Friday, December 02, 2005

"Illegal Websites" Virus

The virus writers are certainly busy these days.

One of the latest of the mass-mailing worms is sober.x. This is a variation of the earlier sober.c worm that hit email inboxes during 2003.

sober.x usually claims to be from a 'Steve Allison' who supposedly works for a government agency such as FBI or CIA, and warns the reader that the agency has been tracking visitors to illegal websites. The message goes on to say that the recipient has been tracked visiting a number, usually 30, of these websites and demands that the recipient answer a list of questions. Needless to say, the message itself is pure, unmitigated BS. The aim is to get the recipient to open an attached ZIP file and allow the virus to install on their PC.

Once the little beast has made a nest for itself, sober.x may attempt to disable security and firewall programs, replicate itself by sending messages to contacts found in e-mail address books, block access to various security web sites, and open security holes that allow outsiders to gain unrestricted access to personal information stored on the PC.

The FBI has issued a warning about sober.x:

"The FBI today warned the public to avoid falling victim to an on-going mass e-mail scheme wherein computer users received unsolicited e-mails purportedly sent by the FBI. These scam e-mails tell the recipients that their Internet use has been monitored by the FBI and that they have accessed illegal web sites. The e-mails then direct recipients to open an attachment and answer questions."

"The e-mail appears to be sent from the e-mail addresses of mail@fbi.gov and admin@fbi.gov. There may be other similarly styled addresses. The recipient is enticed to open the zip attachment which contains a w32/sober.jen@mm worm. The attachment does not open and its goal is to utilize the recipient's computer to garner information. Secondly, the virus allows the e-mail to be forwarded to all those listed in the recipient's address book."

There are a variety of Subject Lines that are used in the delivery package including:

* hi, ive a new mail address
* Mail delivery failed
* Paris Hilton & Nicole Richie
* Registration Confirmation
* smtp mail failed
* You visit illegal websites
* Your IP was logged
* Your Password

As is all too often the case, only PCs running any flavor of Microsoft's Windows can be infected. (One must wonder how much longer consumers will put up with Windows' truly horrendous security track record. It also begs the question "why would anyone trust any Microsoft product to be secure?")

Most anti-virus products are either able to detect this beast now or will be able to very soon. As always, folks, keep those definition files up to date and NEVER open an attachment unless you are positive about what it contains and where it came from!

A couple of things to keep in mind. First, if you are like most folks connected to the internet, you are using a dynamic IP address. This means that each time you connect you get a different IP address, which makes it pretty darned tough to track anything that you do. Second, no government agency will ever send a message like this. If they really are concerned about your activities, you are much more likely to receive a personal visit.

Most of our clients are Windows users. Despite grave misgivings about the security of Windows, we do understand that for many, if not most, folks there really is no other viable option. All operating systems have security concerns, but this should not deter people from using the internet. Simple precautions, such as using anti-virus software and/or firewalls, will go a long way towards providing reasonable security. Dealing with service providers who include frontend anti-virus and anti-spam filtering is another good precaution.

But in the end folks, your online security is your responsibility. It is up to you to make sure that reasonable precautions are in place, that anti-virus products are up to date and that you are not opening any attachments.

Rich
Dogsoldier.com LLC
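As an added illustration (not code from the original post, and not an anti-virus signature), here is how a mail administrator could turn the indicators listed above into a triage check: the spoofed mail@fbi.gov / admin@fbi.gov senders and the subject lines come from the post and the FBI advisory it quotes, the ZIP-plus-lure scoring rule and the two sample messages are constructed for the demo.

```python
"""Heuristic triage for Sober.X-style lures (added example, not the post's code).
It turns the indicators the post lists (spoofed FBI senders, known subject
lines, a ZIP attachment) into a check that can run over incoming mail."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted from the post and the FBI advisory it reproduces.
SPOOFED_SENDERS = {"mail@fbi.gov", "admin@fbi.gov"}
LURE_SUBJECTS = {
    "hi, ive a new mail address",
    "mail delivery failed",
    "paris hilton & nicole richie",
    "registration confirmation",
    "smtp mail failed",
    "you visit illegal websites",
    "your ip was logged",
    "your password",
}


def attachment_names(msg):
    """Lower-cased filenames of every part that carries a filename."""
    return [part.get_filename().lower()
            for part in msg.walk()
            if part.get_filename()]


def assess_message(raw_bytes):
    """Score one RFC 5322 message; returns the reasons found and a verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() in SPOOFED_SENDERS:
        reasons.append(f"spoofed sender {sender}")

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject '{subject}'")

    zips = [n for n in attachment_names(msg) if n.endswith(".zip")]
    for name in zips:
        reasons.append(f"zip attachment {name}")

    # A ZIP plus any other indicator is the worm's delivery pattern (assumed rule).
    if zips and len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample_lure():
    """Constructed message imitating the lure described in the post."""
    m = EmailMessage()
    m["From"] = "Steve Allison <mail@fbi.gov>"
    m["To"] = "user@example.net"
    m["Subject"] = "You visit illegal websites"
    m.set_content("We have logged visits to 30 illegal websites from your IP.\n"
                  "Answer the questions in the attached file.\n")
    # A few placeholder bytes stand in for the archive; nothing executable.
    m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                     subtype="zip", filename="list.zip")
    return m.as_bytes()


def build_sample_benign():
    """Constructed ordinary message with no attachment."""
    m = EmailMessage()
    m["From"] = "Grandma <grandma@example.org>"
    m["To"] = "user@example.net"
    m["Subject"] = "Happy holidays"
    m.set_content("Hope to see you at Christmas!\n")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        print(assess_message(raw))
```

The subject list alone is weak evidence (the worm's subjects are ordinary phrases), which is why the verdict only reaches "quarantine" when a ZIP attachment is present together with another indicator; a signature-based scanner on the gateway remains the real control, and this check only buys time before definitions catch up.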

Wednesday, November 30, 2005

Fancy New Phish Surfaces

There is a new and sophisticated Paypal phish scam starting to spread on the internet. The information that follows has come from various folks who share information regarding phishing (thanks Peter).

Paste starts here...

The complete URL is:
http://www.google.pt/url?sa=U&start=4&q=http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php

Which goes to:
http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php

When the link "Click here to go to our main page" is clicked, it will open a javascript: "java script: Start('sysdll.Php')"

When opened it will construct the fraudulent website according to your default browser.

I've tested with:

- Firefox
- Internet Explorer
- Opera

All latest versions with all relevant patches.

The fake address bar used may trick someone into thinking that they are actually on https://www.paypal.com. Watch and observe. This is indeed trickily done.

Paste ends here ...

Folks, as always, never open a link in an email UNLESS you know what you are doing and you know where it will go. No reputable financial institution or government agency will ever send you emails requiring you to visit any site and verify personal information.

Surf smart, surf safe

Rich
Dogsoldier.com
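The link quoted above works by wrapping the phishing page in a Google redirector and then borrowing "www.paypal.com" as a directory name on the real host. Here is an added example (not code from the original post or from the people who shared the paste) of the link triage a mail filter or help desk can do before anyone clicks: unwrap the redirect parameter and compare the host that will actually be visited with the brand name appearing in the path. The URL is the one in the post; the list of redirect parameter names beyond `q` and the brand list are assumptions.

```python
"""Link triage for a redirect-wrapped phish (added example, not the post's code)."""
from urllib.parse import urlsplit, parse_qs

# 'q' is the parameter abused in the post; the others are common redirector
# parameter names and are an assumption.
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target")
# Brands whose name is borrowed in the path; only paypal.com comes from the post.
BRANDS = ("paypal.com",)


def hostname(url):
    """Host part of a URL without userinfo or port, lower-cased."""
    return urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def redirect_target(url):
    """Absolute URL carried in a redirector query parameter, or None."""
    query = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                return value
    return None


def analyze_link(url):
    """Follow one redirector hop, then compare the real host with brand names in the path."""
    hops = [url]
    inner = redirect_target(url)
    if inner:
        hops.append(inner)
    final = hops[-1]
    host = hostname(final)
    path = urlsplit(final).path.lower()

    findings = []
    if inner and hostname(url) != host:
        findings.append(f"redirector on {hostname(url)} forwards to {host}")
    for brand in BRANDS:
        # A brand name inside the path of a host that is not that brand is the
        # look-alike trick the paste describes.
        if brand in path and host != brand and not host.endswith("." + brand):
            findings.append(f"'{brand}' appears in the path but the host is {host}")
    return {"hops": hops, "final_host": host, "findings": findings}


# The exact link quoted in the post.
PHISH_URL = ("http://www.google.pt/url?sa=U&start=4"
             "&q=http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php")

if __name__ == "__main__":
    print(analyze_link(PHISH_URL))
    print(analyze_link("https://www.paypal.com/index.php"))
```

The check is deliberately syntactic: it never fetches the page, so it is safe to run on every link in an inbound message, and it explains the verdict in terms a user understands ("the host is dns1.n-kiso.co.jp, not paypal.com"), which is the point the paste makes about the fake address bar.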

Monday, November 28, 2005

Personal Filtering Tools and RBLs

One thing that is certain every Thanksgiving and Christmas season is that mail traffic will significantly increase, both in terms of the number of messages and the average size of messages. Part of this traffic increase is due to folks sending seasonal greetings and e-cards, but a large part of the increase is due to increases in spam and spyware/malware messages (phishing, etc.).

What also increases is the number of "false positives", messages rejected or marked as spam that should have been accepted as valid. For instance, the e-card sent to you by Grandma that keeps getting bounced as spam or spyware.

Many of these false positives come not from commercial mail servers equipped with filtering technology but from the millions of filtering products in use on personal computers. Sadly, most of these products are not set up correctly, which in turn increases the number of false positives.

Installing a product such as MailWasher is usually very easy and clean; developers put a lot of thought into how to make their products "load and go". The problems begin post-install, the time when users are able to control the severity of the filtering. This is when you can add blocks for annoying messages from a former friend or instruct the filter product to not block messages from your favorite mail list.

Many of these products make use of one or more of the many Remote Blackhole Listing (RBL) services. In many cases the user is able to add or remove RBLs. Unfortunately, most users do not have the background to make these decisions based upon a thorough review of how a particular RBL functions. The end result is usually frustrated users and a flood of angry emails to the ISP/ASP's support folks.

The following material is the result of one of these 'angry messages'. The content has been cleaned up a bit to protect the identity of the sender and to fix a few spelling errors.


Hello XXXXX,

You want to be careful about relying upon the RBL lists. It is not unusual for a domain or IP to show up as blocked for a day or two and then clear up. Even the major services such as AOL have been listed by one RBL or another at various times.

[As of two minutes ago, checking 195.92.246.182 on openrbl against 38 blacklists showed the IP is positively whitelisted on 4 lists, positively blacklisted on two (spamcop and spambag), neutrally whitelisted on one and neutrally blacklisted on 29 lists.]

We each have to decide for ourselves what RBL lists to trust but, for what it is worth, we stopped using spamcop with our commercial mail servers due to far too many false positives. After a lot of testing, tweaking and client feedback, we have found a set of RBLs that seem to work fairly well: sbl.spamhaus.org, relays.ordb.org, and relays.mail-abuse.org. These services place more importance on whether or not a domain's mail server is an open relay, since almost all spam flows through open relays.

It is also important to remember that each RBL service has a different set of criteria for listing someone. Some of these lists are known to be very lenient, others are known to be overly sensitive. Some go through a very thorough investigation, others merely react to a report from a disgruntled reporter. Some accept and act upon content complaints, others only react to open relays.

The bottom line is that there are a ton of RBL lists, each with its own philosophy on how to filter, and it is important that you understand their processes and criteria if you are going to use them.

Our advice to our email clients is to not do any RBL checking on their local machine (we do that at the frontend, along with SpamAssassin and Bayesian filtering). If you want to filter, which is not a bad thing since no frontend filtering system is 100% foolproof, do so based upon content. For instance, the Thunderbird email client has an excellent Junk mail filter component that is completely within the control of the user. You decide what is junk and what isn't. I don't use Outlook but my understanding is that it has something similar.

If it is any consolation, over the last 3.5 years, we have seen Smartgroups listed and delisted so many times that I stopped counting. ;>

Rich
Dogsoldier.com, LLC
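Since the whole post turns on how an RBL decides that 195.92.246.182 is "listed", here is an added example (not code from the original post) of the mechanism itself: an RBL is a DNS zone, the client reverses the octets of the address and looks up `182.246.92.195.<zone>`, and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The zone names are the ones the post mentions (several no longer answer today, so live use needs current zones); the per-list weights, which encode the post's advice to trust a single SpamCop hit less than a relay-oriented list, and the stub answers for the offline run are constructed.

```python
"""How an RBL/DNSBL check works (added example, not the post's code)."""
import ipaddress
import socket

# Zones named in the post (2005-era; some are gone). Weights are an assumption
# encoding the post's advice: relay lists are trusted alone, SpamCop is not.
DNSBLS = {
    "sbl.spamhaus.org": 1.0,
    "relays.ordb.org": 1.0,
    "relays.mail-abuse.org": 1.0,
    "bl.spamcop.net": 0.3,
}


def dnsbl_query_name(ip, zone):
    """195.92.246.182 on zone Z is looked up as 182.246.92.195.Z."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name):
    """Real lookup: an A record (127.0.0.x) means listed, NXDOMAIN means not."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, resolver=live_resolver, zones=DNSBLS, threshold=1.0):
    """Query every zone, weight the hits, and decide whether to reject the sender."""
    listed_on = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            listed_on[zone] = answer
    score = sum(zones[z] for z in listed_on)
    return {"ip": ip, "listed_on": listed_on, "score": score,
            "reject": score >= threshold}


# Constructed stub answers so the example runs offline: the post's IP is
# listed only by SpamCop, a documentation-range IP is listed by the SBL.
STUB_ANSWERS = {
    "182.246.92.195.bl.spamcop.net": "127.0.0.2",
    "1.2.0.192.sbl.spamhaus.org": "127.0.0.2",
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("195.92.246.182", "192.0.2.1", "192.0.2.2"):
        print(check_ip(ip, resolver=stub_resolver))
```

With these weights the post's IP, listed only by SpamCop, scores 0.3 and is delivered, while an SBL listing alone is enough to reject. That is the practical form of the advice above: each list has its own criteria, so the decision belongs in a weighted policy at the mail frontend rather than in a desktop filter that treats every RBL hit the same.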

Wednesday, September 21, 2005

It's Back, Again

The internet is without a doubt an extremely interesting thing to watch and study. For all the changes in technology and capabilities, some things seem to stay the same. Take for instance, email-borne hoaxes.

In 2004, an email started to circulate warning that Swiffer WetJet posed a general danger to household pets. Several variations surfaced claiming that someone's dog or cat or bird or gerbil or whatever had died due to licking something that had come in contact with a surface cleaned with a Swiffer WetJet. For instance, the dog walked on a freshly cleaned floor, licked its paws and died. The variations were consistent in claiming that the cause of death was liver failure and that when the grieving pet owner contacted Procter and Gamble, they were told that an ingredient used in the fluid was "one molecule away from antifreeze".

After circulating for awhile and causing countless pet owners to panic and forward the warning message to everyone in their Address Books, clogging mail servers and inboxes, the hoax faded away.

It is now September 2005 and the hoax is back for another round of silliness.

Folks, THIS IS WELL DOCUMENTED TO BE A HOAX [For the truth]. It is also a great example of how some things on the internet take on a life of their own.

When you receive these sincere sounding warnings, before rushing to send the warning to everyone you know, take a minute and visit Snopes.com. This is one of the best resources for helping to reveal what is or isn't a hoax.

Remember, just because it's on the internet, that doesn't make it true.

Wednesday, June 08, 2005

2005 Canadian Flatcoated Retriever Specialty

If you are into Flatcoated Retrievers, be sure to check out the Canadian Specialty, July 21 through 24 in ThunderBay. This will be a great time for anyone with an interest in Flatcoats.

2005 Canadian Flatcoated Retriever Specialty

In the interest of total disclosure - yes I am a Flatcoated Retriever admirer.