Slashdot Mirror


User: csk_1975

csk_1975's activity in the archive.

Stories
0
Comments
120

Comments · 120

  1. Re:Opera not a fix on CERT Recommends Mozilla, Firefox · · Score: 1

    I discovered after fighting to kill off the processes generating these connections that there were seven more "critical updates".

    So you got a worm that uses non-IE exploits? So was the infection vector MS04-012 or MS04-011? Changing browsers won't help. In fact, unless you are vigilant and manually download and install patches, you are likely to require IE and windowsupdate.microsoft.com to get critical patches.

    The particular problem being discussed here, and why CERT recommends a different browser, is that there are unpatched vulnerabilities in IE which can be exploited to compromise machines. Changing browsers will protect against these exploits, but it won't protect against other non-IE Windows flaws.

  2. Re:Showing my ignorance here... on CERT Recommends Mozilla, Firefox · · Score: 1

    Yeah, but does Explorer use IE to render .htm files when they are being previewed? It actually appears to be mshtml.dll, but does this have exploit vectors such as these XSS flaws? I.e. if I click on a malicious .htm file in Windows using Explorer and it draws a little preview, can this exploit the system, or is the entire IE framework required and not just the HTML renderer?

  3. Showing my ignorance here... on CERT Recommends Mozilla, Firefox · · Score: 2, Insightful

    Does installing Firefox stop IE from being used for all HTML rendering? I know you can set it as the default browser but it appears that Outlook continues to make use of IE to render HTML emails and not Firefox - time to look for the registry setting.

    Also when Explorer does a preview of an HTML file in a folder view which renderer is it using, IE or the default browser?

    It looks like there are still vectors available for this exploit even if you install Firefox, as it's pretty well impossible to totally remove IE from a Windows system, isn't it?

  4. Re:How to kill it on Corporate Servers Spreading IE Virus [Updated] · · Score: 1

    Have you ever used IE with scripting turned off, or even worse set it to prompt you to run scripts? It's a friggin nightmare. Too many sites require scripting to even half function, and there is no granularity on this setting, so it's either break heaps of sites or set it to prompt you and then click OK and/or Cancel buttons hundreds of times as goddam "Scripts are usually safe, do you want to allow scripts to run?" windows keep popping up.

  5. Re:How to tell and Fixes on Corporate Servers Spreading IE Virus [Updated] · · Score: 1

    According to lots of people you don't know what you are talking about.

    There are two issues here, and the IE compromise that infected IIS servers are serving to browsers is an UNPATCHED ADODB.STREAM bug coupled with an UNPATCHED CODE IN CHM FILES EXECUTING IN THE LOCAL SECURITY ZONE bug. "patch it with MS04-11" really doesn't cut it.

    You may wish to make sure MS04-013 is installed and look at this for some registry settings which supposedly fix the exploit. BUT. As others have said, the only real fix is to use a different browser, as it is not 100% guaranteed that these are the unpatched IE flaws which are being exploited in all cases.

  6. Re:MSN Search is infected on Corporate Servers Spreading IE Virus [Updated] · · Score: 1

    Damn, I clicked your link and lo and behold lots of the Google results point to archives of my post to the incidents list about an IE/WMP exploit that happened to my machine on the 31st of May and installed msits.exe!

    Conjecture was that it was an ADODB.stream exploit coupled with the ms-its exploit (execution of code in compiled HTML help files in the local security zone, which allows overwriting of local files).

    I patched my system with Firefox and it's better now. :) - but not until I sniffed *all* the traffic from my machine and was happy that no unknown/malicious connections were happening as a result of trojaned apps or rootkits.

  7. Re:Honey Pot Hunter?!?!? on Confession For Two: A Spammer Spills it All · · Score: 2, Interesting

    Yeah and poor wittle spammy whammy is upset:-

    "Honey pots" are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through them and then send complaints to ones' ISPs.

    Frame? WTF? F'ing spammers, who the hell is "framing" them? The goddam lumber cartel? Geezus. I think the word they are grasping for is FUCK. I.e. "Honey pots" are fake proxies run by the people who are attempting to FUCK dirty spammers.

  8. The send-safe.com business model on Confession For Two: A Spammer Spills it All · · Score: 2, Insightful
    The most interesting part of the article was:-

    "If that mail server accepts the connection, the spam mail will be sent and a credit will be deducted from the spammer's account. If the mail server does not accept the connection because the IP of the open proxy is blacklisted, the e-mail will not be sent and no credit will be deducted."

    All mail admins out there take note. Rejecting connections from blacklisted open relays saves spammers money! Whereas accepting mail from blacklisted relays means the spammer has to pay!

    Don't block China, accept all the mail you get from there and stream it to /dev/null! Same goes for Taiwan. Simply accepting all mail sent from blacklisted open relays would destroy the business model of these send-safe.com leeches.

  9. YHGTBFK... on How To Avoid Viruses At Windows Install Time? · · Score: 1

    A hardware firewall inspects packets and determines whether they should be routed from one physical (hardware) interface to another physical (hardware) interface.

    A software firewall inspects packets and determines whether the packet should be passed between different layers of the TCP/IP stack (software) on a single machine.

    This isn't simply a matter of semantics. Just because hardware firewalls run software doesn't make them software firewalls. duh.

  10. Re:Unprecedented rates of infection on Infected Windows PCs Now Source Of 80% Of Spam · · Score: 1

    Anyone else see this out there?

    YES!!! Unpatched flaws in IE are actively being exploited to install this cruft on machines.

    The only real way to slow it down is to block access to spyware/adware/hijacker domains using an HTTP proxy (such as squid) and to block all URLs which could be malicious content such as .exe, .cab, etc, etc. This has stopped it on my network. It's amazing how many of these drive-by ActiveX hijackers are blocked when people browse somewhat innocent sites - but the dodgy websites are beyond belief.

  11. For those who want it here's the link on Infected Windows PCs Now Source Of 80% Of Spam · · Score: 1

    This one of Elle Macpherson should wreak havoc on a normal fully patched Windows/IE computer with standard settings. DON'T CLICK THE LINK UNLESS YOU KNOW WHAT YOU ARE DOING!!

    If you really must click the link using IE make sure that you have a backup of Windows Media Player or the WMP installer, SpyBot S&D, Hijack This and sundry other tools available to repair the damage.

    That clicking on a link can 0wn your computer must have something to do with Windows. PS The link worked 4 days ago and consistently ruined Windows machines by using a malicious WMP file - sorry if it's not still 0wning Windows, I don't have a spare one to test it on.

  12. FUD - Who can argue with that? on A Former Microsoftie Forecasts Microsoft Doom · · Score: 1

    Source: Automatic Updates
    Category: Installation
    Event ID: 21

    Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates.

    - Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB832894)
    - Cumulative Security Update for Internet Explorer 5.5 SP2 (KB824145)
    - Security Update for Windows 2000 (KB828741)
    - Security Update for Windows 2000 (KB835732)
    - Security Update for Microsoft Windows (KB828749)

    Yep, 2000 doesn't need a reboot after patching...

  13. Re:Not unless it is reduced by a factor of 1000 on Spamhaus Opening New Branch in China · · Score: 1

    And why don't the US spammers relay through US servers, choosing HK ones instead? Sounds like your ISPs need to change their attitudes, as most of the US ones have.

    Wasn't there just a story about Comcast being a huge originator/relayer of spam?

    Yeah, it sucks to have your server blocked because of the country you live in. Unfortunately blocking by country actually works and is an easy option. Blocking HK Cable, China, Korea and Comcast would reduce my spam load by heaps - unfortunately it's not an option :(

    Actually I am currently receiving spam from Singapore companies (I am in Singapore) which is being relayed via zombies in the USA - usually on Comcast broadband! So it cuts both ways.

  14. Re:SUS is an increase in TCO on Worms Jack Up the Total Cost of Windows · · Score: 1

    Your math is wrong.

    TCO on n Windows machines = (nx) + (ny)

    TCO on n Windows machines + 1 SUS server = (x(n+1)) + (z(n+1))

    Where n = number of machines, x = price of hardware/software, y = TCO sans SUS and z = TCO with SUS.

    z will always be significantly lower than y.


    Um.... OK, my math is wrong, so let's go for the simple case using your equations and some bogus (but not unreasonable) numbers I've plucked out of the air.

    We've got one machine (n = 1)

    It costs $1000 per machine for hardware + software

    We've got a fixed yearly cost of $10000 per year for a part time admin (our admin can handle a few machines) and it's $1000 per machine per year for warranty, depreciation, upgrades, etc, etc.

    TCO sans SUS over 5 years = 56000 = (1 x 1000) + (5 x 10000) + (5 x (1 x 1000))

    TCO with SUS over 5 years = 62000 = (2 x 1000) + (5 x 10000) + (5 x (2 x 1000))

    z will always be significantly lower than y? I guess so.

    I know these numbers are bogus, but your conclusion that SUS decreases TCO isn't really so simple. If by installing a SUS server you are reducing the cost of the resources required to manage and install patches by an amount that is greater than the TCO of the SUS server, then yes, the TCO of your entire setup will decrease, BUT many small businesses won't get any obvious or measurable cost benefit. Unless they are only paying for patching resources as required, they will still pay fixed yearly costs (i.e. a couple of staff members), and if the patching of Windows boxes becomes too burdensome the cost will be in lost time that these staff members could be spending on useful projects rather than on patching Windows boxes.

  15. Re:SUS is an increase in TCO on Worms Jack Up the Total Cost of Windows · · Score: 1

    SUS is free? The SUS software itself may be free, but the platform you run it on is not. Windows Server 2000 and/or Windows Server 2003 are not free. And the hardware you run it on is not free.

    How can this be construed to be a reduction in TCO? I get no value from the SUS server, it's just a required resource because of problems with the Windows software which I've paid for and which is installed on other computers.

    n Windows machines = $$$
    n Windows machines + 1 SUS server = $$$$

    cost per machine without SUS = $$$/n
    cost per machine with SUS = $$$$/n (i.e. it's more)

    Obviously the installation and management of patches is now a fact of life and your TCO has to include provision for this. But that's the whole point. When people bought into the Windows world they didn't expect to be burdened with the amount of patch management which is required. TCO has no doubt increased due to the number and frequency of patches which have to be installed and the need to install extra systems such as a SUS server.

  16. SUS is an increase in TCO on Worms Jack Up the Total Cost of Windows · · Score: 1

    The whole point of the article is that worms increase the TCO of Windows. If using Windows requires the installation (and maintenance) of a Windows 2000/2003 SUS server then of course that is an added cost burden and the TCO increases.

    Just like all those other things which any sane IT department would consider a requirement when protecting a Windows environment:-

    centralised automated virus updating.
    virus scanning of all email.
    attachment blocking on email.
    blocking/scanning of malicious web content.
    IDS on default route from Windows machines.
    firewalling of Windows LAN segments.
    etc.

    They all cost money to install and maintain and increase the TCO of using Windows.

  17. Re:*Of course* MS did their job... on Sasser Worm Takes Down UK's Coastguard · · Score: 1

    Not a Windows Nazi? But I'd guess you are a Windows apologist. You keep rolling out these hackneyed arguments about Linux being a toy used by kids. This doesn't bear scrutiny - do you have any idea how many LARGE companies use Linux on their back end systems?

    If you use the system that "gets you there faster", how much Linux do you have installed? It works, it's stable, and if you are competent it is MUCH easier to control and maintain than Windows. There are no valid technical reasons not to use it for critical back end functions, such as DNS, DHCP, SMTP, HTTP, port proxying, packet filtering, etc, etc.

    We bought Windows because it was CHEAP, not because of its utility. Replacing friggin Wang word processors, and IBM midframes with NT and 95 was a great cost saver. Now when these functions are being commoditised, the Microsoft equation is a lot less compelling.

    I'd like to believe "security issues start to dwindle in the near future". But unless you are an insider then you really aren't privy to any information which would support this, are you? What are you basing it on? Wishful thinking? Or do you have concrete evidence that the number of critical Windows flaws in the installed base of millions of 95, 98, ME, NT, and 2000 systems is decreasing? Personally I think it will get MUCH worse before it starts to get better.

    PS I couldn't give a damn what I purchase and install - as long as it works (and gives me less headaches). These Windows exploits and worms increase my workload and stress and really are starting to piss me off.

  18. *Of course* MS did their job... on Sasser Worm Takes Down UK's Coastguard · · Score: 1

    And only today they told me how well they do it with the informative blurb below. Secure by Design, Secure by Default, Secure in Deployment, indeed. If it is so f'ing secure, why do we find ourselves in the present Sasser worm hell? What worm won't MS be responsible for next week - remember MS04-011 isn't just a LSASS vulnerability, it's many flaws all rolled up into one helpful patch and security bulletin:-

    LSASS Vulnerability - CAN-2003-0533
    LDAP Vulnerability - CAN-2003-0663
    PCT Vulnerability - CAN-2003-0719
    Winlogon Vulnerability - CAN-2003-0806
    Metafile Vulnerability - CAN-2003-0906
    Help and Support Center Vulnerability - CAN-2003-0907
    Utility Manager Vulnerability - CAN-2003-0908
    Windows Management Vulnerability - CAN-2003-0909
    Local Descriptor Table Vulnerability - CAN-2003-0910
    H.323 Vulnerability - CAN-2004-0117
    Virtual DOS Machine Vulnerability - CAN-2004-0118
    Negotiate SSP Vulnerability - CAN-2004-0119
    SSL Vulnerability - CAN-2004-0120
    ASN.1 "Double Free" Vulnerability - CAN-2004-0123

    Anyway for your reading pleasure here is Microsoft's take on the situation:-

    Microsoft is committed to enabling every customer to work, communicate, and transact business more securely. Behind the global security mobilization announced in October 2003, we will continue toward that goal by working closely with customers, partners, and the industry. We measure our efforts using the SD+C Framework:

    Secure by Design: Implementing threat modeling and other key security considerations in design and development stages. These considerations include: mandatory training in writing secure code; code reviews and penetration testing; automated code diagnostic tools; and redesigned architecture to maximize software resilience.

    Secure by Default: Maximizing security in default configurations of shipped software. To reduce risk of attack, Microsoft has changed default configurations so that service settings are not enabled at delivery.

    Secure in Deployment: Promoting more secure deployment and management of our software. These efforts include scanning tools, services (including patch management with configuration verification functions), and localized versions of security bulletins and tools, such as Software Update Services and Baseline Security Analyzer.

    Communications: Keeping customers informed. These efforts include timely communication about software update releases and our worldwide Security Response Process. In addition, we are working with government, partners, and academia to deliver security education, offer security certification programs for IT professionals, and conduct consumer protection campaigns worldwide.

  19. HELO HOMECOMPUTER on First CAN-SPAM Lawsuit Filed in California · · Score: 2, Interesting

    After noticing all the spam sent from machines using uppercase non-qualified HELO names, I hacked our SMTP listener to trap all the mail sent from them.

    I did this in November and so far it's trapped tens of thousands of spam mails and less than ten valid mailers. Of these valid mailers, two said they had no idea they were using these names and promptly changed them to FQDNs, one was not happy, and the others didn't respond to my messages so their mail is still trapped/refused - my users didn't want the mail from them anyway, so it's really no loss.

    I'd recommend blocking HELO NETBIOS-NAME for incoming mail as it stops heaps of spam with very little impact on valid mail.
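    The HELO check described in this comment, as an added example that is not the commenter's own listener code: a classifier for uppercase, unqualified (NetBIOS-style) HELO/EHLO names that leaves RFC-valid address literals and qualified hostnames alone, run over a constructed session log (all hostnames and addresses below are made up).

```python
import re

# Address literals such as [192.0.2.10] or [IPv6:2001:db8::1] are valid
# HELO arguments under RFC 2821 and must not be caught by the heuristic.
ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f.:]+\]$")

# A bare NetBIOS-style name: no dot, uppercase letters/digits/-/_ only,
# at most 15 characters (the NetBIOS name length limit).
NETBIOS_STYLE = re.compile(r"^[A-Z0-9_-]{1,15}$")


def classify_helo(helo: str) -> str:
    """Return 'accept' or 'trap' for one HELO/EHLO argument.

    Implements the comment's heuristic: trap uppercase, unqualified names
    (a Windows host announcing its NetBIOS name) and pass everything else.
    """
    helo = helo.strip()
    if not helo:
        return "trap"          # an empty HELO is never legitimate
    if ADDRESS_LITERAL.match(helo):
        return "accept"        # RFC-valid address literal
    if "." in helo:
        return "accept"        # qualified name, leave it to other checks
    if NETBIOS_STYLE.match(helo):
        return "trap"          # HELO HOMECOMPUTER and friends
    return "accept"            # lowercase bare names are not targeted


# Constructed SMTP session log for this example (not real traffic).
SAMPLE_LOG = """\
2004-01-05T10:00:01 client=[192.0.2.10] HELO HOMECOMPUTER
2004-01-05T10:00:07 client=[192.0.2.11] EHLO mail.example.org
2004-01-05T10:00:09 client=[192.0.2.12] HELO [192.0.2.12]
2004-01-05T10:00:15 client=[192.0.2.13] EHLO DESKTOP-7F3A2B
2004-01-05T10:00:22 client=[192.0.2.14] HELO localhost
2004-01-05T10:00:30 client=[192.0.2.15] EHLO LAPTOP.corp.example
"""

HELO_LINE = re.compile(r"\b(?:HELO|EHLO)\s+(\S+)\s*$")


def scan_log(log: str) -> dict:
    """Classify every HELO/EHLO in the log; return counts and trapped names."""
    result = {"accept": 0, "trap": 0, "trapped": []}
    for line in log.splitlines():
        m = HELO_LINE.search(line)
        if not m:
            continue
        verdict = classify_helo(m.group(1))
        result[verdict] += 1
        if verdict == "trap":
            result["trapped"].append(m.group(1))
    return result


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```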

  20. Re:UUNet the Home of Spam on UUNet Is The Number 1 Spam Host · · Score: 1

    You willfully sent them 1000 spam messages that had nothing to do with them to their abuse role account, so they blocked you from mailing them. Sounds reasonable to me.

    In the circumstances, blocking me was so hypocritical as to be unreasonable.

    Because UUNet can't control their customer, I should suffer? They abused my domain. I got tens of thousands of bounces. My domain got added to local blocklists all over the Internet. I got hundreds of irate people saying stop sending them porno spam. etc, etc.

    The other ISP was very pro-active and shut down this spammer immediately when I phoned them up.

    But with UUNet it took threats of legal action before the spam stopped.

    And UUNet can't cope with a few misdirected bounces?

    Boo hoo poor wittle uu net.

  21. UUNet the Home of Spam on UUNet Is The Number 1 Spam Host · · Score: 5, Interesting

    My experience with UUNet:-

    1. In 2000 a spammer in Louisiana forges one of my domains in spam runs sent via UUNet - I get tens of thousands of bounces and hundreds of complaints.

    2. I complain to UUNet - no action.

    3. I phone UUNet security as the runs are being sent - no action.

    4. Every weekend for 2 months this happens and I get sick of it.

    5. I start to autobounce all this junk back to abuse@uunet.com.

    6. Spammer sends a run using a different ISP.

    7. UUNet gets really pissed that I bounce 1000 mails to abuse@uunet.com which didn't originate from their network (with some justification).

    8. UUNet block all access from my class C to their servers.

    9. The spam runs sent via UUNet continue....

    Forward to 2004, I still can't send mail to uunet.com!

  22. OT: Anyone know any good places to post pics? on Visual Autopsy Of An ATM Card Skimmer · · Score: 1

    Sorry for the OT reply to my own message, but the link I posted to the image of the skimmer is now broken. Anyone know any good places to post pictures which can then be linked to? I googled for a free photo site, uploaded the picture and hoped it'd work for long enough, guess not.

    So does anyone know a good place to post pictures? (I don't want to use my systems :)

  23. Re:can it be used with SA? on Two Spam Filters 10 Times As Accurate As Humans · · Score: 1
    Bayes is good but sometimes a regex is very useful to trap "special" spam signs:-

    body Viagra1 /\b(?!viagra)(?:v|\\\/).?[ili1\|\!].?[4aa\@].?g.?[ 4aa\@]?.?r.?[4aa\@]/i
    score Viagra1 100

    Averaging isn't really the right term, is it? It's more like aiding and abetting the filter by adding and subtracting scores to get a total indication of how spammy the message is - this allows you to set up rules specific to your circumstance to help the Bayesian classifier avoid FPs (and FNs).
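    The additive scoring this comment describes, as an added example (not SpamAssassin's code and not the commenter's): the Viagra1 rule above transcribed into a Python regex, a constructed mapping from a Bayesian probability to BAYES_* style score buckets (values assumed), and a constructed site-specific negative rule (LOCAL_PHARMACY_NEWS, assumed) that rescues a legitimate local newsletter, all summed against SpamAssassin's default required_score of 5.0.

```python
import re

# The Viagra1 body rule from the comment as a Python regex; Perl syntax
# carries over unchanged, and \\/ matches the "\/" V-lookalike.
VIAGRA1 = re.compile(
    r"\b(?!viagra)(?:v|\\/).?[ili1|!].?[4a@].?g.?[ 4a@]?.?r.?[4a@]", re.I)

# Rule table: name -> (regex, score). Viagra1 keeps the comment's score of
# 100; LOCAL_PHARMACY_NEWS is a constructed site-specific rule that marks a
# known local mailing list as wanted (an assumption for this example).
RULES = {
    "Viagra1": (VIAGRA1, 100.0),
    "LOCAL_PHARMACY_NEWS": (
        re.compile(r"^List-Id: pharmacy-news\.example\.org$", re.M), -120.0),
}

# Constructed Bayes buckets: (lower bound, rule name, score contribution).
BAYES_BUCKETS = [
    (0.99, "BAYES_99", 3.5),
    (0.80, "BAYES_80", 2.0),
    (0.40, "BAYES_50", 0.8),
    (0.05, "BAYES_05", -0.5),
    (0.00, "BAYES_00", -1.9),
]

REQUIRED_SCORE = 5.0  # SpamAssassin's default threshold


def bayes_rule(prob: float):
    """Pick the highest bucket whose lower bound the probability reaches."""
    for lower, name, score in BAYES_BUCKETS:
        if prob >= lower:
            return name, score
    return "BAYES_00", -1.9


def score_message(message: str, bayes_prob: float):
    """Sum every matching rule's score plus the Bayes bucket; return (total, hits)."""
    total, hits = 0.0, []
    for name, (pattern, score) in RULES.items():
        if pattern.search(message):
            hits.append(name)
            total += score
    bname, bscore = bayes_rule(bayes_prob)
    hits.append(bname)
    total += bscore
    return round(total, 2), hits


def is_spam(message: str, bayes_prob: float) -> bool:
    return score_message(message, bayes_prob)[0] >= REQUIRED_SCORE


# Constructed messages (headers + body) used to exercise the rules.
OBFUSCATED = "Subject: cheap meds\n\nGet V1AGRA and \\/!@gra today, no script"
PLAIN_WORD = "Subject: refill reminder\n\nYour viagra prescription is ready"
NEWSLETTER = ("List-Id: pharmacy-news.example.org\nSubject: weekly\n\n"
              "New generics: v1agra pricing")

if __name__ == "__main__":
    for msg, prob in ((OBFUSCATED, 0.5), (PLAIN_WORD, 0.03), (NEWSLETTER, 0.995)):
        print(score_message(msg, prob), is_spam(msg, prob))
```

    Note that the plain word "viagra" is deliberately excluded by the rule's negative lookahead, so an unobfuscated mention is left entirely to the Bayesian score.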
  24. Re:Teller versus ATM on Visual Autopsy Of An ATM Card Skimmer · · Score: 2, Funny
    • The bank needs a special express line for people who are under 50 years old, can speak English well, and have very simple transactions to make
    They tried that, but all the old people who can't read English kept standing in it.
  25. Skimmer with Radio Transmitter on Visual Autopsy Of An ATM Card Skimmer · · Score: 3, Informative
    The ones in Hong Kong use radio transmitters instead of flash cards. Here is a picture of one installed on an ATM. Pretty hard to see, huh? Also here is the police report:-

    Crime Information : Skimming Device Installed in ATM (TW RN04000499)

    Location : Two ATMs outside Hang Seng Bank, Tai Ho Road.

    Facts: On 2004.01.05, ATM maintenance worker of Hang Seng Bank conducted a routine check and confirmed that 2 metal covers (of same design) were being 'fitted' onto the top ledges of two of the ATM machines.

    The Skimming Device:-

    i) the metal covers, 60cm x 4cm x 2cm in size, painted in the same colour as the ATM, were installed perfectly onto the top ledge of the ATM panel;
    ii) a pinhole camera lens was installed inside the metal cover facing the screen panel with a view to reading the PIN number. This was connected to a transmitter which has an emitting range of about 200M and could work for 9-12 hours with three 9-watt batteries, and
    iii) a false card reader was believed to have been fixed to the card slot of the ATM but had been removed prior to being discovered.
    iv) This is the first time that a device of this nature was placed in such a busy location. The device was first reported by a bank customer on 2004.01.04 but no action was taken by the bank until 2004.01.05. CCB will follow-up on this issue.