Monthly Archives: September 2011

Attack of Zeus, Win32/Zbot – Malware/Trojan Horse

We have noticed an uptick of inquiries on our site about the Trojan Horse Zeus (Win32/Zbot). This bot was originally discovered in January 2010 but appears to be rearing its ugly head again with a vengeance. Zeus is a banking malware trojan that specializes in stealing personal information (passwords, account information, etc.) from interactions with banking sites through the use of “formgrabs”. The trojan is generally distributed through spam campaigns and drive-by downloads from the web.

Once a computer on your network has been infected, the trojan really gets to work. The bot will attempt to send out infected emails without being detected, which will more than likely cause your mail server IP to become listed on the CBL Blacklist.

Now you may be asking yourself: How did I get infected when I have Anti-Virus on all machines and am blocking Port 25 traffic on my email server? You have done the majority of the work to protect yourself by locking the front door (Anti-Virus) and the back door (block Port 25), but you may have unknowingly left the window open (Web Filtering). With up to 85% of malware now distributed via the Web, proactive Web security is a necessity.

MxToolbox has partnered with Webroot (May 2010 Newsletter) to offer Web Filtering to protect your network from attacks through the web browser. Our Total Security Solution includes Business Email Perimeter Security in combination with Web Security to provide additional layers of protection to combat Email and Internet threats. Webroot eliminates spyware and viruses with best-of-breed scanning engines and offers a 100% guarantee. In addition to protecting against malware you have the ability to enforce web access policies across your entire organization or specific to groups of employees and generate detailed reports of Internet browsing over time.

Vulnerability Scanning and Spyware Detection

Webroot is the only Web Security Service to include Vulnerability Scanning, which is an extra layer of protection. This tool scans endpoints directly from the Desktop Web Proxy (DWP) to identify known vulnerabilities in operating systems, browser versions, media players, office programs, and other installed software.

If you are interested in speaking to one of our web security experts to learn more about our Total Security offering, please feel free to contact us at 866-mxtoolbox or at sales@mxtoolbox.com.

Additional Resources
Webroot
Wikipedia
Symantec


Non-Delivery Report (NDR) Spam or Backscatter Spam

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

In our continuing blog series about bounce backs and error codes we wanted to talk about NDR Spam or Backscatter Spam. As we all know, spammers are tricky devils and they spend the majority of their time learning to adapt and circumvent email defense systems. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) notification to let them know that their message wasn’t delivered.

Unfortunately, spammers can exploit this feature by creating a message with a forged Sender (From: field) so that the bounce will reach their intended target. They then send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact, you have just delivered the spammer’s message from your own server and IP address, which the recipient most likely trusts. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to check whether the recipient exists during the SMTP conversation. By doing that, your server never actually accepts the message from the sender and therefore need not generate a notification message. A sending server with a legitimate message for a non-existent address is then responsible for notifying its own user of the failure.
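The difference between the two behaviours described above, as an added simulation that is not code from the original post: the same forged envelope is walked through an accept-then-bounce server and a server that checks the mailbox at RCPT TO. The domain, mailbox names and reply strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed data for the example: the mailboxes that exist on our domain.
LOCAL_DOMAIN = "example.com"
VALID_USERS = {"alice", "bob"}

@dataclass
class Outcome:
    # (client command, server reply) pairs for the simulated SMTP dialogue
    transcript: List[Tuple[str, str]] = field(default_factory=list)
    # address our server bounced to, or None if we generated no NDR
    ndr_sent_to: Optional[str] = None

def handle_transaction(mail_from: str, rcpt_to: str, reject_at_rcpt: bool) -> Outcome:
    """Walk one SMTP envelope and record whether OUR server emits an NDR.

    reject_at_rcpt=False: accept every recipient and bounce later, which is what
    lets a forged MAIL FROM turn this server into a backscatter source.
    reject_at_rcpt=True: verify the mailbox during the conversation and refuse
    it with a 550, so the sending MTA owns the failure and we never bounce.
    """
    out = Outcome()
    out.transcript.append((f"MAIL FROM:<{mail_from}>", "250 2.1.0 OK"))
    local, _, domain = rcpt_to.partition("@")
    exists = domain == LOCAL_DOMAIN and local in VALID_USERS
    if not exists and reject_at_rcpt:
        # Refused before DATA: nothing was accepted, so there is nothing to bounce.
        out.transcript.append((f"RCPT TO:<{rcpt_to}>", "550 5.1.1 User unknown"))
        return out
    out.transcript.append((f"RCPT TO:<{rcpt_to}>", "250 2.1.5 OK"))
    out.transcript.append(("DATA", "250 2.0.0 OK: queued"))
    if not exists:
        # Accept-then-bounce: local delivery fails after the sender has gone,
        # so an NDR goes to whoever MAIL FROM named, forged or not.
        out.ndr_sent_to = mail_from
    return out

if __name__ == "__main__":
    forged = "victim@target.example"  # constructed: the spammer's real target
    for policy in (False, True):
        o = handle_transaction(forged, "nosuchuser@example.com", reject_at_rcpt=policy)
        print(f"reject_at_rcpt={policy}: last reply {o.transcript[-1][1]!r}, NDR to {o.ndr_sent_to}")
```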

How to Handle Non-Delivery Reports
On Exchange servers, non-delivery reports (NDRs) are enabled. You can disable them by using Exchange System Manager. You can also specify who can receive copies of NDRs.

To disable NDRs in Exchange 2003, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
  3. Click the Advanced tab.
  4. Click to clear the Allow non-delivery reports check box, and then click OK.

To specify who can receive copies of NDRs, follow these steps:

  1. Under Administrative Groups, expand First Administrative Group, expand Servers, expand server name, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
  2. Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
  3. Stop, and then restart the MS Exchange Routing Engine and SMTP services.

“Lock Down”
Another method to ensure that your server is not helping create Backscatter spam is to have a perimeter Lock Down in place. This will protect your entire network and company by using a Perimeter Defense Email system that prevents spam and viruses from ever reaching your network.

We highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services. It will pay off a thousand fold in the long run. Most good anti-spam solutions do a reasonable job of limiting the impact of NDR spam attacks, but almost all will still allow a sender to try quite a few bad recipients before shutting them down.

Additional Resources:
http://support.microsoft.com/kb/294757
How to Read Email Bounce Backs and Errors

Bounce Backs: Denied For Spam, Message Rejected, Spam Source Blocked, What Does it Mean?

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them, we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

Have you ever received a bounce back that refers to your message as being blocked because it was considered spam? While the actual language of the bounce back or error message may vary, if the error code is a 500-series error it means the message could not be delivered to the recipient (400/500 Email Bounce Back Errors Explained). In this particular case, we are referring to bounce backs that say a message was denied due to spam or IP reputation. The bounce back message itself will help identify why the message was denied (How to Read Email Bounce Backs and Errors): the content of the message, unsolicited commercial email, or a sending IP Address reputation problem at the Internet Service Provider (ISP) or email provider (Blacklist).

Example Bounces
551 Denied for Spam
554 Service unavailable; Client host [<hostname>] blocked using Barracuda Reputation
554 Your access to this mail system has been rejected due to the sending MTA’s poor reputation
554 Denied (Mode: normal)
550 5.7.1 Message rejected as spam by Content Filtering
571 spam source blocked – psmtp
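A small classifier for bounce lines like the ones listed above, added here as an example and not part of the original post: it splits off the reply code and optional enhanced status code, decides whether the failure is temporary or permanent, and uses keyword heuristics (an assumption of this example) to sort each bounce into the causes the post goes on to describe. The six sample lines are the ones quoted above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# "<3-digit code> [<enhanced status x.y.z>] <free text>"
BOUNCE_RE = re.compile(r"^\s*(?P<code>[245]\d\d)\s+(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")

# Keyword heuristics (assumed) tying bounce wording to the causes described in the post.
REPUTATION_WORDS = ("reputation", "source blocked", "blocked using", "blacklist", "rbl")
CONTENT_WORDS = ("content", "spam")

# The six bounce lines quoted in the post, used here as sample input.
SAMPLE_BOUNCES = [
    "551 Denied for Spam",
    "554 Service unavailable; Client host [<hostname>] blocked using Barracuda Reputation",
    "554 Your access to this mail system has been rejected due to the sending MTA's poor reputation",
    "554 Denied (Mode: normal)",
    "550 5.7.1 Message rejected as spam by Content Filtering",
    "571 spam source blocked - psmtp",
]

def classify_bounce(line: str) -> Optional[Dict[str, object]]:
    """Split a bounce line into code, enhanced status, permanence and likely cause."""
    m = BOUNCE_RE.match(line)
    if not m:
        return None
    code, esc, text = m.group("code"), m.group("esc"), m.group("text")
    permanence = {"2": "accepted", "4": "temporary", "5": "permanent"}[code[0]]
    lowered = text.lower()
    if any(w in lowered for w in REPUTATION_WORDS):
        reason = "ip_reputation"      # check the sending IP against blacklists, get delisted
    elif any(w in lowered for w in CONTENT_WORDS):
        reason = "content_or_spam"    # look at subject, body and signature
    else:
        reason = "unspecified"
    return {"code": int(code), "enhanced": esc, "permanence": permanence,
            "reason": reason, "text": text}

def summarize(lines: List[str]) -> Counter:
    """Count likely causes across a batch of bounce lines (unparseable lines are skipped)."""
    parsed = (classify_bounce(l) for l in lines)
    return Counter(p["reason"] for p in parsed if p is not None)

if __name__ == "__main__":
    for line in SAMPLE_BOUNCES:
        print(classify_bounce(line))
    print(summarize(SAMPLE_BOUNCES))
```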

Message Content
The subject line and content of an email message are incredibly important! These two components can often lead to a spam filter flagging a message as spam and either placing the message in the recipient’s Junk Folder or worse, sending the message into a black hole never to be seen. We highly recommend taking extra time to ensure that your message has valuable content that someone would want to read and doesn’t sound too “spammy” or “salesy.” This may seem simple, but it is amazing how often this is overlooked.

Another critical element to consider when constructing your message is that most larger Email Service Providers are using human influence in their spam scoring. This human touch is important to consider as users finally have the power to influence spam filtering. When users mark a message as spam some providers use this data to flag similar emails as spam and may add your email address, domain, or IP to a Blocked List. Sometimes the message is in fact a legitimate mailing that was requested by the end user but in the end if the recipient does not want the message in their inbox, they will often mark it as spam (The Search for the Perfect Spam Filter – October Newsletter).

Email Signatures
We have been seeing more and more issues with email signatures causing messages to be blocked. Just like the content of your message, be sure to keep your signature simple and free of extraneous information. For instance if you are recommending an outside company’s URL, make sure they are not Blacklisted and that they don’t have domain reputation problems. If certain messages are not getting through your recipient’s spam filter, make sure your signature is as clean as possible. You may also consider removing any images in your signature as well as that is a tactic that spammers will often use.

Explicit Blocked List
Another way that you could receive this bounce back message is if your email address or domain has been added to an explicit block list. This means that someone adjusted their spam filters to specifically block messages from your email address or domain. Unfortunately there is not much you can do in this case other than reach out to the recipient by other means to ask if they will consider removing the block. However, if they took the time to adjust the filters they usually have a reason for it.

Blacklist
If your company gets Blacklisted it could cause major trouble for your business and slow down your communication with current customers, prospects and, in general, the outside world. A Blacklist, also known as a Real-Time Blacklist (RBL), is a list of problematic IP Addresses compiled by organizations monitoring spam on the Internet. There are many such organizations, ranging from one person tinkering in their free time to large multinational corporations. MxToolBox provides a Free Blacklist Lookup Tool that will check an IP Address against over 100 different blacklists. We do not control nor are we affiliated with any of the organizations running the lists; the tool simply performs a search against each list and aggregates the data into one result. Without such a tool in place, you would need to go to the website for each list and manually search for yourself. There are many reasons an IP Address may end up on a Blacklist. More often than not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure, or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different language but if they contain wording like Denied, Spam, and the like, it means they were more than likely blocked due to one of the issues listed above. Ensuring that your messages are clean, simple and desirable to the recipient will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important. Take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blacklists Are & How MxToolBox Helps

September Newsletter – MailFlow Monitoring – Giving you the Power to Save the Day!


Most people can relate to that “I just sent you an email, do you have it YET?” experience. Most monitors only detect when your email is down completely. MailFlow Monitoring from MxToolBox will tell you when your server (or service provider) is SLOW. And you can see those trends over time.

[Image: 90 Day View]

If you have ever found out that your mail server was down from one of your users, and you are the System Administrator, you know that can be kind of embarrassing, not to mention stressful. MailFlow Monitoring was built specifically by our Engineers to go beyond just monitoring static SMTP availability, so you can know right away when there is an issue. It provides real-time daily, weekly or monthly statistics by monitoring the status of all mail in and out of your server. With this information you can really start to build a true picture of the Up/Down status and performance of your mail server. Plus the system can help you identify any issues with intermittent delays so you can address the problems before they escalate.

How does it work?
The MailFlow Monitor tests the full availability and performance of an SMTP server by sending a test message every five minutes to a predetermined mailbox on your domain. Once the message is injected into your server it follows the mail hops or set routes, and then your mail server auto-replies or forwards the message back to us. Once we receive the reply we automatically graph all the data for you, showing the high and low response times and how long it took mail to pass in and out of your server. This graphical data can be sorted by multiple time periods, i.e. last 7 days, 30 days, etc.

[Image: 7 Day View]

We built this service so we could monitor the status of our own many mail servers! When we really looked at our own needs we didn’t feel that any of the currently available monitoring services in the market could tackle this request in an efficient and cool way. After seeing how valuable the end result was in managing our own infrastructure, we realized that we couldn’t keep the tool all to ourselves, so we made it available to everyone!

To get the power to save the day, you need to check out our Basic and Professional Monitoring Products.


*Note that MailFlow Monitoring is not eligible with a Free Monitor account.



Copyright 2011 MxToolbox Inc. 12710 Research Blvd. Austin, TX 78759