Sponsored by..

Friday, 26 January 2007

One Invalid Recipient..

In my opinion, one of the great underappreciated Microsoft Knowledgebase articles is KB147093 which explains one of those mysteries you see with Exchange servers from time-to-time.

The symptom is this - a remote sender transmits a message to multiple recipients on your Exchange server, but one or more of the recipients is incorrect. This causes the mail transaction to fail and NO recipients get the message.

Although KB147093 refers to X400, in fact this is the behaviour that you'll see on an Exchange 5.5 Internet Mail Connector, and it works with other SMTP-based mail servers too.

The problem is this - when sending to multiple recipients at one remote domain, the software at the sender's end will make a single connection to the remote mail servers.. and it's an all-or-nothing proposition.

The problem is compounded if you suppress NDRs (nondelivery reports) to the internet, because a remote sender will never receive a bounce message to say that the mail transaction failed. In these circumstances, it can take some time to work out that there's a problem at all.. but in this case you need to carefully check the recipient list for invalid users and remove them.

Now, if you have NDRs enabled, the problem will probably be spotted much sooner. But these days a lot of organisations turn them off, especially if they are the targets of mass spamming or directory harvesting attacks. It's one of those cases where the current levels of spam have unexpected adverse impacts on infrastructure.

Wednesday, 17 January 2007

Travelocity Template Spam

A couple of days ago, we saw a pump and dump spam using an Incredimail template to bypass spam filters. We pointed out that Incredimail messages could be scored as being somewhat spammy.

With a new twist, spammers are now using a Travelocity template [click image on right to enlarge] with an embedded image in the middle. Businesses are more likely to allow Travelocity mail than ones with Incredimail templates.

Clever.. but these messages don't come from a Travelocity email address, nor a Travelocity IP (whatever that might be). So, if you roll your own filters you can look for elements of the Travelocity template in messages that don't originate from Travelocity.

If you use Postini, add an inbound filter something like:
  • Select "Match All"
  • Body | contains | 1-888-709-5983
  • Sender | does not contain | travelocity
  • Set Message Disposition to "User Quarantine"

What's clear is that the spammers have found a new technique here and there's probably (sadly) quite a bit of mileage in it. Expect to see more variants of this soon.

Monday, 15 January 2007

"Incredimail" spam

A novel twist to the CBFE pump and dump spam that's been doing the rounds is a large scale run of spam messages using an Incredimail template to fool spam filters. [Click the image to enlarge]

The trick here is that Incredimail uses a lot of embedded images, as does the recent batch of P&D messages.. so if a filter has been "detuned" to let these templates through, then the spam can slip through on the back of it.

In this particular case, the CBFE spam is encoded with the Windows-1251 Cyrillic character set which makes it distinctive, although that will probably change.

If you roll your own filters, look for X-Mailer: IncrediMail in the headers, and charset="windows-1251" on each MIME boundary.

If you use Postini, you could create an inbound filter of Header | contains | X-Mailer: IncrediMail and set Message Disposition to "User Quarantine".

There's probably no harm for most people in scoring messages with Incredimail templates higher for spam as very little of it will be business related.

Wednesday, 10 January 2007

Patch Tuesday - January

A very small number of patches this month, none of which are critical for servers (assuming you don't read email, process office documents or surf the web on a server) and which may not even require a reboot on most client PCs. I've ordered these roughly in order of importance.

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969)
This addresses an active exploit in IE and should be applied as soon as possible.
Client impact: high
Server impact: low

MS07-003 Vulnerabilities in Microsoft Outlook Could Allow Remote Code Execution (925938)
A series of potentially serious flaws that could lead to an exploit if the user opens a specially crafted email message. Outlook 2000 is vulnerable to this, but cannot be patched via WSUS so this would need to be applied manually where possible. Replaces MS06-055.
Client impact: high
Server impact: low

MS07-002 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (927198)
Similar to MS07-003, and Excel 2000 is similarly impacted with no WSUS remediation.
Client impact: high
Server impact: low

MS07-001 Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution (921585)
This only impacts Office 2003 with the Brazilian Portuguese language pack. It should be a big problem for most users.
Client impact: low
Server impact: low

Monday, 8 January 2007

Braindead spam from eReplicaShop.com

eReplicaShop.comeReplicaShop.com is a particularly persistent spammer, using image spam from zombie PCs and a large variety of domains. Most of these domains are registered to "Paul Gregoire" or a number of other aliases.. the smart money is that this is actually Alex Polyakov.

Unusually, the eReplicaShop servers are rented from fairly legitimate web hosts.. but bearing in mind that Polyakov is linked with phishing and money laundering scams it's quite likely that at least some of these services are being paid for by stolen credit cards.

Rule 3 of the Rules of Spam states that "Spammers are stupid". In this case, the eReplicaShop.com spam is particularly stupid as it often gets sent to abuse@ addresses. Most mail admins get really pissed off about abuse@ spam.. and this often leads to a satisfyingly short lifespan for the eReplicaShop mirrors.

If you do end up reporting one of these, it's always worthwhile to point out to the host that they might not be getting paid for the services they're providing. That normally gets a very quick response.


Well.. alright, I've come to the blogging thing pretty late on, I know. But sometimes it's just too much work to break out the web editor and fiddle around, and at least this way I can get things to press more quickly.

Anyway, here's a completely gratuitous shot of a Compaq Portable II for you..