Network Admins

SPAM fighting with RBL’s

2009-11-23T16:11:00.001+02:00

Our companies email server had been taking a bit of strain from SPAM recently and it seemed as though thousands of spam mails where getting through to my end users.

Scanmail for Exchange was picking up about 57000 SPAM mails a month, but I would still get about 200 spam mails a day in my own inbox!

I did some research and eventually found RBL (Real Time Blacklists). A RBL is a list of known spam email servers IP addresses. There are several RBL providers out there and it is very simple and in most cases free to setup.

Check out the following link to get your Exchange 2003 server setup with a RBL:

http://www.spamblogging.com/archives/000138.html

I am currently using the the following RBL’s

Since implementing the RBL I have seen spam on my own inbox drop from 200 a day to about 2 a day. I also noted that since the beginning of the month the number of SPAM is down from 57000 detected to 6500! And I should see an even greater drop next month as I implemented the RBL on about the 10th of the month!

South African Bank Phishing

2009-11-09T09:53:00.001+02:00

It seems as though some of our local South African banks are starting to fall foul of the phishers of late. It is a good time to keep your users informed and keep your proxy servers block list up to date with any new evil domains.

Here ore some examples of phishing emails I got from a user.

ABSA PHISHING EMAIL 1:

Url at the bottom takes user to a spoofed website that looks like an absa logon page:

Dear Customer,

We,upgrades its internet security on a continuing basis to ensure that our customers are protected. Protecting information is a shared responsibility and we request you to exercise caution at all times when using online services or accessing your emails.

Due to the open nature of the internet, Absa cannot guarantee the complete security of your transactions from hacking, unauthorized access, virus attacks, and /or other 3rd party attempts to breach our latest security features that we have used. All Online banking users are required to adhere strictly to this warning and follow up the process of this adjustments. Absa will not be responsible for loss of funds to online phishers as a result of failure to comply with this important new directives

Register your online banking access, click continue below and follow the instructions so you don't stand a chance of lossing your details to a third party.

http://www.absa.co.za/ib.jsp/Administrator
Administrator
Absa Bank Limited

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your absa Online account and choose the "Help" link on any page.
absa bank Email ID # 1009

ABSA PHISHING 2:

The link from this mail seemed to be broken at the time of publishing.

Dear Customer,

The internet has become widely accepted for banking online. While we have taken all the possible measures to ensure security and confidentiality of our online banking systems, you play an important role in protecting your personal information and Passwords. You have to protect your information at all times, be it over the internet or during your normal banking activities.

To Upgrade for this comprehensive security features,click below and follow the instructions

http://www.absa.co.za/security/features
Management
Absa Bank Group

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your absa Online account and choose the "Help" link on any page.
absa bank Email ID # 1009

FNB PHISHING 1

At the time of publishing the domain name that the link in the email takes the user to seems to have been disabled or broken.

Dear FNB Customer,

In the last fews weeks, our Online Banking Security team has observed multiple logon attempts on your internet banking account from different blacklisted IP's.

For your safety we have decided to suspend your access. You will need to verify your identity.

Click Here to continue

Security Management
First National Bank

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your fnb Online account and choose the "Help" link on any page.
fnb bank Email ID # 1009

SPAM: Server Upgrade

2009-10-13T08:24:00.001+02:00

I have been alerted to a couple of users who are receiving spam that contains links to external websites. the message is as follows:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.

The changes will concern security, reliability and performance of mail service and the system as a whole.

For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.<your domain>.<various>/ssl/id=73616375-<email>-patch2844683.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

I have noticed the following domain names being used so far which I have blocked on my proxy server:

*.admin-db.net
*.1ssl-certs.com

According to: http://www.dshield.org/diary.html?storyid=7333

The link leads the user to a download which disables AV and has Trojan / key logger characteristics.

Once again the URL contains the users email address so the site will probably log the entry to a db for future spamming.

I would suggest that you add all the domain names that you encounter in these messages to your proxy blocked list to prevent users from giving their email addresses away for future attacks.

tax-statement-taxpayer_id*.exe

2009-09-28T12:28:00.001+02:00

There are some fake IRS spam mails circulating at the moment that go to a page and try to get you to download a virus file which trend micro office scan picks up as TROJ_ZBOT.CBY.

