Slashdot Mirror


Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobile and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"

117 comments

  1. Ratio of broadband vs dial-up by Recovering+Hater · · Score: 4, Insightful

    Once you consider how many Americans are supposedly still on dial-up, it stands to reason that some portion of the zombie bot-nets will be hosted on corporate America's computers instead of in the home.

    --
    My humor is probably your flamebait
  2. Never attribute to malice... by UbuntuDupe · · Score: 0, Redundant

    Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?

    1. Re:Never attribute to malice... by Anonymous Coward · · Score: 1, Insightful

      If you're not going to RTFA, you could at least read the summary...

    2. Re:Never attribute to malice... by TopSpin · · Score: 4, Insightful

      Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?

      You're probably right; spammers are among the most aggressive attackers and most of the F1000 have large distributed networks where a (hopefully) small number of systems are going to be vulnerable at any moment. On the other hand, these companies can and do pay for high quality and high capacity pipes. They are also far less suspect as a source of spam, and the ISPs will certainly be reluctant ($$) to take unilateral action to deal with suspect traffic (as some do with their residential customers.)

      For all of these reasons F1000 hosts are many times more effective as spam zombies than your average asymmetric DSL host, so I have no problem with people exposing carelessness or neglect among these companies. They have the resources and talent to prevent this sort of abuse. If they're not, a little bad press might help. Earlier today we all learned that some 40+ million credit/debit card accounts got downloaded from commercial IT systems. I wouldn't be surprised to learn that those same companies have a long history of unwittingly contributing bandwidth to spammers.

      --
      Lurking at the bottom of the gravity well, getting old
    3. Re:Never attribute to malice... by Anonymous Coward · · Score: 0

      If the submitter can't be bothered to write a decent headline, what good can possibly come from reading the summary?

    4. Re:Never attribute to malice... by gmuslera · · Score: 1

      I'm not worried about spam sent by those machines. If you assume that all those machines are not sending spam because their usual user sends it on purpose, then that means that all those Fortune 1000 companies have maybe a lot of people with sensible information/passwords/access regarding their internal network, with compromised PCs (that have keyloggers, bots picking orders from their master, etc).

      Having botnets composed of home users with their hobby PCs is bad enough; now, when that botnet has a good number of PCs with privileged info/access inside, it is far worse.

    5. Re:Never attribute to malice... by Anonymous Coward · · Score: 0

      I set up an FC3 box with only ports 21,22,80,443 open on the firewall and it became an eBay phishing site in 3 weeks.
      The best I could tell, a combination of brute force attacks on the ftp and ssh services let them in.
      I have since used fail2ban on every Linux box I set up: 5 failed login attempts = 12hr ban via iptables. For Windows, I don't let it have any exposure to the public Internet (no open ports on the firewall).

    6. Re:Never attribute to malice... by MooUK · · Score: 2, Insightful

      Sending email by porpoise sounds like a fun idea...

  3. Not surprising to me by rhartness · · Score: 1

    Yes, I didn't read the article but I wonder if this is from in-network computers for these major companies or if it included the computers that traveling business men and women tote around. It's been my experience that the laptop users often have more freedom on their mobile computers to download and install any junk they can find. This means that they are more likely to be targets of bots that will set up this type of crap. Also, a couple of the companies that were mentioned were more tech based. I would imagine that those corporations might have a higher percent of power-users that they allow to have Admin rights on their workstations. Of course, just because you're a power-user doesn't mean that you are going to take the best of care of your work box. My 2 cents.

    1. Re:Not surprising to me by Bonker · · Score: 4, Informative

      Also, frequent laptop-toting business travelers (almost universally salesmen) also have more limited access to their local IT techs.

      For example, I've worked fairly frequently with a poor lady who was a salesman for a remote market. She lived there rather than near my office. Her email account got suspended at least once a week due to the fact that her laptop had syphilis, gonorrhea, warts, crabs, and just about every virus and worm known to man.

      Phone walk-throughs just didn't help with this lady and the local ISP (mandated by accounting) blocked any ports that could be used to remotely administer her machine. Finally we had her FedEx it to us for cleanup, wipe, and reinstall of a fairly well locked down Windows system with our (accountant selected) workstation antivirus app.

      This cycle continued four or five times. Her Antivirus app somehow got disabled and her machine became Typhoid Mary. She shipped the Laptop back and we tried to lock it down as securely as possible.

      Ultimately, we discovered that an internet cafe she frequented was infected with a particularly nasty spam-bot worm that our particular antivirus app didn't catch (An AnnaK variant, IIRC). We used this as evidence to override the accountant's selected cheapo antivirus with something that worked a little better.

    2. Re:Not surprising to me by flyingfsck · · Score: 1

      Yup - I worked at a small company where the viruses always originated from the CEO's laptop.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:Not surprising to me by aliensporebomb · · Score: 1

      This is exactly what it is in many cases. Where I work as a Sysadmin we have independent contractors who come and go and utilize our network. The problem is frequently the children of these users who use the parents' work machines to do homework, surf game sites or even the adults who use it to surf gambling and adult entertainment sites. It is their equipment but we allow it on our network. We lock some things down, but it is still the person's personal property. An unusual situation I admit.

  4. maybe by mastershake_phd · · Score: 2, Insightful

    Well, laws haven't stopped spammers or botnets yet; maybe big companies suing them for millions (or billions) in damages will. Couldn't hurt.

  5. Companies can restrict outbound port 25 connects. by khasim · · Score: 3, Insightful

    Yeah, home users aren't the whole problem.

    But why aren't these companies correctly firewalled? Why do they allow machines other than their email servers to make outbound port 25 connections?

    Why aren't their logs monitored? Wouldn't this be easy to spot?

    Even with the resources of the biggest companies, their people cannot keep their machines clean or even stop them from sending spam. Who knows what else. A spam zombie can just as easily log network traffic, passwords and anything else on their wires.

  6. ExxonMobile by biocute · · Score: 5, Funny

    finding stock spam being pumped from ExxonMobile

    This is no spam, this is an actual stock push you insensitive clod!

    1. Re:ExxonMobile by edwardpickman · · Score: 0, Offtopic

      So you mean all the emails saying Global Warming is a Commie plot by gay Democrats aren't spam they are simply informative emails from ExxonMobile?

  7. Re:Companies can restrict outbound port 25 connect by Sparr0 · · Score: 2, Interesting

    Why would you NOT allow outbound port 25? That's a ridiculous restriction. The office I work at has plenty of people who *GASP* check their personal email from work. When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server. As it should be.

  8. Defense in depth. by khasim · · Score: 2, Insightful

    Those are the biggest companies that should be able to afford the best security measures.

    You know what? With a couple of old boxes and Linux you could set up a smaller company so that this would never happen.

    Use Linux as your firewall and restrict any outbound SMTP connections to your email server.

    Use Linux and Snort to monitor crap on your network.

    Use Linux as your DHCP/DNS server and lock down the IP addresses by the MAC addresses. Yes, this is labour intensive. But it will allow you to keep all your regular machines on one sub-net and all other machines (laptops and such) on a different sub-net. That way you can put a few more restrictions on those machines. And a bit more monitoring.

    That way you have multiple points at which you can become aware of a problem. And multiple points where an attack will fail.
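An added egress-log check in the spirit of khasim's two points above (block outbound port 25 from everything but the mail servers, and actually watch the firewall logs); this is example code written for this page, not anything from the thread or from any of the named companies. It assumes the Linux firewall logs outbound port-25 SYNs with an iptables LOG rule tagged EGRESS-SMTP, and the sample log lines and gateway addresses are constructed.

```python
import re
from collections import defaultdict

# Hosts allowed to open outbound SMTP (port 25) connections: the corporate
# mail gateways. Constructed example addresses, not from the thread.
ALLOWED_SMTP_SOURCES = {"10.1.1.10", "10.1.1.11"}

# A workstation that opens connections to this many distinct external MTAs
# in one log window is behaving like a spam zombie rather than a misconfigured
# mail client. Tune to the size of the window you feed in.
DISTINCT_DST_THRESHOLD = 5

# Key=value fields written by the netfilter LOG target.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
_SYN = re.compile(r"\bSYN\b")


def parse_netfilter_line(line):
    """Parse one kernel LOG line into {SRC, DST, PROTO, DPT, SYN}.

    Returns None for anything that is not a TCP record with a destination
    port (UDP, ICMP, unrelated kernel messages).
    """
    fields = dict(_FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    fields["SYN"] = bool(_SYN.search(line))  # new connection attempt
    return fields


def summarize_outbound_smtp(lines, allowed=ALLOWED_SMTP_SOURCES):
    """Per-source summary of outbound port-25 connection attempts from hosts
    that are NOT allowed to talk SMTP to the Internet.

    Only SYN packets count, so retransmits inside an established session do
    not inflate the attempt count. Submission ports (465/587) are deliberately
    ignored: authenticated clients are expected to use those.
    """
    summary = defaultdict(lambda: {"dsts": set(), "attempts": 0})
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec["DPT"] != "25" or not rec["SYN"]:
            continue
        if rec["SRC"] in allowed:
            continue
        summary[rec["SRC"]]["dsts"].add(rec["DST"])
        summary[rec["SRC"]]["attempts"] += 1
    return dict(summary)


def policy_violations(summary):
    """Every non-gateway host that tried port 25 at all: with the egress rule
    in place this list should be empty, so any entry is worth a ticket."""
    return sorted(summary)


def flag_zombies(summary, threshold=DISTINCT_DST_THRESHOLD):
    """Hosts fanning out to many distinct MTAs, worst first, as
    (src, distinct_destinations, attempts) tuples."""
    flagged = [(src, len(v["dsts"]), v["attempts"]) for src, v in summary.items()
               if len(v["dsts"]) >= threshold]
    return sorted(flagged, key=lambda t: (-t[1], -t[2], t[0]))


def _log(src, dst, dpt):
    """Constructed TCP SYN log line in the netfilter LOG format (sample data)."""
    return (f"Jan 12 10:03:44 fw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC={src} "
            f"DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP "
            f"SPT=49152 DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


# Constructed sample window: a gateway doing its job, one workstation fanning
# out to six MTAs, one workstation with a single stray port-25 attempt plus a
# legitimate submission-port connection, and an unrelated UDP line.
SAMPLE_LOG = [
    _log("10.1.1.10", "203.0.113.9", 25),
    _log("10.1.1.10", "198.51.100.5", 25),
    *[_log("10.1.5.23", f"203.0.113.{n}", 25) for n in range(20, 26)],
    _log("10.1.5.23", "203.0.113.20", 25),  # repeat destination
    _log("10.1.5.40", "198.51.100.7", 25),
    _log("10.1.5.40", "198.51.100.7", 587),
    "Jan 12 10:03:45 fw kernel: EGRESS-DNS IN=eth1 OUT=eth0 SRC=10.1.5.40 "
    "DST=10.1.1.53 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=UDP SPT=5353 DPT=53 LEN=48",
]


if __name__ == "__main__":
    summary = summarize_outbound_smtp(SAMPLE_LOG)
    print("hosts violating the port-25 egress policy:", policy_violations(summary))
    for src, ndst, attempts in flag_zombies(summary):
        print(f"probable spam zombie {src}: {ndst} distinct MTAs, {attempts} attempts")
```

Point it at the kernel log on the firewall (or at a syslog export of it) rather than the constructed list to use it for real; with a DROP rule after the LOG rule, every line it reports is a connection that was already blocked.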

    1. Re:Defense in depth. by csk_1975 · · Score: 1

      What I don't understand is why you would have outbound filtering at all for any desktop machines. Having any routes from any desktop to anywhere near the Internet is asking for trouble. Default route them to a dead end occupied by a snort box. Proxy all valid Internet traffic via servers specifically setup for this purpose. Allow those servers to have routes to the Internet or better yet to secondary proxies located in your DMZ and filter inbound and outbound connections from those servers. Have an internal DNS which forwards external resolution requests (non resolvable will do as the criteria) to a box which is simply an alarm and used for logging. Sure your better malicious code can create a back channel on port 80 via a proxy and its hard to notice, but passing a content scanner, virus scanner and IDS over proxied traffic is pretty easy, you can even do it at your leisure as it can all be cached.

      I'm constantly amazed at the lack of security in big companies. They allow all sorts of direct connections from desktops to the Internet and then block innocuous stuff like VPN traffic. I would have thought the first lesson taught in security 1H would be "routes to untrusted networks are BAD".

      Big companies have more staff - not necessarily better staff.

  9. Big surprise by cdrguru · · Score: 1, Flamebait

    Could it be that most users can't seem to understand that surfing to porn sites leads to malware being installed? How about clicking on random attachments leads to compromised computers?

    Perhaps computers meant to be used as email appliances should really be email appliances rather than general purpose programmable (and repurposeable) computers.

    The alternative to this is to figure out a way to make sure that it is impossible for users to ever install anything on their computer that will compromise it. Sounds impossible to me. Making an idiot-proof email application is just a stopgap until someone comes along with a better idiot.

    1. Re:Big surprise by Detritus · · Score: 1

      Why not just shoot all the users. We can't have the employees ruining our perfect computer network with work and stuff.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Big surprise by Frogbert · · Score: 4, Interesting

      This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

      Food for thought.

    3. Re:Big surprise by flyingfsck · · Score: 1

      I can click on anything using any of my computers and I don't get infected with crapware. This is how it should be. You cannot blame the users for the idiotic security flaws of rotten computer systems.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    4. Re:Big surprise by glwtta · · Score: 1

      In my experience, they are fairly forthcoming in reporting malware infestations (usually "computer runs slow" is what they come to me with), and then lying through their teeth about what they've been doing to get there.

      --
      sic transit gloria mundi
    5. Re:Big surprise by Lord+Flipper · · Score: 1

      We can't have the employees ruining our perfect computer network with work and stuff.

      Ha ha ha, where are the mods on this one?

      It sounds just like the engineers' attitude towards the 'musicians' in the music biz; Musicians were these psychos who kept screwing around with the 'source' signal. :=)

  10. They have usernames/passwords, right? by khasim · · Score: 5, Insightful

    Port 25 is usually for server to server SMTP transmissions.

    If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin set up).

    That is why companies should block outgoing port 25 connections from everything except their own mail servers.

    1. Re:They have usernames/passwords, right? by Anonymous Coward · · Score: 1, Interesting

      Many email clients still default to port 25 for outbound traffic. I'd rather not have port 587 become standard as it will encourage ISPs to block it as well. Having my own mail server is a hassle sometimes, but there are a few people like me who want to connect to their own mail server. This also goes for university campuses, and public wifi spots. Obviously encrypted communication is important in these scenarios and I do run webmail and ssh for backups. I understand the reaction to automatically block port 25, but consider this. What if the machine is spamming message boards and blogs? That would be port 80. Are you going to block port 80 too? A proxy might help with this situation, but it's still food for thought. Using a proxy would involve admins securing their network. At the end of the day, these companies did not secure their systems or allowed contractors to plug in to their network. It's still their fault.

    2. Re:They have usernames/passwords, right? by aztracker1 · · Score: 1

      First off.. port 587 etc traffic *CAN* be limited to only authenticated sessions, no end-delivery... also, mail servers shouldn't allow anonymous relay in any case... the only server you as a user should be connecting to outbound should be ones you authenticate to, and the 587 port is meant for this...

      If the above restrictions are in place (no end-point delivery on 587), then the virii won't use it.

      --
      Michael J. Ryan - tracker1.info
    3. Re:They have usernames/passwords, right? by 8-bitDesigner · · Score: 1

      Believe it or not, all those wonderful little smart phones with WindowsCE on them have Pocket Outlook which is incapable of connecting on port 587 for outgoing connections.

      Now, this might not be the case with CE 5.0 and onwards, but the versions I've worked with have just baffled me with that one.

    4. Re:They have usernames/passwords, right? by jettawu · · Score: 1

      Until it becomes mainstream to do so at which point the viruses you mention would be rewritten to steal the authentication info from clients that save that information (as the mass majority of people do which is what the viruses target) and then use that port 587. It is a good stop-gap solution for a specific network, but IMHO, it's not a great solution for everyone altogether because the virus writers would just rewrite their viruses. I think it's common that people try to solve the symptom (disinfect the individual computer) rather than the problem (security changes), so that's something that these corporations should consider. I also believe that there is no single solution to solve this one -- it'll take a combination of solutions to really "solve" it including but not limited to AV, network security, and user education.

    5. Re:They have usernames/passwords, right? by Anonymous Coward · · Score: 0

      Unfortunately, user education would be the biggest role in your solution, as well as the first to fail. Too many people just seem to not give a rat's ass that their computers could be infected with viruses that are sending out mass spam.

    6. Re:They have usernames/passwords, right? by bl8n8r · · Score: 1

      That's all fine and well but when it's the mail (exchange) server that is compromised the egress filtering is pointless.

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
  11. Re:Companies can restrict outbound port 25 connect by bendodge · · Score: 1

    My cable ISP requires all port 25 mail to go through their own SMTP server. It's a pretty effective spambot solution (and it's fast sending, since the server is close). But of course, GMail doesn't use port 25 (I love Google's trendbucking).

    --
    The government can't save you.
  12. Re:Companies can restrict outbound port 25 connect by Curien · · Score: 2, Insightful

    Well boo hoo for them. If I set network policy, I wouldn't allow people to download foreign e-mail. If the user's just getting e-mail from a POP connection, you lose the ability to check it for viruses, spam, phishing schemes, etc. Basically, you might as well let people plug laptops right into the enterprise LAN (you're NOT doing that, right?). If they want to receive e-mail at work, they should have it sent to their work address (perhaps via auto-forwarding).

    Scan every e-mail at the SMTP server. Scan every download at the proxy server. Protect your network. A little bit of latency isn't going to kill anyone.

    --
    It's always a long day... 86400 doesn't fit into a short.
  13. Re:Companies can restrict outbound port 25 connect by StarvingSE · · Score: 1

    I admit I am not an expert on the subject of web-based e-mail, but checking your yahoo, gmail, comcast webmail, whatever is done through the web, which uses port 80, which most likely won't be blocked by your employer. Port 25 should be restricted to a company owned e-mail server.

    If your employer is allowing you to check your home e-mail through a client (outlook, thunderbird) then that is asking for trouble.

    --
    I got nothin'
  14. Make them pay! by Tijaska · · Score: 2, Interesting

    If corporates host boxes that pump out spam, sue them! Their firewalls shouldn't allow emails to flow out of their networks except from one of their approved mail gateways, which should require user authentication before accepting mail, and which should apply reasonable limits like 300 emails sent per source IP address per day, except for the corporate's own spam machine (a.k.a. marketing). Corporates should be held accountable for choosing cheesy software that allows viruses to take over their boxes, and for failing to protect them with their own firewalls, to the extent that this is possible with cheesy software. Let's share the pain, and over time it will percolate back to the prime source of cheesy software.

    1. Re:Make them pay! by Net_fiend · · Score: 1

      Seems to me if they had SPF and turned off relaying none of this should have happened. But again that assumes all the mail is going thru their system and not some temp tiny mail server that was dropped in by a trojan/worm etc. Those (I believe) create their own server which in essence would bypass any sort of mail server they have set up. But still it is going thru a router somewhere...so they should have packet shaping set up or some other routing protocol that slows that particular connection if it's utilizing a lot of bandwidth. Apparently someone's degree at those businesses means jack otherwise they would be making sure there are no compromised machines. Then again...no one is perfect nor is any business perfect. You will get compromised machines here and there from time to time. One policy that should never be relaxed though, but often times is, is security. Why? Because of office politics and the idiots who are managers who don't know or want to know jack about software/IT or anything in between that make IT pros' lives a miserable hell.

      --
      "When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
    2. Re:Make them pay! by Achromatic1978 · · Score: 0, Flamebait

      I'm sorry, who the fuck died and made you arbiter of what was a "reasonable limit" of email that I should be allowed to send?

    3. Re:Make them pay! by flyingfsck · · Score: 1

      Yup - with a helluvalot of effort, even Windoze can be made secure. Here is the manual:
      http://www.microsoft.com/downloads/details.aspx?FamilyID=d39d0028-7093-495c-80da-2b5b29a54bd8&DisplayLang=en

      If you do it right once, then ghost it, you can make as many secure PCs as you need.

      Admins who don't secure corporate PCs are just lazy, stupid or both...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  15. I guess by iminplaya · · Score: 2, Funny

    As long as it wasn't the computer controlling the inanimate carbon rod, we should all be okay, right?

    --
    What?
  16. That's inbound. I'm talking outbound. by khasim · · Score: 4, Informative

    You are correct. All of those paths could lead to a workstation on your network being compromised. And you have great suggestions on how to protect them.

    But I wasn't originally talking about inbound connections. Blocking the outbound connections would cut off the spam coming from your network.

    How those machines got infected in the first place is a whole other series of discussions. And one that we really should have sometime. Preferably involving Linux and Free software at the critical points (allowing for Windows workstations).

    1. Re:That's inbound. I'm talking outbound. by hedwards · · Score: 2, Interesting

      When I was in college a couple of years ago, we had a couple of computer labs. The one I am going to talk about was a mac based lab completely consisting of old world macs. What they did to limit the amount of damage that a root kit could do and make it harder for large amounts of malware to get on there was this:

      In addition to the normal security setup each computer had an additional program on it. The function of the program was to reset the contents of the computer to that of a default image every single time it was rebooted.

      While that is not at this point in history enough on its own as some things can apparently now get into the firmware and it does nothing to prevent malware getting on between boots, it does make it that much slower for any sort of spyware or spam programs to get on there as well as limiting the stay in most cases to under a day.

    2. Re:That's inbound. I'm talking outbound. by bangenge · · Score: 1

      That's a good idea except it will only work for computers that do not need to save some sort of state, those such as school labs and the like (where user data is primarily saved in the servers). Enterprise computers are not in that category. For example, setting up email accounts (outlook, thunderbird, etc) would be quite a pain in that regard, unless you use web based email (TWIG, Squirrel, OWA) which will easily eat up storage in no time. User preferences (wallpapers, screensavers, themes, recent docs) will generally be wiped clean every boot. That's nice if you want to work in a boring, authoritative environment, but that's still not for everyone. :) FYI, we used to have them in school, and in the company dorm in Japan, which was mainly used for surfing and email (and a quick dose of brood war every now and then).

      --
      . o O ( TwO hEaDs ArE mOrE tHaN oNe... )
    3. Re:That's inbound. I'm talking outbound. by Anonymous Coward · · Score: 0

      We do something similar except we use a stripped down version of debian linux that runs vmware player.

      The way we get around is to make C: a non-persistent image which means that it will not retain any modifications when vmware player is stopped and restarted. When you need to do windows update or make any real changes you simply change it to persistent and then change it back to non-persistent after you are done making changes.

      To allow people to actually get work done.. you make another image for a D: drive that is always persistent. Using a little tool from sysinternals called junction you can make the c:\document and settings actually exist on the D: drive. With this people will be able to use outlook to send and receive email on their local computer, use bookmarks in ie, save documents to my documents, and many more things.

      http://www.microsoft.com/technet/sysinternals/FileAndDisk/Junction.mspx

      There are ways a virus could get on the machine and survive reboots like putting itself in the startup menu.. but if you can follow me this far I'm sure you can handle that :P

      With ssh and the correct vnc server program you can even remotely access these machines to do maintenance including checking out the employees live session without them knowing or with them knowing when they need a little help. Pretty much the person sitting down is using a vncclient to connect to x themselves locally but they can't tell. :)

      Devek - too cool to register

    4. Re:That's inbound. I'm talking outbound. by Curien · · Score: 1

      Roaming profiles, FTW.

      --
      It's always a long day... 86400 doesn't fit into a short.
    5. Re:That's inbound. I'm talking outbound. by progprog · · Score: 0

      How those machines got infected in the first place is a whole other series of discussions. And one that we really should have sometime. Preferably involving Linux and Free software at the critical points (allowing for Windows workstations).

      Imo that set of discussions is relevant right now.

      So it's not just ignorant home users who are spreading spam and malware -- it's Fortune 1000 companies with access to IT professionals, people whose job is to prevent such mishaps. Which begs the question, why on Earth are we asking if Linux is ready for the [corporate|office|grandma's] desktop? The question should be, "is Windows ready for the Internet-enabled desktop?"

    6. Re:That's inbound. I'm talking outbound. by pe1chl · · Score: 1

      Maybe you should read up a bit on "roaming profiles", which are usually used in an enterprise environment with a Windows domain.
      Those store your user settings on the server and make them available on any client where you log in. So you don't have to set up your email account or wallpaper every time you use another computer, or re-install it.

    7. Re:That's inbound. I'm talking outbound. by mpe · · Score: 1

      That's a good idea except it will only work for computers that do not need to save some sort of state, those such as school labs and the like (where user data is primarily saved in the servers). Enterprise computers are not in that category. For example, setting up email accounts (outlook, thunderbird, etc) would be quite a pain in that regard, unless you use web based email (TWIG, Squirrel, OWA) which will easily eat up storage in no time. User preferences (wallpapers, screensavers, themes, recent docs) will generally be wiped clean every boot.

      With the possible exception of portable machines there's no good reason for any of this to be being stored anywhere other than on a server in the first place.

  17. Re:Companies can restrict outbound port 25 connect by afidel · · Score: 1

    Yep, that's what I came here to say. Outbound port 25 blocking is a standard for any firewall config I do. It helped me out the one time a mail server I admin got incorrectly added to a RBL: I simply told them that my outbound 25 was restricted to the one host and asked them to run a scan on it, and once it came back as not being an open relay they removed me immediately. I have never had someone give me a legitimate business reason for not restricting it, and I really can't imagine one. Contractors and consultants should be using their corporate solution; better yet they should have cellular cards so they don't have to traverse my network at all.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  18. These same guys INVENTED spam.. by burnitdown · · Score: 2, Insightful

    In the old days, they used to mail it to you. Yeah, on paper. And then you had to throw it out, and 800 billion tons of it are rotting in a landfill somewhere. The Fortune 1000 contains some of the people least concerned about the environment, or your spam-free virgin mailbox.

  19. Re:Companies can restrict outbound port 25 connect by db32 · · Score: 5, Insightful

    I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay be it part of the firewall or a sun box or something other than allowing the win/exchange boxes from talking directly to the net.

    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, myspace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/myspace/im friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breaches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.

    --
    The only change I can believe in is what I find in my couch cushions.
  20. Reminds me of when I first started my current job, by BurningFeetMan · · Score: 5, Interesting

    The PC hadn't been turned on in about 6 months. Apparently the dude who I was replacing was into Russian brides and err, certain types of ethnic pr0n, and had got the sack for various dodgy reasons 6 months prior to my instalment. Anywho, in the 6 months that this computer was un-manned, my company installed Norton across all other PC's.

    My 2nd day was interesting, when I first turned on the computer. EVERYONE who had the Norton running detected all sorts of network worms and virusiis's (:P) the second I'd booted into Win XP. I thought,
    "Oh crap, here we go. Time to clean up this mess..."
    and began a search for *.jpg. Kapow, tonnes of hairy pr0n, selected all and shift deleted.

    Next, it was time to install the company antivirus software, which was Norton. The next couple of days were spent trying to free my infected system of all sorts of goodies. I started by enabling the Norton Mail Monitor, and oh my, how funny!

    "Scanning out going mail, Scanning out go-Scanning out going mai-Scaning out g-Scan"

    The WHOLE screen filled up with Norton "scanning out going mail" boxes, like, 100's of them. This was my first job outside of the IT industry, and a big WELCOME TO THE REAL WORLD for me. So yes, what's the point of my story? Well, Russian brides are hairy. OH, and not all companies have IT departments, let alone competent IT staff who can source and cease zombie machines from operating.

  21. (contractor at one of its power generator plants) by colfer · · Score: 2, Funny

    D'oh!

  22. Good bye erection dysfunction by RealityNews · · Score: 4, Funny

    The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. So I will finally be able to get viagra from reliable Internet sources? God bless you, capitalism!

    Corrupt
    1. Re:Good bye erection dysfunction by zionian117 · · Score: 1

      Sure, why not? Not just viagra................... isn't someone going to stop all this?

  23. Little problem.. by cheros · · Score: 1

    Admins who don't secure corporate PCs are just lazy, stupid or both...
     
    You're assuming two things here which aren't always true in corporate life:
     
    1. Admins have control over all the machines on their network. That's a good theory, but even in the story above you'll find the problem to be unauthorised connections. In well managed setups that won't happen often, but it only takes one idiot to make a mess. Worse, sometimes you have an embedded system that is overlooked. Photocopiers, phone switchboards, they too have operating systems but the supplier doesn't always allow access to it as it's sold and maintained as a black box.
     
    2. All updates can be applied immediately. Securing systems once doesn't help when the next problem comes along (with Windows, that safe timespan hovers somewhere between a few hours and a day max), but not all updates are very good for build stability. And in some cases, accreditation gets in the way too. I have worked on Process Control systems (I'm actually at the root of a lot of the Process Control security in a major oil company) and getting the manufacturers to agree to something like installing a simple anti-virus product is hard work (not in the least because such a beast can have a real impact on realtime performance).
     
    Having said that, anyone jacking a laptop in without permission ought to get thrown out ASAP (it could also be considered a breach of, for instance, the UK Computer Misuse Act).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  24. Maybe it's time by dreamchaser · · Score: 1, Interesting

    Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

    1. Re:Maybe it's time by Anonymous Coward · · Score: 0

      User spewing stupid ideas on slashdot? Boom! Biggest fine. I access paypal, dreamchaser.

    2. Re:Maybe it's time by enharmonix · · Score: 1

      Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

      That would be awful. When somebody gets shot with a stolen gun, you don't go after the person the gun was stolen from; you go after the person who actually did the shooting. Same thing - you need to go after the people causing the infections.

      The infection rate in my company's machines is about 1/3rd the national average, but it's still as many as 50 infections a year. How much was that fine? Because I don't know that we could afford it. And of the infections I handle, most of them are by kiddiez running metasploit, not by users surfing porn.

    3. Re:Maybe it's time by radtea · · Score: 1

      Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine.

      Sure, because look at how well punitive penalties for other crimes have worked at reducing the crime rate.

      For example North Dakota has one of the lowest homicide rates in the U.S., and no death penalty, ever. Texas has amongst the highest homicide rates, and the death penalty not only exists, it is fairly routinely applied.

      Anyone who was serious about reducing homicide in Texas would look at this and say, "How can we make Texas more like North Dakota?" Unfortunately, we live in a world full of self-aggrandizing, arrogant, power-hungry blow-hards, who are far more likely to conclude, "We aren't killing enough Texans. Boom!"

      --
      Blasphemy is a human right. Blasphemophobia kills.
    4. Re:Maybe it's time by WeeBit · · Score: 1

      Maybe it's time for individuals and corporations to be held libel for what their computers spew. It wont work, they will deny, act ignorant, or blame it on Technology for not making it more secure.
    5. Re:Maybe it's time by tweek · · Score: 1

      I'm not judging the concept of punitive penalties but let me make a point if I might:

      North Dakota:
      Population ranked 48th
        - Total (2000): 642,200
        - Density: 9.30/sq mi (3.592/km²), ranked 47th

      Texas:
      Population ranked 2nd
        - Total (2000): 20,851,820
        - Density: 79.6/sq mi (30.75/km²), ranked 28th

      You've got 32x the population and almost 9x the population density. Now math is not my strong point but I'm guessing Texas has more stupid assholes per square mile than North Dakota ever will. In North Dakota, you would actually have to try to find someone to kill and by the time you found them, you'd have frostbite. The death penalty doesn't play into this at all.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    6. Re:Maybe it's time by Anonymous Coward · · Score: 0

      Maybe it's time for individuals and corporations to be held libel
      Why, did they make a "harmful statement in a fixed medium, especially writing but also a picture, sign, or electronic broadcast"? Wikipedia
      Or did you mean liable?
  25. Re:Companies can restrict outbound port 25 connect by asninn · · Score: 1

    That'll work fine until the CEO demands to know why he can't check his mail anymore or why there suddenly is "a little bit of latency" that wasn't there before. Don't overestimate your power to "set network policy" in the face of upper management.

    --
    butter the donkey
  26. Re:Companies can restrict outbound port 25 connect by Curien · · Score: 1

    The latency wouldn't be when you check e-mail, it would be when e-mail is /delivered/. This is already a high-latency process, so adding a little more is negligible. Plus, users tend not to notice latency at that stage.

    --
    It's always a long day... 86400 doesn't fit into a short.
  27. Actually, here's the complementary thought by Moraelin · · Score: 5, Interesting

    This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

    Food for thought.


    Actually, here's another thought for you: how many got pwned by other means, but are afraid that some "lusers are idiots" type will blame it on porn? I've only skimmed through the thread and I already see two blanket generalizations to the effect that, respectively, (A) infections come from porn surfing, and (B) the user is lying through his teeth if he's saying otherwise.

    The fact is, there are so many ways to get pwned today, it's not even funny. Email attachments, trojan programs packed as some cutesy screen saver or utility you can download, phishing-like schemes where you're sent to a page chock-full of IE exploits, warez sites (tend to be worse than porn as infection risk goes), spyware serving ads with exploits in them, or rarely a genuine site or ad provider getting pwned and helping spread exploits (don't assume that _only_ spam zombies can possibly ever get installed when security is breached), etc.

    Yes, you can say that they should have known better, but it's still not porn. And it sometimes comes with the endorsement, real or faked by a trojan who took over a friend's address book, of someone they know. E.g., every company has a wiseguy or two setting up some jokes mailing list and forwarding there anything he receives, indiscriminately, including links to other sites. And by indiscriminately, I mean here one even managed to forward a couple of business emails to that list.

    Then there are malicious insider jobs. There are cases of sheer idiocy on the part of some techie or programmer or PHB. (You can occasionally read advice even on /. to the effect of leaving a backdoor to some client's machine so you can remotely debug it, for example. Or insecure stuff left in programs just on the assumption that no one will know it's there.) Etc.
    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Actually, here's the complementary thought by lukas84 · · Score: 5, Insightful

      The problem is, that the whole story is two sided.

      It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (i mostly work for our customers, and do our internal IT as a side job).

      People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.

      IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.

      The consequences are that Users and IT People don't trust each other. And this is bad, very bad.

      IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and i think it helps with both morale and problem resolution.

      We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are better than properly securing this (e.g. buying 802.1x switches and segmenting clients into VLANs according to their identification).

      Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that i can sit around and read dilbert all day long".

    2. Re:Actually, here's the complementary thought by Anonymous Coward · · Score: 0

      You can't have a policy that is too open, because users will take advantage of it. It's sad for those who behave, but the few bad can easily outweigh the majority good.

      I'll give you one of the many many examples that i've seen with my own eyes:

      When i came to work for my company, everything was wide open security-wise. The firewall wasn't set up very well... so there were users using peer to peer apps and killing bandwidth on a regular basis. I sent emails to everyone warning them that such programs were killing our bandwidth and was affecting all of our remote offices (and it was, in a bad way). Maybe one user listened. I then started telling them face to face, and disabling it on their machines while i kindly explained the problem it was causing for others.

      9/10 users reinstalled the bad app or similar.

      After wasting countless hours with this sort of thing (when there were much much bigger fish to fry), and being shorthanded, it was time to start locking things down. Some users were demoted to users on their local machines. The firewall was set up to block everything but needed services.

      I waited a long time and tried to be nice... too nice, obviously, because most of the troublemakers stayed troublemakers.

      IT has to be harsh to function in any normal company, otherwise time is wasted for everybody, productivity goes down, etc. If people were more responsible, it wouldn't have to be this way, but that's human nature (at least in the USA).

    3. Re:Actually, here's the complementary thought by lukas84 · · Score: 1

      It depends. I work in a Small Business, and for Small Businesses. With a maximum of 50 people in a company, you know everyone. Things might be different in a big company, when you're no longer "Joe Smith from the IT Dept." but instead "Employee #0815".

      I never had issues with file sharing programs.

      I did have a bandwidth hogging issue though, with Zattoo (a legal P2P TV application). During major sport events, our internet broke down. I sent an email that zattoo shouldn't be used by multiple people at once, and instead they should listen to these events by radio, or watch it in the conference room.

      Issue resolved.

      Oh, and you think productivity breaks down when people are watching a sports event? It does for a moment, but most of them will catch up on it on the same day. Not everyone.

      I don't know about big corporations, but in a small business, you need to trust every employee you have. That doesn't mean leaving the admin password at "1234", but it means to only implement measures which are necessary.

      As a side effect, when other people in the company trust you, they will come and ask you for advice. This is usually before they fuck up.

      An issue i encountered often is:
      "I need program x to do z, but i'm not allowed to buy it".

      Under normal circumstances, people might've looked for a warez copy of it, and found viruses or spyware instead.

      In this case, you usually have two ways to go

      "Theres the alternative solution y, which is open source, i can install it for you"

      "I don't think that theres another program than x that can do this, i will talk to your superior"

      Employees are people too. If you let them waste maybe 10 hours in a year watching important sports events, they're happier. And happy people work better.

    4. Re:Actually, here's the complementary thought by Anonymous Coward · · Score: 0

      Case in point: I once got a spyware/adware infection on a work machine from a site that showed song lyrics. I was using Firefox. A Java applet popped up a dialog box stating that I needed a plugin to view content on the site. The plugin was signed by a recognized certificate authority. I approved the install. Next thing I know, I'm getting popup ads left and right. I managed to manually disable the crap. It wasn't easy. I had to kill several processes to get it to quit reinstalling itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run every time I deleted it. My biggest mistake was that I was running with power user privileges. I don't do that any more. I also don't install plugins from unknown sites.

      It's not just porn sites that install malware. They are among the worst offenders, but they are not the only ones.

  28. Is the corporation centralized? by br00tus · · Score: 2, Insightful
    It is easy for me to see this for a number of reasons.

    1 - Is the entire corporation's IT department centralized? HP is a F1000 company - is HP and Compaq's computer networks fully merged? Or for Citigroup, is the old Citicorp network fully merged with the Travelers network? Or were Travelers Salomon Brothers and Smith Barney networks merged before that? And so forth. Wal-Mart's corporate network is probably standardized, but a lot of companies are the result of many mergers over the years. Or some companies are just of a type where different divisions are very different so there is no or not much centralized corporate IT.

    2 - Does the corporation have a global network? Global multi-national corporations have computers all over the world, and it can be hard to have a standard network in New York, Tokyo and London (etc.) New York and Tokyo may be solid, but London may be open to problems etc.

    1. Re:Is the corporation centralized? by Vulva+R.+Thompson,+P · · Score: 1

      Interesting point. I used a unique email address for years with VMWare without a single piece of spam. After EMC bought them a few years ago, within a couple months it was getting hit with 2-3 pieces a day. Never gave it much thought beyond filtering it.

      Which brings up the point, pure speculation but it would seem that valid lists are becoming more valuable. The public's general awareness to not leave their address lying around has probably hurt the scrapers to some degree. Along with the rise of sneakemail and other remailers. If a company is being bought out, nowadays it might be worth the risk to fob the mailing list and make a mortgage payment out of it.

      Then again, there's probably enough supply from the address book hijackers based on the number of botted machines in existence. Just ask my three Windows-enabled neighbors; doesn't take long after I give them a (unique) address that there's stock spam showing up in my inbox.

  29. your use case by Gary+W.+Longsine · · Score: 1

    You don't need outbound access on port 25. Use a non-standard port for your mail server like the rest of the cool kids.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  30. Re:Companies can restrict outbound port 25 connect by spacefight · · Score: 1

    If you leave Port 25 open as a company, you're basically asking for trouble....

  31. Re:Companies can restrict outbound port 25 connect by paeanblack · · Score: 5, Insightful

    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

    That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.

    As you seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.

  32. Re:Companies can restrict outbound port 25 connect by aztracker1 · · Score: 1

    Many viruses that send out spam use the MAPI interface (Outlook & Outlook Express) to use the mail settings on the local machine... So blocking the port doesn't help nearly so much... though why they don't have outbound mail flagged if a user sends more than say 10 emails an hour on average is beyond me...

    --
    Michael J. Ryan - tracker1.info
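A rate check of the kind described above, run against the corporate mail server's own log, catches the MAPI/Outlook-profile case precisely because that traffic goes through the sanctioned server rather than around it. The following is an added example, not code from the post or from Exchange or any other mail product; the log format, the account names and the thresholds are assumptions made for the example. It uses a sliding 60-minute window rather than a plain hourly average, so a 12-message burst in five minutes is flagged at once instead of being diluted over the hour, and it also counts distinct recipients, which separates a bot working through a harvested list from a user mailing the same team repeatedly.

```python
"""Flag accounts whose outbound mail rate, as seen at the corporate mail server, is abnormal.

Added example.  Log lines are a hypothetical simplified format:
    <ISO timestamp> from=<account> to=<recipient> status=<sent|bounced>
not Exchange's or any real MTA's log syntax.  All sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log() -> str:
    """Constructed log: a normal user, a bot-driven account, and a busy but legitimate one."""
    base = datetime(2007, 3, 20, 9, 0, 0)
    lines = []
    for i in range(3):                       # alice: 3 mails over 40 minutes
        lines.append(f"{(base + timedelta(minutes=20 * i)).isoformat()} "
                     f"from=alice to=partner{i}@example.net status=sent")
    for i in range(12):                      # bob: 12 mails in under six minutes, 12 distinct recipients
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} "
                     f"from=bob to=victim{i}@example.org status=sent")
    for i in range(11):                      # carol: 11 mails spread over three hours, at most 4 in any hour
        lines.append(f"{(base + timedelta(minutes=18 * i)).isoformat()} "
                     f"from=carol to=team@example.com status=sent")
    return "\n".join(lines)


def parse_log(text: str):
    """Return (timestamp, sender, recipient, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if not all(k in fields for k in ("from", "to", "status")):
            continue
        events.append((datetime.fromisoformat(parts[0]), fields["from"], fields["to"], fields["status"]))
    return events


def burst_senders(events, limit=10, window=timedelta(hours=1)):
    """Return {sender: (count, ts)} for senders exceeding `limit` messages within any `window`.

    A sliding window is used deliberately: an hourly average would let a short
    burst hide behind fifty quiet minutes.  Events are processed in time order
    and the entry records the moment the ceiling was first crossed.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, sender, _rcpt, _status in sorted(events):
        q = recent[sender]
        q.append(ts)
        while ts - q[0] >= window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and sender not in flagged:
            flagged[sender] = (len(q), ts)
    return flagged


def distinct_recipients(events):
    """Number of distinct recipients per sender; spam bots fan out, real users repeat."""
    seen = defaultdict(set)
    for _ts, sender, rcpt, _status in events:
        seen[sender].add(rcpt)
    return {s: len(r) for s, r in seen.items()}


if __name__ == "__main__":
    evts = parse_log(make_sample_log())
    fanout = distinct_recipients(evts)
    for sender, (count, when) in burst_senders(evts).items():
        print(f"{sender}: {count} messages within an hour as of {when.isoformat()}, "
              f"{fanout[sender]} distinct recipients")
```

With the default ceiling of 10 only the bot-driven account is reported; the threshold is a parameter because the right number depends on the role (a sales desk legitimately sends more than an engineer), and the distinct-recipient count is the second signal to look at before calling anyone.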
  33. Re:Reminds me of when I first started my current j by David+Off · · Score: 1

    Why didn't anyone pick up his PC was spewing viri etc when he was still using it? I don't understand why they didn't just ghost his machine like most companies do? After all there can't have been much worth saving if the m/c hadn't been turned on in weeks. I also think this "surfing dodgy sites" == "malware" is a bit overplayed. First of all a good proxy could block a lot of this stuff, such as executing certain types of Javascript and secondly unless someone is installing stuff by clicking on pop-ups or whatever the sites would have to rely on browser exploits which is less straightforward.

  34. Re:Reminds me of...my old .com job by Anonymous Coward · · Score: 0

    I am reminded of my days at a certain large dot com company. (They still exist today and most people have always hated this particular company.) Anyway, the IT department required that all Windows boxes run antivirus software and that we never ever enable file sharing. (Which made my job interesting as I was developing software that made use of file shares!) Anyway, I constantly got notifications that such and such virus had attempted to infect one of my test machines. Occasionally I would get curious and look at where the attempted infection came from ... my favorite source being a distribution machine (you know, the machines clients download software from) nice! The IT department was very much losing the war.

    But I think my absolute favorite was the time the senior developer clicked on the infamous "AnnaKournikova.jpg.pif" email attachment which pretty well hosed his dev box. I still to this day have difficulty believing that a "smart guy" would do something so foolish. (In truth, I never thought he was that smart but he had the right attitude / company management liked him. You know how it is.)

  35. Re:Companies can restrict outbound port 25 connect by DrSkwid · · Score: 1

    How to make yourself look totally ignorant about the internet in one easy post.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  36. You have to be cruel to be kind by TapeCutter · · Score: 1

    "No morale = no security."

    Yes, but one of them came first. A company that has LAN problems does not get much done and if it happens regularly you will find your users wandering off on "LAN breaks", managers will attempt to charge the IT dept for down time, etc., frustration levels rise, experienced sysadmins are like rats on a sinking ship, and morale suffers.

    Like it or not the GP is correct, IT policy is a matter of corporate "self preservation". LAN policy must be enforced from the top down with the same rigour as financial policy.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  37. Re:Reminds me of when I first started my current j by jimicus · · Score: 1

    Wouldn't it have been quicker (not to mention more secure) just to rebuild the box?

    At least that way there's no niggling question lurking in the back of your mind "Have we got everything? Or is there still some random trojan on there?"

  38. No objections by Moraelin · · Score: 1

    No objections there. In fact, I wish I could mod you up, but then I've posted in this thread already. Very refreshing to see a sane attitude, in any case.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  39. Re:Companies can restrict outbound port 25 connect by v1 · · Score: 1

    port 25 is not used to check mail, it's used to send mail. port 110 (POP3) is used to receive email and there is little or no reason for a firewall to block it. Port 25 is what the spammers are interested in because that's SMTP for sending mail.

    Both companies I work for get their internet service from a provider that blocks port 25 at the head end. If you want to send mail, you must send using their SMTP server, it is the only IP address exempt from port 25 traffic. If a spambot is dim enough to try to use the victim's own SMTP server as specified in their mail account, the ISP's filters spot it in an instant since it's going through their own servers, the customer's cable modem is remotely shut down, and they get a phonecall. They won't get internet back until they have cleaned up their computer. That's how it should work everywhere. While this is not a policy here, I have heard of ISPs that go a step farther and you have to request a tech come out and install antivirus software on your machine and certify it clean before they turn your service back on. That provides a financial responsibility to not get your computer owned, since you are paying for that service call every time it happens. I have also heard of a few ISPs that drop you as a customer if you hit your 3rd offense. I have no problem with any of these policies.

    Now this is minorly annoying as if I read an email on my home account when at work, and I hit reply, I have to change the SMTP address from my home server's to the internet provider's here at work or it will timeout. Though considering it's blocking 98% of the spam zombies on their networks from pumping spam, I think it's an excellent tradeoff and it doesn't bother me so much.

    --
    I work for the Department of Redundancy Department.
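The firewall-admin post earlier in the thread and the ISP head-end policy described in this one amount to the same control: outbound TCP/25 is allowed only from the sanctioned relay, and anything else opening port 25 to the Internet is a machine to go and look at. The following is an added example, not code from either post or from any firewall product, that audits a flow log against that policy. The log format, the addresses, the relay and the 10.0.0.0/8 internal range are all assumptions made for the example.

```python
"""Audit a flow log for hosts that speak SMTP to anything but the sanctioned relay.

Added example.  The log format is a hypothetical space-separated
"timestamp src dst proto dport" record, not any vendor's NetFlow or firewall
syntax; the addresses, relay and internal range are constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample flow log: two workstations, the relay, and one host that
# bypasses the relay (typical of a spam bot with its own SMTP engine).
SAMPLE_FLOWS = """\
2007-03-20T09:00:01 10.1.4.22   10.1.1.5       tcp 25
2007-03-20T09:00:03 10.1.4.22   10.1.1.5       tcp 25
2007-03-20T09:00:10 10.1.7.101  203.0.113.10   tcp 25
2007-03-20T09:00:11 10.1.7.101  198.51.100.77  tcp 25
2007-03-20T09:00:12 10.1.7.101  192.0.2.200    tcp 25
2007-03-20T09:00:15 10.1.1.5    203.0.113.10   tcp 25
2007-03-20T09:00:20 10.1.4.22   203.0.113.10   tcp 80
2007-03-20T09:00:25 10.1.9.50   198.51.100.5   tcp 587
"""

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space
RELAYS = {ip_address("10.1.1.5")}     # the only host allowed to talk SMTP outward
SMTP_PORTS = {25}                     # add 587/465 if policy routes submission via the relay too


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flows(text: str) -> list:
    """Parse the constructed log format; blank and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append(Flow(ts, ip_address(src), ip_address(dst), proto.lower(), int(dport)))
    return flows


def smtp_policy_violations(flows, internal=INTERNAL, relays=RELAYS, ports=SMTP_PORTS):
    """Return {src: [dst, ...]} for internal hosts that opened SMTP to a non-relay.

    The relay itself is exempt (it has to reach the Internet), and workstation ->
    relay is the sanctioned path, so only direct-to-Internet SMTP is reported.
    """
    violations = defaultdict(list)
    for f in flows:
        if f.proto != "tcp" or f.dport not in ports:
            continue
        if f.src not in internal:             # inbound traffic: not an egress question
            continue
        if f.src in relays or f.dst in relays:
            continue
        violations[f.src].append(f.dst)
    return dict(violations)


def rank_offenders(violations):
    """List (host, count) pairs by number of non-relay SMTP connections, busiest first."""
    return Counter({str(src): len(dsts) for src, dsts in violations.items()}).most_common()


if __name__ == "__main__":
    found = smtp_policy_violations(parse_flows(SAMPLE_FLOWS))
    for host, n in rank_offenders(found):
        print(f"{host}: {n} direct SMTP connection(s) bypassing the relay")
```

Run against the constructed log it reports only 10.1.7.101; widening `ports` to include 587 also picks up the host using the submission port, which is the right call only if policy says submission must also go through the relay. The same check is what the ISP in the post is doing at its head end, just with the ISP's own SMTP server as the single exempt address.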
  40. Re:Reminds me of when I first started my current j by BurningFeetMan · · Score: 1

    Of course it would have, but second day on the job, I didn't know what was what... not to mention literally "no" IT department on site. It turned out that that computer in particular stored about 6 years worth of very very VERY important data, so lucky I didn't format the thing, etc. >_
    There are still thousands of companies out there in manufacturing and mining industries that have been doing what they've been doing for the past 50-100 years. For such workplaces, a lot of them wing it when it comes to IT and security, as the companies themselves still remember 10 years ago, before computers existed in their workplace.

  41. Re:Companies can restrict outbound port 25 connect by Anonymous Coward · · Score: 0

    Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network.

    I seriously hope you are being sarcastic. Exchange? Every serious company I have ever known uses Lotus.

  42. Re:Companies can restrict outbound port 25 connect by Anonymous Coward · · Score: 0

    "Why has my submitted story been marked as "pending" for over 2 weeks now?"

    You, too, eh? I have one that's been "Pending" since March 11. I suspect some sort of system glitch.

  43. Re:Reminds me of when I first started my current j by powerlord · · Score: 1

      Well ... the GP did mention that in the previous 6 weeks they had installed anti-virus software company wide, so perhaps they knew they had a problem, but couldn't track it down since his computer was off (and they might not have had an on-site tech support department, according to his email).

    I bet most companies under 30 employees don't have a dedicated IT person, just someone who's job got made to include IT (if even that).

      9 times out of 10, they either get consultants to cover the stuff they can't handle "in-house", or else they do without. For those people, it just doesn't pay to have an IT person who would have tracked this down and nipped it in the bud, and if you have to call a consultant that you pay by the hour (probably a high $$$ amount), then if you think the problem went away (the computer was off and everyone was using anti-virus software), you might not have thought you needed to call in an expert.

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  44. Re:Companies can restrict outbound port 25 connect by db32 · · Score: 3, Insightful

    IT narrowmindedness? Sure, whatever, I am so sick of users justifying the most insane bullshit on the network and then crying about the IT department enforcing such harsh restrictions. Go buy your own internet access and expose your home network to whatever you want, not mine. Then on top of this its the IT departments fault when the secretary has installed 18 random mouse cursors and other malware crap and her computer runs like shit. While doing contract work I almost watched a woman get fired on the spot for that crap because they kept having to call my company in and send me out to bill them for something like $70/hr to come and fix this woman's PC. Finally the boss asked me what it was and I told him she has all this garbage installed and every time I remove it she puts it back on and then I have to come back out and fix it. So...she was costing her company hundreds of dollars in support because she just HAD to have the puppy theme for IE and all the puppy cursors.

    Further, since I have frequently worked on secure networks, if I catch you doing something stupid you are likely to get reprimanded and depending on the level of stupid fired, if higher up the chain catches you, or something bad happens due to your nonsense...you are looking at fired or jail. So in fact when dealing with sensitive networks that is the method because it isn't fun and games, its business, and the corporate network doesn't exist for your amusement. There is plenty you can do to kill time with a solid network with good policy, that doesn't involve installing a bunch of BS, or allowing IM/Email/etc. Unless you haven't been watching the news, data exfiltration is a major issue, and most problems are inside jobs.

    I seriously don't understand this IT narrowmindedness crap that keeps coming up. Users expect their IT department to protect them. They follow the logic of "if I can do it then I must be allowed to do it and it must be ok". A good IT department lays down solid policy and enforces it. Security is everyone's business, but its the IT department's job. You can bet your ass the first time something goes wrong the IT department is going to be answering a lot of questions about "why didn't you have something in place to prevent this".

    Exposing your network to user stupidity has nothing to do with morale. People cry this morale bullshit when trying to justify poor policy or poor behavior when its just a failure to do their job or take security seriously. We have had IPTV on the network for ages, you can watch any number of TV channels fed through the network. Live TV, and not sucking down precious internet bandwidth. But people will still bitch and moan about wanting streaming media so they can watch whatever stupid clips they find on myspace that have driveby malware installs and other such exploits and then when a good admin blocks myspace people like you will cry about how awful and draconian it is to protect your network from threats when the users want to expose millions of dollars of equipment to risk.

    I invite you to go deal with a Melissa "virus" type cleanup, not even really a virus, user must interact with it and it still spread like wildfire and caused millions in damages on just the few networks I supported at the time. (In fact almost watched a guy get fired on that one too for causing the loss of 2GB of marketing images). Even better, go deal with a real virus that can spread on its own because some dumb bastard clicked on cool_mp3.scr from his webmail that he shouldn't have been using. A real outbreak costs an insane amount to contain and most of the time it could have been prevented by good policy and enforcing that policy.

    My responsibility is to the security of the network, not the whim of the user.

    --
    The only change I can believe in is what I find in my couch cushions.
  45. Re:Companies can restrict outbound port 25 connect by siriuskase · · Score: 1

    Security, as is much of IT, is a cost center. It's hard to get authorization for hiring enough employees and equipment to do a proper job and continue to do a proper job unless you have an expensive embarrassing incident. And then, to save face, cover ass (what's the difference), management brings in an expensive outside security consultant to do a little magic and save the day. The underequipped, understaffed fulltimers will be lucky to keep their jobs.

    --
    If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
  46. Re:Companies can restrict outbound port 25 connect by 644bd346996 · · Score: 1

    Somebody smart enough to install an email server on a company workstation, but dumb enough to think that it is okay, is dangerous to the company and should be fired.

  47. Network security is primarily a people business. by McDutchie · · Score: 1

    I mostly am the IT department at a 30 employee company, so I have some experience with these issues from a somewhat different (non-Fortune 1000) perspective.

    First, you are confounding personal use of the network (e.g. personal email) with major security risks like people installing their own software. If people are even able to install their own software on the computers under your management, I have no idea why you still have a job -- restricted-rights user accounts exist for a reason. From a security perspective, allowing software installation is dumb. Allowing personal email is not.

    That's because the company network exists for the benefit of the people keeping the company running -- people being the essential keyword. Allowing the minimum access rights required for the job and no more is good security policy for software, but it's crap for people. You're creating resentment and a blame-the-IT-department culture, as well as a major incentive for users to get away with whatever they can get away with. This type of policy is known to lower overall productivity, simply because it makes the employees unhappy and cynical.

    Where I work, people care about the company and they naturally care about the network as an extension of the company. The company runs Linux Terminal Server Project-based terminals and a few Windows boxes under limited-rights user accounts. Technical measures disallow the installation of any software without it going through me first. But no one cares if people want to send a few emails to friends or check what the weather will be like over the weekend. I treat employees like people, not like security risks. I never get blamed for problems, I get thanked for solving them.

    My responsibility is to the security of the network, not the whim of the user.

    A good network manager's responsibility is to the user -- period.

  48. Re:Companies can restrict outbound port 25 connect by Hoi+Polloi · · Score: 1

    This is the IT environment I work in and I've managed to survive. As long as your internet use is reasonable and you are getting your work done and on time they leave you be.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  49. Re:Companies can restrict outbound port 25 connect by rbanffy · · Score: 1

    Believe it or not, blocking ports is a solution most would prefer to dropping their favorite (and the only one they ever knew) OS in favor of something that is not an excellent petri-dish for just about every digital disease known to man and machines.

  50. Re:Companies can restrict outbound port 25 connect by Anonymous Coward · · Score: 0

    Speaking of Gmail, when I started at my new job I thought I was being good by keeping my personal email separate from work on gmail and checking it from work. That was a no-no. Ok, I stopped checking it. I did however still have a gmail checker on my google portal page that showed new mail and only the subject. I didn't realize that this showed up on logs as an http access to gmail.com (I didn't even realize it was accessing gmail via a direct http request). No-no #2. So if they monitor for outside email access don't use google's gmail notifier.

  51. When I grow up by Coraon · · Score: 1

    Can I be a hacker for a fortune 500 company? Think of the glamor (none), the babes (less than none), the sexy parties (ok maybe a few of those if your roommate is cool)

    --
    -Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icaris.
  52. Re:Companies can restrict outbound port 25 connect by LilGuy · · Score: 1

    I know it's a pain to have an abuse department that has to answer to complainers all across the net when one of your customers is infected with some spam virus, but forcing all port 25 traffic through your own smtp server(s) is pretty sketchy. I'd be willing to bet your cable isp's backbone is on the AT&T network...

    --
    You're nothing; like me.
  53. Re:Companies can restrict outbound port 25 connect by sabernet · · Score: 1

    I sincerely hope you were being sarcastic. Lotus? What is this: 1995?

    Say what you want about MS (personally, I don't much like 'em and Vista is the most horrid thing to happen to the OS world since ME), but Exchange works and works well. And yes, most companies use it. Maybe a couple of holdouts or diehards use Lotus. But Exchange is definitely the dominant platform and is the great majority of MS's piggy bank.

    Your statement would be like saying, "Most computer users I know run BeOS".

  54. Re:Companies can restrict outbound port 25 connect by zrq · · Score: 1

    .. checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this" ..

    I can understand why you would say that. However, what about external visitors to your site?

    A large part of my job involves visiting other university departments and conferences; email (and Jabber IM) contact with my home department is vital for being able to respond to questions and problems raised by the people that I meet. Which is why I'm there in the first place.

    I'm not suggesting that you should allow unrestricted outbound access. Obviously, any spam sent by a visitor's laptop would appear to come from your network, which is a bad thing. What I'm looking for is suggestions on how to handle the problem without preventing visitors' access to the external tools that they need.

    My own solution is to run Linux on my laptop (reducing the probability that it would be a spam sender in the first place) and to use an SSH tunnel to route any emails that I do send via the mail server at my home institute (so any spam it did send would appear to come from my home institute, not from the site that I'm visiting). If I can't access my department account, then I fall back to using my GMail account.

    However, this isn't a generic solution for two reasons.

    • A lot of sites won't allow guest machines (particularly laptops on a wireless network) to use SSH to connect to a remote system
    • I know enough technical stuff to set this up. Normal users (those most likely to have a spam-sending laptop) probably wouldn't

    So, has anyone got any practical suggestions on how to set up a system that allows guest machines to access their (legitimate, work-related) external email (and IM chat) systems from within a host network without leaving the host network open to being labelled a spam sender?

  55. Re:Companies can restrict outbound port 25 connect by jvkjvk · · Score: 1

    Exactly. My first thought was - Jeez, he's part of the problem!

    Don't check "personal" email, don't surf Slashdot, do nothing except work and do what you're told. Easiest way to have people come in with a slave mentality. Do just enough to avoid getting beaten down but certainly not enough to actually make a difference.

    I wonder how he reconciles his use of company resources to post to Slashdot with his attitude toward lusers. Oh, right, he's probably posting from home... and some lusers are more equal than others (mainly, those that have the Keys to the Kingdom).

  56. Re:Companies can restrict outbound port 25 connect by kalirion · · Score: 1

    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

    Easier said than done. When you consider that even the formidable Los Angeles CTU security defenses were breached by a simple remote-execution browser exploit planted on a web-page, what chances do normal businesses have?

  57. Re:Companies can restrict outbound port 25 connect by Sparr0 · · Score: 1

    port 25 is not used to check mail, it's used to send mail. port 110 (POP3) is used to receive email and there is little or no reason for a firewall to block it. Port 25 is what the spammers are interested in because that's SMTP for sending mail.

    Maybe you missed the part where I said this:
    "When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server."

    Now this is minorly annoying as if I read an email on my home account when at work, and I hit reply, I have to change the SMTP address from my home server's to the internet provider's here at work or it will time out. Though considering it's blocking 98% of the spam zombies on their networks from pumping spam, I think it's an excellent tradeoff and it doesn't bother me so much.

    Changing your SMTP server like that is exactly what you SHOULDN'T do in terms of proper spam solutions. SPF (usually) says you have to send your bob@isp.com emails through smtp.isp.com, not smtp.workplace.com. If workplace.com is blocking outbound port 25, shame on them.

  58. have a nice ride... by Anonymous Coward · · Score: 0

    for the next couple years before either..
    1) your ass is fired
    2) your job is best shored and you collect cans to support your WoW addiction
    3) your company is bought by a company with security sense (oh wait, see #1 and #2)
    You are in the "reserves", buddy. When you get to the front lines (trenches) you will see the light.

  59. Interesting.... by aliensporebomb · · Score: 1

    It's an interesting topic because with today's work environment potentially being in many different locations (I'm literally in a different office every day of the work week) and people being allowed to have their own equipment on the network with only Symantec corporate edition between them and the network, it's a strange experiment. The vast majority of infections I see coming onto our network are from people surfing....unsavory sites....from home in their off hours.

    But I wonder if this particular revelation will lead to interesting lawsuits against the large corporations from those who dislike spam, leading to increased vigilance of the IT groups of those companies (firewalled subnet for guest contractors or others who bring their own equipment onto the network).

    Food for thought.

  60. Re:Companies can restrict outbound port 25 connect by bendodge · · Score: 1

    Em, it appears to be time-warner from the traceroute.

    --
    The government can't save you.
  61. Mod title -1 Troll by rubmytummy · · Score: 1

    or something. TFAs are about security failures at large companies, not (as the title implies) companies voluntarily originating malicious e-mail.

  62. Re:Companies can restrict outbound port 25 connect by db32 · · Score: 1

    Because I assume you don't understand the problem. Reading webpages at work is generally safe to do providing you have a good proxy and filtering to weed out the darker corners. I frequently read the news and slashdot and other sites during downtime at work. I don't visit popup-ridden exploit havens like myspace or do webmail allowing a whole vector of nastiness in, and the good proxy filtering stops the others from doing the same. The first thing I do with keys to the kingdom is break them up so no one has all the keys to the kingdom, because it's poor security to have one guy that can do everything. I have no problem with people surfing the web or otherwise finding entertainment (local IPTV) and such to make the day go by. Games can even be ok in some circumstances so long as they are legit and aren't interfering with mission stuff. But people start putting cracked games on the network and you have to drop the hammer. Unless of course you can read ASM and prescreen every crack to make sure it doesn't do anything but allow illegal use of software, but then you have that pesky illegal use of software thing...so bzzt wrong. Users running email servers on the corporate network and allowing outbound 25 is beyond stupid and any "security" guy that would allow that should be fired along with the people doing it.

    Oh and yes, I am posting from home :)

    --
    The only change I can believe in is what I find in my couch cushions.
  63. Re:Companies can restrict outbound port 25 connect by db32 · · Score: 1

    Well allowing SSH out is kinda sketchy. I wouldn't allow SSH out except for specific approved machines/reasons. Primarily because you can tunnel all forms of nasty in and out of the network with it and nothing can peek in on the data to see what is going on.

    VPN maybe if the host network is set up to allow it, but I think probably the best solution (in terms of reliability at least) is to get bluetooth in on the action. Get a cellphone, pay the extra $10/month or whatever it is for unlimited net usage, and hook up the laptop via bluetooth (beats the hell out of those cellular modem things that cost so damned much). Sadly my phone is too old, but my supervisor does that with his while traveling and he says it works great. Lets you dodge all of the security issues involved in trying to get a foreign laptop onto the network.

    As far as you being the owner of the network and allowing guest access to others visiting I think the first thing to do would be to corral the visiting machines off in their own VLAN and have it be treated as an external network by all your stuff. Sure they may be able to use your pipe to the world (again, push em through your firewall/proxy), but at least your stuff will treat them like the potentially dirty foreigners they are :).

    --
    The only change I can believe in is what I find in my couch cushions.
  64. Re:Network security is primarily a people business by db32 · · Score: 1

    Personal mail IS just as much of a security risk as installing software. Let the users do non-risky things, that's fine. But personal outside email is a huge damned risk, no one wants to believe it is, and I have actually busted people on this on networks that you can get sent to jail for screwing up. I'm not saying be draconian and horrible to users and not let them do anything, but personal mail is one of those things they had better not be doing. It's just too large of a vector for badness to come in. Do you control those mail servers? Are you able to scan the attachments? Are you able to disallow types of attachments? God forbid if you allow them to use outlook or some other such to access external mail, in that case you should be shot on sight. Webmail isn't quite as evil, but evil enough that it shouldn't be going on.

    A good network manager's responsibility is not to the user. That's like saying an accountant's responsibility is to the client when it isn't, the accountant's responsibility is to the auditor. That is how you build trust, that is how you build stability, and that is how you build a reputation for being the best. Then the clients know you will keep them out of trouble by making sure there is no trouble, not by covering up some crap to try and hide it. A good network manager/security admin/whatever has a responsibility to the company, not the user. People say stupid shit like this, oooh poor users they are so downtrodden, but then are ready to execute people for losing thousands of social security numbers. Their security guy should have had much better policy, and enforced it much more clearly, and then generally the users go on their merry way without causing themselves or the company a world of hurt. Go try this attitude when you work on classified networks, or hospital networks, or any other network that has sensitive information and is subject to strict outside policy. I promise you don't want to be the guy in the crosshairs when something goes wrong on your watch.

    --
    The only change I can believe in is what I find in my couch cushions.
  65. Re:Companies can restrict outbound port 25 connect by db32 · · Score: 1

    Should be quartered and their parts left in the corners of the building as a reminder for everyone else who thinks they should do something like that. Unfortunately the "civilized" world doesn't like that much.

    --
    The only change I can believe in is what I find in my couch cushions.
  66. Re:Companies can restrict outbound port 25 connect by danpsmith · · Score: 1

    There is plenty of websurfing around that doesn't involve grotesque breeches of security to keep people entertained while they are being productive.

    Exactly, for instance, browsing slashdot from your employer. =P

    --
    Judges and senates have been bought for gold; Esteem and love were never to be sold.
  67. Brought to you by WorldWide Pants ... by beer_maker · · Score: 1

    ... grotesque breeches of security ...
    breaches == holes or breaks in a wall (of security, perhaps)

    breeches == trousers worn by Ben Franklin, or the back ends of a number of modern cannon

    I must admit, however, there IS a strange and awesome majesty to your original phrase ...

    --
    Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
  68. Re:Companies can restrict outbound port 25 connect by v1 · · Score: 1

    Changing your SMTP server like that is exactly what you SHOULDN'T do in terms of proper spam solutions. SPF (usually) says you have to send your bob@isp.com emails through smtp.isp.com, not smtp.workplace.com. If workplace.com is blocking outbound port 25, shame on them.

    So you have a better, simple idea, that has a prayer of being implemented by anyone? Their policy of not allowing outside SMTPs completely solves the problem of open relays, and that's a powerful feature. It forces all outgoing mail to go through them, giving them a degree of control over the spam that no other solution offers. So with a minimum amount of diligence by your ISP, close to 100% of the zombies are unable to spam. Why is this a bad thing?

    I suppose a better, although more expensive and complicated solution would be to transparently proxy any outbound traffic on 25. Any attempt to use an open relay (i.e. not authenticating) is dropped. That would eliminate even the minor inconvenience I am experiencing.

    Even though this change must be made by a large number of uncoordinated ISPs, it's not like the system is totally useless until you approach 100% implementation. The more that implement it, the better it gets for all of us. So I'm glad to see there are some ISPs that are getting the ball rolling. Now we just need more to get on board, since THEY are presently the source of spam. So many spam solutions try to prevent you from receiving spam, not preventing it from being sent. They are trying to treat the symptoms rather than the cause, and that's just not going to work.

    --
    I work for the Department of Redundancy Department.
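The SPF point argued in comments 57 and 68 (why a bob@isp.com reply relayed through the workplace's SMTP server fails the ISP's policy) can be seen concretely with a small evaluator. This is an added example, not code from any commenter; the domains, addresses and TXT records are constructed stand-ins for real DNS lookups, and only the ip4/ip6/include/all mechanisms are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS (assumption: isp.com, workplace.com
# and the addresses below are invented for this example, not real records).
TXT_RECORDS = {
    "isp.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.isp.com -all",
    "_spf.isp.com": "v=spf1 ip4:203.0.113.10 -all",
    "workplace.com": "v=spf1 ip4:192.0.2.25 ~all",
}

# SPF qualifier prefixes and the result each one yields when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, source_ip, records=TXT_RECORDS, depth=0):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Terms are checked left to right and
    the first matching term decides, as in RFC 7208.
    """
    if depth > 10:
        return "permerror"
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the referenced record yields 'pass';
            # the included record's own -all does not terminate the outer check.
            if check_spf(arg, source_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, exists, ...) are not modelled here.
    return "neutral"


def relay_outcomes():
    """The paths discussed in the thread for mail claiming to be from isp.com:
    sent via the ISP's own server, via a host its include delegates to, and
    via the workplace relay that the ISP never authorised."""
    return {
        "via smtp.isp.com": check_spf("isp.com", "198.51.100.7"),
        "via included host": check_spf("isp.com", "203.0.113.10"),
        "via smtp.workplace.com": check_spf("isp.com", "192.0.2.25"),
    }


if __name__ == "__main__":
    for path, result in relay_outcomes().items():
        print(f"{path:24s} -> {result}")
```

A receiver honouring the ISP's -all would reject the third path outright, which is the behaviour comment 68's forced-relay policy relies on; the ~all on workplace.com shows the softer outcome a domain gets when it only marks unknown senders as suspect.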
  69. Re:Network security is primarily a people business by Anonymous Coward · · Score: 0

    I don't know why you assume it is "personal email" that is the root of the problem. I am generally stuck with a very visible email address because of my communications role within a company, and I get hit with so much spam it's outrageous. There have been times when I notice my computer is running very slowly and suddenly I get a bunch of bouncebacks ... I've begged and pleaded with IT to figure out what the problem is. It wasn't until I worked for an email security company that I realized I'd been zombied, and through no fault of my own. So before you go shooting people on the spot for their recklessness, dear IT folks, figure out how it happens in the first place. From reading these posts, it doesn't sound to me as though you have. And btw, how often do you hear an IT department counsel you to not use extended-absence notices on your computer that will confirm your email address when you're the info@xyz.com? How about never?

    And the thing is, I really do WISH you guys knew it all! Would make life so much easier and more productive for the rest of us.

  70. Re:Companies can restrict outbound port 25 connect by zrq · · Score: 1

    As far as you being the owner of the network and allowing guest access to others visiting I think the first thing to do would be to corral the visiting machines off in their own VLAN and have it be treated as an external network by all your stuff. Sure they may be able to use your pipe to the world (again, push em through your firewall/proxy), but at least your stuff will treat them like the potentially dirty foreigners they are

    Yep, that protects your internal systems from attack by nasty things on visitors' laptops while still allowing visitors to access their home systems. However, to the outside world, any spam sent from the visitors' laptops appears to come from your network.

    From the article:

    Steven Swick, an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants
  71. Adobe is a Spammer Now.... by Anonymous Coward · · Score: 0

    There's a good article about Adobe's latest spam email campaign at: http://flymulu.blogspot.com/.