Monthly Archives: April 2007

Britney Spears Spam Campaign Tied To .ANI Exploit Flaw

We have seen a rash of obvious spam touting vulgar pictures of Britney Spears this week. Users receive an email with the subject line “Hot Pictures of Britiney Speers” that is written in HTML and has anti-spam avoidance text within the HTML comments. Evidence that came to light this morning suggests that this particular spam campaign is directly related to the animated cursor exploit flaw that has been causing problems since last week. Links in the spam messages lead to sites either compromised, or built, to deliver trojans and keystroke loggers to any windows machine with animated cursors. Users should never, ever click on links in spammy messages…especially not these, no matter how badly they want to check out the hot pictures of Britney Spears.

Exchange and NDR Spam

Directory Harvest Attacks Can Turn You Into an NDR Spammer


If you don?t know what Exchange Recipient Filtering is, then your company may be sending out spam.  Many of our customers and friends run Exchange servers, so we like to periodically discuss Exchange best practices.  Fortunately, adding recipient filtering is a very simple and straight forward change to make.


First, a little background.  Directory Harvest Attacks (DHAs) are an extremely common way for spammers to infiltrate your corporate users’ inboxes.  The idea is simple?the spammer connects to your mail server and just starts guessing email addresses (e.g. john@, sally@, sales@, etc).  They might literally try thousands of combinations…and why not?  They are not paying for it and have all the time in the world.  This is of course very bad news for you.  Two problems arise:  1) The spammer(s) will eventually have your entire corporate email directory, and 2) All of these lookups can bring your mail server to a grinding halt.


Microsoft decided to address this threat in an unfortunate way.  By default, Exchange will asynchronously bounce bad recipients.  That means instead of telling the sending mail server right away that a recipient does not exist, Exchange says all recipients are valid.  According to the idea, spammers are just wasting their time with directory harvest attacks.  The server appears to accept ALL recipients for your domain, so the spammer cannot tell the good addresses from the bad.  The theory was that since this would provide little value to spammers, they simply would not do it.  It turns out a differently in practice.


The problem with this approach is that Exchange must at some point notify the sender that the recipient was not found.  So, Exchange generates a NEW email message (called an NDR or Non-delivery Report) and sends it to the sender of the email message.  But, wait.  What if the spammer did not use his REAL email address?  In fact, what if he LIED and said the message was coming from victim@someplace.com?  Your server just spammed the real victim. Not only have you inadvertently contributed to the spam epidemic, you have also put the reputation of your company, domain name, and IP address reputation at risk.


 


Configuring Recipient Filtering


 


We highly recommend that anyone running a corporate email server invest in top-of-the-line Anti-spam technology.  It will pay off a thousand fold in the long run.  Most good anti-spam solutions do a reasonable job of limiting the impacts of Directory Harvest attacks.  But almost all still will allow a sender to try quite a few bad recipients before shutting them down. 


 


That means that EVERYONE running an Exchange server should consider the following configuration change to limit the impacts of this problem.  If you are running Exchange 2003, then you need to add a recipient filter rule:


To configure recipient filtering, follow these steps:


1. Start the Exchange System Manager tool.
2. Expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
4. When you receive the following message, click OK:
Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help sections.
5. Expand Servers, expand your computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
6. On the General tab, click Advanced.
7. Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.


Note If you are running Exchange in a front-end/back-end environment, recipient filtering must be enabled on the SMTP bridgehead server or servers.


If you are on an older version of Exchange, then you are out of luck (sorry).  You might want to consider migrating to a business class hosted email solution and let all of this become someone else’s problem.  Alternatively, you can use a gateway email solution, which rejects bad recipients synchronously via its own internal directory, or via LDAP against your Active Directory.


MxToolBox customers who need help with this issue should contact our support team.  We are happy to walk you through the options.


 


Digg! Add to Technorati Favorites  Save This Page

Spam Costs $712 In Productivity Per Employee, Per Year

Research results released by Nucleus Research suggest that spam costs $712 in worker productivity per employee, per year. The study found that business email users typically receive 21 spam messages in their inboxes per day. Workers spend 16 seconds identifying and deleting each spam message, which translates into an annual cost of $70 Billion to US Businesses.


Bear in mind that this number only reflects lost productivity, and does not take into account the cost of anti-spam solutions employed by businesses. Although, a ” solution” that lets more than zero to five spam messages into a user’s inbox per day is really no solution at all.


How many spam messages do your users receive per day? How many spam messages do you block? 


Digg! Add to Technorati Favorites  Save This Page

***Draft: Best Practices: Exchange and NDR Spam

If you don’t know what Exchange recipient filtering is, your company may be sending out spam.   Many of our customers and friends run Exchange servers, so we like to periodically discuss Exchange best practices.  Fortunately, this change is very simple and straight forward to make.