I am particularly worried about this email as it seems as though the URL contains the email address of the user it was sent to. This will then allow the owner of the site to log valid email addresses when someone clicks on the link in the email. They don't even need to download the file to now be a bigger target for spam.

Solution: I also noticed that there are multiple domains that users are being redirected to so I decided to block *.irs.gov.*.com on our Proxy server to prevent users getting themselves on a spam list.

I found the following domain names in this type of attack so far:

*.irs.gov.y11dera.com

*.irs.gov.fedas1am.com

*.irs.gov.fedasaz.com

*.irs.gov.y11derq.com

Screenshot of the website you get redirected to when you click on the link in the emails.

AutoRuns

2009-07-16T10:55:00.001+02:00

Ever wondered why your computer is taking forever to start up? Well then AutoRuns is for you! This is the most comprehensive application that I have seen for killing automatic processes. I think I am going to be using AutoRuns a lot in future! I love sysinternals!

Sending Emails From CMD

2009-07-14T13:26:00.001+02:00

I was recently asked to write a script to check if a file exists and then email someone if the file is found. I found this program called Blat. Blat is a command line email client. basically all I did to get it working was download and copy blat.exe and blat.dll to %SystemRoot%\System32.

Check the code below:

@ECHO OFF
REM ### CONFiGuRE SETTINGS HERE ################
set SMTPServer=127.0.0.1
set ToAddress=email@mydoamin.com
set fromAddress=email@mydomain.com
set Servername=My Server Name
set find="C:\myfile.txt"
REM #####################################
IF EXIST %find% (goto senderror)
goto end

:senderror
set Subject=File Found
set MessageBody=%ServerName% -File Found. (%Date%)
%SystemRoot%\System32\blat.exe -server %SMTPServer% -f %fromAddress% -to %ToAddress% -subject "%ServerName% - %Subject%" -body "%MessageBody%"
goto end

:end
@ECHO ON

Google Chrome OS

2009-07-08T12:48:00.002+02:00

Google announced Google Chrome OS recently. It seems as though Google is again pushing cloud computing. The net-book revolution is the next thing in computers with all the major players starting to take notice. Ever since the Asus EEPC was launched a while back people have begun to sit up and notice. Intel is currently also in the race as they have started developing an operating system specifically for net-books.

I do think that Google once again has the advantage as they are the ones who have all the cloud applications already. With Gmail, Google Docs, Calendar and more already pretty stable they are more than ready to give the world a taste of cloud computing. And now with the announcement of their own net-book OS that comes with Google Chrome they will be able to run all of their applications in a browser specifically designed to run those applications as fast as possible.

I can’t wait to see what they come up with.

Windows Vista SP2

2009-06-10T15:06:00.000+02:00

Today I accidentally found out that Windows Vista SP2 has been released! I was going through my WSUS server and noticed that my machine had a lot of updates outstanding. I then say an entry that said: "Windows Vista Serivce Pack 2 Standalone (KB948465)- English, French, German, Japanse, Spanish"

Well it looks like SP2 was released about 2 weeks ago according to this KB Article.

http://support.microsoft.com/kb/948465

Anyway I am waiting for my WSUS server to download it so I can install!

Microsoft Doing it Again with Windows 7?

2009-02-04T12:02:00.003+02:00

It looks as though our dear friends at Microsoft are not learning from thier mistakes.

http://www.engadget.com/2009/02/03/windows-7-skus-announced-yes-your-worst-nightmare-has-come-to/2

According to this article Windows 7 is expected to come in 7 different flavours! ARG !

I wish these guys would catch a wakeup and stick to the good old days of single desktop and server OS releases instead of making life so confusing with 7 versions!

Come on Microsoft catch the hint, no-one wants 7 choices for something as boring as an operating system. Why do you think Linux has been struggeling for so many years?

Recession to fuel Open Source?

