Over the summer Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured log in credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal log ins from including Facebook, Bank of America, Paypal, Amazon.com, and eBay.

Most recently it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare the recipient by telling them they were discovered as having underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file but that file is really a hidden executable that downloads Zbot.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ZBot Trojan Not Detectable By Anti-Virus Programs

It’s not yet known who’s responsible for this latest wave of malicious spam, but experts are warning people to be very cautious. Only 13 out of 41 virus scanners caught the virus, meaning that having an up to date virus program may not be enough to protect you. Obviously if you or your company hasn’t inquired about a car for sale on Craigslist you should immediately delete any such messages.

This is only one of several new viruses discovered recently, including one that targets AutoCAD software, and experts say the amount of malware found on the net is only going to rise.

          “Criminals see a better bottom line with more files,” security researcher Sean-Paul Correll said, adding that there are more viruses because the malware writers have automated the creation of virus variants. They are releasing polymorphic engines to distribute a massive number of unique samples… They hope to subvert antivirus lab technology by releasing a large number of samples.”

This has led some virus researchers to proclaim that virus signatures, which are currently the best way to classify threats, will soon be useless. If that happens researchers will have to come up with new ways to find and fight threats.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Malicious Spam Exploits Craigslist

False positives can affect important business emails and can have a very high cost to the organisation if the email was time sensitive.  False negatives can have a similar impact on the business by annoying or offending end users who receive unwanted spam.  Both situations can also erode the confidence the end users have in the organisation’s email system.

To combat these issues many organisations configure whitelists or blocklists on their anti-spam systems.

What is a Whitelist?

A whitelist is a list of known safe email senders.  Whitelists can be made up of IP addresses, domain names, or email addresses.  In most cases businesses will choose to whitelist domain names of highly trusted customers or suppliers, or email addresses that are the source of critical emails.

As a real world example in one customer I worked with the email address that was the sender of voicemail attachments from the external voicemail system was whitelisted to ensure that the anti-spam system never blocked a voicemail message as a false positive.

Whitelists carry some risks.  For example some domains such as hotmail.com, ebay.com, and paypal.com are frequently forged by spammers sending commercial spam or phishing emails.  If ebay.com was whitelisted it would cause eBay phishing scams to pass through the anti-spam system to end users.

What is a Blocklist?

A blocklist (also sometimes called a blacklist) is the opposite of a whitelist.  Blocklists can also be made up of IP addresses, domain names, and email addresses.  Businesses will choose to blocklist domains or email addresses that are found to always be the source of spam yet sometimes slip through the anti-spam system as a false negative.

In some customer environments I have worked in, the email administrators have chosen to block entire top level domains such as .ru (Russia) and .tw (Taiwan) because the company did no business with anyone in those countries yet constantly received spam, viruses, and phishing emails from those domains.

Blocklists carry some risks as well.  For example even though hotmail.com is often used by spammers blocking the entire hotmail.com domain would prevent any customers or legitimate senders who utilise Hotmail from emailing your business.

How does Exchange Server 2007 manage Whitelists and Blocklists?

Exchange Server 2007 can apply whitelists and blocklists on Edge Transport servers and Hub Transport servers that have the Exchange Server 2007 Anti-Spam components installed.

Whitelists are configured in two places.  Whitelisted IP addresses (or the IP Allow List) are handled by the Connection Filter agent but are not configured at the organisation level.  Instead they are configured on the Edge Transport or Hub Transport servers.  Typically the IP address whitelist is configured on any Transport server that accepts email from the internet.

Whitelisted domains and email addresses are configured on the Content Filtering agent at the organisation level.

Blocklists are also configured in two places.  Blocklisted IP addresses (or IP Block Lists) are similar to whitelists in that they are configured on the individual Transport servers where appropriate.

Blocklisted domains and email addresses are configured on the Sender Filtering agent at the organisation level.

Exchange Server 2007 Safelist Aggregation

Although whitelists and blocklists can be managed at the Exchange organisation and server level there is an additional level of configuration that can be applied.

Outlook clients from version 2003 onwards contain Junk Email controls including the ability to specify safe senders and safe recipients.  This safelist information is stored in the user mailbox and can be optionally pushed to the Active Directory user object.

The Exchange administrator can enable Safelist Aggregation on the Exchange servers, which aggregates all of the safelist information stored in user objects into one list that Transport servers can apply to the entire organisation.  In short this means that if user John added the email address peter@fabrikam.com to his safelist, the Transport server’s Content Filtering agent would consider emails sent by peter@fabrikam.com to be trusted and pass them through to the recipients within the organisation.

Disadvantages of Exchange 2007 Safelist Aggregation

Although Safelist Aggregation may help reduce the number of false positives it carries some disadvantages.

Firstly the default configuration of the Update-Safelist cmdlet on the Exchange servers includes both safe senders and safe recipients data, even though safe recipients data is ignored by the Content Filtering agent.  This can lead to unnecessary replication traffic and storage bloat on the Transport servers.

Also the update process is cumbersome and requires a scheduled task be created on the Exchange server to run the Update-Safelist cmdlet.  There is no functionality within the Exchange management tools to create or manage this schedule.

Finally the default configuration of the Update-Safelist cmdlet includes domain names that end users have marked as safe.  For example, John may have intended to add jane@hotmail.com to his safelist but instead added @hotmail.com as a safe domain.  When this information is aggregated to the Transport servers any spam emails from forged @hotmail.com email addresses will not be blocked by the Content Filtering agent.