First, a little background.  Directory Harvest attacks are extremely common ways for spammers to infiltrate your corporate users’ inboxes.  The idea is simple.  They connect to your mail server and just start guessing email addresses (e.g. john@, sally@, sales@, etc).  They might litterally try thousands of combinations…and why not?  They’re not paying for it and have all the time in the world.  This is of course very bad news for you.  Two problems arise:  1) they will eventually have your entire corporate directory, and 2) all of these lookups can bring your mail server grinding to a halt.


Microsoft decided to address this threat in an unfortunate way.  By default, Exchange will Asynchronisly bounce bad recipients.  That means instead of telling the sending mail server right away that a recipient doesn’t exist, Exchange says all recipients are valid.  According to the idea, spammers are just wasting their time with directory harvest attacks.  The server appears to accept ALL recipients for your domain, so the spammer can’t tell the good from the bad addresses.  The theory was that since this would be of little value to them, they simply wouldn’t do it.  It turns out a little differently in practice.


The problem with this approach is that Exchange must at some point notify the sender that the recipient was not found.  So, Exchange generates a NEW email message (called a NDR or Non-delivery Report) and sends it to the sender of the email message.  But hold on.  What if the spammer didn’t use his REAL email address.  In fact, what if he LIED and said the message was coming from victim@someplace.com?  Your server just spammed the real victim.


We highly recommend that anyone running  a corporate email server invest in top-of-the-line Anti-spam technology.  It will pay off a thousand fold in the long run.  Most good anti-spam solutions do a reasonable job of limited the impacts of Directory Harvest attacks.  But almost all still will allow a sender to try quite a few bad recipeints before shutting them down. 


That means that EVERYONE running an Exchange server should consider the following configuration change to limit the impacts of this problem.  If you are running Exchange 2003, then you need to add a recipient filter rule:



To configure recipient filtering, follow these steps:


1. Start the Exchange System Manager tool.
2. Expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Recipient Filtering tab, click to select the Filter recipients who are not in the Directory check box, and then click OK.
4. When you receive the following message, click OK:
Connection, Recipient, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.
5. Expand Servers, expand your computer, expand Protocols, expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
6. On the General tab, click Advanced.
7. Click Edit, click to select the Apply Recipient Filter check box, and then click OK three times.



Note If you are running Exchange in a front-end/back-end environment, recipient filtering must be enabled on the SMTP bridgehead server or servers.


If you are on an older version of Exchange, then you are out of luck (sorry).  You might want to consider migrating to a business class hosted email solution and let all of this become someone else’s problem.  Alternatively, you can use a gateway email solution which rejects bad recipients syncronously via it’s own internal directory, or via LDAP against your Active Directory.


MxToolBox customers who need help with this issue should contact our support team.  We’re happy to walk you through the options.

Virus Disguised as Internet Explorer Download

A malware campaign with several variations of emails appearing to come from Microsoft encouraging readers to click on a link to download IE Explorer updates is currently making the rounds. The malware is delivered when readers click on the link (usually imbedded in a photo). This article discussses the issue. The virus, Virus.Win32.Grum.A, spreads by emailing itself to contacts in a user’s address book. It tampers with registry files to ensure it gets installed, and then tries to download additional files from the internet


The messages are sent high importance and have coincided with news about a zero day cursor flaw.   


I discovered two of these messsages in my spam quarantine folder. Both had a sent-from address of admin@microsoft.com and had professional looking images embedded. However, as expected, the links do not revert to Microsoft.


Admins should alert users immediately not to click these links.


Digg! Add to Technorati Favorites  Save This Page

Switzerland Makes Sending Spam Illegal

A new law in Switzerland banning spam took effect on Sunday, April 1, 2007. The law makes sending spam from Switzerland a punishable offense and brings Switzerland’s anti-spam laws into line with the US and EU. Offenders can face up to three years in prison and $82,566 in fines.


The most interesting (and unique) component of the legislation is that it places responsibility on end-users. Computer owners who fail to protect their machines from spam bot infection may now be help accountable and punished if spam is found to originate from their machines.


Is this what it will take to solve the botnet pandemic? 


 

Europe Sees First “Pump and Dump” Campaign

Europe’s first pump and dump spam scampaign was unleashed late last week. The campaign was designed to artificially manipulate the price of a German company’s stock. Pump and Dump has long been a problem for American penny, or Pink Sheet stocks. The US SEC recently announced a campaign, dubbeed ‘Operation Spamalot,’ to thwart the practice. 


Is it possible that the SEC’s move is leading the cyber thugs to test the pump and dump waters in Europe, or is it just a coincidence?   


Digg! Add to Technorati Favorites  Save This Page