OOF spam suppression

I’m a member of a number of lists, and always get blasted with Out of Office replies when I post.
There’s a handy-dandy switch introduced in E2k3 that gets rid of this annoyance.

In Exchange 2003, it is now possible to modify the Out Of Office behaviour to help in these situations. A new registry key exists that prevents the sending of Out Of Office responses unless the recipient is explicitly listed in either the TO: or CC: fields of the message. Since mailing list posts aren’t addressed explicitly to list members, the suppression of Out Of Office responses to mailing list members is achieved.

To enable this feature, add the DWORD parameter SuppressOOFsToDistributionLists with a value of 1 into the following registry location:

HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

More here.

Alex Eckelberry

Upcoming seminar on email archiving in New York

Sunbelt’s coming to the Big Apple.

You’re invited to a free seminar on Email Archiving, hosted at the Microsoft office in Manhattan on Thurs., Dec. 6, from 9 – 12.

Join Mike Osterman, president and founder of Osterman Research, Inc., a leading analyst firm on messaging, for an engaging discussion on “Implementing an Effective Email Archiving Strategy for Exchange.”

Mike will be discussing how an effective email archiving strategy can help you deal with the issues resulting from growth in email storage, new e-discovery, and privacy requirements and explain the need for organizations to automatically archive content and make it readily accessible to anyone in the enterprise that needs it – all while reducing the cost of managing messaging-related storage.

Agenda:

  • Learn how to get a handle on growing email archiving and storage issues
  • Understand the importance of compliance, eDiscovery and legal readiness
  • Discover the cost-savings benefits to proper archiving, including faster backup/restore time, knowledge management and disaster recovery
  • See a live demo of Sunbelt Exchange Archiver in action: 80% message store reduction, end-user lost email self-service, improved performance and much, much more
    When: Thurs., Dec. 6
    Time: 9:00 a.m. – 12:00 p.m. (Continental Breakfast Included)
    Cost: None
    Location: Microsoft
    1290 Avenue of the Americas, 6th Floor
    New York, NY 10104

    Click here to register.

    Alex Eckelberry

    The Kindle

    I have been a huge believer in the power of ebooks for a long time. Now, Amazon has released the Kindle.

    The technology is very cool, and it looks like it’s been well-implemented.

    However, it’s got to be the ugliest piece of hardware I’ve ever seen.

    If you’re interested, it’s worth reading the customer reviews. And watching the video.

    I’d push my wife to get it for me as a Christmas gift (even if it didn’t have a huge amount of content, the gadget pull might be strong enough), but it’s so ugly that the “tech-lust” factor is kind of ruined.

    Just compare the look of the ungainly Kindle to the sleek Sony Reader:

    [image: Sony Reader]

    [image: Kindle]

    Curious to know your thoughts.

    Alex Eckelberry

    Another fake codec: dltsolution

    Heads up on this new fake codec, dltsolution(dot)com.

    Incidentally, here’s what your system looks like after installing this thing:

    [screenshot: system after installing VirusProtect]

    As an aside, VirusProtect is removable from Add/Remove:

    [screenshot: VirusProtect entry in Add/Remove Programs]

    But good luck, it won’t get rid of everything:

    [screenshot: components left behind after removal]

    Anyway, in the case of this site, a sample binary can be found at dltsolution(dot)com/download.php?id=4082. And please — don’t touch this Trojan unless you know what you’re doing.

    Alex Eckelberry
    (Credit to Patrick Jordan)

    We’ve shipped our new email archiving tool

    Pretty nice product, if I might say so myself.

    CLEARWATER, FL–(Marketwire – November 19, 2007) – Sunbelt Software, a leading provider of Windows security and management software, today announced the release of Sunbelt Exchange Archiver, its new email archiving solution for Microsoft Exchange environments. Sunbelt Exchange Archiver (SEA) delivers cost-effective enterprise-class email archiving for organizations of all sizes, providing administrators with intelligent features such as integrated Hierarchical Storage Management (HSM), Direct Archiving for instant archival of incoming mail, full email continuity and disaster recovery, and seamless integration with Microsoft Exchange, Outlook and Outlook Web Access (OWA).

    SEA combines efficiency and innovation to give organizations a powerful email lifecycle management system that offers tamper-proof, long-term storage of emails with easy retrieval capabilities and full-text searching. SEA enables companies to preserve all electronic messages on a broad range of storage media, offloading the strain on Exchange servers.

    More company propaganda here.

    Alex Eckelberry

    Direct Revenue is dead. Sort of.

    We’ve written before about Direct Revenue’s demise.

    However, it’s still too early to say that this bugger is dead. We’re still seeing Direct Revenue binaries and sites out there.

    They have 64 known sites that are still assigned IP addresses and DNS servers, which make them active even if they cannot be accessed any longer, and 25 are active and also still registered to them under their thinkingmedia.net business name. The majority of the sites do not expire until the January through August 2008 timeframe.

    Since the end of 2005, when Direct Revenue claimed they were cleaning up their act, they went through all the servers where they stored their adware files and selectively removed only the main adware BHO DLLs, leaving all the other components up as live downloads.

    Until they let every one of their sites expire, delete all their files on the servers, and cancel their services for their sub domains, it’s too soon to say that this group has ceased operations.

    Our latest site list is here (pdf). We also have a list of active binaries we are tracking, here (pdf).

    Alex Eckelberry
    (Thanks to Patrick Jordan)

    New fake codec trojan variant — Windows and Mac

    I rather think the name of this site is fitting:

    [screenshot: bsplaycodec site]

    Pushes both Windows and Mac TrojanDNSChanger.

    Sample binaries: Mac: bsplaycodec(dot)com/download/playcodec1123(dot)dmg; Windows: bsplaycodec(dot)com/download/playcodec1123(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

    Alex Eckelberry
    (Thanks Patrick Jordan)

    Adult Friend Finder

    I loathe this site. Putting aside the dubious moral issues, it’s routinely pushed in social networking spam (such as Myspace), and it’s been advertised heavily in malware. Maybe it’s pushed by affiliates and not the company, but we’ve all heard that argument before. It’s still the company’s responsibility.

    Now it looks like the site may have been acquired — and one of the rumored buyers is Penthouse Magazine. The size of the deal might be as high as $500 million.

    Taking a look at a Wikipedia entry for the site is disturbing:

    A key feature of their online advertising system is pictures of attractive women supposedly living local to the website user. This is achieved by IP-localisation software. On the AFF website (as with many other similar sites), some advertisers (usually female) use faked details to entice others, including fake photographs. Some of the photographs known to have been used include those of well-known porn stars and similar…A velocitypress.com study showed that the male-female ratio is 10 to 1, that 2/3rds of the claimed subscribers have not visited the site for over 3 months and that nearly half of the women were angling for lesbian relationships.

    What a circus.

    I hope the acquiring company knows what it’s getting into.

    Alex Eckelberry

    New fake codec: playcodec

    [screenshot: playcodec site]

    Pushes both Windows and Mac TrojanDNSChanger.

    Sample binaries: Mac: playcodec(dot)net/download/playcodec4327(dot)dmg; Windows: playcodec(dot)net/download/playcodec(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

    Incidentally, one site doing a good job of keeping up with fake codecs is http://peki.blogspot.com/.

    Alex Eckelberry
    (Thanks Bharath)

    Some new twists in the Storm worm

    Our friends over at Secureworks, who have done some great research on Storm, pointed out some very interesting information to us recently. The spam template (which typically includes data such as a peer list, addresses to spam to, spam message content and some other data), was updated to include a list of over 1,000 Geocities domains.

    These domains include a small piece of Javascript code that re-directs to a malicious webserver:

    [screenshot: redirecting Geocities page]

    This page informs you that it is necessary to download and install a plug-in in order to view the content.

    [screenshot: fake plug-in download prompt]

    [screenshot: fake plug-in download prompt, second page]

    In reality, the “plug-in” is a variant of the dangerous information-stealing malware called Backdoor.Win32.Smalll.lu, which was first found back in late 2006. Many variants have spawned from it since, including Infostealer.Monstres, Infostealer.Banker.C, NTOS, PRG, and GPCode/Glamour (which included a file-encrypting/ransomware function).

    Stolen data from this Trojan is actively being uploaded to a server located in Turkey.

    This particular attack only appears to target Dutch/German users and doesn’t appear to be widespread. However, it is not typical for the Storm botnet to be used to spread other malware in this manner. This could indicate that the Storm herders are making the power of their massive botnet available to other malware groups.

    Adam Thomas
    Malware research

    Rogue ads pushing malware — how it works

    On Monday, eWeek wrote an article about DoubleClick displaying ads that promoted rogue antispyware. The article quoted our work.

    To clarify — it wasn’t DoubleClick that was spawning the ads (well, it was, but it wasn’t). DoubleClick sells a system called DART, which websites (called “publishers” in the world of advertising) use to manage their advertising. So if you’re looking at the URL in a packet capture, it looks like it’s coming from DoubleClick. You can see this in a video that Roger Thompson made:

    There will be more on this story later today, but quickly, here’s what’s been going on:

    • The slimeballs at Adtraff have gone out and registered buckets of sites.
    • They contact ad sales people at various websites (like the Economist, mlb.com, etc.) and buy advertising — always using wire transfer or credit cards. They play tricks, like buying ad space at the end of the month, when ad sales people are hungry for deals.
    • After the ad space is booked, they send the creative, which is always a .swf (Flash) file. It’s innocuous. In the case of the stuff that happened over the weekend, it was some ad for eMusic:

      [screenshot: eMusic ad creative]

      (There’s a live sample still up — curious researchers can download it here: m1(dot)2mdn.net/1622576/199485_1194389307_numbers-count-728×90.swf.)

    • The SWF files vary: Sandi Hardmeier observed one recently for an airline auction site.
    • Inside that Flash file are encrypted redirects to whatever site Adtraff is pushing (like the malware ad in Roger’s video above).
    • The redirect data in the Flash file does not reveal itself when the creative people at the website upload it. The redirects are triggered by time, geolocation, etc.
    • In the case of DoubleClick, many publishers use DoubleClick’s DART system, which allows them to manage the ads. The ads are uploaded into the DART system, which hosts ads on DoubleClick’s servers. Then, websites can track how many people view the ad, generate reports, etc.

      So in the case of what we saw over the weekend, it looked to researchers like the ads were coming from DoubleClick — and they were — sort of. But it was the websites themselves that were uploading the ads onto the DoubleClick system. (DoubleClick is no longer in the ad network business — meaning, they are no longer in the business of placing ads on websites, with the exception of their Performics subsidiary.)

    • DoubleClick itself is trying to filter these malicious ads, and is working on improved filters to better detect them.

    This is not a trivial problem, and the most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of tricks these people use, like giving fake references), and then keep a close eye on the advertising as it’s running (and hopefully some good tools can be developed for publishers to use to check the content of ads for malicious redirects before posting).

    Alex Eckelberry

    New fake codec site: zangcodec

    [screenshot: zangcodec site]

    Pushes both Windows and Mac TrojanDNSChanger.

    Sample binaries: Mac: zangcodec(dot)net/download/zangcodec4327(dot)dmg; Windows: zangcodec(dot)net/download/zangcodec4327(dot)exe. If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

    Alex Eckelberry


    DNS hacks the norm

    For search engine optimization and increased distribution, pornography and malware distributors commonly hack websites (interestingly, Google’s work in marking sites as “unsafe” in search results may be contributing to this trend, as it is driving malware and porn distributors to rely increasingly on hacking good sites to perform redirections to their own bad sites).

    It’s rampant. And it’s most troubling because a lot of these are happening on .edu and .gov sites. Finding these hacked sites is trivial. Simply search for terms like “sex”, “porn”, “free ringtones”, “free”, “casino”, “sesso”, “gratuito”, “porno”, “fottilo”, etc., combined with the operator site:edu or site:gov (if you’re going to do this, be very careful with these links — they often push malware). Some of the stuff is just comment spam. But plenty is real live redirects.

    What we’re also seeing is a lot of DNS hacks. For example, take the City of Plainville, Kansas (warning: graphic content):

    [screenshot: search results for the City of Plainville site]

    God what a mess. These people are so hosed it’s beyond belief. And those links push malware.

    Now, let’s take a closer look. If we do a simple DNS lookup on cityofplainville-ks.gov, we get an IP of 72.22.69.138. However, if we do a DNS lookup on, for example, 2.z.cityofplainville-ks.gov, we get an IP of 89.28.13.214. This same pattern will show itself on a number of other sites. And they are always the fault of the web hosting provider.
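A quick check for the pattern just described, written as an added example (not code from the original post): it compares the apex address with what subdomains resolve to, either specific labels such as 2.z or random labels that should not exist, so it also catches an injected wildcard record. The fake_resolve function and the /24 "related network" heuristic are constructed for the example; the two .gov addresses are the ones quoted above.

```python
"""Added example, not from the original post: check a domain for the
wildcard-DNS hijack pattern described above, where the apex resolves to the
real host but arbitrary subdomains resolve to an unrelated address."""
import ipaddress
import secrets
import socket


def default_resolve(name):
    """Resolve a hostname to an IPv4 string, or None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_wildcard_hijack(domain, resolve=default_resolve, labels=None, probes=2):
    """Probe subdomains of `domain` and report whether they resolve somewhere
    other than the apex.  `labels` lets you test specific names (e.g. "2.z");
    by default random labels that should not exist are used, which catches an
    injected wildcard record.  Hosts in the apex's /24 are treated as related
    (a heuristic chosen for this example, not a rule from the post)."""
    apex_ip = resolve(domain)
    if apex_ip is None:
        return {"domain": domain, "apex": None, "subdomain": None, "suspicious": False}
    apex_net = ipaddress.ip_network(f"{apex_ip}/24", strict=False)
    if labels is None:
        labels = [secrets.token_hex(6) for _ in range(probes)]
    hits = [ip for ip in (resolve(f"{lab}.{domain}") for lab in labels) if ip is not None]
    foreign = [ip for ip in hits if ipaddress.ip_address(ip) not in apex_net]
    return {
        "domain": domain,
        "apex": apex_ip,
        "subdomain": hits[0] if hits else None,
        "suspicious": bool(foreign),
    }


def fake_resolve(name):
    """Constructed resolver reproducing the post's lookups offline; the two
    addresses for the .gov site are the ones quoted in the text."""
    if name == "cityofplainville-ks.gov":
        return "72.22.69.138"
    if name.endswith(".cityofplainville-ks.gov"):
        return "89.28.13.214"           # injected record answers any label
    if name == "example.net" or name.endswith(".example.net"):
        return "198.51.100.7"           # legitimate wildcard pointing at the same host
    return None                         # anything else: NXDOMAIN


if __name__ == "__main__":
    print(check_wildcard_hijack("cityofplainville-ks.gov", fake_resolve, labels=["2.z"]))
    print(check_wildcard_hijack("cityofplainville-ks.gov", fake_resolve))
    print(check_wildcard_hijack("example.net", fake_resolve))
    print(check_wildcard_hijack("example.org", fake_resolve))
```

Drop the resolve argument to run it against live DNS; a legitimate wildcard that points at the site's own host is reported but not flagged.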

    Fair warning.

    Alex Eckelberry
    (thanks Francesco)

    Webinar on email archiving this Thursday

    Greg and I are holding another webinar on archiving for Exchange, featuring our upcoming product, Sunbelt Exchange Archiver.

    From our propaganda department:

    Join us for a look at Sunbelt Software’s new Exchange email archiving and compliance solution, Sunbelt Exchange Archiver.

    If you need a powerful, easy-to-use, enterprise-class email archiving tool that automatically enables you to comply with all requirements, and allows you or your end-users to transparently retrieve any archived email, then don’t miss this webinar!

    The webinar will be hosted by Alex Eckelberry, CEO and Greg Kras, VP of Product Management for Sunbelt Software on Thursday, November 15th at 2:00pm EST and will explain the features and benefits of implementing a powerful email archiving solution on your Exchange Server at an affordable price.

    Learn how Sunbelt Exchange Archiver can help you:

    • Improve Exchange performance
    • Eliminate PST headaches
    • Dramatically reduce backup times
    • Use up to an 80% smaller message store
    • Meet compliance requirements
    • And more

    When: Thursday, November 15th, 2007 2:00 PM EST

    To register for this event, click here.

    Alex Eckelberry

    eEye comment spam

    This is kind of a bummer: A really good, very reputable security vendor is doing comment spamming. I did contact them the last time I saw this, thinking it might be a Joe job. Unfortunately, I didn’t get a clear answer. In fact, I got a response which indicated an affirmation of sorts.

    [screenshot: eEye comment spam]

    The tech guys at eEye couldn’t possibly condone this type of activity. I know marketing departments (even mine) are sometimes not completely aligned with the mission of the company, and let’s hope this is only temporary.

    Alex Eckelberry

    Some more fake codec sites

    gneprogram(dot)com
    ndcperformance(dot)com
    mzdsoftware(dot)com
    pkbsolution(dot)com
    zerocodec(dot)com

    As is the case with fake codecs these days, the binaries are hidden and getting them depends on where the developer hides them. With certain sites, you can often get a sample through /download/(sitename).exe (there are always more binaries in the same directory as well, each numbered for affiliates). For other codec sites, /download.php?id=4082 will get a binary (that number is just an affiliate ID — other numbers work as well). If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.

    Alex Eckelberry
    (Thanks Bharath)

    A culture of fear: Japanese traveler removed from train for taking pictures

    Our post-9/11 culture of fear is not having the best effects on our economy. And this depressing story, of a foreign traveler removed from a train for taking pictures, is just another sad highlight as to why:

    The police speak through the interpreter, with the impatience of authority. “The conductor asked this man three times to discontinue. We must remove him from the train.” The traveler hears the translation, is befuddled. Hidden beneath the commotion is a cross-cultural drama. With the appearance of police officers, this quiet visitor is embarrassed to find he is the center of attention. The officers explain, “After we remove him from the train, when we are through our investigation, we will put him on the next train.” The woman translates. The passenger replies, “I’m meeting relatives in Boston. They cannot be reached by phone. They expect me and will be worried when I do not arrive on schedule.” “Our task,” the police repeat, “is to remove you from this train. If necessary, we will do so by force. After we have finished the investigation, we’ll put you on another train.” The woman translates. The traveler gathers his belongings and departs.

    Link here (via Schneier).

    Alex Eckelberry