2009-01-29T15:25:00.002+02:00

With the world economies in a bit of a downward spiral, the demand for Open Source techologies should increase dramatically. Business should soon start to see the value in migrating certain systems to opensource. I have a hard tim justifying Microsoft Office licences when there are freely available alternatives. The only cost a business may incure is some training costs to migrate the users over to the new package. This however should quite easily be justified as it means a lifetime of free and open source as opposed to the pain of being forced to upgrade systems at huge expense every couple of years.

I still think that most businesses will however need to stick with Windows as an OS, but office applications and others can be migrated to Open Office.

Bulk Modify Active Directory Users Accounts

2009-01-19T14:05:00.001+02:00

Basically my friend upgraded his old server and migrated active directory to the new server. Active directory pointed their profile paths to the server name or IP address of the old server. So he needed to be able to modify all his users profile paths so that they pointed to the new server. He could do it one at a time, but after doing a couple of hundred I am sure he would have gone insane!

I found this tool: ADModify.net

Snippet from their website:

"ADModify.NET is a tool primarily utilized by Exchange and Active Directory administrators to facilitate bulk user attribute modifications."

This tool is awesome! It does exactly what is says it does! It allows you to bulk edit active directory user accounts. You can bulk modify almost any setting in an AD user account using this tool! I am definitely going to keep this one for future, it makes life so much easier!

Google Forms

2009-01-19T13:05:00.001+02:00

I recently noticed that Google Docs has a new feature called Google Forms. It seems to be a pretty cool feature that allows you to create online forms that can be emended in just about any blog, web page or emailed. When a person fills out the form the information gets saved into your Google Docs account. This lets you go through the results in a nice simple spreadsheet.

This is a very useful tool. Give it a try.

A Brief History of the Internet

2009-01-09T10:51:00.001+02:00

I found this cool video on digg. It is a nice introduction to the history of the Internet.

History of the Internet from PICOL on Vimeo.

Welcome to the Cloud

2008-12-05T08:15:00.003+02:00

It looks like cloud computing is going to be the next best thing!

There is a new OS called gOS (No it is not made by Google) that boots into a stripped down linux distro presenting the user with a browser. Effectivly with the massive increase in online apps users can now transfer all the processing and storage onto the "cloud" (web servers and web services on the internet). I think that we are going to see a lot more of this in future as it will reduce the cost of the end user device and increase online activity for service providers who will benefit from increased ad-revenue. I predict that this form of computing will slowly, but surely start taking over.

Anyway check out the slideshow below of gOS:

http://www.thinkgos.com/

http://en.wikipedia.org/wiki/Cloud_computing

Facebook Blocked?!? (static.ak.fbcdn.net)

2008-12-03T12:19:00.004+02:00

I tried to logon to facebook today using google chrome and was presented with the following screen:

It would seem that static.ak.fbcdn.net is being reported as a phishing website!

This is the information for the domain fbcdn.net:

Registrant:

Facebook, Inc

156 University Ave,

3rd Floor Palo Alto,

CA 94301 US

Domain name: FBCDN.NET

Administrative Contact: Admin,

Domain domain@facebook.com

156 University Ave,

3rd Floor Palo Alto,

CA 94301 US +1.6505434800

Fax: +1.6505434800

Technical Contact: Admin,

Domain domain@facebook.com

156 University Ave,

3rd Floor Palo Alto,

CA 94301 US

It would seem a though this is a legit facebook domain, but I am not able to find any info on the net as to why this domain is blocked! If anyone has any info please let me know.

Vista SP2 on its way!

2008-12-02T14:03:00.001+02:00

It seems as though Microsoft may be releasing Windows Vista Service Pack 2 in April 2009!

Check out this article:

http://blogs.chron.com/techblog/archives/2008/12/report_windows_vista_service_pack_2_coming_in_1.html

Lets hope that they don't release it on the 1st of April :P

Standard Bank Spoofed Email Malware

2008-10-06T13:43:00.005+02:00

Please note that there are emails circulating claiming to be from Standard Bank Offshore Bank.

The URL in the email takes you to a page on the domain reprsinos.com.

The website tries to download a file "StandardCertificate2008.exe" to your computer.

Trend Micro office scan picks up the malware as "Cryp_MEW-11".

