Wednesday, November 19, 2008

If you think SPAM affects only inbound mail... think again!

Outbound SPAM has been affecting companies and organizations for years, but the solutions available in the industry mainly address inbound SPAM. That is not to say inbound SPAM protection is no longer needed. What I am trying to say here is that it is time for email security providers to do a lot more about SPAM going outbound.

We all know that inbound SPAM comes mainly from SPAMMERS harvesting email addresses for product marketeers and, of course, from BotNets! But what about outbound SPAM?

Outbound SPAM is normally sent by:

1) ISP MTAs
2) Compromised computers in your network
3) Unsecured mail servers being used as a relay

Now that we have identified the common sources of outbound spam, what is the impact on YOU if the compromised computer or mail server happens to be in your network, or if the ISP MTA sending out SPAM belongs to the ISP you are using?

The consequences of sending out SPAM are as disastrous as receiving SPAM, or worse. Why? Let me list some reasons for you.

Results of sending out SPAM:

1) Domain/IP reputation affected
2) Domain/IP blacklisted, resulting in email not being delivered
3) Lawsuits
4) Network bandwidth affected
5) Decrease in work efficiency
6) And many more!

I will elaborate on the above in my next post...

Tuesday, May 20, 2008

DKIM SIMPLIFIED ( Part 2 – Technical View)


What I will write here explains DKIM in the most simplified technical way. I won’t explain the encryption algorithm itself, but I will tell you which algorithm is used, etc. Ready? Let’s roll!

Key function of DKIM.

What makes DKIM different from many other authentication methods is that it uses public key cryptography. According to my research, at present only the RSA algorithm is defined. Below is a diagram of the process overview.


1) The domain with DKIM implemented publishes a public key in its DNS records.

2) The sending mail server digitally signs the outgoing mail message. A lot of work happens here, so let’s look into it in a little more detail:

- The body of the message is first canonicalized (conformed to a specification so that harmless modifications in transit do not break the signature) and then hashed, using SHA-256 by default.

- The signer chooses the message header fields to be included in the signature.

- A new header called “DKIM-Signature” is created. This header contains the canonicalization specification the body was conformed to, the header fields chosen by the signer, the name of the signing domain, the body hash, and a selector. (The selector enables a domain to have multiple keys in use for authentication.)

- The header fields being signed and the DKIM-Signature field itself are then canonicalized and hashed.

- An RSA signature is computed on that hash, and the signature is inserted back into the DKIM-Signature field.

- The full DKIM-Signature field is then added to the header of the message, and the modified message is sent.

3) The verifier gets the public key of the alleged signer using a DNS lookup based on the domain and selector name in the DKIM-Signature header field, and uses it to verify that the signature in the message is legitimate.

4) If authentication is successful, the MTA delivers the message to the end user’s mailbox.
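To make the four steps above concrete, here is an added example (mine, not part of the original post and not any DKIM library’s code) that walks through the whole flow in Python: body canonicalization and SHA-256 body hash, header selection, building the DKIM-Signature field with a selector, RSA signing of the header hash, and verification against a public key fetched from a (constructed, in-memory) DNS table keyed by `<selector>._domainkey.<domain>`. The RSA part is textbook RSA with a tiny Miller-Rabin key generator so the block runs with the standard library only; real DKIM uses PKCS#1-padded signatures and properly generated keys. Names such as `example.com`, `sel1` and the message headers are made up for the demo.

```python
import base64
import hashlib
import random
import re

# ---- Toy RSA (demo only: textbook RSA, no PKCS#1 padding; real DKIM keys are
# generated with OpenSSL-grade tooling) -------------------------------------
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=512):
    """Return ((n, e), (n, d)).  Needs Python 3.8+ for pow(e, -1, phi)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

# ---- Canonicalization (the first signing step in the post) ----------------
def canon_body_simple(body):
    """'simple' body canonicalization: CRLF line ends, trailing empty lines dropped."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"

def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization: lower-case name, unfold, squeeze blanks."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def _body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body_simple(body).encode()).digest()).decode()

def _header_hash(headers, signed_fields, sig_field_with_empty_b):
    # Signed fields, then the DKIM-Signature field itself with b= empty, no trailing CRLF
    data = b"".join(canon_header_relaxed(f, headers[f]).encode() for f in signed_fields)
    data += canon_header_relaxed("DKIM-Signature", sig_field_with_empty_b).encode().rstrip(b"\r\n")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- Signer (step 2) -------------------------------------------------------
def dkim_sign(headers, body, domain, selector, signed_fields, priv):
    n, d = priv
    field = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(signed_fields)}; bh={_body_hash(body)}; b=")
    sig = pow(_header_hash(headers, signed_fields, field), d, n)
    return field + base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

# ---- Verifier (step 3): key comes from <selector>._domainkey.<domain> ------
def dkim_verify(headers, body, dns):
    field = headers["DKIM-Signature"]
    tags = dict(t.strip().split("=", 1) for t in field.split(";") if t.strip())
    pub = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if pub is None:
        return "permerror: no public key in DNS"
    if _body_hash(body) != tags["bh"]:
        return "fail: body hash mismatch"
    n, e = pub
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    expected = _header_hash(headers, tags["h"].split(":"), re.sub(r";\s*b=.*$", "; b=", field))
    return "pass" if pow(sig, e, n) == expected else "fail: header signature mismatch"

def demo():
    """Sign one constructed message, then verify it intact, body-tampered and header-forged."""
    pub, priv = generate_rsa_keypair()
    dns = {"sel1._domainkey.example.com": pub}            # constructed DNS TXT record
    headers = {"From": "john@example.com", "To": "mary@example.net",
               "Subject": "Quarterly report"}
    body = "Hi Mary,\nthe report is attached.\n\n"
    headers["DKIM-Signature"] = dkim_sign(headers, body, "example.com", "sel1",
                                          ["From", "To", "Subject"], priv)
    ok = dkim_verify(headers, body, dns)
    tampered_body = dkim_verify(headers, body.replace("attached", "cancelled"), dns)
    forged = dict(headers, Subject="Urgent: wire payment")
    tampered_header = dkim_verify(forged, body, dns)
    return ok, tampered_body, tampered_header
```

Running `demo()` returns `("pass", "fail: body hash mismatch", "fail: header signature mismatch")`: the body hash check catches content changes before any RSA work is done, and a changed signed header fails the signature check even though the body is intact.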

Isn’t it nice to know that there is such a simple and cool technology around?

DKIM SIMPLIFIED Part 1 of 2

DKIM SIMPLIFIED ( Part 1 – Introduction/Functional understanding)

I hope you all have a good understanding of the video posted previously. I am also hoping that I understood it well enough not to mess up the summary write-up here. I will do a summary with an introduction, then the functional and technical overview.

Introduction

DomainKeys Identified Mail (DKIM) is a signature/cryptography-based authentication technology based on Yahoo!’s DomainKeys e-mail authentication technology and Cisco’s Identified Internet Mail. DKIM provides mail recipients with a better way of checking the authenticity of the source of the mail. Besides DKIM, there are also Sender Policy Framework (SPF), Sender ID, etc. But SPF and Sender ID are path based, while DKIM is the main cryptography-based authentication method. DKIM uses a private and a public key for verification, which is the key difference from the other technologies. With the use of a private key, it is not possible for a spammer or unauthorized person to steal the identity of a particular domain. It is important to know that DKIM works on the domain portion and doesn’t verify who is sending the mail behind the domain.

Functional Overview

It is relatively simple to understand how DKIM works. Take the example below:
John sends Mary a mail. In the mail, he attaches a public key. When Mary receives the mail, she uses the public key to verify it against the private key. Since it is a private key, only John has it, and only if the two keys match each other is it proven that the mail had indeed been sent by John. If the mail has been tampered with in transit, or if the public key does not match the private key, the receiving MTA checking the DKIM signature will discard the mail.

The benefit of deploying DKIM is huge, and one important reason for the rapid increase in DKIM use is that it is free! With the increasing number of organizations and companies using DKIM, users see less spam in their inbox, as such mail is dropped before being processed by the mail server. This also helps improve the performance of the mail server and reduce network traffic. With DKIM, spammers have a hard time spoofing the identity of a sender domain, and the integrity of the mail received is also maintained.

(End Part 1 of 2)

Sunday, May 18, 2008

DKIM - Explained..

I came across this video while browsing the net. It was posted by googletechtalks on YouTube. I think it is nice, so I thought I’d share it.

Understanding DKIM

Take your time to view the video. I will be doing a summary write-up on DKIM in my next post.

Monday, May 12, 2008

Backscatter .... the silent weapon of spammers....

I just did a report for one of the organisations, showing their mail traffic, and they were impressed by the volume passing through their mail server. With a user base of around 200, the MTA is processing 11000 mails a day! Now this is a very busy company, or is it?

The answer is "NO". In fact, out of these 11000 mails, approximately 8500 are backscatter mail, another 500 are spam that slipped past their anti-spam appliance, and only 2000 are legitimate mails. So what is this backscatter mail about?

Backscatter mail is basically bounced mail caused by a failure in delivery. It is also known as a "Delivery Failure Notification" or "DFN". At this point, I can see the system and network administrators showing worried faces. They are probably wondering whether the network has been "hacked", or whether it has become part of a zombie network blasting out thousands of mails a day and therefore producing that number of "DFN". Indeed, the next question from them is what is causing the large number of "DFN", and can they see which user is sending out those mails? I am sure my reply put them at ease.

These "DFN" are not caused by mail sent out through their network. They are caused by spammers spoofing their email addresses and blasting out to thousands and thousands of users wherever the internet exists. Take for example:

Spammer A sends a mail to "Invaliduser@yourdomain.com", and in the "From" line of his message he puts "spoofemail@yourdomain.com".

What happens is that when the email reaches the "Invaliduser@yourdomain.com" network, there is a high chance it will reply with a message saying the user is invalid. When that happens, instead of returning the mail to the spammer, the mail is returned to the MX record of the spoofed "yourdomain.com" domain.

The second reason the MTA is processing 8500 DFN is that when the DFN came in to inform "spoofemail@yourdomain.com" that the mail failed to be sent, the anti-spam appliance didn't drop the DFN mails. This is an architecture error.

What should happen here is that both the recipient and the sender network should drop the mail for the invalid user instead of processing it. When the mail first reaches the "Invaliduser@yourdomain.com" network, the MTA should reply with a "5xx" error code and reject it. The same goes for the MTA at the "spoofemail@yourdomain.com" domain: when the DFN comes in for the user "spoofemail", the MTA should reply with a "5xx" error code to the anti-spam appliance and drop/reject the mail without processing it. MTAs should be strongly encouraged to reject mail for invalid recipients outright instead of giving a "4xx" reply, etc. This will help not only your network but also many other networks in the world.
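The two decisions described above, rejecting unknown recipients with a 5xx during the SMTP session and dropping bounces addressed to users that do not exist, as an added Python example (mine, not from the original post and not any MTA’s code). The user directory and the list of sample sessions are constructed for the demo; `yourdomain.com` and the addresses are the post’s own placeholders.

```python
# Constructed directory of real mailboxes at yourdomain.com (demo data)
VALID_USERS = {"john@yourdomain.com", "mary@yourdomain.com"}

def rcpt_to_reply(recipient, valid_users=VALID_USERS):
    """Reply at the RCPT TO stage of the SMTP session.  A 5xx here means the
    message is never accepted, so no bounce is ever generated for it later."""
    if recipient.lower() in valid_users:
        return "250 2.1.5 Ok"
    return f"550 5.1.1 <{recipient}>: Recipient address rejected: User unknown"

def is_bounce(mail_from):
    """Delivery failure notifications are sent with the null reverse path MAIL FROM:<>."""
    return mail_from.strip() in ("", "<>")

def classify_session(mail_from, rcpt_to, valid_users=VALID_USERS):
    """Categorize an inbound SMTP session the way the post counts them."""
    if is_bounce(mail_from) and rcpt_to.lower() not in valid_users:
        return "backscatter"        # bounce for a user we never had: someone spoofed us
    if rcpt_to.lower() not in valid_users:
        return "unknown-recipient"  # plain spam/typo to a non-existent user: 550 it
    return "deliverable"            # includes bounces for real users, which they should see

def tally(sessions, valid_users=VALID_USERS):
    """sessions: iterable of (mail_from, rcpt_to).  Returns counts per category."""
    counts = {}
    for mail_from, rcpt_to in sessions:
        kind = classify_session(mail_from, rcpt_to, valid_users)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample of sessions as the MTA in front of the appliance sees them
SAMPLE_SESSIONS = [
    ("<>", "spoofemail@yourdomain.com"),            # bounce for a spoofed, non-existent user
    ("<>", "x8k2q@yourdomain.com"),                 # same, random spoofed local part
    ("<>", "john@yourdomain.com"),                  # a bounce John genuinely caused
    ("partner@example.net", "mary@yourdomain.com"), # ordinary legitimate mail
    ("bulk@example.org", "invaliduser@yourdomain.com"),
]
```

With the directory check done at RCPT TO time, both the "unknown-recipient" and the "backscatter" rows never reach the anti-spam appliance at all, which is the architecture fix the post is asking for.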

I hope this simple write-up helps some administrators out there clear their doubts about backscatter mail.

Wednesday, April 30, 2008

Ways to tell a phishing email...

Sorry for the delay in the second part of this anti-phishing blog. I’ve been really busy these weeks. Well, here it goes...

Now that you have the basic knowledge of protecting yourself against phishing, how do you tell a real mail from a phishing email? There are three important factors we can focus on in this blog.

1) Objective of the mail
2) SMTP header (I hope you did some reading up, as mentioned in my earlier blog)
3) The hyperlink in the email and URL cloaking

Objective of Mail


If the objective of the email is to obtain your password and other confidential personal information by bringing you to a link and having you enter your ID and password, such an email has a high chance of being a spoof mail. Though not 100%, almost all mails I have encountered that ask for such information in electronic form are spoof mails. Call the relevant organisation to verify the authenticity of the mail. **Please do not click on the hyperlink and call the number shown on the website; the number can be FAKE.

SMTP Header


This is a little more technical, but I will make it simple and hope you can follow it.

To see the email header, you'll need to view the properties of the email. To do this in MS Outlook 2007, for instance, right-click the email (before opening it), then select 'Message Options' from the drop-down menu. You will see an "Internet Headers" box which shows the header.

**Example shown below:

Here is a comparison between the headers of a spoofed and a genuine eBay email.

The spoof header:

Return-Path:
Delivered-To: webmaster@millersmiles.co.uk
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
for ; Fri, 6 Jun 2003 23:27:16 +0200
Message-Id: <200306062127.h56LRD008495@mail.almtal.net>
From:
To:
Subject: ebaY Contest
Date: Fri, 6 Jun 2003 23:27:13 +0200
X-Mailer: sendEmail-1.40
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

The genuine header: (see a copy of this email)

Return-Path:
Delivered-To: millersmiles-auctions@millersmiles.co.uk
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
for ; Mon, 9 Jun 2003 03:22:26 -0700
Received: from rhv-kas-03.corp.ebay.com (rhv-kas-03.corp.ebay.com [64.68.79.239])
by miami.smf.ebay.com (8.11.6+Sun/8.11.6) with SMTP id h59AMfZ10198
for ; Mon, 9 Jun 2003 03:22:41 -0700 (PDT)
Message-Id: <200306091022.h59AMfZ10198@miami.smf.ebay.com>
Date: Mon, 09 Jun 2003 03:22:28 -0700
To: millersmiles
Subject: Re: (KMM72404455V54089L0KM)
From: eBay United Kingdom Customer Support
Reply-To: eBay United Kingdom Customer Support
MIME-Version: 1.0
Content-Type: text/plain; charset = "us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Kana 6.0

See the differences .....

The 'Received: from unknown (HELO xxx.xxxx.xxx)' part tells us the details of the machine the email was sent from. In this case, the spoof shows a machine identified as 'mail.almtal.net' with IP address 217.16.118.12, whereas eBay's genuine email has come from a machine identified as mx5.smf.ebay.com with IP address 66.135.209.200. When doing a whois lookup (or a reverse DNS lookup) on the IP, it is clear that the genuine email originated from eBay's mail server at 66.135.209.200 (eBay, San Jose, CA), whereas the spoof came from a different machine at an IP address owned by someone in Wien, Austria.

The handling mail server has further added an identifier for the sending server: in the case of the spoof, "Received: from localhost (mail.almtal.net [127.0.0.1])", which is either an internal mail server or a mail server running on the same machine. eBay's genuine email, in contrast, correctly shows that the sending server was identified as miami.smf.ebay.com [66.135.215.166] (which again proves to be owned by eBay when doing a whois lookup).

The mail server software and version are recorded by each handling server as the email is relayed from ISP to ISP. The spoof shows "by mail.almtal.net (8.11.6/8.8.7)", which again is NOT eBay's mail server, while the genuine email correctly shows "by mx5.smf.ebay.com (8.12.3/8.12.3)". ** (Example lifted from http://www.millersmiles.co.uk)
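The check the comparison above does by eye, reading the outermost "Received: from ... (HELO ...) (ip) by ..." line and asking whether the HELO name belongs to the domain the mail claims to come from, as an added Python example (mine, not from the original post or from millersmiles.co.uk). The two header snippets are the Received lines quoted above with their folded "by" continuation lines re-indented; the rest of the headers is left out. The HELO string is self-asserted by the connecting machine, so a mismatch is a red flag to follow up with the whois/reverse lookup described in the post, not proof on its own, and a match can still be forged.

```python
import re

# Matches the Received line our own server added: "from <claimed> (HELO <helo>) (<ip>) by <host>"
RECEIVED_RE = re.compile(
    r"Received: from (?P<claimed>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[\d.]+)\)\s+by (?P<by>\S+)")

def external_hops(header_text):
    """Return [(helo_name, ip, receiving_host)] for every Received line of the
    'from X (HELO Y) (ip) by Z' form, outermost (most recently added) first."""
    return [(m.group("helo"), m.group("ip"), m.group("by"))
            for m in RECEIVED_RE.finditer(header_text)]

def in_domain(hostname, domain):
    """True if hostname is domain itself or a host under it."""
    hostname, domain = hostname.lower().rstrip("."), domain.lower()
    return hostname == domain or hostname.endswith("." + domain)

def helo_consistent_with_sender(header_text, sender_domain):
    """None if no usable Received line; otherwise whether the machine that handed the
    mail to our server presented a HELO name under the claimed sender domain."""
    hops = external_hops(header_text)
    if not hops:
        return None
    helo, _ip, _by = hops[0]
    return in_domain(helo, sender_domain)

# The Received lines quoted in the post (millersmiles.co.uk sample), folding restored
SPOOF_HEADER = """\
Received: (qmail 21262 invoked from network); 6 Jun 2003 21:21:49 -0000
Received: from unknown (HELO mail.almtal.net) (217.16.118.12)
  by server16.donhost.co.uk with SMTP; 6 Jun 2003 21:21:49 -0000
Received: from localhost (mail.almtal.net [127.0.0.1])
  by mail.almtal.net (8.11.6/8.8.7) with SMTP id h56LRD008495
Subject: ebaY Contest
"""

GENUINE_HEADER = """\
Received: (qmail 36907 invoked from network); 9 Jun 2003 10:22:29 -0000
Received: from unknown (HELO mx5.smf.ebay.com) (66.135.209.200)
  by server16.donhost.co.uk with SMTP; 9 Jun 2003 10:22:29 -0000
Received: from miami.smf.ebay.com (miami.smf.ebay.com [66.135.215.166])
  by mx5.smf.ebay.com (8.12.3/8.12.3) with ESMTP id h59AMQG9000488
Subject: Re: (KMM72404455V54089L0KM)
"""
```

`helo_consistent_with_sender(SPOOF_HEADER, "ebay.com")` is `False` (mail.almtal.net is not under ebay.com) and the genuine header gives `True`. The IP from `external_hops` is the value to feed into the whois or reverse lookup.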

The hyperlink in the email and URL cloaking

Now, how many can tell which of the hyperlinks below is real just by looking?

1) http://www.arofanatics.com/forums/showthread.php?t=316662
2) http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/
3) http://www.clubhyundai.org



Out of the three links above, only one will lead you to where it appears to. Hyperlinks can be easily spoofed, and users are often tricked onto websites that look similar or 99% the same as the usual website. These phishing sites are hosted on different servers, and the organisation being spoofed takes some time to bring down the spoof site or to notify its customers. Therefore it is important to know about such tricks and how to avoid them. When you move your mouse cursor over a link, it shows you the actual website you will be taken to.
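Two checks for the tricks described above, as an added Python example (mine, not from the original post): first, whether a URL’s host actually belongs to the domain it appears to (the host of link 2 is "www.arofanatics.com-securitycheck...-secure", a completely different name, not a path under arofanatics.com); second, the programmatic form of "hover over the link": parse an HTML mail and flag anchors whose visible text is a URL pointing to a different host than the real `href`. The three URLs are the post’s own; the HTML snippet is constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    return (urlsplit(url.strip()).hostname or "").lower()

def belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it.
    A host that merely starts with the expected name does not count."""
    host, expected = host_of(url), expected_domain.lower()
    return host == expected or host.endswith("." + expected)

LINKS = [  # the three links from the post
    "http://www.arofanatics.com/forums/showthread.php?t=316662",
    "http://www.arofanatics.com-securitycheckw8grhgakdj-jd7788-accountmaintenace-4957725-s5982ut-aw-ebayconfirm-secure/",
    "http://www.clubhyundai.org",
]

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def cloaked_links(html):
    """Return [(shown_text, real_href)] for anchors whose visible text looks like a
    URL but whose href leads to a different host: what hovering would reveal."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host_of(href):
                found.append((text, href))
    return found

# Constructed HTML mail snippet: the displayed text is link 1, the real target is link 2
SAMPLE_HTML = f'<p>Confirm your account: <a href="{LINKS[1]}">{LINKS[0]}</a></p>'
```

`[belongs_to(u, "arofanatics.com") for u in LINKS]` gives `[True, False, False]`, and `cloaked_links(SAMPLE_HTML)` returns the one mismatched anchor.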

There are many ways an email can be spoofed, and honestly there isn't much we can do about that. But knowing the threat is there and not protecting yourself against it is pure foolishness, isn't it?

Sunday, April 20, 2008

Basic defence you should have on Phishing!

Phishing … the dangerous scam. So how do we protect ourselves from it?

Before I go on to explain how we detect a phishing email, there are a few things we have to keep in mind when dealing with emails.
1) Read carefully all details/contents of official emails sent to you by organizations or personnel requesting information from you.
2) Never click on a link in an email to get to a site. Copy and paste the link into the Internet Explorer/Firefox address bar instead.
3) No organization will ask you to send confidential information such as your banking ID and password through email.
4) Update your software and browser to a version with anti-phishing support. Most browsers now support anti-phishing capability.
5) Update your anti-virus with anti-spoof/anti-phishing capability.
Now that you have equipped yourself with the basic defence, prepare yourself for the tactics of spotting phishing mail in my next blog.

** The next one will be more technical. It is good to understand a bit about SMTP headers before reading my follow-up blog on spotting phishing mail. **

Saturday, April 19, 2008

Phishing or Fishing??


It is kind of irritating to receive mail from a person or organization claiming to be another person or organization. BUT for those who receive it and actually believe the sender, the damage is going to be more than just irritation.

“Phishing”, which sounds like “fishing”, is the act of pretending/impersonating to be someone or some organization with the intention of tricking someone into leaking/giving out confidential information. A common example is phishing emails purporting to be from banks, sent out by spammers/hackers with the intention of “fishing” for confidential information. Victims of phishing could lose their entire bank balance if they are not careful, and the person or organization being phished would suffer more than just monetary loss.

Though there are many anti-spam companies in the market that claim to be able to detect phishing mails, it is important to know that many of the engines these companies use rely on definitions/databases to detect phishing/spoof mails. Therefore there will always be a window period during which we are at risk when a new phishing mail or site is launched to fish out new victims.

There are a few ways to keep ourselves better protected, and also to detect phishing mails and act on them. I will be filling in the ways to protect ourselves and how to detect these phishing acts in the follow-up blogs. Stay close… stay tight… stay protected! :)

Monday, April 14, 2008

Magnet, Nets, MegaNet or Botnet??? Part 2 of 2

So now that you have an idea of what a botnet is, are you part of one?

Botnet computers are computers infected with a Trojan or malicious code designed to allow remote control of the infected computer. Many still have the traditional view that botnets are controlled using Internet Relay Chat (IRC), which is a dying trend. But the fact is that botnets are very much alive, as hackers use a mixture of protocols and stealth techniques to infect and control machines. According to research, as many as 1.5 million bots have been found, and the number is growing.

Botnet computers are not immune from detection. There will be signs and trails of infection, and prevention can be practised. Simple tasks include looking out for unusual running services and processes, and going through the log files. If you suspect that your computer has been infected, do the following:

1) Update your operating system and internet applications to close as many vulnerabilities as possible.
2) Install a different anti-virus on your operating system and do a full scan with updated definitions. Your existing anti-virus is most likely compromised, and updating it and doing a full scan won’t help most of the time.
3) Install and run an updated malware/spyware application. There is lots of freeware on the Internet. “Spybot – Search & Destroy” is one of my favourites.
4) Go through the services and spot unusual ones.
Once you have done the above and you are pretty sure that you are free of the botnet, install a personal firewall. A firewall normally closes all unnecessary ports, and this makes your computer a difficult target for the hacker.

All these actions won’t guarantee that you won’t be part of a botnet someday. But no prevention is 100%, and by making your computer a difficult target, the chances of you being part of a botnet are narrowed down by a great margin!

As the saying goes. “The only way not to make mistake is not to do anything. But in today’s world, that would probably be the biggest mistake” - Sun Tze

Sunday, April 6, 2008

Magnet, Nets, MegaNet or Botnet??? Part 1 of 2

Did you know that your computer could be compromised and become part of a group of computers used to send out spam mail or carry out attacks on other computers without your knowledge?

Which of the terms below represents a group of compromised systems used for malicious activities?

1) MegaNet
2) Botnet
3) Nets
4) Magnet

Read on if you are clueless about this. I will explain botnets and how to prevent your computer from becoming part of one.

Basically, a botnet is a group of compromised systems, normally infected by worms or Trojans and controlled by hackers to carry out malicious operations such as spamming, Distributed Denial of Service attacks, etc. The common questions on botnets are: I have anti-virus, can I still get infected? I am behind a firewall, so I should be safe, right? And how do I know if I am part of a botnet?

Anti-virus software normally does a pretty good job of keeping out viruses, worms, Trojans, etc. But between the time a new malicious code is found flooding the internet and the time the virus definition file is released by the vendors, there is a window period during which your system could be compromised. Unlike viruses, worms are autonomous. They have their own transport mechanism, are independent, and can replicate themselves to other systems in the network. Often, when a PC has been compromised, an install or update of the virus definition files will also fail to detect the worm, as it returns a false result to the anti-virus scan. This explains why you often hear people asking why their latest anti-virus software is not detecting the virus.

Trojans often come disguised; remember the “Trojan Horse” story? A Trojan often comes in the form of a useful piece of software that the user is lured into downloading from the internet. I am sure many of you have experienced a pop-up from your anti-virus detecting a Trojan after downloading a program from the Internet. But what happens if it is not detected? The answer is that your system is probably a member of an xzy botnet.

Ask yourself: can your firewall inspect what you send from your email? Traditionally, your firewall can’t. A firewall acts as a gate between your system/network and the Internet. It only works on ports, and this gateway doesn’t filter the email ports; if it did, no mail could be sent out of the network. This also explains why companies need a separate anti-spam appliance or Unified Threat Management (UTM) device for their SMTP port. So can your firewall protect you from being a botnet spammer? I guess the answer is obvious.

End Part 1 of 2

Friday, April 4, 2008

SPAM BUSTER! Part 4 of 4

Cryptography – “zpv dbou tff nf!”

The most commonly used form of cryptography in anti-spam is probably DomainKeys Identified Mail (DKIM). Similarly to SPF, DKIM is interested in identifying the sender. But on top of that, DKIM also helps protect the integrity of the mail content. DKIM does it by using a pair of keys and by providing positive identification of the signer’s identity along with an encrypted “hash” of the message content, allowing messages to be checked to verify that they are from the purported sender (authentication) and have arrived unaltered (message integrity).
There are 3 main important elements in DKIM:
1) The digital signature
2) The definition of the fields over which the digital signature was calculated
3) The sending domain
The public key is published in the public Domain Name System (DNS). When the receiver receives the mail, it checks the DKIM signature against the sender’s public key fetched through DNS. If the incoming message cannot be verified, then the receiving server knows it contains a spoofed address or has been tampered with or changed. A failed message can then be rejected, or it can be accepted but tagged accordingly with “certainly spam”, “probably spam”, etc.

Email is an important form of communication in our lives, and because of the heavy usage of email, spam is here to stay. Spam evolves quickly, making it very difficult to stop it for good. Therefore we need a combination of different anti-spam technologies to put up an effective fight against spam. I hope this set of blogs gives you a better insight into anti-spam technologies.

End of Part 4

Thursday, April 3, 2008

SPAM BUSTER! Part 3 of 4

Authentication – “Are you real?”

Normally a sender won’t be sending thousands of emails per day, so an authentication or challenge method won’t hinder their flow of work. But for a spammer sending bulk mail in the thousands, this method definitely slows down their rate of successful sending, and most spammers don’t even provide a valid return address!

The most common form of authentication method is, as the name says, “Self Authentication”. This method is effective and has zero or very few false positives.
For example, Calvin sends Philip an email. Philip’s anti-spam appliance holds on to the email and sends an authentication mail back to Calvin asking him to verify his sending. Once Calvin has verified by a return mail, his email address is automatically added to the “Permitted sender” list and no further authentication mail is sent to him in future. The questions are: “What happens if he didn’t reply to the mail? Or if Calvin’s anti-spam appliance, after receiving the challenge mail from Philip’s anti-spam appliance, sends the same challenge back to Philip?” Normally, an anti-spam appliance with self-authentication features parks unauthenticated mail in various places. These could include “Certainly Spam”, “Probably Spam” or “Maybe Spam”. Depending on the features and functions used by the anti-spam appliance, various different scenarios can happen here. Therefore, for users choosing self authentication as their spam-fighting tool, it is important to know and understand the nature and behaviour of the anti-spam appliance towards unauthenticated mail.

Greylisting is another form of challenge that is popular in many anti-spam appliances. Unlike self authentication, which requires user intervention, what it does is reject the mail with a "450 temporary rejection". Most servers will try again after receiving the error, but a spammer sending thousands of mails a day will not. Therefore it greatly cuts down the number of spam in the process.

Such methods help prevent spam but can never stop it completely. Self authentication or greylisting can also be an additional load on the appliance. Therefore, when considering the use of these methods, we have to take into consideration the number of users and the mail load.
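Both challenge methods from this post, self authentication (hold the mail, challenge the sender, release and whitelist on reply) and greylisting (450 on first contact, accept the retry), as an added Python example. This is my illustration, not the original post’s code and not any appliance’s implementation; names like Calvin, Philip, the `known_good` relay list and the timings are constructed. The greylist takes an injectable clock so the retry timeline can be simulated offline, and the whitelist of trusted relays shows the usual way the load concern at the end of the post is reduced.

```python
import time

class Greylist:
    """Greylisting on the (client IP, sender, recipient) triplet: first contact gets a
    450, a retry after `min_delay` seconds is accepted, and the triplet is remembered
    for `ttl` seconds so a genuine sender is not delayed again."""

    def __init__(self, min_delay=300, ttl=36 * 3600, clock=time.time, known_good=()):
        self.first_seen, self.min_delay, self.ttl = {}, min_delay, ttl
        self.clock, self.known_good = clock, set(known_good)

    def check(self, client_ip, mail_from, rcpt_to):
        if client_ip in self.known_good:            # trusted relays skip the delay (less load)
            return "250 2.1.5 Ok"
        key, now = (client_ip, mail_from.lower(), rcpt_to.lower()), self.clock()
        first = self.first_seen.get(key)
        if first is None or now - first > self.ttl:  # new, or expired: start the clock
            self.first_seen[key] = now
            return "450 4.7.1 Greylisted, try again later"
        if now - first < self.min_delay:             # retried too early, still deferred
            return "450 4.7.1 Greylisted, try again later"
        return "250 2.1.5 Ok"                        # a real MTA retried: let it through


class SelfAuthentication:
    """Challenge/response: mail from an unknown sender is held and a challenge is
    queued; a confirmation moves the sender to the permitted list and releases the
    held mail.  Unanswered mail simply stays in `held` (the 'parked' mail the post
    mentions), where a policy can later tag it 'Maybe Spam' or expire it."""

    def __init__(self, permitted=()):
        self.permitted, self.held = set(permitted), {}
        self.delivered, self.challenges = [], []

    def receive(self, sender, message):
        if sender in self.permitted:
            self.delivered.append((sender, message))
            return "delivered"
        self.held.setdefault(sender, []).append(message)
        if sender not in self.challenges:            # one challenge per sender, not per mail
            self.challenges.append(sender)
        return "held, challenge sent"

    def confirm(self, sender):
        """Called when the sender answers the challenge."""
        self.permitted.add(sender)
        for message in self.held.pop(sender, []):
            self.delivered.append((sender, message))


def simulate_greylist():
    """Replay the post's scenario with a fake clock: first attempt, an early retry,
    then a retry after the delay window.  Returns the three SMTP replies."""
    now = [1000.0]
    gl = Greylist(min_delay=300, clock=lambda: now[0])
    args = ("203.0.113.7", "calvin@example.com", "philip@example.net")  # constructed
    first = gl.check(*args)
    now[0] += 30
    early = gl.check(*args)
    now[0] += 400
    retry = gl.check(*args)
    return first, early, retry
```

A spammer that never retries never gets past the first "450", which is the whole effect the post describes; the cost is that every new legitimate triplet is delayed once, which is why trusted relays are whitelisted.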

End of Part 3

Wednesday, April 2, 2008

SPAM BUSTER! Part 2 of 4

Reverse Lookup – “Hello, who are you?”

Spamming is illegal in almost every country, therefore almost all spammers use a forged “From” address. Such forged addresses normally appear to be from trusted domains such as XX@yahoo.com, XX@gmail.com, etc. Another reason spammers forge email addresses is that most ISPs have clauses that prohibit spamming, so forging the email address keeps the ISP from locking down their network. If we could prevent spammers from forging the “From” address, we would greatly reduce the number of spam. So how do we do that?

Reverse lookup is basically a process that associates a host with a given IP address, i.e. the IP address resolves to a given host name. A spammer’s forged address normally does not have a pointer record (PTR) to fulfil this requirement. Sender Policy Framework (SPF) is one of the methods used alongside reverse lookup to prevent email address forgery. SPF is a process where the hosts permitted to send mail for a domain are specified and checked during the SMTP transaction. With SPF enforced, a spammer cannot forge an email address undetected, and action can be taken against forged mail accordingly.

In my earlier blog explaining how email is sent, I mentioned the mail server searching for the email server assigned to receive the mail, based on the MX record associated with the recipient domain name. Similarly, the reverse lookup consults the DNS for a reverse-MX record (RMX) to determine whether the email from that particular domain was sent by a permitted host. Reverse lookup seems like a good solution, but it is not without its own limitations.

One important thing we must take into consideration when activating reverse lookup is that the sender's IP address may not be in the reverse DNS records, or the sending server may have multiple names for the same IP, not all of which are available from the reverse DNS lookup. An example of this is users on host-less or vanity domains.
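The two lookups discussed in this post, an SPF evaluation of the permitted sending hosts for a domain and a forward-confirmed reverse lookup (PTR, then A, and the name is trusted only if it resolves back to the same IP), as an added Python example. This is my illustration, not the original post’s code and not a full SPF implementation (only `ip4`, `ip6`, `a` and `all` mechanisms with their qualifiers; no `include`, `mx` or macros). The DNS zone is a constructed in-memory table using documentation addresses; real code would query a resolver. The `vanity.example` entry models the post’s host-less/vanity-domain caveat, where there is simply no record to check against.

```python
import ipaddress

# Constructed DNS data (documentation ranges); a real check queries a resolver
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 a:mail.example.com -all"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("vanity.example", "TXT"): [],                   # vanity domain: no SPF record at all
}

def lookup(name, rtype, dns=DNS):
    return dns.get((name, rtype), [])

def spf_check(sender_domain, client_ip, dns=DNS):
    """Evaluate a simple SPF record for the connecting IP.  Returns one of the SPF
    result names: pass, fail, softfail, neutral, or none (no record published)."""
    records = [r for r in lookup(sender_domain, "TXT", dns) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:          # mechanisms are tried left to right
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return qualifiers[qualifier]
        if mech == "a":                           # 'a' or 'a:host' -> A records of that name
            addrs = lookup(arg or sender_domain, "A", dns)
            if any(ipaddress.ip_address(a) == ip for a in addrs):
                return qualifiers[qualifier]
        if mech == "all":                         # catch-all, normally '-all' or '~all'
            return qualifiers[qualifier]
    return "neutral"

def forward_confirmed_rdns(client_ip, dns=DNS):
    """PTR lookup on the IP, then an A lookup on each name it returns.  A name is
    accepted only if it resolves back to the same IP.  Returns the host name or
    None, which is what happens for an IP with no (usable) reverse record."""
    reverse_name = ipaddress.ip_address(client_ip).reverse_pointer
    for name in lookup(reverse_name, "PTR", dns):
        if client_ip in lookup(name, "A", dns):
            return name
    return None
```

Note the difference between `"fail"` (the domain publishes a record and this IP is not in it) and `"none"` (the domain publishes nothing): treating `"none"` as a failure is exactly how legitimate mail from host-less or vanity domains gets rejected.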

End of Part 2

SPAM BUSTER! Part 1 of 4

Let’s get back to the corporate world of spam fighting. Fortunately for many users sitting behind the computer screen, the job of fighting spam is left to the IT department.
The problem here is that there are many companies in the market providing anti-spam solutions comprising many different packages. So which do we choose? Many IT departments buy an anti-spam appliance based on sales talk. That is the greatest mistake, as the wrong appliance in place will cause much inconvenience: lost emails, denial of service and lots of false positives. This blog is to help IT departments decide which technologies are best suited to their environment.
I will not be listing product brands and company names. Rather, I will list the technologies available in the market, explain each of them, and tell you which combination of the technologies is best in my point of view.

4 types of key technologies used in fighting spam.

Filter – The old school method

Filtering is used by most anti-spam appliances as one of their tools for blocking spam. Types of filters include a “word list” or “spam dictionary”, a “black list” and “white list” of IP addresses, “hash tables” and “Bayesian spam filtering”. In my personal point of view, filter systems are dangerous, as they often result in a high false positive rate, especially in the early stage of implementation. They also require a high level of user intervention due to the fast-evolving changes in spam content, and therefore the spam filter rules need frequent fine tuning.

Why did I say high level of false positives? Imagine that we use the word “SEX”. In most cases, “sex” will be classified as a spam word. But if an email contains “Hi Joe, did you catch the show “Sex in the city” last night?”, this email will be blocked even though it is a harmless email between two friends. This is just one example, but you will be surprised to see the common words listed in a default “spam dictionary”, and you can imagine the number of mails that get blocked without intensive fine tuning of the “word list”.

While we are smart in adding the key words appearing in spam mail, spammers are just as good at modifying the words. I am pretty sure you have seen “Viagra” appear as “V1agr@”, “Vi@gra” or “V!agra”, etc. These words escape the “spam dictionary” and therefore result in false negatives.

A filter system is effective only with frequent fine tuning of the filters in use. The “word list”, the “black list” of IPs, etc. must be updated frequently. Bear in mind that a filter does not stop spam; it merely stops what you highlighted in your system. Even so, checking misclassified email frequently is important to avoid missing important mails.
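Both failure modes described in this post, the “Sex in the city” false positive and the “V1agr@” false negative, reproduced in a small word-list filter as an added Python example (mine, not the original post’s code and not any product’s engine). The dictionary, the substitution table and the sample mails are constructed for the demo; the `allowed_phrases` parameter stands in for the manual fine tuning the post says such filters need.

```python
import re

SPAM_WORDS = {"viagra", "sex"}                  # constructed two-entry "spam dictionary"

# Common character substitutions spammers use; undoing them before matching is one
# way a word-list filter is tuned against "V1agr@"-style evasion.
_UNOBFUSCATE = str.maketrans({"1": "i", "!": "i", "@": "a", "0": "o",
                              "$": "s", "3": "e", "|": "l"})

def tokens(text):
    """Split on whitespace and strip surrounding punctuation, keeping inner characters."""
    return [t.strip("\"'.,;:?()") for t in text.split() if t.strip("\"'.,;:?()")]

def raw_hits(text):
    """Plain dictionary match.  Misses 'V1agr@' entirely: a false negative."""
    return {t.lower() for t in tokens(text)} & SPAM_WORDS

def normalized_hits(text):
    """Dictionary match after undoing the letter substitutions."""
    return {t.lower().translate(_UNOBFUSCATE) for t in tokens(text)} & SPAM_WORDS

def verdict(text, allowed_phrases=()):
    """'spam' if any dictionary word survives after removing tuned-in allowed phrases.
    With no tuning, the harmless 'Sex in the city' mail is blocked: a false positive."""
    lowered = text.lower()
    for phrase in allowed_phrases:
        lowered = re.sub(re.escape(phrase.lower()), " ", lowered)
    return "spam" if normalized_hits(lowered) else "ham"

# Constructed sample mails
FRIENDLY_MAIL = 'Hi Joe, did you catch the show "Sex in the city" last night?'
SPAM_MAIL = "Cheap V1agr@ and Vi@gra, order V!agra today"
```

`raw_hits(SPAM_MAIL)` is empty while `normalized_hits(SPAM_MAIL)` finds `{"viagra"}`, and `verdict(FRIENDLY_MAIL)` is `"spam"` until the phrase is added to `allowed_phrases`. Every such tweak is the kind of manual maintenance the post warns about, and each allowed phrase is also a new gap a spammer can reuse.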

End of Part 1

Saturday, March 22, 2008

Spam Prevention - Home User

Someone asked me to post some tips for home users who don’t have the luxury of protection from an anti-spam appliance. These users probably don’t need to know about greylisting, SPF, DKIM, etc. either. So before I go on to blog about the methods used in anti-spam technology, I will do a simple write-up on how home users can prevent themselves from becoming spam victims, and some ways to control it.

Firstly, I think many home users receive spam because they do not have good email discipline. Most people who receive spam have registered their email on commercial websites, signed up for some out-of-the-blue marketing promotion, registered as members when downloading software, etc. The problem is that many of these sites do not have a privacy policy that they follow. Emails are sold or leaked to the marketing world.
Spammers even make money by selling their email database to other spammers, and the cycle goes on. Therefore you receive more and more spam emails. End users have to be careful about giving away their email. Honestly, this is the most important basic of all. I will list a few steps on what you can do and how you can cut down on your existing spam.

Prevention

1) Don’t reply to spam mail to unsubscribe! Please do not click on any link in the spam mail to unsubscribe. If you did not sign up for it, don’t click to unsubscribe from it. The moment you click on the link, you are basically telling the person who sent you the spam, “Hey, yes, I am an active user. Go ahead and spam me in future!” Of course, if it comes from a reputable company, then there is probably no harm in clicking on that link.

2) Don’t forward an email from someone you don’t know to a list of people. Such emails are perfect for spammers to harvest email addresses from.

3) Try using a complicated email username when signing up for an email address. Addresses such as “jenny76@hotmail.com” are easily harvested by spammers’ software.

4) Camouflage your email address. Putting your email address in plain text on your web site makes it easy for spammers’ spiders to harvest it. Best is to disguise your email address by stripping out the periods and the “@” symbol, for example “YOURNAME AT YAHOO DOT COM”. You can also make the “@” an image; this will prevent crawlers from identifying it.

5) Get a desktop anti virus with an anti spam filter. There are many desktop anti virus products that come with anti spam features; examples would be Kaspersky, Sophos, etc. Such anti virus software is normally affordable and effective.

Control

If you are using Outlook Express or Outlook to download your mails, you can also set rules to filter your mails into the junk folder. I will take Outlook Express as an example and list down the steps below. I will use the word “Viagra” as the example keyword.

1) Open up Outlook Express
2) Go to Tools --> Message Rules --> Mail
3) Click "New"
4) Select the condition for the rule to take effect and the action for it. I will choose the condition on words contained in the message body, as it is normally more effective compared to the others, and I will choose to move the mail to the junk folder rather than delete it, so that even if a mail turns out to be detected wrongly, I will still have it.
5) Fill in the specific words I have decided on and select the folder.
6) Voila!!!!! The rule has been created. Any new message with the word “viagra” in the mail body will be moved to the junk folder.

The above are just simple steps to filter out potential spam mails. But such rules are tedious and may need to be fine tuned along the way. Try a desktop anti virus with anti spam features. It will probably be easier, less time consuming and more effective.

Friday, March 21, 2008

Spam! How did it get into me!!!!

It is so irritating when I have to spend 10 minutes every morning, while eating breakfast in front of my computer, clearing spam. Haha, kidding. Since the day I became involved in IT security, I hardly see any in my mails anymore. Let me share with you what spam is and, slowly, how we can prevent it.

A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that the email is unsolicited and sent in bulk. “UCE” refers specifically to “unsolicited commercial e-mail”. According to a Gartner report in TechWeb News, spam has cost the world $50 billion in lost productivity and other expenses.

The question that often comes to users’ minds when they receive spam is how the spammer got their email address. E-mail spammers do not get addresses because they are on a company distribution list or a legitimate e-mail publication. In today’s world, a legitimate mailing list is normally secured, and it is unlikely that a spammer can get hold of the addresses on it. The problems start when users subscribe to unknown websites or newsletters. Email addresses given to unknown websites or newsletters are often leaked, intentionally or unintentionally, resulting in the users receiving a high amount of spam. Users subscribing to newsletters or registering on unknown websites should always check the privacy policy. The policy should state clearly that the email address or information provided by the user will never be released to another party or used for any purpose other than the one stated.

Directory Harvest Attack, or DHA, is another technique used by spammers in an attempt to find valid, existing e-mail addresses at a domain by brute force. When under a directory harvest attack, the massive volume of attempts with different addresses sent by the spammer will consume the mail server’s resources. At worst, the mail server may be prevented from receiving legitimate email if all available resources are exhausted. Organizations should have in place an anti spam appliance that can detect any form of DHA conducted against their mail server. Today’s anti spam appliances would normally have a combination of features such as “Real Time Blacklist” (RBL), “Domain Key Authentication” (DKIM), “Sender Policy Framework” (SPF), “Greylisting”, “Bayesian filter” and many more.
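What “detect any form of DHA” looks like in practice, as an added example (my own code, not from this blog or any appliance vendor): detection logic run over constructed SMTP log lines. A harvest shows up as one client being refused for many different recipients in a short window, so the detector counts distinct “unknown user” refusals per client IP in a sliding window. The log format, thresholds and addresses are my own choices; the client IPs come from the RFC 5737 documentation ranges and the domain is the post’s philsecure.com.

```python
"""Added example (not from the original post): detection logic for a
Directory Harvest Attack, run over constructed SMTP log lines. The log
format, thresholds and addresses are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format:
#   "<ISO timestamp> <client IP> RCPT TO:<address> <SMTP code> <text>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"RCPT TO:<(?P<rcpt>[^>]+)> (?P<code>\d{3})"
)

# Constructed sample: 203.0.113.10 walks an alphabetical list of guesses,
# 192.0.2.5 keeps retrying one mistyped address, 198.51.100.7 is a normal sender.
SAMPLE_LOG = """\
2008-03-21T08:00:01 203.0.113.10 RCPT TO:<aaron@philsecure.com> 550 unknown user
2008-03-21T08:00:02 198.51.100.7 RCPT TO:<john@philsecure.com> 250 ok
2008-03-21T08:00:03 203.0.113.10 RCPT TO:<abby@philsecure.com> 550 unknown user
2008-03-21T08:00:05 203.0.113.10 RCPT TO:<adam@philsecure.com> 550 unknown user
2008-03-21T08:00:06 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:07 203.0.113.10 RCPT TO:<alan@philsecure.com> 550 unknown user
2008-03-21T08:00:08 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:09 203.0.113.10 RCPT TO:<alex@philsecure.com> 550 unknown user
2008-03-21T08:00:10 198.51.100.7 RCPT TO:<jhon@philsecure.com> 550 unknown user
2008-03-21T08:00:11 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:12 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:13 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:14 192.0.2.5 RCPT TO:<jon@philsecure.com> 550 unknown user
2008-03-21T08:00:15 203.0.113.10 RCPT TO:<amy@philsecure.com> 550 unknown user
""".splitlines()


def parse_line(line):
    """Return a dict for a RCPT TO log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "rcpt": m["rcpt"].lower(),
        "code": int(m["code"]),
    }


def detect_dha(lines, window_seconds=60, max_unknown=5):
    """Flag a client IP once it has been refused for >= max_unknown distinct
    recipients within window_seconds. Counting distinct addresses is what
    separates a harvest from a legitimate sender retrying one typo.

    Returns {ip: timestamp of the RCPT that crossed the threshold}."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, recipient)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != 550:   # only "no such user" refusals count
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["rcpt"]))
        # slide the window: discard refusals older than window_seconds
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= max_unknown and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, ts in detect_dha(SAMPLE_LOG).items():
        print(f"possible DHA from {ip}, threshold crossed at {ts.isoformat()}")
```

On the sample above only 203.0.113.10 is flagged: 192.0.2.5 produces more refusals in total but for a single address, which is what a user with a typo looks like. In a real deployment the flag would feed a rate limit or temporary block on that client, which also addresses the resource exhaustion the post warns about.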

Take a little time to digest this blog on “SPAM”... I will fill you in on the different methods used to fight spam in the coming blogs.

Tuesday, March 18, 2008

So who is the Postman sending the Email??

It is interesting to know that many email server administrators do not know how email works. They can configure the servers and create users but don’t know what happens when the user clicks on the “SEND” button. Therefore I decided to blog on how exactly email works as one of my first entries.

Email is the basic communication that we are all using in our daily work. Users simply open up their email client, type the sweetest things they can and click “send”. 9 out of 10 users won’t think about how the “postman” is sending the email for them. But all of them will be expecting the receiver to receive their mails. Of course, we tech geeks are the 1 out of 10 who are curious about the amazing technology behind email.

In the total process of email, we will look at a few key players: the Mail Transfer Agent (MTA), e.g. Exchange Mail Server; the e-mail client, e.g. Outlook Express; the Mail Exchanger (MX); the Domain Name Server (DNS); and the Internet. Like any game, there are a few rules to follow.

For outgoing emails, Simple Mail Transfer Protocol (SMTP) on port 25 is used. For incoming mails, Post Office Protocol (POP) on port 110 or Internet Message Access Protocol (IMAP) on port 143 is used.

Now let’s take a scenario to explain the email flow. John at john@philsecure.com opens up his email client, Outlook Express, and types an email to his wife, Alice at Alice@philblog.com. After finishing his email, he clicks on “send”. Alice, on the other hand, receives a new incoming email in her email client. So what actually happens?

1) When John clicks “Send”, his email client sends the email to his MTA using port 25.

2) The email server at philsecure.com receives the address of the sender and the address of the recipient, as well as the body of the message. It will consider the recipient’s email address as two parts: the recipient name (Alice) and the domain name (philblog.com). If the “to” address had been another user at philsecure.com, the email server would simply hand the message to the server processing POP3 or IMAP for philsecure.com, and the mail would be delivered to the appropriate user account.

3) Here, the email server looks up the domain name server (DNS) for the IP address of the email server of philblog.com. The DNS replies with the IP address of the SMTP server that philblog.com operates. This IP is the Mail Exchanger (MX) IP address.

4) The email server of philsecure.com then sends the mail to philblog.com according to the MX record it got from the DNS.

5) The email server of philblog.com receives the email and sends it to the server running POP3 or IMAP, and it will then be delivered to the user’s account.

6) The user logs on to her mail client, which uses POP3 or IMAP to download the email.

That’s it! Email: a simple yet wonderful technology.
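The steps above, as an added example (my own code, not from this blog): a simulation of what the sending MTA decides at steps 2 to 4, using a constructed DNS table instead of real lookups so it runs offline. philsecure.com and philblog.com are the post’s domains; the MX host names and IP addresses (RFC 5737 documentation ranges) are made up here, and the MTA host name used in EHLO is assumed to be mail.<domain>. It goes one step beyond the post in two places: MX records carry a preference value and the lowest one is tried first, and a domain with no MX record falls back to its A record, which is RFC 5321 behaviour.

```python
"""Added example (not from the original post): the sending MTA's routing
decision, driven by a constructed DNS table. Host names and IP addresses
are made up; the domains are the ones used in the post."""

# Constructed DNS data. MX records are (preference, host); lower preference
# is tried first, so mx1 wins even though it is listed second.
MX_RECORDS = {
    "philblog.com": [(20, "mx2.philblog.com"), (10, "mx1.philblog.com")],
    "philsecure.com": [(10, "mail.philsecure.com")],
}
A_RECORDS = {
    "mx1.philblog.com": "192.0.2.25",
    "mx2.philblog.com": "192.0.2.26",
    "mail.philsecure.com": "198.51.100.25",
    "example.net": "203.0.113.25",      # a domain that publishes no MX record
}


def split_address(addr):
    """Step 2: split user@domain into the mailbox name and the domain."""
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def resolve_mx(domain):
    """Step 3: return the ordered [(preference, host, ip)] the MTA will try."""
    mx = MX_RECORDS.get(domain)
    if not mx:
        # No MX published: RFC 5321 says treat the domain's own A record
        # as an implicit MX with preference 0.
        ip = A_RECORDS.get(domain)
        return [(0, domain, ip)] if ip else []
    return [(pref, host, A_RECORDS.get(host)) for pref, host in sorted(mx)]


def smtp_envelope(sender, recipient):
    """Step 4: the commands the sending MTA issues on port 25 (body omitted).
    Assumes the sending MTA is named mail.<sender domain>."""
    _, sender_domain = split_address(sender)
    return [
        f"EHLO mail.{sender_domain}",
        f"MAIL FROM:<{sender}>",
        f"RCPT TO:<{recipient}>",
        "DATA",
        "QUIT",
    ]


def route_message(sender, recipient):
    """Walk steps 2-4 for one message and report what the sending MTA does."""
    _, sender_domain = split_address(sender)
    mailbox, rcpt_domain = split_address(recipient)
    if rcpt_domain == sender_domain:
        # Same domain: hand straight to the local POP3/IMAP store, no DNS needed.
        return {"delivery": "local", "mailbox": mailbox, "tries": []}
    tries = resolve_mx(rcpt_domain)
    if not tries:
        return {"delivery": "bounce",
                "reason": f"no mail exchanger for {rcpt_domain}", "tries": []}
    return {
        "delivery": "remote",
        "mailbox": mailbox,
        "tries": tries,
        "next_hop": tries[0][1],
        "smtp": smtp_envelope(sender, recipient),
    }


if __name__ == "__main__":
    for rcpt in ("Alice@philblog.com", "bob@philsecure.com",
                 "x@example.net", "x@nowhere.invalid"):
        print(rcpt, "->", route_message("john@philsecure.com", rcpt))
```

Running it shows John’s mail to Alice going to mx1.philblog.com first, a mail to another philsecure.com user never touching DNS, and a domain with no records producing a bounce rather than a silent drop.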

Monday, March 17, 2008

Basics of Infocomm Security (Part 2)

This is a topic covered by tonnes of network security professionals. A trip to the nearby library would probably stuff you with more than enough knowledge to handle your network, that is, if you can absorb everything you read from the books. What I will list here are some of the common practices.

A firewall is one of the basic needs in a company network. Unless you are a network guru or some Cisco geek, depending on your router to protect your network will not be your best bet. A firewall would normally come with all ports closed by default. That means you will only need to open what is needed for your operation to function. Be careful not to open more than what is enough. A quick search of your existing application documentation would tell you what ports are needed, and these ports are just what you need to open. Using Network Address Translation (NAT) is also necessary to protect your servers or applications from being exposed to the external network. NAT is safe, and it saves you the cost of purchasing static IPs.

Intrusion Prevention System (IPS)

An IPS is an additional protection for the network. For a company dealing with a large amount of sensitive data and with the budget, an IPS is definitely the way to go. As we know, a conventional firewall blocks unwanted attacks and data from coming into the network, but we also know that the firewall ignores what has already gotten into the network! An IPS scans and constantly listens to the traffic in the network. Abnormal behaviour in the network traffic is immediately detected, and a notification can be sent out instantly. There are some firewall appliances that act as a unified threat machine (UTM). Such a machine would normally have an IPS module in it. Administrators looking for an IPS together with a firewall on a limited budget might want to consider such an appliance.

Anti Spam Appliance

Normally also sitting in the perimeter, an anti spam appliance is often used to safeguard the company’s email. These anti spam appliances normally come with anti virus built in. It is highly important to do an evaluation test of the appliance before purchasing it. In fact, during the evaluation period it is very important to ensure the reliability of the appliance before running it in the production environment.

An anti spam appliance is supposed to sit in front of your company’s Mail Transfer Agent (MTA). This means that all emails will go through your anti spam appliance before reaching your MTA. If the anti spam appliance is not reliable, it might jam up all your emails or cause your legitimate mails to be filtered off without you knowing. This might cause the administrator a big problem if the company director’s million dollar e-mail has been dropped and no one knows about it.

There are several techniques used to detect spam and take care of email security. Greylisting, content filtering, Sender Policy Framework, etc. are just a few of them. Be sure to understand them well before you deploy an anti spam appliance in your company network.

This is a simple guide to the devices that can be used in perimeter security. Hope it helps some of the administrators out there.

Basics of Infocomm Security (Part 1)

Surprise is the word I use often when I step into a customer’s organization and realize how much security knowledge the IT administrator lacks. I will start off my blog touching on the basics of security from the desktop to the perimeter... Note that I will not be going into the details of each security point. This is just a guideline for the “newbie” administrators out there who probably do not know what needs to be secured in their network.

To simplify things, I will break down the network into 2 parts:
- End Point, referring to the desktops/servers (Part 1)
- Perimeter, referring to the line that separates the internal network from the external Internet (Part 2)

**Mid level security such as the usage of VLANs or network access security will not be mentioned in this blog. It will be touched on in my later entries.

End Point Security Guideline

Till this day, there are people who think that risk only comes from external factors and therefore spend thousands of dollars securing their perimeter while leaving the desktop open to risk. This is an extremely wrong concept, as today’s risk doesn’t come from outside alone.

The desktop is open to various types of risk such as data theft, viruses, hack tools, etc. With today’s modern technologies, IT gadgets are getting smaller and cheaper. A USB flash drive in the form of a pen costs only SGD10.00 and is easily available off the shelf. Such devices are brought easily into any corporate office, and any system that is not secured would have its data downloaded onto the device easily. The issue of resigned employees stealing data is very real, and unhappy employees injecting viruses into the production environment is very common.

The desktop has to be installed with anti virus to keep itself free of viruses. I will not elaborate on the anti virus, as I assume everyone knows the importance of having an updated anti virus on their desktop. I will instead elaborate on securing the endpoint’s ports (e.g. USB, Bluetooth, infrared, etc.), something that many administrators are unaware of. Desktop ports can be secured with various methods, such as using the registry to lock up the various physical ports in the notebook or computer. This method is free, as no third party software is needed. But the administrator doing it must have pretty good knowledge of the registry settings and keep a tidy and huge record of the computers whose registry has been changed. Alternatively, there is third party software in the market that provides the administrator a cool and user friendly interface to do the job above.

Such software normally allows the administrator to decide which ports (e.g. USB, Bluetooth, infrared, etc.) are allowed for use. Information transferred from the system to external devices is also audited. This is to prevent employees from copying sensitive information and then denying having done it. Better end point security software will even encrypt the data leaving the system for the external device. This is to prevent data from falling into the wrong hands should the device be stolen or lost.

As a best practice, the administrator should only allow company registered external devices to be used on the end point, all data transfers should be logged, and all data leaving the system for an external device should be encrypted.

Hardening of Desktop/Servers

Besides the usage of endpoint software to lock down the ports and control the usage of external devices, there are also some simple practices that we should look into:

1) Password control - A password policy should be in place to prevent unauthorized access.
2) Remote administration - Should be disabled to prevent unauthorized access.
3) Administrator rights - Proper rights should be assigned to users of the workstation.
4) Guest account - The guest account and additional accounts should be disabled.
5) Unauthorized notebooks and workstations should not be allowed access to the LAN.
6) All security vulnerabilities should be patched.
7) Unused ports should be closed.

I hope this blog can be useful to some in the area of desktop security.