ZBot Trojan Not Detectable By Anti-Virus Programs

Written by Sue Walsh on September 25, 2009

Security researchers have discovered that the Zbot Trojan is undetectable by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a rootkit to penetrate deep within operating systems. A recent study of Zbot-infected computers revealed that only 14% had outdated or no anti-virus software. The rest were running fully updated software.

Over the summer Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured login credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal logins from, including Facebook, Bank of America, PayPal, Amazon.com, and eBay.

Most recently it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare the recipient by telling them they were discovered as having underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file, but that file is really a hidden executable that downloads Zbot.

New Malicious Spam Exploits Craigslist

Written by Sue Walsh on August 18, 2009

A new malicious spam attack is exploiting the popular site Craigslist. The messages arrive with the subject line “Re: Car For Sale on Craigslist” and with a message that looks like a reply to an inquiry about a car for sale on the site. A link within it claims to direct the recipient to photos of the vehicle on Picasa. The link instead leads to a malicious site that downloads a Trojan onto the visitor’s computer.

It’s not yet known who’s responsible for this latest wave of malicious spam, but experts are warning people to be very cautious. Only 13 out of 41 virus scanners caught the virus, meaning that having an up-to-date virus program may not be enough to protect you. Obviously, if you or your company hasn’t inquired about a car for sale on Craigslist, you should immediately delete any such messages.


Managing whitelists and blocklists for Exchange Server environments

Written by Paul Cunningham on January 16, 2009

Most organisations that have deployed an email anti-spam solution will at some stage encounter a situation in which a false positive (legitimate email blocked as spam) or a false negative (spam email allowed to pass through) causes a problem for their business.

Whitelists and blocklists

False positives can affect important business emails and can have a very high cost to the organisation if the email was time sensitive. False negatives can have a similar impact on the business by annoying or offending end users who receive unwanted spam. Both situations can also erode the confidence the end users have in the organisation’s email system.

To combat these issues many organisations configure whitelists or blocklists on their anti-spam systems.

What is a Whitelist?

A whitelist is a list of known safe email senders. Whitelists can be made up of IP addresses, domain names, or email addresses. In most cases businesses will choose to whitelist domain names of highly trusted customers or suppliers, or email addresses that are the source of critical emails.

As a real-world example, at one customer I worked with, the email address that sent voicemail attachments from the external voicemail system was whitelisted to ensure that the anti-spam system never blocked a voicemail message as a false positive.

Whitelists carry some risks. For example, some domains such as hotmail.com, ebay.com, and paypal.com are frequently forged by spammers sending commercial spam or phishing emails. If ebay.com were whitelisted, eBay phishing scams would pass through the anti-spam system to end users.

What is a Blocklist?

A blocklist (also sometimes called a blacklist) is the opposite of a whitelist. Blocklists can also be made up of IP addresses, domain names, and email addresses. Businesses will choose to blocklist domains or email addresses that are found to always be the source of spam yet sometimes slip through the anti-spam system as a false negative.

In some customer environments I have worked in, the email administrators have chosen to block entire top level domains such as .ru (Russia) and .tw (Taiwan) because the company did no business with anyone in those countries yet constantly received spam, viruses, and phishing emails from those domains.

Blocklists carry some risks as well. For example, even though hotmail.com is often used by spammers, blocking the entire hotmail.com domain would prevent any customers or legitimate senders who utilise Hotmail from emailing your business.
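The whitelist and blocklist behaviour described above, as an added illustration that is not part of the original post and not Exchange Server's own code: explicit block entries (IP ranges, top-level domains such as .ru, individual addresses) win first, allow entries then bypass filtering, and everything else falls through to normal spam scoring. It also shows the forged-domain risk the post describes: a whitelisted ebay.com waves a spoofed message through unless the policy is told to honour domain whitelist entries only for messages that passed sender authentication. The `spf_pass` flag, the `require_auth_for_domain_allow` option and all addresses, domains and IPs are constructed for the example.

```python
"""Whitelist/blocklist evaluation for inbound mail (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Message:
    """Constructed inbound message: envelope sender and connecting SMTP client IP."""
    sender: str
    source_ip: str
    spf_pass: bool = False  # hypothetical: result of an upstream sender-authentication check


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def domain_matches(domain: str, entry: str) -> bool:
    """'ebay.com' matches ebay.com and its subdomains; '.ru' matches any .ru domain."""
    entry = entry.lower().lstrip(".")
    return domain == entry or domain.endswith("." + entry)


@dataclass
class SenderPolicy:
    block_ips: list = field(default_factory=list)        # CIDR strings or single IPs
    block_domains: set = field(default_factory=set)      # e.g. {".ru", ".tw"}
    block_addresses: set = field(default_factory=set)
    allow_ips: list = field(default_factory=list)
    allow_domains: set = field(default_factory=set)
    allow_addresses: set = field(default_factory=set)
    # Hypothetical hardening option: honour a domain whitelist entry only when the
    # message passed sender authentication, so forged ebay.com mail is not waved through.
    require_auth_for_domain_allow: bool = False

    @staticmethod
    def ip_in(ip: str, entries) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

    def decide(self, msg: Message) -> str:
        """Return 'block', 'allow' (bypass spam filtering) or 'filter' (normal scoring)."""
        addr = msg.sender.lower()
        domain = sender_domain(addr)
        # Explicit block entries win: the blocklist exists to stop known false negatives.
        if (self.ip_in(msg.source_ip, self.block_ips)
                or addr in self.block_addresses
                or any(domain_matches(domain, d) for d in self.block_domains)):
            return "block"
        # Allow entries bypass filtering, to prevent false positives on critical mail.
        if self.ip_in(msg.source_ip, self.allow_ips) or addr in self.allow_addresses:
            return "allow"
        if any(domain_matches(domain, d) for d in self.allow_domains):
            if not self.require_auth_for_domain_allow or msg.spf_pass:
                return "allow"
        return "filter"


def build_example_policy(hardened: bool = False) -> SenderPolicy:
    """Constructed policy mirroring the post: voicemail sender and ebay.com whitelisted,
    .ru/.tw and a known spam source blocked. IPs are documentation ranges."""
    return SenderPolicy(
        block_ips=["203.0.113.0/24"],
        block_domains={".ru", ".tw"},
        block_addresses={"deals@spammer.example"},
        allow_ips=["192.0.2.10"],
        allow_domains={"ebay.com"},
        allow_addresses={"voicemail@pbx.example"},
        require_auth_for_domain_allow=hardened,
    )


if __name__ == "__main__":
    samples = [
        Message("voicemail@pbx.example", "198.51.100.7"),   # critical mail, never blocked
        Message("offer@shop.ru", "198.51.100.8"),            # whole TLD blocked
        Message("security@ebay.com", "198.51.100.9"),        # forged, unauthenticated
        Message("user@hotmail.com", "203.0.113.5"),          # blocked by source IP
        Message("user@hotmail.com", "198.51.100.20"),        # normal filtering
    ]
    for policy_name, policy in (("default", build_example_policy()),
                                ("hardened", build_example_policy(hardened=True))):
        for m in samples:
            print(f"{policy_name:8} {m.sender:24} {m.source_ip:14} -> {policy.decide(m)}")
```

Run as a script it prints one decision per sample under both policies; the spoofed ebay.com message is the line that changes from `allow` to `filter` once domain whitelist entries require authentication, which is the mitigation for the risk the post raises.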

How does Exchange Server 2007 manage Whitelists and Blocklists?

Exchange Server 2007 can apply whitelists and blocklists on Edge Transport servers and Hub Transport servers that have the Exchange Server 2007 Anti-Spam components installed.

Using IP Block List Providers and the Connection Filter agent in Exchange 2007

Written by Paul Cunningham on December 12, 2008

Exchange Server 2007 includes integrated anti-spam features that run on Edge Transport servers and can optionally be enabled on Hub Transport servers. In this blog post I will discuss the Connection Filter agent and how IP block list providers can be used to protect Exchange servers from spam.

Connection Filtering
