My advice for other email admins that find someone inside spamming

Subject: Re: [ms-exchange-l] how to stop a user in our domain sending spam?

We’ve had lots of problems with students (and some faculty and staff) responding to phishing emails with their usernames and passwords.  The spammers typically login through our webmail hosts in the middle of the night and generate the spam.

We actively block every phishing email reply address on our mail gateways (we use BorderWare appliances), and I look for responses to every phishing email as well.  I also have an AOL feedback loop set up so I can see if an account is running amok.  I also check the postmaster account daily to be sure we aren’t getting complaints – and our network team monitors the abuse address.  If you don’t have these addresses for your domain, set them up.

I examine the headers on every phishing email we receive and forward them to the postmaster and abuse addresses for the server domain that actually sent the mail.  These are typically coming from a compromised account on someone else’s system, and frequently have forged From or Reply-To addresses, so you have to look at the hostnames of the SMTP relay points.  Most webmail systems include message headers identifying the IP address of the original connection – rather educational!
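Here is an added example (not part of the original post) of the header triage described above: it walks the Received: trail of a constructed phishing message to find the relay that handed it to us (whose postmaster@/abuse@ gets the report), the originating client IP recorded by the webmail system, and the mismatched Reply-To: address to block at the gateway. All hostnames, addresses and IPs in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample, not a real message: From: is forged to look internal, Reply-To:
# is a free-mail drop box, and the Received: trail shows the real entry point.
SAMPLE = """\
Received: from mx1.school.example (mx1.school.example [192.0.2.10])
\tby mailstore.school.example with ESMTP id abc123; Mon, 2 Mar 2009 03:14:07 -0500
Received: from webmail.otherschool.example (webmail.otherschool.example [198.51.100.7])
\tby mx1.school.example with ESMTP id def456; Mon, 2 Mar 2009 03:14:05 -0500
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby webmail.otherschool.example with HTTP; Mon, 2 Mar 2009 03:14:01 -0500
X-Originating-IP: [203.0.113.42]
From: "Helpdesk" <helpdesk@school.example>
Reply-To: account.verify@freemail.example

Please reply with your username and password.
"""
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Relays prepend Received:, so reverse to walk oldest-first (client ... our gateway)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            ip = IP_RE.search(m.group(2) or m.group(1))
            hops.append({"from": m.group(1), "by": m.group(3), "ip": ip.group(1) if ip else None})
    return hops

def originating_ip(raw):
    """Webmail systems usually record the client in X-Originating-IP; else use the oldest hop."""
    m = IP_RE.search(message_from_string(raw).get("X-Originating-IP", ""))
    hops = received_hops(raw)
    return m.group(1) if m else (hops[0]["ip"] if hops else None)

def sending_relay(raw, our_suffix):
    """Newest hop that is not one of our hosts: report to postmaster@/abuse@ of its domain."""
    for hop in reversed(received_hops(raw)):
        if not hop["from"].endswith(our_suffix):
            return hop["from"]
    return None

def phish_reply_address(raw):
    """A Reply-To: on a different domain than From: is the address to block at the gateway."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    return reply if reply and reply.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1] else None
```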

When I find an account that has been compromised, either by seeing a reply to a phishing email or by finding that an account is sending spam, the first thing I do is change the account password, and then I make sure the user doesn’t change it back to the same thing (a future password policy will prevent that stupidity!).  I log directly into the mailbox as the user and make sure there are no rules: several of the spammers have set rules to automatically delete _all_ incoming mail to the mailbox to hide their tracks, since they typically generate thousands of bounces, and more than a few venomous (really unnecessarily nasty) replies.

For those of you who haven’t seen it – here’s what they do:
1)  Access the mailbox and send a test message to some outside address.
2)  If possible, change the reply and from addresses for the mailbox to something they have setup, typically a mailbox on gmail, yahoo or hotmail.
3)  Change the autosignature to their message.
4)  Create the messages one at a time by copying in hundreds of addresses to the bcc: field.

Do the math – in just a couple hundred messages they can send tens of thousands of messages!

We’ve tried to limit the number of recipients – they just send test messages with different numbers of recipients until they don’t bounce back!  This also messes with Active Directory based distribution lists.

We’ve had some success reducing this problem by doing the following:
1) Repeated announcements that we don’t ask for username and passwords.  We don’t need to!  It’s amazing how gullible people can be, and they don’t look at reply addresses when they see a message.  They also don’t notice misspelling, bad grammar, and internal organizations that don’t exist.  The phishers are now starting to use webforms to collect the information.
2) Limit ability to change from and reply addresses.  Not as much of a problem for Exchange and OWA, but other webmail clients are VERY flexible, as are most all POP3 and IMAP clients.
3) More announcements that we don’t ask for passwords!
4) Encourage reporting of phishing emails – several key contacts get nearly all of them.
5) Aggressive blocking of phishing email replies.
6) Reminders to anyone that gives their password away that we didn’t ask!

I actually haven’t seen much virus generated spam coming from our network.  If you have that issue, you should strongly consider closing port 25 outbound on your firewall except from your Exchange servers, and make sure that you don’t allow relay on your mail servers either, except from authenticated SMTP sessions.  Definitely make sure that any server with port 25 open to the outside does not have open relay – that will get you blacklisted.

If you do have virus generated spam coming from your network, strongly consider:
1) Get a campus license for anti-virus software, and a clean access monitoring tool to make sure it gets installed.  You can negotiate ridiculously cheap prices for licenses (on the order of $2 per student!)
2) Force Windows Updates to be applied (with exceptions for clients that beg) for all domain computers using group policy.
3) Force domain authentication using RADIUS for wireless connections.
4) Use an imaging system like Deep Freeze for classroom, lab and library computers to counter open access infections.

Most of the botnet networks that generate spam reside on unpatched systems or systems without current or active antivirus.

A link monitoring web proxy system would be useful to stop people from clicking on infected links from spam mail.  We don’t have one, yet, and have cleaned lots of “Antivirus 2009” and the like from our clients.

I hope this helps!
-JFS

John F. Schroeder
Email/Communications Analyst
College of Charleston, Charleston SC

Vista and Adobe Updater

Ever since I upgraded to Vista, I’ve had trouble with automatic updates to Adobe products.  Since I was rebuilding my tablet PC to use Vista, I figured I would find out what was going on.

The problem, in a nutshell, is that Adobe Updater would report that updates were available for Reader, but when I tried to apply them, Updater would fail and/or report an error like “Invalid Drive U:\”.  My Documents are redirected to my network home directory on U:\.  I had previously found that turning off UAC or resetting my documents directory to the default location would allow me to complete the update.

Today, I found a solution.  Thanks to http://www.acrobatusers.com/forums/aucbb/viewtopic.php?id=3890.  It seems that Updater needs to run in the elevated security context of Administrator.  Administrator does have a HOMEPATH variable pointing to U:, but didn’t have anything mapped to U: (it’s not me.)

To work around this:

  1. I ran the Command Prompt as Administrator (Start-Accessories-Command Prompt, right click and choose ‘Run as Administrator’).
  2. net use – shows all drives are disconnected, no U: mapping.
  3. net use u: \\server\share\directory
  4. Run the updates from inside Acrobat (or from the tray if Updater ran automatically).

I don’t know yet if the mapping is persistent across logins.

This applies to products since Acrobat 8, in my case Acrobat 9.

Protecting yourself against the latest computer worms

The computer virus that’s being talked about all over the media lately is actually a few months old.  It’s called Conficker or Downadup.  It spreads through a few different methods, and is being mixed together in discussions with other virus infections that are prevalent.  PC World has a decent article about it: http://www.pcworld.com/article/157876/protecting_against_the_rampant_conficker_worm.html.

If you’ve got a Macintosh, you’re safe.  If you have a Windows PC, you can protect yourself by:

  1. Make sure you’re patched up to date: Start-All Programs-Windows Update, and make sure that it is running and has installed patches this month.  The virus shuts the update system down.
  2. Make sure you are running a current anti-virus program, that it has recent virus definitions, and that it has scanned your computer.  If you have Comcast or AOL, you can get McAfee free.  Symantec or Norton Antivirus are good.  A reasonable free alternative is AVG, available at http://avgfree.com.  That site ultimately leads you here to download and install: http://download.cnet.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=mncol
  3. Install MalwareBytes Anti-Malware and scan your computer.  This is the latest anti-spyware program, and runs faster and more effectively than most other programs, and it’s free!  Go to http://download.com and search for malwarebytes.  Beware of the “sponsored links” – they are frequently soundalike programs that may actually be scams.  Use this link: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol.

Be careful with USB memory drives.  If inserted into an infected machine, it may also get infected, and the virus affects the autoplay system which can trick you into opening the virus.  See http://isc.sans.org/diary.html?storyid=5695 for more information and pictures of the autoplay trick.

Some virus variations, not necessarily this one, use poisoned links for videos that try to trick you into installing updates to Adobe Flash.  If you click on a link for a video, and it wants you to install software, don’t.

You can further protect yourself by using Firefox 3 instead of Internet Explorer (IE).  Firefox is generally faster, and doesn’t support a primary method that many viruses exploit to automatically run software on your computer (ActiveX).  You are particularly at risk if you are still running IE 6 or an even older version.  IE 7 is better, but still more vulnerable than Firefox.  Get it from http://firefox.com.

The Conficker worm has been spreading for months – the latest fuss is because something might happen on infected machines on April 1 – but nobody really knows what.  If your computer is up-to-date and scanned, you’ll probably be fine.
-JFS

New Mail Filtering System!

We are in the process of installing a new mail filtering system to replace our existing SonicWall Email Security servers.  The new systems, BorderWare Security Platform and Borderware Quarantine Server, will handle all in and outbound mail filtering for the college.  They utilize new technology that promises to drop 85% or more of inbound spam when it attempts to connect to the college.  The college currently receives in excess of 1,000,000 messages per day, of which about 95% is spam.  Our current system examines each message, drops definite spam, and quarantines the remaining 15% of questionable mail in your junk box.  The new system does the same general thing, but will reject the definite spam based on a variety of criteria, without loading down the system to evaluate the message itself.  It’s called connection level blocking.

We’ll be turning on inbound filtering for edisto.cofc.edu in the next day or so.

I think you’ll find the Quarantined Email Summary that you’ll receive to be very intuitive.  If you need a little extra help, look at this document:

bqs_111_userquarantineguide

Another Thursday @ 3 session, this time about Blogging

I like to attend the Faculty Technology Sessions, which focus on various technology areas that can be used by the faculty (and us lowly staff) in furtherance of our jobs.  I kept notes at this page.

John - CBS commentator?

Why call Helpdesk?

I ran into someone I’ve helped several times recently on campus.  He was doing fine, but was experiencing a problem with his computer.  He was reluctant to call me about a relatively minor issue, so hadn’t.  I encouraged him to contact the Helpdesk (3-3375).  He responded that they would just call me, so he hadn’t called.  In this case they probably wouldn’t have called me, and his problem would probably be solved by now.

When you have a problem with your computer or a program / system on your computer, you should contact the helpdesk and open a work order.  If you aren’t willing to wait on the phone, send an email.  That’s the right way to get your problem fixed.  Plus, your issue gets logged and tracked by multiple people.

There are lots of people on campus who have identified their “go-to” people in IT or their department to solve computer problems.  I’ve heard all the gripes about calling the helpdesk, and these folks figure it’s just faster to call the person that they figure can solve their issue directly.  In that situation, one person knows about your issue, and may not be able to respond or resolve it in a timely fashion.  Of course, you just call back, or go around them to another person.

Suppose I did this:  My son Benjamin might be applying to college soon.  I’ll just identify someone in Admissions and insist that they let him in.  I don’t need to wait for an application, or go through that faceless admissions process, do I?  Maybe I’m going to need a travel advance soon.  I’ll just email the controller’s office and ask them to send me a check – no problem, right?  My office needs to be repainted – can’t I just contact a painter in Physical Plant and have them come right over?  I know what you’re thinking – that’s ridiculous.  The President of the College needs to approve repainting!

Yes, it’s true that the helpdesk is busy.  They are responsible for front-line screening of issues.  They try to understand and record what’s happening (or not), and then figure out how to get the issue solved.  In many cases, they can take remote control of your system right there on the phone and work through the problem with you.  If they can’t do that, they are responsible for assigning the issue to one of several groups of people that can help.

I’m in the Infrastructure Services group in Information Technology.  Our group is responsible for the care and feeding of about 200 servers on campus.  I’m responsible for the messaging servers (with the notable exception of student messaging [Edisto, Webmail, WebCT], which are Sue Dowd’s.)  I’m also a Microsoft expert, having dedicated much of my 30+ year career to servicing technologies and systems running their products.

While I can solve many problems, so can other members of my team, and in some cases it’s really not my job to solve them.  As an organization, IT is committed to resolving your issues, but we can’t do it well if you short-circuit the system.  All of us are supporting multiple systems, working on projects, and helping multiple people on campus.  We have far more work than we have people – a problem our managers are working to resolve.  In particular, we’ve got this major systems heart-transplant called BATTERY that has to take gobs of time from all of us for the next two years to get done.

Part of me is gratified that you think highly enough of me to believe I can solve your problem.  Hopefully, I will.  And I hate a long list of work orders in my support queue from Helpdesk – sometimes it takes awhile to solve an issue and the list nags me.  But I’ve also discovered that I don’t get recognition for doing things if they don’t get recorded in the departmental system.  My mailbox and phone are effectively private, so they don’t know what I’m doing unless I make copies.

Sorry for the rant – everything I’ve written here applies to just about everyone in IT, and probably many other groups on campus.  Thanks for listening!

Thursday @ 3 @ Addlestone sessions

I attended the first of several sessions offered by our Library and Instructional Technology folks, which they call the Thursday@3@Addlestone sessions.  This seemed like an opportune place to start using the blog, particularly when I discovered that the other people in the room hadn’t gotten their blog sites yet!

Here’s the notes from the first session.

Hello world!

Welcome to Blogs.cofc.edu. I have the dubious distinction of being one of the first College of Charleston people to use the new blog server, which I understand is going live shortly (maybe tomorrow?).

I’ll use this blog to annotate some of my projects and doings here at the College.  I’m new to WordPress, one of the more common blogging systems available, although I’ve had a blog for a few years at http://technicalsong.spaces.live.com.  I’ve also had a “vanity” website for about 10 years at http://jfschroeder.com, which I set up long before blogging was the way.

-JFS
