Saturday, July 19, 2008

Spam Blacklists and Peter G

I was reading Peter Glaskowsky's blog (Speeds and Feeds here) where he posits that some of his mail sent through Comcast (his ISP) is being blocked because his Comcast IP is on a blacklist.

I was going to add a comment, but it was getting long, so I thought I would explain my theory here. So, first, go read his blog entry. I'll wait. Then come back here for my theory.

Welcome back.

I don't think that Peter's problem is with his Comcast IP being on a blacklist. I think that the problem is with one of the mac.com mail servers being on a blacklist.

As I mentioned before on a private list, at the office I have one external user with a mac.com address who has problems with *some* of his mail being blocked by our web filter. Whenever his mail goes through a particular mac.com server, that mac.com mail server's IP address is on our vendor's mail filter blacklist (we use the Websense/Surfcontrol mail filter product). They have a database of known spam IP addresses that they build with an automated process. If their sensors detect 99%+ of mail from a particular IP address as spam, they put that IP address on their blacklist. We use that blacklist to block about 80% of the spam attempts we get (about 500,000 a day).

If I take the mail header from one of Peter's mail messages, using the excellent Email Header Analyzer at http://www.mxtoolbox.com/EmailHeaders.aspx , I see that his mail comes from one of the mac.com servers (asmtp020.mac.com). His email address domain name (that's the part after the "@" in your email address) is at mac.com, not comcast.net. The mac.com mail server is sending out his email. The IP address of that mac.com mail server is the IP address that the blacklists will use to decide whether that mail server is a spammer.

In my external user's case, his email (from mac.com) is randomly assigned to one of many mac.com mail servers. Usually, that works fine. But one of the mac.com mail servers is on our blacklist. And therefore any message he sends that is randomly assigned to that 'bad' mail server will get blocked.

Again, this is a random problem that only happens when his message is assigned to a 'bad' mail server. And that's what I think is randomly happening to Peter's email.

A computer that is infected with a 'spam bot' will send out mail using the mail server that was installed on the user's computer when the spam bot was installed via malware. The spammer will then 'relay' messages through the spam bot computer using the spam bot's internal mail server. The result is that the mail will appear to come from a 'mail server' at the computer's IP address.

If the computer has Comcast (or anyone else) as its Internet Service Provider, then the user's Comcast-assigned IP address will be seen as the IP address of the mail server (the spam bot) sending out the spam. And that IP address will eventually get on a blacklist. That's why you would see lots of Comcast IP addresses on spam lists.

Peter's mail is not coming from a Comcast email address. It is coming from a mail server at mac.com. And one of those mac.com mail servers is on the blacklist.

Now, it could be that Peter's Comcast IP address is within an IP range on a blacklist. So if Peter has his own mail server at his place, his mail would be coming from that Comcast IP address. (Although he would have a dedicated IP address with the MX - Mail Exchange - record for his domain name.)

But Peter's mail is coming from mac.com. It has to; the domain name of his email address is mac.com. It may be that the messages that aren't being delivered are coming from a 'bad' email server at mac.com. And that mac.com mail server is the one on the blacklist.
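To make the header-reading step concrete, here is an added Python example (not from this post, and not the mxtoolbox tool) that pulls the connecting IP out of each Received header, treats the topmost one as the server that handed the message to the receiving mail server, and checks that IP against a blacklist. The hostnames follow the post; the IP addresses, the blacklist contents and the bl.example zone are constructed documentation values, not real ones.

```python
import re

# Constructed sample headers, as a receiving server might record them for a
# message relayed through a mac.com outbound server. IPs are TEST-NET values.
SAMPLE_HEADERS = """\
Received: from asmtp020.mac.com (asmtp020.mac.com [192.0.2.20])
    by mail.example.net with ESMTP id q1; Sat, 19 Jul 2008 10:00:00 -0700
Received: from [10.0.0.5] (c-198-51-100-7.hsd1.ca.comcast.net [198.51.100.7])
    by asmtp020.mac.com with ESMTP id a2; Sat, 19 Jul 2008 09:59:58 -0700
From: peter@mac.com
"""

# Constructed stand-in for a vendor blacklist: one 'bad' mac.com server IP
# and one botted cable-modem address.
CONSTRUCTED_BLACKLIST = {"192.0.2.20", "198.51.100.99"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers):
    """Connecting IP recorded in each Received header, newest (topmost) first."""
    # Unfold RFC 5322 continuation lines so each header is a single line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    ips = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        # Only the "from ..." part describes the connecting host; the last
        # bracketed address there is what the receiving server observed,
        # not the (possibly forged) EHLO literal.
        from_part = re.split(r"\s+by\s+", line, maxsplit=1)[0]
        found = IP_RE.findall(from_part)
        if found:
            ips.append(found[-1])
    return ips


def sending_server_ip(raw_headers):
    """The IP a blacklist filter checks: the host that delivered to us."""
    ips = received_ips(raw_headers)
    return ips[0] if ips else None


def dnsbl_query_name(ip, zone):
    """Reverse-octet name a DNSBL lookup would resolve (no DNS query here)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def would_be_blocked(raw_headers, blacklist):
    """True when the delivering server's IP is on the blacklist."""
    ip = sending_server_ip(raw_headers)
    return ip is not None and ip in blacklist
```

Running the same message through a different outbound server (a different topmost IP) is what makes the block appear random, as the post describes.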

That's my theory. You are welcome to discuss it in the comments.

Tuesday, July 15, 2008

Locked Out

So, who has the passwords to your network? Is it possible that this could happen to you?

From the San Francisco Chronicle:

"A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday."

Story here.

If there is only one key, and the key is unavailable, how do you get in?

Monday, July 14, 2008

Money Backup

Do you have a good backup for your money? The story about the "IndyBank" takeover by the FDIC should remind you that you need to be careful about the insurance level of your bank deposits.

Deposited amounts over $100K (for a single person) are not insured by the FDIC. Maybe it's a good idea to make sure that your deposited funds are insured for the full amount. If you've got over $100K in one account, perhaps it's time to do a little 'money backup'.

Wednesday, July 9, 2008

Headline Prediction - "Paradise Lost"

Although it hasn't happened yet, it is inevitable that you'll see that headline soon. The town of Paradise has given 14,000 people immediate evacuation notices. On a map, that's almost all of the east side of that town.

The Chico Enterprise Record (nearby newspaper in Chico CA) has a great map of the fire and evacuation areas here. There's a great potential for damage if the fire gets into the 'green' (evacuation) areas.

And the weather is not helping. There is so much smoke that the fire retardant-dropping planes and water-dropping helicopters can't fly.

Not good.

Tuesday, July 8, 2008

Microsoft Snapshot Viewer Attack

The Microsoft Snapshot Viewer, which is part of all versions of Microsoft Access except Access 2007, has a vulnerability that is being actively exploited by rogue web pages (or web pages that were not secure to begin with). The vulnerability allows the attacker to run a program on your computer, like a keystroke logger, or other 'bot' software that gives the attacker full control of your computer.

More information at the Internet Storm Center: http://isc.sans.org/diary.html?storyid=4672 . Microsoft's advisory: http://www.microsoft.com/TechNet/security/advisory/955179.mspx

Be careful out there!

Friday, June 20, 2008

Backing Up For Disasters via Carbonite

What are you doing about your backups of your home computer?

If your home computer is anything like mine, there are tons of pictures on there. Some (or perhaps most or all) of those are probably irreplaceable.

The events of the past couple of months (urban fires, earthquakes, tornados, floods) have gotten me thinking about what would happen if that computer 'went away'. All of those pictures gone. Not to mention some other important files.

In the past, I've tried several things. I've backed up files to CD (and DVD), but that takes a while. I bought an external hard drive (they are getting quite inexpensive), and copied files to it. I even got another computer and copied files to it. Those are good ways to back up important files.

If you remember to do it.

I probably have maybe two sets of DVDs. And only one backup to the external hard disk. And the second-computer thing never really worked out (partly because of my own inertia). So I don't really have a good backup plan in case of disaster.

I figured I needed something that I could set up and forget. The backups needed to be stored off-site. It needed to be automatic. And it needed to happen regularly.

So I decided on using an on-line backup service. I looked at a couple, and settled on Carbonite (www.carbonite.com - which loads a bit slowly because they have this irritating movie that starts up). The cost was reasonable - $49.95/year. Files are backed up automatically over your Internet connection. The backups happen in the background, with a lower priority/load if you are surfing the net. They keep multiple levels of backups of a file - if you make changes to a file, then older backed up versions are still available. And the data is all encrypted.

So I signed up. Quite easy. Name, email, password (and hints), and a credit card number. Download some software, install it (the usual bunch of Next keys), minor configuration (you can specify what folders to back up), done. And the backups start happening.

A little icon in the task bar shows you that things are working. A double-click of that icon and you can see what's happening.

I don't have an exact figure for the amount of disk space it backed up. It did take about two weeks to do it on my cable modem connection. But there was no noticeable slowdown while the files were being copied.

Once the first backup happens, the program just watches for new stuff. Since my wife is constantly scanning pictures (she's really into scrapbooking) with one or both of our two scanners, those new files are automatically backed up to the Carbonite servers.

It all Just Works. The Carbonite web site (www.carbonite.com) has all the details (although I wish they would get rid of the video that automatically loads when you go to the site). They do have a 15-day free trial. But I recommend that you just go for it.

The files on my computer are worth it.

Wednesday, June 11, 2008

Updates as Usual

Make sure that your MS updates have been installed. I've put them on several computers, no problems. They do require a restart.

But there are some active exploits out there for the problems fixed by these updates.

And remember to update your other programs (Adobe, Quicktime, etc). There are active exploits for those also.

Safe computing works.

Monday, June 2, 2008

Safari Bad Ju-Ju

Apple's Safari browser has a serious vulnerability that lets an attacker silently download items to your desktop. This happens in Windows and Mac versions. The result is a desktop full of malware program icons (on Windows) and a pile of malware programs in the Mac Downloads folder.

Apple's response? They have "decided to treat this as a normal product enhancement request and not a security problem".

Safari - not recommended here.

Friday, May 23, 2008

Security Dawg Reading

Found this on the State of California web site: "Maximum Search Relevancy : Webmaster Best Practices". Good information, especially if you run a web site or two (even just a blog).

Link here (pdf): http://www.webtools.ca.gov/Search_Service/pdf/BestPractices.pdf

The state's Government Online for Responsible Information Management site has some other good info about Information Security here: http://www.oispp.ca.gov/government/go_rim/default.asp

Interesting reading for a Security Dawg.

Friday, May 2, 2008

Protecting Your Laptop Data From US Customs

Do any international travel? Bring along your laptop or cell phone? Got any trade secrets or private information on there? Trying to get back into the US?

Did you know that the US Customs and Border Protection guys can clone your hard disk or phone data, and you can't stop them?

Here's the first sentence from the Electronic Frontier Foundation: "The Ninth Circuit's recent ruling (pdf) in United States v. Arnold allows border patrol agents to search your laptop or other digital device without limitation when you are entering the country." Full story here: http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t

Another example of the erosion of our privacy here in the US.