Gustav Web Site Warnings

The Internet Storm Center (http://isc.sans.org/) has the usual warnings of bogus domain names related to the Gustav hurricane. These always crop up during high-visibility events.

Don’t go there. If you want to help out with donations, use the Red Cross or similar known organizations.

And ignore those ‘news alerts’ about the hurricane (or anything else). Clicking on those links will add your computer to the bot list, along with probable damage to your bank account.

(9/2/08: fixed typo in post title – changed ‘wen’ to ‘web’. what the heck is a ‘wen’ anyway?)

News Alerts are Not Your Friends!

Don’t click on links in those CNN or MSNBC “news alerts”! Or similar ones that will appear in your mailbox.

Bad viruses and spyware will happen, along with possible identity and financial theft. Don’t even try the “unsubscribe” links.

If you think you have problems with spyware, then a great resource is the “Hijack This” folks. Start with their tutorial here to get the HijackThis! software, and to submit your results. Make sure you carefully follow the tutorial. Those guys really know how to get rid of malware. I use them after the anti-virus and anti-spyware software can’t do anything.

You might also try the Microsoft on-line scanner (www.microsoft.com/protect) and their Windows Defender program (both free).

And don’t forget your updates of all software (not just Microsoft).

Olympics Spam Warning

Watch out for email messages about the Olympics that ask you to click on a link to watch a video or get more info. They will probably look a lot like that CNN spam that you might have seen earlier this week. The links in the CNN spam resulted in installation of viruses/spyware and keystroke loggers on computers. The Olympics spam will try to do the same.

When (not if) you get those “Olympic” emails, don’t click on the links! Just click on the Trash icon to delete the message.

If you want updates on the Olympics, just go to the usual mainstream news sites.

Unless you really want to have a keystroke logger on your computer, or be a spam relay, or a victim of identity theft.

CNN Top Ten Spam

New malware’d email with subject of “CNN.com Daily Top 10”, or something similar. The emails come from random users, probably nobody you would recognize. The message provides links to the ‘top 10’ CNN videos, many with ‘attractive’ titles.

But the links will send you to a page that only looks like CNN’s video site. The page is actually hosted on a compromised web site. The page name is usually ‘index2.html’. A ‘redirect’ command on that page will, after about 12 seconds, pop up a message about a “Flash Player Update” that is required to view the videos.

And clicking on that will get your computer compromised with a downloader trojan that will allow the attacker to download any program they want, including spyware, password grabbers, spam mail relaying, and more.

As usual, Safe Computing works. Unsolicited emails with “attractive” content are usually not good.

And if you have a web site, you might want to check for an ‘index2.html’ file. That would mean that your site was successfully attacked with a SQL injection attack, writing pages on your web server and putting modified content in your web pages.

That’s never good.

LRN 2 TXT

The recent earthquake in LA showed that the phone network will probably get overloaded in any localized emergency.

One of the things that you want to do in emergency preparedness is to be able to contact your family. You establish a central meeting place, or a way to communicate with your family. Most people will automatically reach for their cell phones. And they’ll probably get a busy signal, because all the circuits are busy.

Smart people will reach for their cell phone, but will send a text message to their family members or other contacts. Text messages, because they are transmitted differently, will get through when a cell phone call won’t.

So, you may want to ensure all members of your family know to use text messaging during an emergency. We know that your older children probably know how to text message (and you’ve probably got the cell phone bills to prove it).

If you don’t know, ask your children to teach you.

LRN 2 TXT.

(originally appeared on Digital Choke)

Spam Blacklists and Peter G

I was reading Peter Glaskowsky’s blog (Speeds and Feeds here) where he posits that some of his mail sent through Comcast (his ISP) is being blocked because his Comcast IP is on a blacklist.

I was going to add a comment, but it was getting long, so I thought I would explain my theory here. So, first, go read his blog entry. I’ll wait. Then come back here for my theory.

Welcome back.

I don’t think that Peter’s problem is with his Comcast IP being on a blacklist. I think that the problem is with one of the mac.com mail servers being on a blacklist.

As I mentioned before on a private list, at the office I have one external user with a mac.com address who has problems with *some* of his mail being blocked by our web filter. Whenever his mail goes through a particular mac.com server, that mac.com mail server’s IP address is on our vendor’s mail filter blacklist (we use the Websense/Surfcontrol mail filter product). They have a database of known spam IP addresses that they build with an automated process. If their sensors detect 99%+ of mail from a particular IP address as spam, they put that IP address on their blacklist. We use that blacklist to block about 80% of the spam attempts we get (about 500,000 a day).

If I take the mail header from one of Peter’s mail messages, using the excellent Email Header Analyzer here (http://www.mxtoolbox.com/EmailHeaders.aspx), I see that his mail comes from one of the mac.com servers (asmtp020.mac.com). His email address domain name (that’s the part after the “@” in your email address) is at mac.com, not comcast.net. The mac.com mail server is sending out his email. The IP address of that mac.com mail server is the IP address that will be used by the blacklists to determine if that mail server is a spammer.

In my external user’s case, his email (from mac.com) is randomly assigned to one of many mac.com mail servers. Usually, that works fine. But one of the mac.com mail servers is on our blacklist. And therefore any message he sends that is randomly assigned to that ‘bad’ mail server will get blocked.

Again, this is a random problem that only happens when his message is assigned to a ‘bad’ mail server. And that’s what I think is randomly happening to Peter’s email.

A computer that is infected with a ‘spam bot’ will send out mail using the mail server that was installed on the user’s computer when the spam bot was installed via malware. The spammer will then ‘relay’ messages through the spam bot computer using the spam bot’s internal mail server. The result is that the mail will appear to come from a ‘mail server’ at the computer’s IP address.

If the computer has Comcast (or anyone else) as its Internet Service Provider, then the user’s Comcast-assigned IP address will be seen as the IP address of the mail server (the spam bot) sending out the spam. And that IP address will eventually get on a black list. That’s why you would see lots of Comcast IP addresses on spam lists.

Peter’s mail is not coming from a Comcast email address. It is coming from a mail server at mac.com. And one of those mac.com mail servers is on the blacklist.

Now, it could be that Peter’s Comcast IP address is within an IP range on a blacklist. So if Peter has his own mail server at his place, his mail would be coming from that Comcast IP address. (Although he would have a dedicated IP address with the MX – Mail Exchange – record for his domain name.)

But Peter’s mail is coming from mac.com. It has to, the domain name of his email address is mac.com. It may be that the messages that aren’t being delivered are coming from a ‘bad’ email server at mac.com. And that mac.com mail server is the one on the blacklist.

That’s my theory. You are welcome to discuss it in the comments.
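To make the point concrete, here is an added example (my own, not code from the post or from MXToolbox) that pulls the relay chain out of a message’s Received headers and scores only the last hop, the way an IP-reputation filter does. The headers, the IP addresses (TEST-NET values) and the blacklist entry are constructed; asmtp020.mac.com is the server named above.

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample: a mac.com user on a Comcast connection submits mail to a
# mac.com outbound server, which then hands it to our mail filter. The IP
# addresses are TEST-NET values made up for this example.
SAMPLE = """\
Received: from asmtp020.mac.com (asmtp020.mac.com [192.0.2.20])
\tby mailfilter.example.org with ESMTP id 1KTest
\tfor <someone@example.org>; Tue, 12 Aug 2008 10:00:00 -0700
Received: from [198.51.100.7] (c-198-51-100-7.hsd1.ca.comcast.net [198.51.100.7])
\tby asmtp020.mac.com with ESMTPSA id 0KTest; Tue, 12 Aug 2008 09:59:55 -0700
From: someone@mac.com
To: someone@example.org
Subject: hello

body
"""

# Constructed stand-in for a vendor blacklist of IPs seen sending mostly spam.
BLACKLIST = {ipaddress.ip_address("192.0.2.20")}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(raw):
    """Return the IPs named in the Received headers, last hop first.

    Each Received line names the host that handed the message over: the
    topmost line is the server that delivered to us, the bottom one is
    the original submitter (here, the Comcast-connected user)."""
    msg = message_from_string(raw, policy=default)
    chain = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(value)
        if m:
            chain.append(ipaddress.ip_address(m.group(1)))
    return chain


def sending_server(raw):
    """The IP an IP-reputation filter actually scores: the last hop only."""
    chain = relay_chain(raw)
    return chain[0] if chain else None


def blocked(raw, blacklist=BLACKLIST):
    """True if the delivering server is listed, whoever wrote the mail."""
    return sending_server(raw) in blacklist
```

Run against the sample, the Comcast address shows up deeper in the chain but is never consulted; only the mac.com server’s address decides whether the message is blocked.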

Locked Out

So, who has the passwords to your network? Is it possible that this could happen to you?

From the San Francisco Chronicle:

“A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.”

Story here.

If there is only one key, and the key is unavailable, how do you get in?

Money Backup

Do you have a good backup for your money? The story about the “IndyBank” takeover by the FDIC should remind you that you need to be careful about the insurance level of your bank deposits.

Deposited amounts over $100K (for a single person) are not insured by the FDIC. Maybe it’s a good idea to make sure that your deposited funds are insured for the full amount. If you’ve got over $100K in one account, perhaps it’s time to do a little ‘money backup’.

Headline Prediction – "Paradise Lost"

Although it hasn’t happened yet, it is inevitable that you’ll see that headline soon. The town of Paradise has given 14,000 people immediate evacuation notices. On a map, that’s almost all of the east side of that town.

The Chico Enterprise Record (a nearby newspaper in Chico, CA) has a great map of the fire and evacuation areas here. There’s a great potential for damage if the fire gets into the ‘green’ (evacuation) areas.

And the weather is not helping. There is so much smoke that the fire retardant-dropping planes and water-dropping helicopters can’t fly.

Not good.