2011. Hopefully that will remain the case for a long time to come.

Epilogue

Although the volume of spam has declined, it is not dead. I have been writing and will continue to update spam detection filters for the anti-spam program, MailWasher Pro. This program has been in circulation for a decade now and is currently at version 2011. If you are still plagued by spam and are looking for a reasonably priced solution to detecting and deleting it before it is downloaded to your desktop email clients, please try using MailWasher Pro. It is free to try for 30 days. My description page explains many of its features and how to use them. My personally developed and published spam filters are kept up to date to meet current spam tricks and threats.

The latest threat to be added to my spam filters is the now-circulating fake e-card spam that leads to browser exploit attacks that install a new version of the Storm or Waledac Bot. So, stay aware of the threats posed by spam email and protect your computers with the best anti-spam solutions you can afford.


January 2, 2011

Security News and Updates for Dec 14 - 31, 2010

The last two weeks of December 2010 saw fewer vulnerability reports than some previous weeks in the last quarter of the year. This doesn't mean that criminals are sitting still, just that they are lying low to avoid attracting the attention of local authorities. Lately, police in places as far away as Ukraine and Russia have been arresting cyber criminals for unlawful online activities. Many of those arrested thought they were safe in the former USSR, but they were mistaken.

Here is a rundown of the security alerts issued and patched software released by the vendors of exploitable software, from December 14, through 31, 2010.

Son Of Storm Worm
The Shadowserver Foundation has uncovered a new spam campaign that it believes is the work of a new botnet built on a new generation of the Storm or Waledac Bot executables. The main characteristic of this new botnet is its large-scale e-card spam campaigns: scam e-mails with links to exploit pages hosted on a Fast-Flux network of botnetted PCs. It also shares some code with the original Storm Worm and Waledac Bot. Shadowserver is temporarily referring to this new Botnet as Storm 3.0 or Waledac 2.0.

The original Storm Worm Botnet was most active in 2007. Millions of spam messages were sent by zombie computers, each containing a link to a fellow zombie in the form of a numeric IP URL. Most featured a fake e-card, a love message, or fake news about a storm that swept across parts of Europe in early 2007. The destination pages showed a fake, non-functional video with an Adobe Flash player that "needed to be updated" with their version. That "player" was the Storm Worm, which made those computers members of what was then the largest Botnet on Earth.

Storm declined in late 2007 but made a big resurgence in the summer of 2008. Because of the sheer number of Windows PCs infected with the Storm Worm, it attracted the attention of the code writers working on the Microsoft Malicious Software Removal Tool. The September 2008 Windows Updates, released on Patch Tuesday, September 9, 2008, included detection routines for both variants of the Storm Worm and eradicated it from hundreds of thousands of computers. Days later, authorities forced rogue ISP Atrivo off the Internet, severing 3 of the 4 Command and Control servers used by the Russian or Ukrainian gang running the Storm Botnet.

I have already warned my readers of my weekly spam analysis to be on the lookout for fake e-card greetings this Winter. They have links to compromised websites, with instant refreshes to fake Flash Player updates and other exploits, hosted on compromised personal computers. The IP addresses change with every connection request (Fast-Flux Domains); rotating the payload among the thousands of zombie PCs in the new Botnet.
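The rotating addresses described above can be measured. The following PowerShell function is an added example, not part of the original post and not Shadowserver's tooling: it counts how many distinct addresses a name resolves to over repeated lookups and how often the answer set changes between lookups, which is the simplest fast-flux signal. The sample lookups are constructed, the threshold is an assumption, and the hostname in the live helper is hypothetical.

```powershell
# Added example: a crude fast-flux check. A legitimate site resolves to a
# small, stable set of addresses; a fast-flux domain rotates through many
# zombie addresses with very short TTLs. Thresholds are assumptions.

function Test-FastFlux {
    param(
        # One string per lookup, listing the A-record addresses that lookup
        # returned, comma-separated, e.g. '198.51.100.7,198.51.100.23'.
        [Parameter(Mandatory=$true)] [string[]] $Lookups,
        # Distinct addresses at or above this count are suspicious.
        [int] $DistinctThreshold = 5
    )

    $seen     = @{}     # distinct addresses seen across all lookups
    $churn    = 0       # lookups whose answer set contained a new address
    $previous = $null

    foreach ($lookup in $Lookups) {
        $addrs = @($lookup -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($ip in $addrs) { $seen[$ip] = $true }
        if ($null -ne $previous) {
            $new = @($addrs | Where-Object { $previous -notcontains $_ })
            if ($new.Count -gt 0) { $churn++ }
        }
        $previous = $addrs
    }

    $distinct = $seen.Keys.Count
    # Flag when many distinct addresses were seen AND the answer set changed
    # in at least half of the follow-up lookups.
    $likely = ($distinct -ge $DistinctThreshold) -and
              ($churn -ge [math]::Ceiling($Lookups.Count / 2))

    New-Object -TypeName PSObject -Property @{
        Lookups     = $Lookups.Count
        DistinctIPs = $distinct
        ChangedSets = $churn
        LikelyFlux  = $likely
    }
}

function Get-LookupSamples {
    # Live collection helper (needs network). Wait longer than the record's
    # TTL between queries so each one bypasses the local resolver cache.
    param([string] $HostName, [int] $Count = 6, [int] $IntervalSeconds = 60)
    $samples = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
        $samples += ($ips -join ',')
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
    return $samples
}

# Constructed sample data (documentation address ranges, not real hosts):
$stableSite = @('203.0.113.10,203.0.113.11', '203.0.113.10,203.0.113.11', '203.0.113.11,203.0.113.10')
$fluxSite   = @('198.51.100.7,198.51.100.23',  '198.51.100.41,198.51.100.9',  '198.51.100.77,198.51.100.23',
                '198.51.100.102,198.51.100.5', '198.51.100.9,198.51.100.130', '198.51.100.66,198.51.100.200')

Test-FastFlux -Lookups $stableSite | Format-Table Lookups, DistinctIPs, ChangedSets, LikelyFlux -AutoSize
Test-FastFlux -Lookups $fluxSite   | Format-Table Lookups, DistinctIPs, ChangedSets, LikelyFlux -AutoSize

# Against a real name (hypothetical hostname):
# Test-FastFlux -Lookups (Get-LookupSamples -HostName 'ecard.example')
```

Large legitimate sites that use round-robin DNS or content delivery networks also rotate addresses, so treat a positive result as a reason to look closer (whois, TTL, the mix of residential ISPs the addresses belong to) rather than as proof on its own.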

Each of these Fast-Flux domains also appears to be hosted on a single Ukrainian IP address, 91.204.48.50, and I recommend blocking access to it. It is already included in my published Russian Blocklist. Note, however, that the Windows HOSTS file cannot block an IP address: HOSTS maps hostnames to addresses, so a line such as

127.0.0.1 91.204.48.50

has no effect on connections made directly to 91.204.48.50. Use HOSTS entries for the hostnames that resolve to that address (hostname on the right, 127.0.0.1 on the left, saved as HOSTS with no extension). To block the address itself, add an outbound block rule for it in Windows Firewall, your router, or a third-party firewall.
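Added example (not part of the original post): blocking the address with Windows Firewall from an elevated PowerShell prompt, using netsh advfirewall, which is built into Windows Vista, Windows 7 and later. The rule name is an assumption.

```powershell
# Added example: block all traffic to and from a single hostile IP address
# with Windows Firewall rules. Must be run from an elevated (Administrator)
# prompt. The rule name prefix is an assumption.

$BadIp    = '91.204.48.50'
$RuleName = "BlockFastFlux_$BadIp"

# Sanity-check the address before handing it to netsh.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($BadIp, [ref]$parsed)) {
    throw "Not a valid IP address: $BadIp"
}

# One outbound and one inbound rule. 'remoteip' is the far end of the
# connection in both directions, so the same value is used for each.
foreach ($dir in 'out', 'in') {
    netsh advfirewall firewall add rule "name=${RuleName}-${dir}" "dir=$dir" `
        "action=block" "remoteip=$BadIp" "protocol=any" | Out-Null
}

# Verify that the rules now exist (netsh prints 'No rules match' otherwise).
netsh advfirewall firewall show rule "name=${RuleName}-out"
netsh advfirewall firewall show rule "name=${RuleName}-in"

# To undo:
#   netsh advfirewall firewall delete rule "name=${RuleName}-out"
#   netsh advfirewall firewall delete rule "name=${RuleName}-in"
```

A firewall rule keyed on the address keeps working whatever hostname the fast-flux domains use; a HOSTS entry only helps for names you already know about.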
_____________________

Wordpress Critical Update
WordPress.org has released WordPress 3.0.4, a critical security update that fixes a core bug in KSES, the HTML sanitization library WordPress uses to filter user-supplied markup. It is available immediately through the update page in your WordPress dashboard, or for download here. Apply it to your sites as soon as possible; I would rate this release as "critical."

Note: if your websites, like mine, are hosted on Bluehost or one of the hosting companies associated with it, you can use the custom script installers in the Simple Scripts section of your cPanel control panel. These commonly deployed scripts are kept up to date with security patches and install with a few mouse clicks. WordPress is included because it is so commonly probed and exploited: an outdated WordPress installation is a near-certain target for attackers, who use known holes to plant hostile redirection scripts, spam comments or phishing pages on your website.

Zero Day IE Exploit
There is a new zero day exploit for Internet Explorer browsers in the wild. Imagine that! See this page on PCMag for the details.

Microsoft WMI Administrative Tool ActiveX Control Vulnerability
US-CERT is aware of a vulnerability in the WBEMSingleView.ocx ActiveX control, which is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to set the kill bit for CLSID {2745E5F5-D234-11D0-847A-00C04FD7BB08} to mitigate the risk until a fix is available from the vendor. Setting the kill bit stops Internet Explorer from instantiating the control; it does not remove it. Instructions for setting a kill bit are in Microsoft knowledge-base article KB240797. Users and administrators are also encouraged to follow the practices in the Securing Your Web Browser document to reduce the risk of this and similar vulnerabilities.
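Added example (not part of the original post or of the US-CERT note): setting that kill bit from an elevated PowerShell prompt, using the registry location and flag value documented in KB240797. The script assumes the CLSID given above.

```powershell
# Added example: set the ActiveX "kill bit" for the WBEMSingleView.ocx
# control per KB240797. Run elevated. Bit 0x400 of "Compatibility Flags"
# under the control's CLSID tells Internet Explorer never to load it.

$Clsid   = '{2745E5F5-D234-11D0-847A-00C04FD7BB08}'   # from the US-CERT note above
$KillBit = 0x400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
# so set the flag in both views when the second one exists.
$bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($base in $bases) {
    $key = Join-Path $base $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $newValue = [int]($existing -bor $KillBit)
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $newValue `
        -PropertyType DWord -Force | Out-Null

    # Verify: the stored flags must now include 0x400.
    $check = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -ne $KillBit) { throw "Kill bit not set under $key" }
    Write-Host ("Kill bit set: {0} = 0x{1:X}" -f $key, $check)
}
```

The OR-and-verify step matters: other compatibility flags may already be set for a control, and overwriting them with a bare 0x400 would silently change unrelated behaviour. Reverse the change by deleting the CLSID key once a vendor fix is installed.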

That's all I have for you tonight. I'll post more security updates news next week, or sooner if necessary.


My Spam analysis & filter updates for the week of Dec 27, 2010 - Jan 2, 2011

This week, fewer spammers than usual are active, but they are still promoting fake Cialis and Viagra, counterfeit watches, bogus male enlargement herbs and pills, illegal-to-import prescription drugs, fake e-cards or messages containing only a link to malware exploit sites, fake product recommendations and Nigerian 419 scams.

This past 7 days, spam for various types of garbage amounted to 38% of my incoming email. This is according to MailWasher Pro, which I use to screen incoming email before downloading it to my desktop email program (Windows Live Mail). I often see the same spam message sent to several of my accounts at the same time. I report any spam messages that make it through my auto-delete filters to SpamCop.

Here are some statistics regarding the spam received and categorized, from Dec 27, 2010 - Jan 2, 2011. These classifications are based upon my own custom MailWasher spam filters.

finger pointing right MailWasher Pro by Firetrust
Percentage classified as spam: 38%; down 10% from last week
Number of messages classified as spam: 172 
Number classified by my custom spam filters: 161
Number classified as spam by my custom blacklist: 3
Number classified as spam according to DNS Blocklists (SpamCop, Spamhaus, etc): 2
Number of spam messages seen, reported to SpamCop & manually deleted: 6
The order of spam according to the highest percentages, is as follows:
Counterfeit (Rolex, etc) Watches: 26.32%
Male Enhancement scams: 26.32%
Fake Viagra and Cialis: 25.73%
Pharmaceuticals and fake prescription drugs: 11.70%
Known Spam Domains in links (usually Russian: .RU): 2.92%
Blacklisted sender names and domains: 1.75%
Other miscellaneous filters (small percentages each): 1.74%
African Sender (419 scams): 1.17%
DNS Blacklisted Servers (RBL): 1.17%
Hidden ISO Subjects: 0.58%
Re: or Fwd spam: 0.58%

I made 1 addition/update to my custom filters:
New filter: Dating Spam #2

I made 0 changes to my custom Blacklist.



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