Clip of the Spoofed Email:

"Attention to all Standard Bank Customers!
Some Standard Bank customers have reported experiencing disconnect or write error issues with online banking.
To address this, Standard Bank has released a 128-bit SSL update for the online banking page that eliminates this bug."

I would suggest that all admins block access to the domain reprsinos.com on thier proxy servers imediatly.

Screenshot of spoofed website

UPDATE:

Some more emails have made it through:

Example Subject lines:

Standard Offshore Bank - Security - security of individual customer information.
Standard Offshore Bank - Security - We use some information to help identify
Standard Offshore Bank - Security - Our customer information

Examble Email Body:

Attention to all Standard Bank Customers!
Some Standard Bank customers have reported experiencing disconnect or write error issues with online banking.
To address this, Standard Bank has released a 128-bit SSL update for the online banking page that eliminates this bug.

You can update your browser from our Customer Service Department>>>

More domains to Block:

bizcombf.com

The PHP Driven World Will End in 2037!

2008-10-01T15:01:00.004+02:00

PHP / Unix seems to have its very own Y2K bug. Except it will happen in 2037.If you try and do any date/time calculations greater than 2037 with PHP it freaks out and goes back to 1 Jan 1970!

I am currenlty writing a bookings application and was playing with the calendar and checking out the future. All of a sudden when I went past the year 2037 the system would jump back to 1970!

Apparently this is a known but and is a limitation in counter that is 32bits long. (http://bugs.php.net/bug.php?id=7103)

Apparently 64bit machines are not vulnerable to this.

After doing some reading it would seem that this is indeed the Unix equivilent of the Y2K Bug!

(http://en.wikipedia.org/wiki/Year_2038_problem)

So the moral of the story is that in the year 2038 you better make sure that you have a 64bit machine if you are running any unix based machines. Also make sure that the time_t is set to 64bit !

Image derived from: http://openclipart.org/media/files/valessiobrito/2564

Delivery Reciept SPAM

2008-10-01T13:19:00.004+02:00

It has recently been found that SPAMMERS are using the delivery reciept functionality of most mail clients to find valid email accounts.

It is reccomended that you switch off this feature to prevent you email account from sending a response back to the SPAMMERS letting them know that your email address is valid.

Further reading:
http://blog.trendmicro.com/spam-using-e-mail-delivery-notifications-to-verify-valid-addresses/

Some Google Chrome Features

2008-09-03T11:53:00.003+02:00

I have been playing with Google chrome today and found some usefull features that others may enjoy:

Application Shortcuts

This allows you to place shortcuts on your computer that link you to web applications such as Gmail or Facebook. The cool thing about this is that it opens up the application in its own window without all the browser controls etc. This allows you to view more of the application as the screen real-estate is not taken up by the other browser controls.

Incongnito Window

The incognito window feature is pretty cool. It allows you to open a "Special Window" that will not "remember" any information about where you went or what you did. i.e. All cookies, URL's and sessions will not be stored in your history or browser cache. This is a nice feature that will allow you to surf your internet banking or "other" sites (naughty naughty) without the fear of the information being stored on your computer for someone else to find.

Javascript Speed

According to many reports on the internet the implemenation of Javascript in Google Chrome is significantly faster than in other browsers. This is pretty visible when browsing the internet. I think that this browser is much faster than anything I have used before.

New Browser - Google Chrome

2008-09-03T11:38:00.000+02:00

Google released a new browser into the wild yesterday. The new browser called Google Chrome has many cool features and I think it has the potential to become a major player in the heavily contested browser market.

The new browser sports a whole bunch of features never before seen in the browser world as well as some of the same old standard things we have come to expect from a modern browser such as tabbed browsing.

As Google tends to do, they thought about stuff a lot more and came up with some really nice solutions to some age old problems.

Lets look at some of the cool new features I think will make this browser take the browser market to new levels:

Tabbed browsing processes

Tabbed browsing has become a standard feature since it was introduced a couple of years back.

