Domain: pc-tools.net
Stories and comments across the archive that link to pc-tools.net.
Comments · 44
-
Re:Neuter the zombies
We already know where the zombies are. Hard working volunteers collect and publish (among other things) zombies, an ever growing list of the nodes used to carry out spam runs, DoS attacks, and other mischief.
cbl, sorbs, uceprotect, wpbl, and others all publish this info in near realtime
That's where the info is. A responsible ISP has to search the lists for their hosts and then go from there.
-
Re:There is a REALLY simple solution here...
I use this:
http://www.pc-tools.net/unix/renattach/
I just put it in the system wide procmailrc file and it runs for everyone.
It will rename files based on a file extension list that you designate. In addition it changes the MIME type headers. This forces the user to save and rename the file before launching it.
The author indicates it's no longer maintained, but it works quite well nonetheless. -
Re:HTTP headers
If you're running windows, there's a freeware program called popurl that will show you the HTTP headers for URLs you copy to the clipboard. You can see the X- headers in there
-
Do It Yourself
Grab copies of public spam blacklists, and run the IPs through grepcidr to see if any IPs from your network(s) are blacklisted. Nice that Microsoft is providing additional data, letting us know where spam comes from. With the information known by Hotmail alone (being made public) we should be able to easily locate the majority of worldwide spamming IPs.
-
Network admins! Prevent this from happening
This is an appeal to network admins working at ISPs, whether large or small. You have a responsibility to make sure that spam/attack zombies don't exist on your networks. These days it's a trivial task to check to make sure you're not part of the problem. This can be scripted so that you receive periodic reports of problem hosts on your system, which you can then firewall, disconnect, or restrict access to.
There are so many blacklists these days, so just use rsync to grab fresh copies of AHBL, CBL, DSBL, SORBS, whatever. Then run through grepcidr to see if any IPs from your network(s) are on the blacklists. So easy, and you'll be protecting both yourself and others from malicious zombies. -
Detect infection and shut down service
A quick way to handle the situation you describe is to detect the infection from outside and then shut down (or limit) service to the affected hosts. Sniffing network traffic to assess infections is the most accurate way, but here's another technique. Most viruses are involved with spamming in one way or another, and as such, infected hosts are detected out on the Internet.
What you should do is routinely grab (rsync) a full listing of blacklisted hosts from CBL, DSBL and elsewhere... and then use the grepcidr program to hunt for IP addresses from your network inside those huge lists.
This can be totally scripted. If you locate infected hosts, you can then revoke or cripple service to them one way or another. Examples of crippling would be to reduce available bandwidth (tarpit on a linux router), blocking all but the most essential outbound ports at the firewall. Or you could be more brutal and just revoke their IP connectivity. -
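The "Do It Yourself", "Network admins! Prevent this from happening" and "Detect infection and shut down service" comments above all describe the same check: pull a blacklist dump, run it against your own address space, act on the hits. The script below is an added example of that check and is not code from the comments, from grepcidr or from any of the blacklists; it does in Python what grepcidr does in C, so it also copes with listed CIDR blocks and with IPv6. The prefix list and the blacklist lines are constructed test data; a real run would read a downloaded CBL/SORBS/etc. dump instead.

```python
#!/usr/bin/env python3
"""Which of our prefixes have addresses on a blacklist dump?

Added example, not from the comments above and not grepcidr's code.
OUR_PREFIXES_TEXT and BLACKLIST_TEXT are constructed; point the functions
at a real rsync'd dump and your own prefix file to use it for real.
"""
import ipaddress
from collections import defaultdict

# Constructed: the prefixes we are responsible for, one per line.
OUR_PREFIXES_TEXT = """
# ISP customer pools
192.0.2.0/24
198.51.100.0/25
2001:db8:abcd::/48
"""

# Constructed: lines in the shape of a downloaded blacklist. Real dumps are
# one entry per line; some entries are bare IPs, some are CIDR blocks, some
# carry trailing comments, and a few are garbage.
BLACKLIST_TEXT = """
192.0.2.17          # inside 192.0.2.0/24
203.0.113.200
198.51.100.64/26    # a listed block, inside our /25
198.51.100.130      # outside our /25 (which ends at .127)
2001:db8:abcd:1::5  # inside our v6 /48
not-an-address
"""


def parse_networks(text):
    """One-entry-per-line text -> list of ip_network objects, junk skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False so '10.1.2.3/24' style host-bits entries still load
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # blacklist files do contain garbage; ignore it
    return nets


def find_listed(our_prefixes, blacklist):
    """{our_prefix: [blacklist entries that overlap it]}.

    A bare address parses as a /32 (or /128), so overlaps() covers a single
    listed host, a listed block inside our prefix, and a listed block that
    is bigger than our prefix, in one test.
    """
    hits = defaultdict(list)
    for ours in our_prefixes:
        for listed in blacklist:
            if listed.version == ours.version and listed.overlaps(ours):
                hits[ours].append(listed)
    return dict(hits)


def report(our_text=OUR_PREFIXES_TEXT, bl_text=BLACKLIST_TEXT):
    """Sorted 'our_prefix <- listed_entry' lines, ready to mail to the NOC."""
    hits = find_listed(parse_networks(our_text), parse_networks(bl_text))
    return sorted(f"{ours} <- {listed}"
                  for ours, entries in hits.items() for listed in entries)


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it from cron after the rsync and mail the output; an empty report means none of your space is listed in that dump. Each blacklist has its own listing policy (some list whole /24s once a few hosts spam), so a hit on a block entry is a reason to look at the whole block, not just one host.
-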
Re:Outlook makes this a nightmare
I have no idea what outlook does. I use jbmail (it's for windows though) and when you save messages from the inbox, or copyself they become individual ASCII files named intelligently to reflect the address and subject involved. So future filing is just a matter of dealing with text files, which will be around forever and easily identified.
-
Re:Well....
It won't work under NT-stream Windows (i.e. anything recent). Back in the DOS days there were some cool ways to reboot though, check out the RE-BOOT program in this package (assembly).
-
From a user's perspective
For a similar discussion, but from the perspective of an OpenOffice.org user, check out this article (even though it's really talking about OO.org, there is a section where it goes into the advantages of open formats for data interchange and longevity/archival). The XML format discussed there is I believe the same as OpenDocument
-
Re:What is wrong with find?
The problem is that most people fail to use descriptive directory and file names. If you use very descriptive file names, you will find that you can efficiently locate any file you need without resorting to a nasty/expensive file content cataloging operation. I'm working on a cross platform file search tool that is optimized for finding files by file name; faster than any of these 'desktop search' programs of course.
-
Re:Lacking
My solution to this is pretty damn simple (and platform independent)... I archive all my emails to individual files where the file name is composed of the Subject, To/From address, and time stamp. So I can search for any of my communications, on any platform, just by looking through a directory listing. Efficient, fast. This is also the format used by the jbmail mail client for archiving emails.
-
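The "Lacking" comment above (and the earlier jbmail remark) archives one message per file, named from Subject, address and timestamp. The function below is an added example of building such a name and is not jbmail's code; the naming order (timestamp, address, subject, then .eml) follows the comment, the sanitising is mine. Mail headers are chosen by the sender, so anything that ends up in a file name has to be reduced to a safe alphabet first: no path separators, no control characters, no leading dot or dash, bounded length. The header values in the tests are constructed.

```python
#!/usr/bin/env python3
"""File names for a one-message-per-file mail archive, from raw headers.

Added example; not jbmail's code. Everything here that came from a header
is treated as hostile input before it touches the file system.
"""
import re
from datetime import timezone
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")  # any run outside this set -> "_"
NO_TIME = "00000000-000000"                # stands in for an unparsable Date:


def safe_component(text, maxlen):
    """Collapse unsafe runs to '_', strip leading/trailing '.', '-' and '_'
    (no hidden files, no option-looking names, no '..'), cap the length."""
    return UNSAFE.sub("_", text).strip("._-")[:maxlen].rstrip("._-")


def archive_name(subject, addr_header, date_header, maxlen=120):
    """'YYYYMMDD-HHMMSS_address_subject.eml' built from raw header values."""
    # RFC 2047 encoded words (=?utf-8?q?...?=) are decoded before sanitising,
    # so a non-ASCII subject still yields its ASCII letters rather than junk.
    subject = str(make_header(decode_header(subject or "")))
    subject = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject, flags=re.I)
    address = parseaddr(addr_header or "")[1].lower()
    try:
        when = parsedate_to_datetime(date_header).astimezone(timezone.utc)
        stamp = when.strftime("%Y%m%d-%H%M%S")
    except (TypeError, ValueError, AttributeError):
        stamp = NO_TIME  # keep the message; just do not trust its Date:
    name = "_".join((stamp,
                     safe_component(address, 60) or "unknown",
                     safe_component(subject, maxlen) or "no_subject"))
    return name + ".eml"


if __name__ == "__main__":
    print(archive_name("Re: lunch?", "Friend <Friend@Example.org>",
                       "Fri, 26 Nov 2004 10:15:00 +0000"))
    print(archive_name("../../etc/passwd\x00", "<a@b.example>", "no such date"))
```

A directory listing of such names is searchable with plain tools, which is the point the comment makes; the sanitising is what keeps a subject line like "../../etc/passwd" from becoming a path.
-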
Will it fit?
If you're running low on space by the time you hit thunderbird, you could also try jbmail which similarly is a secure mail client that can be run straight off removable media (but is very small, 1 mb). but it doesn't share data with firefox. Hell, it doesn't do HTML either (displays as text) which may be a shortcoming or a feature depending on how paranoid you are...
-
Re:MD5 sum as of 11/26
-
Re:I have no fear of spammers
My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load
This is why renattach exists. You run that baby in kill mode, and you can handle millions of viruses a day without breaking a sweat (load average wise). This filter just drops mail when certain types of attachments (by file extension or file names inside a ZIP attachment) are found. Not as proper protection as a virus scanner, but coupled with spamassassin it will do the job. -
This should not be a problem
Because your Windows account has non-admin privileges, of course. A low privilege user can't overwrite the hosts file, or screw around with the HKLM registry. And personally, my own mail client doesn't even try to support HTML or script-like thingies. Too difficult, too weird, unnecessary, dangerous.
-
Now I feel somewhat safer
...knowing that my mail client doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.
Honestly, looking at something like emails -- what does all this "metadata" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so much less dangerous. -
Re:Simple solutions
The link, however, looks like it is an image file:
I wrote a small windows program called popURL that lets you quickly get info on a URL such as the file size, MIME type (important obviously), even software running on web server (IIS etc.) -
Awwwww, FUUUUUDGE!
Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD /C NOTEPAD.GIF" and it will pop right open. Not sure yet if explorer will do this the same way: One test I ran (notepad.exe -> notepad.xxx) prompted for a program, while another program (nestor.exe -> nestor.xxx) just ran normally. Maybe it has something to do with the origin of the file, or whether the file extension is registered or not. I noticed that Windows replaced notepad.exe with a new copy a few seconds after I renamed it.
The point?
Those of us using RENATTACH on our mail servers to filter out malware and viruses now have another hole to plug.
Thanks, Microsoft.
Dorks. -
For your benefit
Here's the beta version of my freeware program popURL (for Windows, sorry!). You can copy a URL to the clipboard (Copy Link Location) then click the tray icon, and popURL will pop up an info box on the URL telling you the software running on the remote server (IIS, Apache, whatever); the MIME type of the document, and its size if available. Potentially useful for safe, IIS-free browsing :) On UNIX you can get the same info using wget -S, though somewhat less convenient. -
Re:MSN Search is infected
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
Content-Length: 0
By the way, here's a neat program that sends only HEAD requests to web servers and shows you the response headers. ViewHEAD runs on Windows; on UNIX you can use wget -S. Useful for seeing what's at a web page, without having to download it. Also tells you what server is running, MIME type of the file, etc. -
Good results with spamprobe
I have been using spamprobe for some time, with the webfilt front-end, and I'm very pleased with the speedy spamprobe program (written in C++).
I receive approximately 10 legit emails/day and about 300 spam/day. I have only had 2 false positives overall (that's 2 out of about 100,000 total emails received) and on average only 2 spams/day slip past the filter. Now I'm testing Spambayes on one of my most spammed accounts, but it's definitely much slower than spamprobe and not more accurate as far as I can tell. -
Re:Will we see something like this on linux?
Yes, you will see something like this on Linux. I will bring it to you.
I'm working on developing an efficient, fast, local search tool that will be cross-platform. There's a beta version sitting on my desktop that I have been using for months, and I use it several times daily.
Unlike Google, I have no interest in monopolies, advertising, web-integration or anything that complicated. I like standalone, uncomplicated things. -
Re:Maybe...
from which a spammer can clearly see that you have opened their messages and validate your address...
That's old news, I wrote the solution three years ago. Just use a mail client such as this one that strips HTML. -
Postfix performs quite well
I recently configured a 200 MHz Pentium host (with slow IDE drives etc.) as an ISP's mail server. It handles over 10,000 emails daily and the load average hangs around at 0.10 -- it's using Postfix with the renattach attachment filter as a content filter (catches all those windows viruses). I was pretty impressed that Postfix performed so well on such an ancient machine :) -
Re:Email courtesy??
If you're using dialup pop, then you should be retrieving only headers, and your email client should download individual messages for you instead of grabbing all of them up front. This will let you eliminate obvious spams (based on header contents.) The more thoughtful email clients put notes on attachments in the header...
I don't know of a single pop client that does this by default, and don't know if pop can do this at all. Typically imap is used for things like this.
JBMail supports POP and does just that... -
Use a plaintext mail client
Even if you're on Windows, you can still use something like JBMail to view emails in plaintext (it strips HTML). If the mail client has no mechanism to execute scripts etc. then obviously you can't get infected in this fashion.
-
Re:Overkill
You're right about extra hardware. However:
- http://www.pc-tools.net/unix/renattach/
- http://www.amavis.org/
- http://www.clamav.net/
- http://www.sng.ecs.soton.ac.uk/mailscanner/
ClamAV seems to have the best reviews.
I snarfed all this out of a /. comment or two a little while back, and mailed the links to my boss, who was recently complaining about the high cost of email server antivirus software. I haven't tested any of them because I don't have a colocated server and Comcast does not offer static IP addresses for love nor money (or at least, I haven't found the right person to make the offer to yet) so I don't run a mail server these days. -
Re:No more attachments.
It's time to just block all E-mail attachments.
You don't have to block all... just executable attachments and other file extensions you don't want. Awfully easy to do with renattach -
Re:Server-side filters?
I use renattach and procmail. This allows me to rename the attachments instead of deleting them. Then if you get an .exe or .zip that you really want, you save it and rename it from myproggy.exe_bad to myproggy.exe before you can execute it. Works well, and it's faster than all of the slow perl code out there for doing the same thing. -
What other applications are affected?
Can anyone do us a favour and list some other applications that might be affected... for example, other Windows mail clients or web browsers that use SSL?
BTW, my SSL mail client (jbmail) is not affected since it uses OpenSSL.
-
Re:This Internet isn't for me
Oh, come on. Once it's going through a known good computer, it's easy to deal with assuming the sysadmins are competent.
You're right about that. However, the ISPs you're asking me to trust are the same ISPs that never answer their abuse@ account roles, who host spammers for years, and who don't implement even the most basic virus filtering on their servers. -
I started learning with assembly
I thought this was very interesting when I saw the article. I started learning computer programming with assembly language in the 1980's. In my case, I was too cheap to purchase any proper language (like C etc.) so I settled with playing around with DOS's DEBUG (this is an interactive assembler). I gained an understanding of x86 assembly fundamentals which along the way taught me plenty about interrupts, timing, device and memory use, and of course the fundamentals of CPUs.
Though to many people this seemed to be a weird way to learn, I was very happy with it and it was nice and challenging to code entire applications in assembly language. My freeware is still posted, actually :)
Since then I've learned C++, Java, etc. but I've really settled on C. It makes the most sense to me from a power and efficiency point of view, since I'm mainly concerned with applications where performance is critical. -
Re:I think...
Neither of these methods work at the network layer; they all rely on fancy Application-layer 'features', none of which my mail client uses. HTML can never reveal that I'm reading messages, and there certainly is no receipt/confirmation enabled. Look ma, I'm invisible
-
Easy to filter out
If you're using renattach on your server to filter attachments, just use the following in your renattach.conf to bitbucket this virus:
banned_files = wendy.zip/k -
Neat, but even simple measures aren't used
This would be a neat way to watch for nasties on the wire. But most ISPs still don't use even the simplest form of filtering on their mail servers that would stop all viruses cold. The goddamn software is free; why can't ISPs use it? For filtering out viruses at mail servers:
-
Re:That stinks.
But that also makes things like this possible. IIRC, the virus comes to you as a zipped MIME/html file. You unzip the file and double-click it and it extracts the virus binary from a base64 encoded section of the document.
This was the SOB that forced me to add ZIP and HTML files to the RenAttach bad list on our mail server. -
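Several comments above use renattach the same way: rename attachments by extension so the user must save and rename before running them ("Re:There is a REALLY simple solution here..."), or kill the message outright when a known bad name turns up, even inside a ZIP ("Re:I have no fear of spammers", the banned_files = wendy.zip/k rule in "Easy to filter out", and the ZIP/HTML additions in "Re:That stinks."). The script below is an added example of that kind of filter, written here; it is not renattach's code and does not read renattach.conf. The policy is assumed for illustration (which extensions are renamed and which names are killed are just the lists at the top), and every sample message is constructed in the script.

```python
#!/usr/bin/env python3
"""Rename or drop dangerous mail attachments, in the spirit of renattach.

Added example; not renattach's code. Policy (assumed): an attachment whose
extension is in BAD_EXTENSIONS gets a "_bad" suffix and its Content-Type
forced to application/octet-stream; a filename in BANNED_NAMES, either as
the attachment or as a member of a ZIP attachment, kills the message.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BAD_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js"}
BANNED_NAMES = {"wendy.zip"}  # same idea as banned_files = wendy.zip/k


def _ext(name):
    """Lower-cased extension, '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_member_names(data):
    """Base names of ZIP members; a non-ZIP or broken payload yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m.rsplit("/", 1)[-1] for m in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def filter_message(raw_bytes):
    """Apply the policy to one message.

    Returns (action, out_bytes, notes): action is 'kill', 'rename' or
    'pass'; out_bytes is the possibly rewritten message, None on kill.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    notes, action = [], "pass"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names = [name]
        if _ext(name) == "zip":
            # Look inside: an executable wrapped in a ZIP is the classic trick.
            names += zip_member_names(part.get_payload(decode=True) or b"")
        if any(n.lower() in BANNED_NAMES for n in names):
            notes.append(f"kill: banned name in {name!r}")
            return "kill", None, notes
        if any(_ext(n) in BAD_EXTENSIONS for n in names):
            new_name = name + "_bad"
            # Rewrite both headers so no client launches it by double-click;
            # the base64 body and Content-Transfer-Encoding stay as they are.
            del part["Content-Disposition"]
            part["Content-Disposition"] = f'attachment; filename="{new_name}"'
            del part["Content-Type"]
            part["Content-Type"] = f'application/octet-stream; name="{new_name}"'
            notes.append(f"rename: {name!r} -> {new_name!r}")
            action = "rename"
    return action, msg.as_bytes(), notes


def attachment_summary(raw_bytes):
    """[(filename, content_type)] per attachment, for checking the result."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]


def build_sample(filename, data, maintype="application", subtype="octet-stream"):
    """Constructed message: a text body plus one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


def make_zip(members):
    """Constructed ZIP archive from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, raw in {
        "clean": build_sample("report.pdf", b"%PDF-1.4 constructed", "application", "pdf"),
        "exe": build_sample("invoice.exe", b"MZ constructed"),
        "zip-with-exe": build_sample("photos.zip", make_zip({"photo.jpg.exe": b"MZ"})),
        "banned": build_sample("wendy.zip", make_zip({"wendy.exe": b"MZ"})),
    }.items():
        action, out, notes = filter_message(raw)
        print(label, action, notes, attachment_summary(out) if out else None)
```

As with renattach, this is filename-based, not a virus scanner: it is cheap enough to sit in front of every message, and it relies on the ZIP being readable (a password-protected or corrupt archive yields no member names, so decide separately whether such ZIPs should pass). The "Awwwww, FUUUUUDGE!" comment above shows why the Content-Type rewrite alone is not enough and why the filename change matters: Windows will happily run a renamed executable from the command line, so the goal is to stop the double-click, not to make the bytes harmless.
-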
Store the MD5 Sums?
One idea is to store the MD5 sums of all data files somewhere, possibly on the CD itself. Then you can know if the files on CD have been corrupted.
This is the best MD5 calculator I've found for Windows: MD5sums 1.1. It's very fast and also does batch command-line calculations.
Maybe a better idea is to store all data meant to be written to CD in Zip files. Archive files have a CRC stored for every file. The unarchiving software will complain if the CRC does not match the file.
However, the CRC in a zip file is only 32 bits. I put 2**32 into Google and Google Calculator answered: 2 ** 32 = 4 294 967 296. So there is one chance in 4 billion that a file is different but a CRC is the same.
MD5s are far more unlikely to be identical if the files are different. I put 32 ** 16 into Google and it answered: 32 ** 16 = 1.20892582 x 10**24. Them is good odds. (There are 32 hexadecimal digits in an MD5.)
WinZip 9 beta has a command-line option to encrypt with AES. Encryption acts as a checksum that can be even more secure than an MD5.
Unfortunately, the design of archiving software like WinZip is still primitive. Archiving software should be able to prepare archive files of a given size, and span to a new archive file when adding another folder (or, optionally, a file) would make an archive too large. Then you would be able to retrieve the files easily, since each CD would have a complete archive stored on it. At present the spanning option of archiving software is stupid; it is necessary to put all the spanned archive files back together to retrieve any information. -
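An added example of the manifest idea from the comment above, written here; it is not from the comment and not MD5sums or WinZip code. write_manifest() records CRC-32, MD5, SHA-256 and size for every file under a directory into one text file that can be burned alongside the data; verify() re-hashes and reports per file. The directory tree in demo() is constructed in a temporary directory. For reference, MD5 is 128 bits and SHA-256 is 256 bits; SHA-256 is included because for accidental corruption any of the three checks will catch the change, but only SHA-256 still holds up against someone who can substitute a file on purpose (CRC-32 is trivially forgeable and MD5 collisions are practical).

```python
#!/usr/bin/env python3
"""Checksum manifest for files headed to write-once media, and verification.

Added example; not from the comment and not MD5sums/WinZip code.
Manifest line format: 'crc32 md5 sha256 size relative/path'.
"""
import hashlib
import os
import tempfile
import zlib

MANIFEST = "MANIFEST.txt"


def digests(path):
    """(crc32 hex, md5 hex, sha256 hex, size) of one file, read in chunks."""
    crc, md5, sha, size = 0, hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return f"{crc & 0xFFFFFFFF:08x}", md5.hexdigest(), sha.hexdigest(), size


def write_manifest(root):
    """Hash every file under root (except the manifest itself); return count."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST:
                entries.append((rel, *digests(full)))
    entries.sort()
    with open(os.path.join(root, MANIFEST), "w", encoding="utf-8") as f:
        for rel, crc, md5, sha, size in entries:
            f.write(f"{crc} {md5} {sha} {size} {rel}\n")  # path last: may contain spaces
    return len(entries)


def verify(root):
    """{relative/path: 'ok' | 'missing' | comma-separated fields that differ}."""
    results = {}
    with open(os.path.join(root, MANIFEST), encoding="utf-8") as f:
        for line in f:
            crc, md5, sha, size, rel = line.rstrip("\n").split(" ", 4)
            full = os.path.join(root, *rel.split("/"))
            if not os.path.isfile(full):
                results[rel] = "missing"
                continue
            expected = (crc, md5, sha, int(size))
            bad = [field for field, e, g in
                   zip(("crc32", "md5", "sha256", "size"), expected, digests(full)) if e != g]
            results[rel] = ",".join(bad) if bad else "ok"
    return results


def demo():
    """Constructed tree: take a manifest, then flip one bit and lose one file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        files = {"docs/a.txt": b"alpha " * 1000,
                 "b.bin": bytes(range(256)) * 300,
                 "docs/c.txt": b"to be lost"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        write_manifest(root)
        before = verify(root)
        with open(os.path.join(root, "b.bin"), "r+b") as f:  # one flipped bit
            f.seek(4000)
            original = f.read(1)
            f.seek(4000)
            f.write(bytes([original[0] ^ 0x01]))
        os.remove(os.path.join(root, "docs", "c.txt"))
        after = verify(root)
    return before, after


if __name__ == "__main__":
    for stage, result in zip(("before", "after"), demo()):
        print(stage, result)
```

Keep a second copy of the manifest somewhere other than the disc it describes; a manifest that is itself on the corrupted medium may be the file that went bad.
-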
Re:If you can swing net access
If you have network access you may also benefit from jbmail (ok, I wrote it...) but this little mail app will do POP3 and SMTP including full SSL (provided by OpenSSL), all in about 500 KB. I run it on 90 MHz Pentiums connected over slow links, great for pulling mail with minimum frills.
-
Re:The future of email
Not everyone is in your position. It is not about mental capacity, but about time and money. When I check my mail on a dialup connection, and if I haven't checked it for a day or two, I have to download large amounts of spam. So much, in fact, that it drowns the e-mails I actually want to read.
You could try jbmail to delete mail from the server (you'll see the headers) without downloading message bodies; saves bandwidth. It has filtering too. -
Developers missed this...
In my testing (over the last 30 mins) I discovered that filtering is employed when the POP3 "RETR" (retrieve entire message) command is used but no filtering is done when the equally useful "TOP" (show me the headers and X lines of the body) command is issued by a client.
A huge advantage of also doing the filtering for the TOP command would be that mail clients such as The Bat, Pimmy, JBMail and PocoMail will let you preview all headers while leaving mail on the server (or deleting it, whatever) but without actually downloading the full message bodies.
-
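The "Developers missed this..." comment above, like "Re:Email courtesy??" and "Re:The future of email", is about clients that work from headers alone: POP3 TOP to see the headers, DELE to drop a message on the server, and RETR never issued for mail you don't want. The script below is an added example of that exchange and is not jbmail's code or any other client's. So that it runs offline it carries a constructed stand-in POP3 server (USER, PASS, STAT, LIST, TOP, DELE and QUIT only) and a constructed three-message mailbox; the triage rule, drop whatever the upstream filter tagged X-Spam-Flag: YES, is assumed. Two points from RFC 1939 that the code mirrors: TOP is an optional command, so a real client needs a RETR fallback when the server answers -ERR, and DELE only marks a message, the server expunges at QUIT.

```python
#!/usr/bin/env python3
"""Header-only mail triage over POP3: TOP and DELE, never RETR.

Added example; not jbmail's code. FakePop3 is a constructed stand-in
server, MAILBOX a constructed mailbox, SPAM_MARKERS an assumed rule.
"""
import poplib
import socketserver
import threading

MAILBOX = [  # constructed; the client will only ever see the headers
    b"From: friend@example.org\r\nSubject: lunch?\r\n\r\nsee you at noon\r\n",
    b"From: x@example.com\r\nSubject: Re: your account\r\nX-Spam-Flag: YES\r\n"
    b"\r\n<html>buy now</html>\r\n" + b"A" * 20000 + b"\r\n",
    b"From: list@example.net\r\nSubject: [list] digest\r\n\r\n(attachment data)\r\n",
]
SPAM_MARKERS = (b"x-spam-flag: yes",)


class FakePop3(socketserver.StreamRequestHandler):
    """Just enough of RFC 1939 for the client below. As on a real server,
    DELE only marks; the messages go away when the client says QUIT."""

    def reply(self, line):
        self.wfile.write(line + b"\r\n")

    def handle(self):
        box, deleted = self.server.mailbox, set()
        self.reply(b"+OK fake POP3 ready")
        while True:
            words = self.rfile.readline().strip().split()
            if not words:
                return  # connection dropped without QUIT: nothing expunged
            cmd, args = words[0].upper(), words[1:]
            if cmd in (b"USER", b"PASS"):
                self.reply(b"+OK")
            elif cmd == b"STAT":
                live = [m for i, m in enumerate(box) if i not in deleted]
                self.reply(b"+OK %d %d" % (len(live), sum(map(len, live))))
            elif cmd == b"LIST":
                self.reply(b"+OK")
                for i, m in enumerate(box):
                    if i not in deleted:
                        self.reply(b"%d %d" % (i + 1, len(m)))
                self.reply(b".")
            elif cmd == b"TOP":  # headers, blank line, then N body lines
                n, count = int(args[0]) - 1, int(args[1])
                head, _, body = box[n].partition(b"\r\n\r\n")
                self.reply(b"+OK")
                self.wfile.write(head + b"\r\n\r\n")
                for body_line in body.split(b"\r\n")[:count]:
                    self.reply(body_line)
                self.reply(b".")
            elif cmd == b"DELE":
                deleted.add(int(args[0]) - 1)
                self.reply(b"+OK")
            elif cmd == b"QUIT":
                self.server.expunged = sorted(i + 1 for i in deleted)
                self.reply(b"+OK bye")
                return
            else:
                self.reply(b"-ERR unsupported")


def triage(host, port, user="me", password="secret"):
    """Decide from headers and size only. Returns (kept, deleted): kept is
    [(subject, octets)], deleted is [subject]."""
    pop = poplib.POP3(host, port, timeout=5)
    pop.user(user)
    pop.pass_(password)
    kept, deleted = [], []
    for entry in pop.list()[1]:
        num, octets = (int(x) for x in entry.split())
        _, lines, _ = pop.top(num, 0)  # TOP n 0: headers only, body stays put
        headers = b"\r\n".join(lines).lower()
        subject = next((l[8:].strip().decode(errors="replace")
                        for l in lines if l.lower().startswith(b"subject:")), "(none)")
        if any(marker in headers for marker in SPAM_MARKERS):
            pop.dele(num)  # 20 KB of spam never crosses the modem
            deleted.append(subject)
        else:
            kept.append((subject, octets))
    pop.quit()
    return kept, deleted


def run_demo():
    """Start the stand-in on a free port, triage against it, report."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3)
    srv.mailbox, srv.expunged = MAILBOX, []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        kept, deleted = triage("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return [s for s, _ in kept], deleted, srv.expunged


if __name__ == "__main__":
    print(run_demo())
```

The comment's complaint is exactly the gap this shows: if the server-side filter only rewrites what RETR returns, a client working from TOP output sees the headers unfiltered and makes its decision on them.
-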
Re:Not everyone is a Linux expert
If you're a windows user, you can automate this process by using ViewHEAD (freeware). Just enter a URL and view the server response codes.
-
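ViewHEAD, popURL and wget -S, mentioned in "Re:HTTP headers", "For your benefit", "Re:MSN Search is infected" and "Re:Not everyone is a Linux expert" above, all do one thing: send a HEAD request and show the headers that come back. The script below is an added example of that, written here, not the code of any of those tools. build_head_request() shows the bytes that go on the wire, parse_response_head() pulls the status line and headers out of what comes back, summarize() extracts the three facts those tools display (server software, MIME type, size) and extension_mismatch() flags the "Simple solutions" case of a link that looks like an image but is served as something else. The two responses in SAMPLES are constructed; the 404 one repeats the headers quoted in the MSN Search comment. fetch_head() is the only part that touches the network and is not needed for the offline demo.

```python
#!/usr/bin/env python3
"""The HEAD-request trick behind ViewHEAD, popURL and wget -S.

Added example; not code from any of those tools. SAMPLES are constructed
captures; fetch_head() is the live equivalent.
"""
import http.client
from urllib.parse import urlsplit

EXT_MIME = {"gif": "image/gif", "jpg": "image/jpeg", "jpeg": "image/jpeg",
            "png": "image/png", "pdf": "application/pdf", "html": "text/html",
            "htm": "text/html", "txt": "text/plain"}

SAMPLES = {  # constructed raw responses, as read off the socket
    "msn-404": b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
               b"Content-Length: 0\r\n\r\n",
    "fake-gif": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: 45056\r\n\r\n",
}


def build_head_request(url):
    """Raw HEAD request for url: same headers as a GET, but no body comes back."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return (f"HEAD {path} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            f"User-Agent: headcheck/0.1\r\nConnection: close\r\n\r\n").encode("ascii")


def parse_response_head(raw):
    """Status code, reason phrase and a lower-cased header dict from raw bytes.

    Only the part before the first blank line is read, so a server that
    ignores HEAD and sends a body anyway cannot confuse the parser.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status_parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(status_parts[1]),
            "reason": status_parts[2] if len(status_parts) > 2 else "",
            "headers": headers}


def summarize(info):
    """The three facts those tools display: server software, MIME type, size."""
    h = info["headers"]
    size = h.get("content-length", "")
    return {"server": h.get("server", "(not sent)"),
            "mime": h.get("content-type", "(not sent)").split(";", 1)[0].strip().lower(),
            "size": int(size) if size.isdigit() else None}


def extension_mismatch(url, summary):
    """True when the URL's extension promises one MIME type and the server
    announces another (or none). Advisory only: both sides can lie."""
    path = urlsplit(url).path
    ext = path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""
    expected = EXT_MIME.get(ext)
    return expected is not None and summary["mime"] != expected


def fetch_head(url, timeout=10):
    """Live version of the above over http.client; returns the same dict shape."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (u.path or "/") + (f"?{u.query}" if u.query else ""))
        resp = conn.getresponse()
        return {"status": resp.status, "reason": resp.reason,
                "headers": {k.lower(): v for k, v in resp.getheaders()}}
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_head_request("http://example.com/pics/funny.gif").decode())
    for label, raw in SAMPLES.items():
        info = parse_response_head(raw)
        print(label, info["status"], info["reason"], summarize(info))
```

The caveat a HEAD check cannot remove: the server chooses the Content-Type, and the client decides what to do with the bytes. A mismatch is a good reason not to click; a match is not proof of safety.
-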
Re:I dont enter my email
in other words, pretty much give it away for free.
Strange thing here, this is more or less what I've been doing from my software site and it's been working quite well. I find that there are lots of honest people who will pay for software they find useful!
-
Re:OS X Mail
I like the idea of simple and secure myself. I wrote a small, free win32 mail client called JBMail with the primary purpose being simple, direct access to mail. You can delete mail directly from the POP3 server, and this is undoubtedly the safest way to deal with viruses and large attachments.
No scripting vulnerabilities, no HTML, yet still has address books, spam filtering, etc. How about 140 KB for small ;) -
Re:Actually, it's even simpler...
This is the collection of tools I would suggest, based on what is listed on Securityfocus, for Windows 95/98 machines. Look under Windows tools. If you can't find the software on the site given as its home, you can pick a copy up from Securityfocus.
These utilities, when used together, would offer a defence, using a slightly different technique. Here, you'd be warned the moment any intruder attempts to connect to your machine, OR your machine mysteriously attempts to connect to someone else. You also get a warning when a file is changed.
(By relying on only one verifier, you're not quite so secure, but it was the best I could find in a short time. Apologies for that.)