Alternatives to Exchange Server 2007 whitelists and blocklists

Despite the value of whitelists and blocklists they can become an administrative burden over time as they are manually managed by the Exchange administrators.  Even though the Exchange Server 2007 Safelist Aggregation feature seeks to alleviate some of this burden it also carries disadvantages and risks.

Dedicated third party email anti-spam solutions feature similar whitelist and blocklist capabilities but present them in a more effective and manageable way.  When considering an anti-spam solution that will provide these capabilities you should look for products that allow end users to participate in the whitelist and blocklist process but also permit administrators full control of the organisation-wide whitelist and blocklist behaviour.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Managing whitelists and blocklists for Exchange Server environments

What is the Connection Filter agent?

The Connection Filter agent is a Transport server feature that performs filtering actions based on the IP address of the remote server that is making a connection to the Exchange server.  The Connection Filter agent checks whether the remote IP address is on an IP Allow list, an IP Block list, or on neither and takes action based on the result.

When the Connection Filter agent is enabled it is the first anti-spam agent that assesses any incoming SMTP communication.

This preserves system resources on the Transport server by avoiding the need to accept the entirety of the email message data and perform more thorough content scanning of the message for spam.  The Transport server simply assumes that an email coming from an IP address on an IP Block list is almost certainly going to be spam and terminates the SMTP session before the DATA command is issued.

What is an IP Allow/Block list?

An IP Allow/Block list can be made up of an administrator-defined list of IP addresses or it can come from a third party provider.

Administrator-defined lists typically are used when an Exchange administrator needs to explicitly allow or block a specific IP address, and are assessed first before any third party IP Allow/Block lists.  For example, if a customer’s network has been blacklisted for some reason you can override that by adding their IP address to your IP Allow list.  Similarly if you are receiving spam from an IP address that has not yet been blacklisted you can add the IP address to your IP Block list.

Third party list providers such as SORBS and SpamHAUS provide a service that you can use to look up an IP address and determine whether it is on one of the IP Allow or IP Block lists.  These providers maintain lists of IP addresses of known and suspect spam sources based on actual spam reports, proactive open relay scans, and other likely sources such as ISP customer IP ranges.

Using IP Allow/Block list providers with Exchange Server 2007

Exchange Server 2007 can be configured to query one or more of these lists when the Connection Filter agent is assessing an SMTP connection.  In fact it is recommended to configure more than one provider to improve coverage and ensure that if a list provider is not responding to queries that another provider is checked.

Using IP Block list providers has some disadvantages.  The IP address of a legitimate email server may be inadvertently added to an IP Block list even though they are not sending spam.  From time to time the Exchange administrator may need to explicitly allow one of these IP addresses so that email communication is not disrupted, or contact a list provider to get their own IP address removed from an IP Block list.

Another disadvantage is that each new SMTP connection requires a query sent to the list provider.  If the response is delayed for any reason it can slow down email traffic at the Transport server.  To reduce the impact of this the Exchange server will cache the results of a query for a short period of time so that an IP can continue to be blocked on subsequent attempts without another query being sent to the list provider.

IP Block lists are far more commonly used than IP Allow lists, but IP Allow lists are useful to prevent highly trusted IP addresses from being blocked.

How to configure an IP Block list with Exchange Server 2007

The Exchange anti-spam components are installed by default on Edge Transport servers but must be manually installed on Hub Transport servers by the administrator using the “install-antiSpamAgents.ps1″ script that is included with Exchange Server 2007.

The Anti-spam tab now appears in the Hub Transport section of the Exchange Management Console.  Open the properties of IP Block List Providers and select the Providers tab.

Click Add to configure a new provider.  Here we are configuring SpamHAUS as the IP Block list provider.  Note that you should review the SpamHAUS usage guidelines to verify that your organisation qualifies for free use of this service.

You can configure as many IP Block list providers as you wish and they will be queried in the order that they are listed.  You can also configure exceptions for email addresses within your organisation that you do not want to be filtered.  For example you may choose not to filter email to your postmaster@ email address so that an organisation that is being blocked by your email servers can still report the problem to your Exchange administrator.

Using IP Block list providers with internal Exchange servers

IP address filtering is most commonly applied at the internet-facing Exchange servers, but in some cases your Exchange servers may have another email server that receives internet email first.  The Exchange server must parse the email message headers to determine which IP address is the original source of the email message when performing IP Block list provider queries.

To ensure that the Exchange server can do this you must specify the IP addresses of any email servers within your organisation that would receive internet email before it reaches the Exchange servers.  This is configured in the Global Settings for your Exchange organisation.

Open the properties of the Transport Settings and select the Message Delivery tab.  Select Add and enter the IP address or IP range of the email servers.

Is the Exchange Connection Filter agent enough protection?

The Exchange Connection Filter agent does an acceptable job of blocking spam based on the sender’s IP address but it is by no means a complete anti-spam solution.  Connection filtering is best used in combination with other forms of spam protection such as content filtering.  An effective way to improve Exchange anti-spam protection is to combine inbuilt features of Exchange such as the Connection Filter agent with comprehensive third party email security products that include a greater degree of configurability and more advanced features such as detailed reporting.

Connection Filtering saves time and resources

A correctly configured Connection Filter agent saves the Exchange administrator a lot of time by avoiding the need to manually maintain a large list of blocked and allowed IP addresses.  The Connection Filter agent also reduces server load by rejecting likely spam before it has been transmitted to the Exchange server and without requiring resource-intensive content scanning of the email message.  It is recommended that you always configure the Connection Filter agent on your internet-facing Exchange Transport servers, and consider enhancing your anti-spam protection with third party email security products.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Using IP Block List Providers and the Connection Filter agent in Exchange 2007