The thing is google looked at the tabs and said mmm, lets take this and make it work better. They took the tabs and instead of running them as seperate threads under the same process they decided to split each tab into its own process. The benefit of this accoring to thier website is that it allows for better garbage collection which prevent the browser from using up all the computers resources after it has been open for some time. This will also allow you to end only the tab that causes the problems, not the entire browser itself. This is a major step forward in thinking and I think it will be a matter of time before all the bigger players in the browser market follow suite.

Internal Process Monitoring

Google Chrome comes with its own task manager that allows you to check which tabs and plugins are causing hassels and kill them if they are getting out of hand.

There is also a link in the bottom called stats for nerds which gives you more detail on the tasks.

Advanced URL Bar

Much like the Mozilla Firefox 3 URL bar the Google Chrome address bar gives you rich results based on not only the URL entered but based on the title of the page. In addition to this the Google Chrome address bar also uses google suggest to find search results in the address bar and you can use the address bar to search.

Google has used all of its considerable resources for page rank and other technologies to add assitave technology that is seemless, quick and pretty into this seeming simple portion of the web browser.

User Interface

Of all the browsers that I am awareof on the market today, Google Chrome is the most simple and clean in terms of UI. They have followed thier concepts from thier Google search page and made a very simple, fast and very powerfull system that is easy for anyone to use without much knowledge. Don't be fooled though because behind all the simplicity there are appear to be some awsome tools for the tech savvy nerds.

I have only spent about 1 hour with this browser, but I think this may be the browser of the future! I will keep you posted on any new features that I find.

Get Google Chrome here: http://www.google.com/chrome

Google to launch web browser

2008-09-02T12:47:00.000+02:00

It would appear that Google is looking at releasing a web browser called Chrome in the near future. According to reports on the net there was an accidental release of the information including video and screen shots, most of which have been removed already.

You can find information about the new browser on the following sites:

I for one am looking forward to see what Google can bring to the browser market. I am still however a loyal Firefox user, until something that compete with the power of Firefox and its array of useful extensions I am not budging, but hey Google normally makes really awesome easy to use products so I will hopefully have a copy soon to review.

5FM Blocked ?!?!

2008-08-08T09:11:00.001+02:00

I am not a regular visitor to 5FM.co.za, but I decided to go today and was greeted by the firefox "Reported Attack Site!" warning. I then tried to google 5fm and google displayed a warning as well. Something is clearly up on thier website. Check out the screenshots below:

SARS e@syFile Employers Manual Backup & Restore

2008-07-17T10:07:00.001+02:00

Our HR people had a problem with the new SARS e@syFile Employers application. On opening the program it could pop-up with a window saying
"The application has started from the incorrect icon. Please start e@syFile - employers from the desktop icon"

Even if you open the program from the desktop icon it still gives you this error.
I found that you can do the following to fix this.

goto
Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
Windows Vista: C:|Users\{username}\AppData\Roaming\easyFileEmployer.{hash}\Localstore\
Copy the EasyFile.db and easyFile-employer.air files to a safe location.
Uninstall the e@syFile Employer application.
Re-install the program from the setup file
Copy the EasyFile.db and easyFile-employer.air files back to the directory.
Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
Windows Vista: C:|Users\{username}\AppData\Roaming\easyFileEmployer.{hash}\Localstore\
Start the e@syFile program again.

All you data will now be back and the application should run fine.

I would suggest that you backup the EasyFile.db and easyFile-employer.air files on another computer/server or removable disk.

You can write an xcopy script that will copy the files to a server or backup disk and create folders named with the date of the backup like so:

@ECHO OFF
MD E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%
CD C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
XCOPY *.* E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%\
@ECHO ON

Music to Malwares Ears?

2008-07-16T08:43:00.001+02:00

As reported by Trend Micro there is a worrying new attack vector that malware writers are using to spread their code, multimedia. The malware apparently infects almost any multi-media files which, when opened, ask you to download a codec to play the file. The codec is actually the malware which then infects the computer.

As the Trend article pointed out this could be a massive problem because of P2P networks. Infected multimedia files could soon be flying around P2P networks infecting everyone.

Multimedia files are some of the most shared files and therefore this could be a very problematic attack to prevent. I would suggest that network administrators keep their eyes open and try to discorouge users from bringing multimedia files to the office.