Monthly Archives: December 2006

One in Twenty Search Results Risky

Security researcher B. Endelman reports that 4.4% of current organic search results link to sites rated as “risky” because they host spyware or viruses, generate junk mail, or throw excessive pop-ups. The study ran searches for 2,500 popular keywords on the major search engines.

Sponsored links are twice as likely to lead to malware as non-sponsored links.

This highlights a vexing challenge for IT administrators: how to balance the need for information found via search (25% of knowledge worker time is spent searching online for information) against the threats that search results carry.

As malicious websites continue to proliferate, robust Web Filtering becomes ever more important to manage IT risk. Filtering must be combined with user education and awareness, however, to ensure adequate protection.

Federal Ruling Places More Stringent eMessaging Archiving Rules on Businesses, Schools and Not-For-Profits

A Federal rule change on electronic discovery requirements (amendments to the Federal Rules of Civil Procedure) took effect December 1, 2006. The e-discovery rules place more stringent electronic message archiving requirements on Businesses, Schools and Not-For-Profits. The rules state that an entity involved in litigation must be able to produce all relevant electronically stored information (email, IM, etc.) during legal discovery. This means that organizations must store the communications AND be able to retrieve them in a timely fashion. The rules also state that organizations will not be expected to produce electronically stored information when doing so would impose an “undue burden or cost.”


Small Businesses Targeted By Cyber Criminals

An article published yesterday in Business Week argues that cyber criminals are targeting small businesses. The article suggests that small businesses make easier targets than large enterprises because they typically cannot allocate the same money and time to information security. The effect of the smaller resource pool is compounded by the fact that small businesses have historically taken a reactive approach to information security.

The 2005 Small Business Information Security Readiness Study by the Small Business Security Institute (SBCI) found that small businesses, as a whole, lack fundamental information security protection. Of the 1,000 businesses surveyed, 20% had no virus or spam filtering and 60% had no encryption on their wireless networks. The authors also found that small firms that allocated a proportional share of their IT budget to information security were adequately protected. An interesting correlation: the businesses with the best protection were also the businesses that had previously suffered a security breach.

SBCI is planning another study for 2007, but maintains that the statistics from the 2005 study still represent what is occurring in the market.

How can small businesses ensure that they are protecting their information and infrastructure from malicious attacks?

1) Allocate adequate resources ($) to proactively protect information. As a rule of thumb, small businesses should expect to spend approximately $200 per month, per user on information security. The amount spent on security should rise every year in proportion to the amount spent on new IT hardware (PCs, laptops, servers, etc.) and software.

2) Continuous administrator education on threats. Protect against threats at the network and hardware levels, but avoidance information should always be passed down to the user base. Users are notoriously undereducated on how to avoid security breaches…especially phishing scams and other social engineering schemes designed to deliver web-based malware.

3) This is related to 2 above…lock down your perimeter(s). Email filtering, IM filtering, web filtering, wireless network encryption and mobile messaging protection should all be robust and employed at every entry point.

4) Be ready- Remember, it is far cheaper and far easier to have a proactive info security policy than it is to recover from a breach.

5) Back up critical data offsite. Most authors do not present data backup as a security issue…but it is (in fact, it is more than a security issue, but it definitely intersects with security). If there is a breach (or natural disaster for that matter), you need to know that your data is safely backed up and easily accessible somewhere far from the reach of the Cyber Thugs.

Don’t become a small business info. security statistic.  


SBC Global and Comcast Users Having Blacklist Issues

In the past several days, we have seen a large number of both SBC Global and Comcast users with blacklist problems. Predominantly, the host IP addresses are showing up on the SORBS Dynamic User and Host List (DUHL). By extension, users are seeing bounce-back messages indicating that their emails are blocked because their IP address is on a blacklist. We have every reason to believe that these particular blocks are false positives stemming from net blocking. Net blocking is a shotgun approach to blacklisting in which an entire range of IP addresses is listed, presumably because the range contains or is near a known spam IP. Unfortunately, the people we have spoken with are at the mercy of their respective ISP/email host to get the problem resolved…which most describe as a frustrating exercise. Incidentally, we have also seen a large number of emails blocked by the blacklists that SBC uses to curb spam…probably no connection, but interesting.

The only other reportable trend is a large number of Level 1 blocks from an obscure German blacklist, UCEProtect. A UCEProtect Level 1 listing covers a single IP address that has “either wrong or missing or generic reverse dns (PTR), or dialups, open proxies, open relays, or which are using abusive techniques or which assigned to well known spammers.” However, most of the people on the UCEProtect list that we spoke with did not meet these conditions. This leads us into an interesting discussion topic:

False positives are a significant problem with many widely used blacklists, which is just one reason why a strong inbound/outbound email filtering solution is a superior anti-spam tool.
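To make the net-blocking problem concrete, here is an added example (not code from the original post) of how a mail server consults a DNS-based blacklist and why a listed range catches innocent neighbours. A DNSBL is queried by reversing the IP's octets and appending the zone name; an A record in 127.0.0.0/8 means "listed". The zone names are real, but the meaning attached to each answer code is an assumption taken from the lists' own documentation and should be re-checked before use. The offline resolver and the 192.0.2.0/24 listing are constructed for the demo and are not real listings.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Zone names are the ones the lists publish (dnsbl.sorbs.net is the SORBS
# aggregate zone).  The meaning of each 127.0.0.x answer is an assumption
# taken from the lists' documentation at the time; re-check before relying on it.
ZONES: Dict[str, Dict[str, str]] = {
    "dnsbl.sorbs.net": {
        "127.0.0.6": "SORBS: spam observed from this address",
        "127.0.0.10": "SORBS DUHL: address in dynamic/dial-up space",
    },
    "bl.spamcop.net": {"127.0.0.2": "SpamCop: reported spam source"},
    "dnsbl-1.uceprotect.net": {"127.0.0.2": "UCEPROTECT Level 1: single IP"},
}

Resolver = Callable[[str], List[str]]   # query name -> A records ([] if NXDOMAIN)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_ip(ip: str, resolve: Resolver,
             zones: Dict[str, Dict[str, str]] = ZONES) -> List[Tuple[str, str, str]]:
    """Query every zone; return (zone, answer, meaning) for each listing."""
    hits = []
    for zone, codes in zones.items():
        for answer in resolve(dnsbl_query_name(ip, zone)):
            hits.append((zone, answer, codes.get(answer, "listed, unknown code")))
    return hits


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver (not used in the offline demo below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:          # NXDOMAIN: not listed
        return []


class FakeDnsbl:
    """Offline stand-in for the DNS.  Each zone lists whole networks, which is
    exactly how a net-blocked range behaves: every address inside it answers."""

    def __init__(self, listings: Dict[str, List[Tuple[str, str]]]):
        self.listings = {zone: [(ipaddress.ip_network(net), code) for net, code in entries]
                         for zone, entries in listings.items()}

    def __call__(self, name: str) -> List[str]:
        labels = name.split(".")
        ip = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        zone = ".".join(labels[4:])
        return [code for net, code in self.listings.get(zone, []) if ip in net]


# Constructed scenario using documentation address space, not real listings:
# SORBS has put the ISP's whole /24 on the DUHL, while SpamCop lists only the
# single host that actually sent spam.
FAKE = FakeDnsbl({
    "dnsbl.sorbs.net": [("192.0.2.0/24", "127.0.0.10")],
    "bl.spamcop.net": [("192.0.2.200/32", "127.0.0.2")],
})

if __name__ == "__main__":
    for ip in ("192.0.2.77", "192.0.2.200", "198.51.100.9"):
        print(ip, check_ip(ip, FAKE) or "not listed")
```

Swap `FAKE` for `system_resolver` to run live queries. In the constructed scenario 192.0.2.77 never sent a message yet is listed, because the SORBS entry covers the whole /24; that is the false positive the affected SBC Global and Comcast users are seeing, and nothing they do on their own host will clear it.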

Spam Rates Skyrocketing

For our first post to the MX News Blog, I thought it would be appropriate to dive into the hottest story of the late fall/early winter: spam rates have soared into the stratosphere. According to Postini, spam volumes increased by 60% in September and October. Barracuda Networks reported an increase of 67% over roughly the same period. What does this mean in terms of raw numbers? Postini reports that it monitored 70 billion emails during September and October, and 91% were spam. That means 60.4 billion spam messages were filtered in September and October by Postini ALONE! That is an increase of 30 billion over two months.

Estimates placed the total number of spam messages sent at 55 billion per day…and that was in June 2006, BEFORE the massive uptick we have seen this fall/winter. Any business that doesn’t have an airtight spam and virus filter in place RIGHT NOW is in danger of having spam render its email useless, possibly (probably) open the door(s) to massive virus and malware infections on its network, destroy its “email reputation,” and jeopardize its business viability. It is that serious.

Not only are the spammers busy flooding the entire system with gargantuan amounts of bandwidth-chewing, productivity-killing spam, they are dictating the rules of the filtering game as well. For example, there has been a huge increase in image spam over the past several months. Why? Because many spam filtering solutions are entirely text based. So spammers build messages with layers of images to slip past inadequate filters, hog more bandwidth than before and land in millions of inboxes daily. Here is an example:

[Image spam example: a stock-tip message rendered entirely as a picture; image not preserved]
Don’t call your stock broker just yet 🙂 Image Spam is just the latest “innovation” by what I have coined the “Web Thugs” to bypass filters and continue with Web Thuggery as usual. Luckily for all of us, it is only effective at bypassing the, shall we say, less than robust filtering systems.

One final thought: some spam experts have suggested that the recent increase represents a collective last-ditch effort by spammers to salvage the last possible rewards from their efforts and that the spam battle has reached the end-game. I tend to disagree. There is no question that spammers are making money…tens of millions of dollars a year in some cases. There is also no question that this money is made a few cents at a time. In my mind, the economics of spam dictate that spammers must constantly increase the number of messages they send, especially as more and more of those messages are intercepted by filters. To me, economics explains the spam explosion, nothing else. While I hope to see the day when spam and spammers are nothing more than a footnote in the Internet history books, I do not believe that day is yet upon us. In the meantime, let’s be thankful that we have spam filters that keep the nasty stuff off of our networks and out of our inboxes…I know I am.


Directory Harvest Attacks accounting for new problems

The latest DHA ‘infestation’ appears to be targeting recipients’ accounting departments, using subject lines such as “Billing Update, Claim (or Form) #***”, “August Payment (or Bill) Summary, Invoice #***” and others. When the inbound email server’s anti-spam solution checks the message for content, the body contains a simple, inoffensive line or two (such as “Vendor Invoice attached”) followed by gibberish in the form of random blocks of characters, digits and letters. The random text gives a content filter nothing recognisable to match on, so the content filtering is defeated and the infected message reaches the end users.
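Both of the evasion tricks described on this page, the image-only stock spam in the post above and the gibberish-padded “invoice” messages here, share one property: very little of the message is text a content filter can score. The following added example (not code from the original posts or any product) parses a raw message with Python's standard `email` package and measures two things: what fraction of the payload bytes are image parts, and what fraction of the text tokens look like words. The thresholds, the word regex and the three sample messages are constructed for the demo; a real filter would combine these scores with other evidence rather than block on them alone.

```python
import email
import email.policy
import random
import re
import string
from email.message import EmailMessage
from typing import Dict, List, Optional

# A "word" for scoring purposes: starts with a letter, continues with lowercase
# letters, contains a vowel, may carry trailing punctuation.  Random blocks of
# mixed letters and digits almost never pass this test; ordinary prose does.
WORD = re.compile(r"^(?=.*[aeiouyAEIOUY])[A-Za-z][a-z]{0,14}[.,;:!?'\"()-]*$")

# Thresholds are assumptions chosen for the demo, not values from any product.
IMAGE_FRACTION_LIMIT = 0.8
MIN_WORDS_FOR_IMAGE_MAIL = 20
GIBBERISH_LIMIT = 0.5


def analyze_raw(raw: bytes) -> Dict[str, float]:
    """Parse a raw RFC 822 message and measure how much of it a text-only
    filter can actually see."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    words: List[str] = []
    image_bytes = text_bytes = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # undoes base64/QP
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_bytes += len(payload)
        elif ctype == "text/plain":
            text_bytes += len(payload)
            words.extend(payload.decode("utf-8", "replace").split())
    total = image_bytes + text_bytes
    wordlike = sum(1 for w in words if WORD.match(w))
    return {
        "words": len(words),
        "image_fraction": image_bytes / total if total else 0.0,
        "gibberish_fraction": 1 - wordlike / len(words) if words else 0.0,
    }


def verdict(report: Dict[str, float]) -> str:
    flags = []
    if (report["image_fraction"] > IMAGE_FRACTION_LIMIT
            and report["words"] < MIN_WORDS_FOR_IMAGE_MAIL):
        flags.append("image-only body")
    if report["gibberish_fraction"] > GIBBERISH_LIMIT:
        flags.append("random-text padding")
    return "suspect: " + ", ".join(flags) if flags else "clean"


def make_message(subject: str, text: str, image: Optional[bytes] = None) -> EmailMessage:
    """Build a test message; with an image it becomes multipart/mixed."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "accounts@example.com", subject
    msg.set_content(text)
    if image is not None:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="invoice.gif")
    return msg


# Constructed samples (deterministic seed, so the scores are reproducible).
_rng = random.Random(2006)
_alphabet = string.ascii_letters + string.digits
_blocks = " ".join("".join(_rng.choice(_alphabet) for _ in range(_rng.randint(6, 12)))
                   for _ in range(40))
_fake_gif = b"GIF89a" + bytes(_rng.getrandbits(8) for _ in range(20000))

GIBBERISH_SPAM = make_message("August Payment Summary",
                              "Vendor Invoice attached\n\n" + _blocks)
IMAGE_SPAM = make_message("Billing Update", "see attached", image=_fake_gif)
LEGIT = make_message("August invoice",
                     "Hi Bob, attached is the August invoice for the print job. "
                     "Let me know if the totals look right. Thanks, Alice")

if __name__ == "__main__":
    for name, m in (("gibberish", GIBBERISH_SPAM), ("image", IMAGE_SPAM), ("legit", LEGIT)):
        report = analyze_raw(m.as_bytes())
        print(f"{name:10} {report} -> {verdict(report)}")
```

The point of parsing from `as_bytes()` rather than inspecting the objects directly is that a filter only ever sees the wire format, so the image part arrives base64-encoded and must be decoded before its size is meaningful. A purely text-based filter that never decodes the attachment sees a dozen bytes of harmless text, which is exactly why image spam slips through it.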

On the blacklist front, we’ve noticed fewer reverse DNS issues over the past week, which is good news for those requesting de-listing. However, static IP addresses are still being mis-identified as dynamic by a few of the RBLs, and the practice of netblocking entire ranges of IPs continues on the part of both blacklist organizations and ISPs.

DID YOU KNOW? A Directory Harvest Attack (DHA) is an insidious dictionary-type attack on email servers. The attacker addresses messages (or simply issues SMTP RCPT TO commands) to thousands of guessed names at a domain; the addresses the server accepts rather than rejects are harvested as legitimate and then receive even more spam. DHAs cause email servers to spend valuable resources responding to thousands of bogus address requests, slowing the delivery of legitimate, business-critical messages.
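The exchange behind a DHA is simple enough to model in a few lines. The following is an added example (not code from the original post): it simulates only the RCPT TO decision of an inbound mail server, a harvester that walks a dictionary of likely local parts, and one common hardening, cutting the session after a few invalid recipients and refusing further connections from that source. The user directory, the dictionary and the limits are constructed for the demo.

```python
from typing import Iterable, List, Optional, Set, Tuple

DOMAIN = "example.com"
# Constructed directory; the attacker's dictionary below only partly overlaps it.
VALID_USERS: Set[str] = {"alice", "bob", "accounts", "invoices"}
DICTIONARY = ["admin", "alice", "sales", "bob", "info", "support",
              "accounts", "billing", "hr", "webmaster", "postmaster", "invoices"]


class MailServer:
    """Models only the RCPT TO decision of an inbound MTA, not a full SMTP server.

    reveal=True reproduces the classic leak: 250 for a known user, 550 otherwise,
    so every reply tells the harvester whether a guess was right.  With
    reveal=False the server still rejects unknown users but disconnects (421)
    after max_unknown bad recipients in one session, and refuses new sessions
    from the source once max_sessions have been opened.
    """

    def __init__(self, users: Set[str], reveal: bool = True,
                 max_unknown: int = 3, max_sessions: Optional[int] = None):
        self.users, self.reveal = users, reveal
        self.max_unknown, self.max_sessions = max_unknown, max_sessions
        self.sessions_opened = 0

    def session(self) -> "Session":
        self.sessions_opened += 1
        refused = (self.max_sessions is not None
                   and self.sessions_opened > self.max_sessions)
        return Session(self, open_=not refused)


class Session:
    def __init__(self, server: MailServer, open_: bool = True):
        self.server, self.open, self.unknown = server, open_, 0

    def rcpt_to(self, addr: str) -> str:
        if not self.open:
            return "421 service not available, closing transmission channel"
        local = addr.rsplit("@", 1)[0].lower()
        if local in self.server.users:
            return "250 OK"
        self.unknown += 1
        if not self.server.reveal and self.unknown >= self.server.max_unknown:
            self.open = False
            return "421 too many invalid recipients, closing"
        return "550 5.1.1 no such user"


def harvest(server: MailServer, candidates: Iterable[str]) -> Tuple[List[str], int]:
    """Directory harvest: probe each dictionary name with RCPT TO and keep the
    addresses the server accepts.  Returns (harvested addresses, sessions used).
    """
    found, sessions = [], 1
    sess = server.session()
    for local in candidates:
        addr = f"{local}@{DOMAIN}"
        reply = sess.rcpt_to(addr)
        if reply.startswith("421"):          # kicked out: reconnect and retry once
            sessions += 1
            sess = server.session()
            reply = sess.rcpt_to(addr)
            if reply.startswith("421"):      # source is now refused outright
                break
        if reply.startswith("250"):
            found.append(addr)
    return found, sessions


if __name__ == "__main__":
    print("leaky:   ", harvest(MailServer(VALID_USERS), DICTIONARY))
    print("limited: ", harvest(MailServer(VALID_USERS, reveal=False), DICTIONARY))
    print("refused: ", harvest(MailServer(VALID_USERS, reveal=False, max_sessions=2), DICTIONARY))
```

Against the leaky server the whole directory is recovered in a single connection. The per-session limit alone does not hide anything, it only forces the harvester to reconnect (four sessions for this twelve-name dictionary), which is why it has to be paired with a per-source connection budget or tarpit: with that in place the probe is cut off before it reaches the last valid name.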

Possible change of heart between ISPs and RBLs?


While the majority of requests since Friday have come from a large variety of ISP accounts, the common thread has been the continued prevalence of reverse DNS issues. In the most common scenario, the PTR record for the user’s outbound IP address resolves to a generic hostname in the ISP’s domain rather than to the user’s own domain; we are also still seeing IP addresses with no PTR record and hostnames with no “A” record. Remember, any of these situations can make it difficult for receiving mail servers to trust the sender.

Otherwise, it’s been the usual mix of RBLs listing ranges of IP addresses…or identifying static IP addresses as dynamic…with only a few isolated reports of spam messages being sent directly from the specific IP addresses.

In an unusual development, we’ve now received multiple requests from companies that have received bounceback messages from Yahoo accounts stating that SORBS blacklists were used to reject their emails. This is the first time we’ve heard of a “meeting of the minds” between ISP hosts and RBL companies. Up to now, that relationship has been more one of two opposing army camps…with neither side willing to see the other’s point of view. It will be interesting to see if this apparent change in attitude turns into a trend.

Using RBLs for email security can bite when you least expect it


A situation that arose today illustrates the problematic nature of RBL use for spam filtering. A business owner who had been using the same email address to correspond with a client for the past seven years suddenly got a bounce-back message from that client stating that her mail was being blocked by a public blacklist (SORBS). Further research on that site revealed that her IP address fell within a range of addresses owned by her ISP host that had sent spam in the past.

Our intrepid communicant then tried to contact her customer using her Yahoo email account instead. She was bounced again, but this time the message stated that her email had been blocked by yet another blacklist (SPAMCOP) because it came from another listed netblock. At this point, she picked up the phone and called her customer instead. As you can see, the use of blacklists can create high false positive rates…with the capacity to interrupt and damage your business communications with trusted customers.

On another note, many of the reports over the past two days have involved SBC, QWEST, VERIO and BellSouth customers — both hosted and non-hosted — who have been included in ISP spammer netblocks by JAMMDNSBL, SORBS, SPEWS, NOMOREFUNN and DNSBL. Once again, the blacklist companies are not saying that these companies’ specific domains and IP addresses have been spamming…but they are still suffering the consequences.

Reverse DNS issues have expanded again, and include missing PTR records (IP address to hostname) or “A” records (hostname to IP address), multiple PTR records for the same IP, and checks that return the upstream host’s PTR record instead of the user’s. Keep in mind that while these scenarios don’t usually create NDRs (Non-Delivery Reports) on their own, they can make it difficult to get de-listed from various RBL sites.
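The reverse DNS conditions listed here and in the post above (missing PTR, missing A, several PTRs for one IP, a generic ISP hostname instead of the sender's own) are all caught by one check that receiving servers and de-listing forms commonly run: forward-confirmed reverse DNS, where the PTR name must have an A record pointing back at the same IP. The following is an added example (not code from the original posts) that implements that check with pluggable lookups so it runs offline; the hostname patterns treated as "generic" and the sample DNS data are constructed assumptions for the demo.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]   # ip -> hostnames from PTR records
ALookup = Callable[[str], List[str]]     # hostname -> addresses from A records

# Hostname fragments that mark generic ISP/dynamic space; an assumption used by
# this demo, not a rule any particular RBL publishes.
GENERIC_HINTS = re.compile(r"(dsl|dyn|dhcp|pool|ppp|cable|dial)", re.I)


@dataclass
class RdnsReport:
    ip: str
    ptr_names: List[str]
    status: str                                # "ok", "no_ptr" or "mismatch"
    warnings: List[str] = field(default_factory=list)


def fcrdns(ip: str, ptr: PtrLookup, a: ALookup) -> RdnsReport:
    """Forward-confirmed reverse DNS: the PTR name must have an A record that
    points back at the same IP.  Also flags the other conditions the text lists."""
    names = ptr(ip)
    report = RdnsReport(ip, names, "no_ptr")
    if not names:
        return report
    if len(names) > 1:
        report.warnings.append("multiple PTR records for one IP")
    confirmed = [n for n in names if ip in a(n)]
    report.status = "ok" if confirmed else "mismatch"
    octets = ip.split(".")
    for name in names:
        parts = re.split(r"[.-]", name)
        # A PTR that spells out the IP, or carries a dial-up/DSL marker, is the
        # ISP's generic name rather than the sender's own host.
        if GENERIC_HINTS.search(name) or all(o in parts for o in octets):
            report.warnings.append(f"generic ISP-style PTR: {name}")
    return report


def live_ptr(ip: str) -> List[str]:
    """OS resolver lookup.  gethostbyaddr returns a single PTR name, so a real
    multiple-PTR check needs a DNS library; not used in the offline demo."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed DNS data on documentation address space, one case per scenario.
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com"],                     # healthy
    "192.0.2.20": ["192-0-2-20.dsl.isp.example.net"],       # ISP's generic name
    "192.0.2.30": [],                                        # no PTR at all
    "192.0.2.40": ["mail.example.org", "www.example.org"],  # two PTRs
    "192.0.2.50": ["mail.example.net"],                     # A does not point back
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10"],
    "192-0-2-20.dsl.isp.example.net": ["192.0.2.20"],
    "mail.example.org": ["192.0.2.40"],
    "www.example.org": ["192.0.2.40"],
    "mail.example.net": ["198.51.100.7"],
}


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(fcrdns(ip, fake_ptr, fake_a))
```

Run it with `live_ptr` and `live_a` against your own outbound address before requesting de-listing: a "mismatch" or "no_ptr" result is something only the party that controls the reverse zone (usually the ISP) can fix, and a generic ISP-style name, even when it forward-confirms, is what a dynamic-space list such as the SORBS DUHL keys on.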

Dog Days of Summer return

Things have pretty much returned to normal over the weekend — we’re seeing the usual scenario: RBLs such as SORBS, SPAMCOP, FIVETEN and others are netblocking entire IP address ranges from ISPs that have included known spammers in the past…which means they’re continuing to catch non-spamming companies in their nets as well.

There have been a few new reports of open relay problems, while reverse DNS issues have dropped off again…and no new Non Delivery Reports (NDRs) from the major ISPs have popped up so far this week.


FARS Require Government Contractors to Archive Emails, IM and other Digital Communication

Government Contractors (large and small) have special electronic message archiving requirements, which they must follow to comply with the Federal Acquisition Regulations (FARS). The specifics of the retention requirements are complicated, and are further complicated by additional requirements imposed by various branches of the Federal Government (DOE, DOD, etc.). Consult your legal counsel for specifics.