Configuring Exchange Server 2010 Anti-Spam Settings for Individual Mailboxes

Written by Paul Cunningham on June 9, 2010

When the Exchange Server 2010 anti-spam features are enabled and configured they take effect for all mailboxes within the organization.  But sometimes it is necessary to customize the settings for specific mailbox users.

Organization-Wide Anti-Spam Settings

At the organization level there are several anti-spam settings that can be applied.

SCLJunkThreshold – This is the Sender Confidence Level (SCL) score that will cause an email to be delivered to the Junk Email folder of a mailbox instead of the Inbox.  SCL is scored from 0-9 with 9 being the most likely to be spam.  By default the SCLJunkThreshold is set to 4.

[PS] C:\>Get-OrganizationConfig | fl SCLJunkThreshold

SCLJunkThreshold : 4

There are also a series of SCL thresholds configured on the Content Filter Agent.

[PS] C:\>Get-ContentFilterConfig | fl *SCL*

SCLRejectThreshold     : 7
SCLRejectEnabled       : True
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled   : False

With the default settings shown above a spam message that scores an SCL higher than 7 will be rejected by the Transport server.  A spam message that scores an SCL higher than 4 but not more than 7 will be sent to the mailbox Junk Email folder.

Mailbox-Level Anti-Spam Settings

These anti-spam settings can also be configured on a per-mailbox basis.

[PS] C:\>get-mailbox Alan.Reid | fl *spam*,*SCL

AntispamBypassEnabled  : False
SCLDeleteThreshold     :
SCLDeleteEnabled       :
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :

When configured at the mailbox level the settings take precedence over the organization-wide settings.
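The following audit script applies that precedence rule (a mailbox value overrides the organization or Content Filter value) across every mailbox and flags overrides that are weaker than the organization baseline; it is an added example, not code from the original post. It assumes an Exchange 2010 Management Shell session, uses only the `Get-OrganizationConfig`, `Get-ContentFilterConfig`, `Get-Mailbox` and `Set-Mailbox` properties shown above, and treats a blank mailbox setting as "inherit" and an explicit `$false` as "disabled for this mailbox" (my reading of the post, not a documented guarantee).

```powershell
# Added example (not from the original post): report the effective SCL thresholds
# per mailbox, given that mailbox-level settings override the organization and
# Content Filter defaults. Assumes an Exchange 2010 Management Shell session.

function Resolve-SclThreshold {
    param($MailboxEnabled, $MailboxThreshold, $DefaultEnabled, $DefaultThreshold)
    if ($null -eq $MailboxEnabled) {
        # Blank on the mailbox: inherit the org / Content Filter default (assumed rule).
        if ($DefaultEnabled) { return $DefaultThreshold } else { return $null }
    }
    if (-not $MailboxEnabled) { return $null }                # explicitly disabled here
    if ($null -ne $MailboxThreshold) { return $MailboxThreshold }
    return $DefaultThreshold                                   # enabled but no own value
}

function Get-EffectiveSclReport {
    $orgJunk = (Get-OrganizationConfig).SCLJunkThreshold
    $cf      = Get-ContentFilterConfig
    foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
        $junk   = Resolve-SclThreshold $mb.SCLJunkEnabled $mb.SCLJunkThreshold $true $orgJunk
        $reject = Resolve-SclThreshold $mb.SCLRejectEnabled $mb.SCLRejectThreshold $cf.SCLRejectEnabled $cf.SCLRejectThreshold
        $delete = Resolve-SclThreshold $mb.SCLDeleteEnabled $mb.SCLDeleteThreshold $cf.SCLDeleteEnabled $cf.SCLDeleteThreshold
        $quar   = Resolve-SclThreshold $mb.SCLQuarantineEnabled $mb.SCLQuarantineThreshold $cf.SCLQuarantineEnabled $cf.SCLQuarantineThreshold

        # Flag any mailbox whose effective settings are looser than the organization baseline.
        $warn = @()
        if ($mb.AntispamBypassEnabled) { $warn += 'anti-spam agents bypassed' }
        if ($null -eq $junk) { $warn += 'junk folder delivery disabled' }
        elseif ($junk -gt $orgJunk) { $warn += "junk threshold $junk above org default $orgJunk" }
        if ($cf.SCLRejectEnabled -and ($null -eq $reject -or $reject -gt $cf.SCLRejectThreshold)) {
            $warn += 'reject weaker than Content Filter default'
        }

        [PSCustomObject]@{
            Mailbox    = $mb.Alias
            Junk       = $junk
            Reject     = $reject
            Delete     = $delete
            Quarantine = $quar
            Warnings   = ($warn -join '; ')
        }
    }
}

# Tighten one mailbox (sample name from the post) so SCL 3 and above lands in Junk E-mail,
# then list only the mailboxes that carry a warning.
Set-Mailbox Alan.Reid -SCLJunkEnabled $true -SCLJunkThreshold 3
Get-EffectiveSclReport | Where-Object { $_.Warnings } | Format-Table -AutoSize
```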

ZBot Trojan Not Detectable By Anti-Virus Programs

Written by Sue Walsh on September 25, 2009

Security researchers have discovered that the Zbot Trojan is undetectable by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a rootkit to penetrate deep within operating systems. A recent study of Zbot infected computers revealed that only 14% had outdated or no anti-virus software. The rest were running fully updated software.

Over the summer Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured login credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal logins from, including Facebook, Bank of America, Paypal, Amazon.com, and eBay.

Most recently it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare the recipient by telling them they were discovered as having underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file but that file is really a hidden executable that downloads Zbot.

New Spam Attack Features Blank Messages

Written by Sue Walsh on June 19, 2009

Ads for shady Internet pharmacies are partly responsible for a new spike in spam levels. The spam messages deliver the ads buried in image attachments and most of them hawk Viagra and other similar medications. The subject lines are random and not related to the contents of the messages, but they all attempt to direct recipients into clicking on links that lead to various pharmacy websites, some of which could be fake ones. Such malicious sites look legit and offer a shopping cart and accept credit cards, but unlike legit sites, the orders are never sent.

The other type of spam uses a new technique: blank messages. Spammers are sending messages with no subject line or body with the sole purpose of finding out which addresses are valid, usually within specific domains and presumably to harvest those addresses for future spam and/or phishing attacks.

Additionally, malicious spam masquerading as delivery failure notices from Western Union continues to flood the net. This type of spam informs the recipient that a Western Union money transfer could not be completed and directs them to open the included attachment, print out the receipt and bring it to their local Western Union office to get the money back. The scammers are hoping to find a few greedy souls who think they’ve gotten a chance to receive some free money. The attachment actually contains a nasty Trojan.

It’s important to keep all anti-virus products up to date and make sure you have an effective spam filter installed on your network, and as always make sure your employees know to never click on links or open attachments in emails from people they don’t know.

Hundreds of UK Government Sites Hacked

Written by Sue Walsh on June 16, 2009

A large-scale attack on UK government websites has been discovered. Hundreds of sites for schools, government offices, universities and more have been compromised to include links and other references to porn sites or shady pharmacies. The hacks were likely carried out via SQL injection attacks or cross-site scripting, and the sites were obviously chosen because users would not think twice about trusting them. Visitors who click through are either redirected to sites selling drugs such as Viagra or sites displaying hardcore porn. Some of the compromised sites attempt to download malware.

The most disturbing part of the attacks is that many of the sites belong to elementary schools and are visited by students. The hackers behind the attack apparently have no problem directing children to porn sites. Even the search results for these sites have been changed to refer to porn and shady pharmacies.

It’s not known who’s behind the attack and the UK government has not yet had any comment. One thing is sure however, and that’s that they need to take a serious look at the security and software on their sites. It’s poorly designed software and careless security (such as not disabling unused FTP logins) that lead to these types of attacks. Experts warn that it’s possible that people who are infected by compromised sites may begin to file lawsuits against them for negligence.

However, I’m not sure that’s the way to go; after all, it is up to each of us to properly secure our computers and use up-to-date anti-virus software!

The PIFTS.exe Conspiracy

Written by Brett Callow on March 11, 2009

On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were Symantec surreptitiously monitoring their users? Or was this something much more sinister?

The discussion raged on sites such as Slashdot and on forums across the internet. Symantec fanned the flames when they started deleting questions about PIFTS which had been posted to their web forum without explanation. What did they have to hide? To make matters worse, users searching for information on PIFTS found that they were being directed to malicious websites. Brian Krebs of the Washington Post noted:

          Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).

Symantec finally issued a statement which confirmed what had happened:

          Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 – 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

Beware of bogus anti-virus software

Written by Dan Blacharski on March 5, 2009

A clever piece of social engineering appears at first to be something similar to the old-fashioned mass-mailing worms which were designed to annoy, but the MonaRonaDona virus actually goes much further than that.

Once infected, a pop-up will appear, stating, “Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it’s me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity.”

There have been, over the years, many such emails, spam messages, viruses and worms which were designed as part of some social protest, and the perpetrators in their righteousness believe that they should be excused from their mischief because of their noble cause. Pure poppycock of course; an attack is an attack, regardless of the reason. But this one only uses the “noble protest” as a ruse to sell useless anti-malware software.
