Monthly Archives: September 2010

Back to Spam – September Newsletter

Back to Spam

Most companies make use of some type of Spam and Virus Protection which does a remarkable job of neutralizing unsolicited and detrimental messages, so how is it that spam still exists and thrives to wreak havoc? Below are some of the five most common pitfalls that allow spam to continue, and what you can do about it:

Zombie Workstations
Either via an inbound spam message that was missed, a website exploiting a bug in a browser, or an infected file being transported onto your network by a user, workstations are very prone to being infected with malicious code in the form of a virus, malware, trojan, or the like. The source can be complicated to cure, but there’s a very simple fix to save the rest of us from those machines sending us spam, and getting your public IP Blacklisted to boot.

Simply configure an outbound firewall rule to only allow outbound connections on port 25 from your in-house mail server. If you don’t have a mail server, then your network shouldn’t need to make outbound connections on port 25 (or inbound ones for that matter). You may need to reconfigure some Email clients who are using port 25 to connect to their SMTP server, but most servers these days have the ability to leave port 587 open for this type of connection.

By shutting down your local network from creating outbound 25 traffic, you are removing the ability for your workstations to generate a message and deliver it without going through your gateway which you as a good sys-admin monitor and control.

Servers Acting as Open Relays
The next largest source of unintentional spam are misconfigured servers or servers with accounts that have weak passwords. By not having authentication configured correctly you can allow connections from the outside to use your server to send mail. Spammers will just troll IP addresses looking for Open Relays and exploit any hole that is left open for them to use your server to send their spam. Additionally they can find the home server for an email account and attempt to authenticate as that user with a “brute force” password attack. However brute is not a fitting adjective when you let your users set up their account with their password set to “password” or “1234” or the like.

At the very least, we recommend having a good firewall in front of your mail server to look for these types of attacks. Ideally you would have either an Edge MTA which acts as a perimeter for your main mail server or employ a cloud based solution so that you can block incoming traffic against your mail server from anybody but that trusted source which has very high levels of security in place.

Clever Trickery
Spammers are tricky devils and they learn and adapt to email defense systems to break those systems or to circumvent them. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containg error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a notification Non-Delivery Report (NDR) to let them know that their message wasn’t delivered.

Spammers can make use of this feature in the following way: They create a message and forge the From: field to contain the email address of their intended target. Then they send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact you just delivered the message for the spammer from your server and IP address which they most likely trust. This type of spam is difficult to detect and block because it is technically an illegitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server is never actually accepting the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying it’s own user of the failure.

Malware, Trojans & Viruses
These three words strike fear into all system administrators. You know that if your workstations become infected with malware, a trojan or a virus you have hours of work ahead of you identifying and eradicating the source.

Malware spreads spam by infecting a computer by secretly accessing a computer system without the owner’s informed consent. The infection can spread through several sources including computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software. In the end you are left with a barely working machine that could be blasting out spam and spreading the infection further.

Trojans are malware that appear to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user’s computer system. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. Once executed machines are often turned into zombie bots that send out spam.

Viruses are computer programs that can copy themselves and infect computers. A virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

New Spam Tactics
Filter providers continue to hone their techniques in this constant game of cat and mouse. The latest trend is a shift to email worms. “The worm arrives via emails with the subject line ‘Here You Have’ or something similar, and the messages contain a link to a site that will download a malicious file to the victim’s PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file.” (Slashdot)

Wrap up
A few years ago the worse spam you saw was “image spam“, this type of spam tricked the filters because it was a .jpg or .gif file that was at that time allowed by most servers as a non-threat. However, each day spam is evolving to become more aggressive and preys on your unassuming users. As well, many sources of online threats have shifted their attention from launching attacks through email systems and have targeted web browsers as an often unguarded entryway into a network. To combat all of these threats, it is highly recommended to include a Business Perimeter Security Solution in combination with Web Filtering.

August Newsletter
Sailing the Email Marketing Seas

From all of us at MxToolBox, thank you for your business and your time.

Forums Find updates on our BLOG
Twitter Join us on our FORUMS
Blog Follow us on TWITTER Facebook Become our fan on FACEBOOK

Telnet Test – A Great Troubleshooting Tool & Technique

Oftentimes it is very helpful to remove your mail server from the equation to see if there is an underlying network / reputation problem blocking mail flow. Here’s how you can manually send a test message using the telnet command built into every operating system. You’ll need to determine the name or address of your recipeints mail server. You can do this by looking up their MX record at http://mxtoolbox.com. In my example the MX record is a1.mx-route.com. Your commands are in bold below and the responses I got are in italic. Be careful, on Windows if you typo you cannot backspace and correct yourself. Just hit enter and retype the entire command.

telnet a1.mx-route.com 25
Trying 208.123.79.41…
Connected to a1.mx-route.com (208.123.79.41).
Escape character is ‘^]’.
220 a1-1.mx-route.com ESMTP

helo mxtoolbox.com
250 a1-1.mx-route.com
mail from: <peter@mxtoolbox.com>
250 sender <peter@mxtoolbox.com> ok
rcpt to: <support@mxtoolbox.com>
250 recipient <support@mxtoolbox.com> ok
data
354 go ahead
Subject: Test Message
This is a test message.
.

250 ok:  Message 156715331 accepted
quit
221 a1-1.mx-route.com
Connection closed by foreign host.

Here you can see that the sender, recipient and message were accepted by the 250 responses from the recieving mail server. If there are problems you will see them reflected with 4xx or 5xx responses that can be very helpful for figuring out the problem.

A few of our readers had asked for an explanation of the above commands, here ya go!

telnet a1.mx-route.com 25 Use the telnet command to connect to a1.mx-route.com on port 25
Trying 208.123.79.41… Trying to connect
Connected to a1.mx-route.com (208.123.79.41). Connection was successful
Escape character is ‘^]’. The server is telling you how to hang up. In this case you press Control-]
220 a1-1.mx-route.com ESMTP This is called the banner. The server is telling you some more about itself and letting you know that it is your turn to talk. In this case the 220 means that it’s a good connection, the machine’s name is a1-1.mx-route.com and it can talk using the ESMTP protocol.

helo mxtoolbox.com We are saying hello to the machine and telling it our domain name. I can use the domain name to reverse lookup our IP and make try to make sure we aren’t spoofing somebody else and that we are reputable.
250 a1-1.mx-route.com The server is saying okay (250 means good) and again telling us it’s name.
mail from: <peter@mxtoolbox.com> I would like to send you a message from <peter@mxtoolbox.com>.
250 sender <peter@mxtoolbox.com> ok The server seems to be agreeable to this idea (again 250 means good). It can use several methods to decide if it wants to accept a message from you.
rcpt to: <support@mxtoolbox.com> I would like to send the message to <support@mxtoolbox.com>.
250 recipient <support@mxtoolbox.com> ok The server again is okay with this transaction so far.
data I am ready to send you the message data.
354 go ahead Server says okie dokie.
Subject: Test Message The message subject.
This is a test message.
Some text.
.
The period all by itself is the signal that we are done sending message data.
250 ok: Message 156715331 accepted The server has successfully (250 again) accepted the message and assigned it ID 156715331.
quit We are done now. You can close the connection.
221 a1-1.mx-route.com The server agrees. . Good bye.
Connection closed by foreign host. The server has closed the connection.