A brief article has just gone live at the Handler's Diary at the SANS Internet Storm Centre, titled “Relay Reject Woes”.
Pity that poor guy putting all that time and effort into fighting the spam-bots.
The article brings to mind my experiences of about 6 years ago; I’d just started taking care of a server running Novell and GroupWise. Every night the server had been crashing and/or running extremely slowly, and the current IT provider was unable to work out what the problem was. They threw money at that server – more RAM, bigger hard drives, software upgrades, etc. – to no avail.
It didn’t take long for me to work out what was going on; mail relaying was enabled on the server (back in those days mail relaying was enabled by default) and said server was being brought to its knees every night by the spam load being pumped through it and the inevitable NDRs that were being generated. The server was on every blacklist in existence and, of course, postmaster@ was not being monitored. Damned if I know how the situation could have escaped the attentions of the IT support provider.
OK, so I turned mail relaying off, but that did not resolve the situation. Sure, it stopped the spam from being relayed, but it didn’t stop the stuff from being accepted in the first place and dumped into the BAD directory. The server was STILL under an amazing load, and guess who had to pay for the bandwidth being used.
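The lesson of the two stories above is the one the ISC diary is about: a recipient should be refused while the sending MTA is still on the line, at the RCPT TO stage, whether the reason is “you may not relay through me” or “that local user does not exist”. Accepting the message and bouncing it later is what generated the NDR flood on the GroupWise box. The following is an added example, not code from the post or from any MTA; the domains, mailboxes, trusted network and the `ndrs_generated` comparison are constructed for illustration.

```python
"""Added example (not from the post): the RCPT TO decision an MTA should make
so that relay attempts and mail for unknown local users are refused at SMTP
time, before any message body is accepted. All names and addresses below
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical configuration: domains this server is authoritative for, the
# mailboxes that actually exist, and the only network allowed to relay.
LOCAL_DOMAINS = {"example.com", "example-law.test"}
LOCAL_MAILBOXES = {"postmaster@example.com", "fred@example.com", "sam@example-law.test"}
RELAY_NETWORKS = [ip_network("192.0.2.0/24")]   # the office LAN; nothing else relays


@dataclass(frozen=True)
class RcptDecision:
    code: int        # SMTP reply code
    enhanced: str    # enhanced status code (RFC 3463 style)
    text: str
    accept: bool


def rcpt_policy(client_ip: str, authenticated: bool, rcpt: str) -> RcptDecision:
    """Decide the reply to RCPT TO:<rcpt> from client_ip.

    Local delivery is checked first, then whether the client may relay.
    An unknown local user gets a 5xx here, so the sending MTA, not us,
    owns any bounce; nothing is queued and nothing lands in a BAD directory.
    """
    rcpt = rcpt.strip().lower()
    if "@" not in rcpt:
        return RcptDecision(501, "5.1.3", "Bad recipient address syntax", False)
    _, domain = rcpt.rsplit("@", 1)

    if domain in LOCAL_DOMAINS:
        if rcpt in LOCAL_MAILBOXES:
            return RcptDecision(250, "2.1.5", "Recipient OK", True)
        return RcptDecision(550, "5.1.1", "User unknown", False)

    # Non-local recipient: this is a relay request. Only the trusted LAN or an
    # authenticated client may relay; everyone else is refused.
    trusted = authenticated or any(ip_address(client_ip) in net for net in RELAY_NETWORKS)
    if trusted:
        return RcptDecision(250, "2.1.5", "Recipient OK (relay permitted)", True)
    return RcptDecision(550, "5.7.1", "Relaying denied", False)


def smtp_reply(decision: RcptDecision) -> str:
    """Render the decision as the line the server would send."""
    return f"{decision.code} {decision.enhanced} {decision.text}"


def ndrs_generated(transactions, accept_unknown_local: bool) -> int:
    """Count the NDRs this server itself would have to send for a batch of
    (client_ip, authenticated, rcpt) tuples.

    accept_unknown_local=True models the GroupWise box after relaying was
    switched off: relay attempts are refused, but mail to non-existent local
    users is still accepted and bounced afterwards. False models rejecting
    at RCPT time, where the count is always zero.
    """
    ndrs = 0
    for client_ip, authed, rcpt in transactions:
        decision = rcpt_policy(client_ip, authed, rcpt)
        if accept_unknown_local and decision.enhanced == "5.1.1":
            ndrs += 1   # accepted on the wire, bounced later by us
    return ndrs


if __name__ == "__main__":
    # Constructed spam-bot session: one remote address, guessed local names.
    bot = [("198.51.100.7", False, name) for name in
           ("a@example.com", "b@example.com", "x@example.net", "fred@example.com")]
    for _, _, r in bot:
        print(r, "->", smtp_reply(rcpt_policy("198.51.100.7", False, r)))
    print("NDRs if accept-then-bounce:", ndrs_generated(bot, True))
    print("NDRs if reject at RCPT:", ndrs_generated(bot, False))
```

The order of the checks matters: if the relay test ran first, a spam-bot could not be told apart from a legitimate remote MTA delivering to a real local user, and if unknown local users were accepted “to be safe” the bounces would be sent to forged sender addresses, which is exactly the backscatter that gets a server blacklisted.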
Fast forward to the present day and another server, this time running SBS. This time there is no mail relaying enabled, but we are still the recipient of ridiculous loads of spam. Again, time and effort is devoted to trying to stem the flood; users are complaining about the level of spam getting into their inboxes. Now that Exchange has mail filtering the job is easier, but it still takes up way too much time. Because this is a law firm, no email can be automatically deleted. Every single filtered message must be checked to ensure it is not a legitimate email, and NDRs must be enabled :o(
It irritates me that so much spam is getting to me unimpeded. It irritates me that so much of that spam is coming from spam-bots owned by home users. But there is little that *I* can do to solve the problem. The problem has to be solved at the source, not the destination.
Then there are the baddies trying to log into my server for nefarious purposes using names like ‘webmaster’ or ‘postmaster’ or ‘admin’ or ‘asdfasdf’ (yeah right, like that last one is gonna work) or ‘Pete’ or ‘Fred’ or ‘Sam’.
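The pattern described above, one address walking through a list of account names, is easy to pick out of failed-logon records once you count distinct usernames per source rather than failures per account. The following is an added example, not code from the post; the log format, the sample lines and the thresholds are constructed for illustration (on an SBS box the real feed would be the logon-failure events in the Security event log).

```python
"""Added example (not from the post): flag password-guessing sources from
failed-logon records. The record format and sample lines are constructed;
the thresholds are arbitrary starting points, not recommended values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one remote address trying the names mentioned in
# the post, plus two local users who each mistyped a password.
SAMPLE_LOG = """\
2006-05-12 02:14:07 LOGON_FAILURE user=webmaster src=203.0.113.9
2006-05-12 02:14:09 LOGON_FAILURE user=postmaster src=203.0.113.9
2006-05-12 02:14:11 LOGON_FAILURE user=admin src=203.0.113.9
2006-05-12 02:14:13 LOGON_FAILURE user=asdfasdf src=203.0.113.9
2006-05-12 02:14:15 LOGON_FAILURE user=Pete src=203.0.113.9
2006-05-12 02:14:17 LOGON_FAILURE user=Fred src=203.0.113.9
2006-05-12 02:14:19 LOGON_FAILURE user=Sam src=203.0.113.9
2006-05-12 08:01:40 LOGON_FAILURE user=fred src=192.0.2.23
2006-05-12 08:01:55 LOGON_SUCCESS user=fred src=192.0.2.23
2006-05-12 09:30:00 LOGON_FAILURE user=sam src=192.0.2.40
2006-05-12 21:30:00 LOGON_FAILURE user=sam src=192.0.2.40
"""


def parse_line(line):
    """Return (timestamp, outcome, user, src) for one record, or None if the
    line does not match the constructed format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    # Usernames are case-insensitive on Windows; normalise before counting.
    return ts, parts[2], fields["user"].lower(), fields["src"]


def guessing_sources(log_text, window=timedelta(minutes=10),
                     min_failures=5, min_users=3):
    """Return {src: (failures, distinct_users)} for every source that, within
    some `window`, failed at least min_failures times against at least
    min_users distinct account names.

    Counting distinct names per source is what separates a dictionary of
    usernames from a single user fat-fingering a password; the time window
    keeps two unrelated typos hours apart from adding up.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "LOGON_FAILURE":
            failures[rec[3]].append((rec[0], rec[2]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, user in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(users))
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (n, u) in guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failures against {u} account names")
```

Keyed on the source address, this also avoids the trap of reacting per account: an aggressive account-lockout policy turns the same guessing run into a denial of service against the real users (Pete, Fred and Sam would find themselves locked out), whereas a per-source block does not.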
It irritates me that so much time and effort and cost is expended fighting the bad stuff. Go..away..and..leave..my..server..alone.
I’ve just been reading this article about the latest “ransomware” to hit the streets:
I’m sure Kaspersky will forgive me for quoting the sections pertinent to this post:
“I think we have an interesting development going on here, I think there are two different types of ransomware. Real ransomware, which encrypts your data or does other nasty stuff. And malware which claims to do all sorts of nasty stuff but actually doesn’t. It’s bluffing, like bluff poker.
Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code.”
Writing difficult code… it’s a good point. It’s amazing how much stuff out there nowadays is being created by script kiddies using various tools to generate their wares. There was a virus generator around for a while (not sure if it still is) and a rootkit generator as well. But, when push comes to shove, those script kiddies ain’t that good – without the generators they use they wouldn’t be able to do what they’re doing.
The capabilities of malware, and of malware writers, have been a high point of focus for me lately. It’s been said that if we lock things down in one way the bad guys will simply find a way around our defences. But, when I read things like the Kaspersky article, it reminds me that a lot of the stuff out there won’t adapt to new defences.
The quick money.. the easy money.. that’s what the vast majority of bad guys are after. Sure there are “professionals” out there (popular sentiment placing them in Russia and other eastern bloc countries) who write very sophisticated malware that can be extremely difficult to remove, and a small percentage of such malware is able to get through our firewalls, but what percentage of the bad guys out there have such abilities?
It has been said that if we introduce a particular security feature, then the bad guys will see that feature and bypass it anyway. I’ve been thinking about that sentiment over the past few days. I’ve come to realise it’s a pervasive mindset, but it’s one that I’m finding hard to settle in my mind as OK. Are we correct to *not* block 95% of the bad stuff via outbound filtering simply because 5% may get through anyway? If we do block that 95%, how long will it take before it adapts and neutralises our measures? Will it adapt at all?
I can understand how forcing the bad guys to increase their level of sophistication is a bad thing – as the bad guys get better at what they do, and bypass more and more of our security measures, then things get harder and harder for us in the battle to win. But, at the same time, without that crossing of swords we wouldn’t have seen the security improvements that we now have the benefit of – a lot of software either would not come to be, or would not have been improved.
Error message when you start Internet Explorer 6 on a Windows XP-based computer: “Runtime Error! Program: C:\Program Files\Internet Explorer\IEXPLORER.EXE”
(I am wondering if the above should refer to iexplore.exe, not iexplorer.exe – there is malware that uses an executable called iexplorer.exe, but that doesn’t seem to be the target of this article despite the reference to running a spyware check at the end of the article).
FIX: An access violation may occur when you use Internet Explorer 6 to visit a Web page that uses HTML Components to do DHTML scripting
But enough for this introduction. I don’t know why, but I was playing with Encarta Instant Answers a little bit and I thought I would ask it who our current queen is. I must say the answer is a little surprising:
Encarta® Instant Answers: I don’t know about the Queen of the Netherlands, but I do know that the ruler of the Netherlands is German occupation.
Did I miss something? Have the Germans been ruling us all the time without us noticing it? Our royal family is German of course, if you go back long enough in time, but I think Encarta Instant Answers has been mixing up some articles about the Netherlands and the Second World War here.
The next step I took is to implement these equations in a little tool that just tries to find the closest answer by trying a lot of different angles, etc. This worked rather well (and also rather fast), so I will be using this approximation for my gates later on.
Now the next step is to put some data for different aircraft types in the equations and see if I can create proper animations from that. I will be giving that a try over the next few days, but I think this is going to work fine.
** Dedicated to the Font family (and their BBQs) and to all the Jordis **
A spinster finds out that a friend of hers got pregnant with nothing but a Hail Mary (an “ave maría”) at the church in a neighbouring village.
A few days later she decides to go to that church hoping to get pregnant just like her friend.
“Good morning, Father,” the spinster greets him.
“Good morning, my child, how can I help you?”
“You see, Father, I found out that a friend of mine came here and got pregnant with a Hail Mary.”
“No, my child, it was with an Our Father (a “padre nuestro”, which also reads as “a priest of ours”), but we’ve already let him go…”
A housewife receives her lover during the day while her husband is at work. Without her knowing, her 9-year-old son has hidden in the wardrobe.
Unexpectedly, her husband comes home. She hides her lover in the wardrobe. The boy now has company, and the following dialogue takes place:
- The boy: “It’s dark.”
- The lover: “Yes, it is.”
- The boy: “I have a baseball.”
- The lover: “Good for you.”
- The boy: “Do you want to buy it from me?” The lover: “No, thanks.”
- The boy: “My dad is outside.”
- The lover: “All right, how much do you want?”
- The boy: “250 EUR”
Weeks later the same thing happens, and the boy is in the wardrobe again with the lover and…
- The boy: “It’s dark.”
- The lover: “Yes, it is.”
- The boy: “I have a baseball glove.”
- The lover: “How much do you want?” The boy: “750 EUR”
- The lover: “No way, kid, thanks.”
- The boy: “My dad is outside. Do you pay or do I scream?”
- The lover: “All right, but keep quiet.”
Days later, the dad says to the boy, “Grab your glove and ball, let’s go and play baseball outside.” The boy says, “I can’t, Daddy. I sold them.” The dad asks, “How much did you sell them for?” The boy says, “1,000 EUR.” The dad says, “That’s terrible, you mustn’t overcharge your friends. That’s more than those two things are worth. I’m taking you to church so you can confess.”
They go to the church, the dad explains to the priest what happened, sends the boy into the confessional and closes the door.
The boy says, “It’s dark.”
And the priest answers, “Don’t you start busting my balls…”
Have you ever wondered how a village comes to be?
Well, it’s very simple:
A bloke arrives in a desert, opens a bar, and people start building houses around it. At least in Spain! The proof is that in Spain there are villages with no school, no town hall, no pharmacy, no Guardia Civil post… but with no bar? No bloody way!
And do you know why? Because in bars we can do loads of things that can’t be done at home… In a bar you can throw the prawn heads on the floor… Throw them on the floor at home and you’ll see the fuss it causes… in a bar you throw the prawn heads down and they cover them with sawdust.
A beer gets knocked over? They cover it with sawdust!
A drunk falls over? They cover him with sawdust!
As if they’d ever run out of sawdust!
Whatever else it may lack, a bar has more sawdust than Pinocchio’s grave.
The bar is also for meeting up with mates. Because my flat is so small that only three of us fit (and that’s without the mobile phone). And, of course, where else are you going to meet? In a hardware shop? In the pharmacy? And what are you going to order, three shots of Bisolvon and two Lexatins? Or in church?… And actually… come to think of it… a church is the closest thing there is to a bar… There’s a man behind a counter, wine, music, people… and sometimes there are “hostias” (communion wafers, but also punches)… And on Sundays, at aperitif time, both places are packed to the rafters. Mind you, the vibe is better in bars than in church… Because while in church a bloke comes round with a basket so you’ll drop something in, in a bar people argue over who gets to pay.
Where else does that happen? In the residents’ association? Can you imagine us arguing over who gets to treat the others at the residents’ association meeting, for instance:
- “Shhh! I’m paying for the satellite dish.”
- “But you already paid for the boiler…”
- “Who cares! We’re never getting out of poverty anyway!”
Mind you, in a bar, the most important thing is the waiter. Waiters can basically be divided into two types: the ÁGIL (quick) waiter… and the AGIL-ipollado one (a pun on “agilipollado”, roughly “brain-dead”). The quick one, the moment you come through the door, wipes your table, brings the napkin holder over, pours you a beer and tells you: “It’s two nil, Madrid are losing, the Dow Jones is down and the lowest-rated politician is Mayor Oreja… shall I get you a plate of pig’s ear (oreja)?” The brain-dead one is easy to recognise because he looks like he’s coming round from anaesthesia: he neither hears you nor sees you. You’re waving at him as if you were parking a plane, but the guy walks right past you without looking, like a doctor in the public health service. You come in in the morning, and when he finally pays attention… “Let’s see. What’s it going to be?” “What’s it going to be…? Night-time, any minute now, you great lump!” But where the bar reaches true glory is when there’s a match on.
The bar is the TEMPLE OF FOOTBALL. There used to be signs up saying “Superb cockles”, “We have delicious velvet crabs”. Not any more; now they put up: “TODAY: DEPOR-REAL MADRID…” And all day long nobody talks about anything else… The moment you walk in and order a beer the waiter tells you: “Zidane has pubic osteopathy”. And that’s the big difference between the bar and your house: nobody ever argues over the remote. In the bar there’s no channel-hopping: if there’s a match, you watch the match; if there’s figure skating, you watch the match; if “Informe Semanal” is on, you watch the match; and if there’s a porn film on Canal Plus… you record the match, AND THAT’S FINAL!!
And to finish, a few contributions:
Public toilets in Cadiz (by Xavi): http://www.uyssoft.com/Viernes/LavabosCadiz.jpg (161 Kb)
Cat at a football match (by Melon): http://www.uyssoft.com/Viernes/GatoFutbol.jpg (64 Kb)
Video: “Gesture of love” (by Dani): http://www.uyssoft.com/Viernes/gesto_de_amor.wmv (654 Kb)
Have a good weekend, everyone,
The Web site www.itnews.com.au has highlighted a Russian ‘smartbomb’ for purchase that allegedly targets unpatched PCs:
According to itnews, Websense has reported that 1,000 sites are using the smartbomb, which can be purchased for as little as US$10.00.
The worrying thing that caught my attention about the report is that according to the statistics from just one attacker site, over 1,770 PCs were successfully compromised via a vulnerability that was patched back in April 2003!!! I find it amazing that there are still computers out there that are vulnerable to an exploit that was patched three years ago.
The second most successful exploit for the highlighted attack site was one that targeted createTextRange, which was patched on April 11 – Websense reports that 1,507 PCs were compromised via that vulnerability.
There is only so much that we, as computer professionals, can do to protect people from themselves. Sooner or later every computer owner has to take responsibility for their own PCs, for their own security, and for their own education.
We’re having an interesting discussion in a security focused mailing list at the moment about reports that Windows Vista’s outbound firewall abilities will be disabled by default because the corporate end of town want it that way.
Some of the reasons given for why the decision is ok are, to me at least, staggering – for example:
1. The average user is not going to be interested or will freak out;
2. Stuff may get through anyway;
3. If you force them to learn they’ll start using another OS;
4. The public doesn’t want to be educated;
5. Computer manufacturers/ISPs won’t like the cost of supporting confused users.
So…. computer manufacturers/ISPs won’t like having to wear the cost of support calls – big deal. Let’s think about cost. How much money do you think is spent fighting, for example, spam? Spam that comes from compromised home computers? How much money has been and continues to be spent by corporations and private citizens paying for the bandwidth absorbed by said spam? How many corporations have had to spend money on various attempts to ward off spam, whether it be software or hardware solutions? How many have had to upgrade their hardware to cope with the demand? How much money do you think has been spent fighting denial of service attacks from compromised home machines? How much money is spent fighting to take down phishing sites on compromised home machines? How much money has been lost to the criminals behind phishing sites? (The last report I read mentioned losses running into the millions.)
Users who are not willing to educate themselves are a risk to themselves and other internet users. Their compromised machines pump out spam; their compromised machines are used for denial of service attacks; their compromised machines are used to host phishing websites.
I am a finite resource; my associates are a finite resource; sooner or later we have to say “listen, you’re harming the community at large, get with it or get out”.
Therefore, if forcing users to ‘get educated’ ends up with their choosing a different operating system, then I’ll show them the way and shut the door behind them. It’s one less thing to worry about. If forcing users to learn about and use things like firewalls and patching leads them to choose a different operating system – there’s the door.
If home users are not educated – if they will not take responsibility for their own machines – then spam will not go away, denial of service attacks will not go away, phishing web sites will not go away. That’s the reality folks.
Another article at eWeek from earlier this month noted that “recovery from malware [is] becoming impossible”:
I have met Mike Danseglio (the guy who was interviewed for the article) - I attended training sessions that he held back in April 2005 in Singapore and still have his business card on my desk. I remember how we left his sessions thinking “we’re screwed”. I also remember that we wanted to cancel all the other sessions for the rest of the day so that we could continue working with and learning from Mike.
When I look at the risk to the internet community at large from compromised machines spewing crap I wonder how the heck people can say that not pushing for user education is ok.