Hosted Mail Security

Paul Wood | November 19th, 2009
This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services. As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet. The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes, where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. First, the body of the e-mail is simply an image (of a fake newspaper article), to try to get past text-based signatures. Second, the image itself is a link to a Twitter account, an attempt to get past link signatures, as Twitter is a legitimate site that couldn’t be stopped...
0 comments
Paul Wood | November 18th, 2009
This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead. We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware, and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few. That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions. 2010 Security...
1 comment
georgepr | November 12th, 2009
Hi, We have certain domains that only receive email from certain geographic regions, is there a way to either exclude or include entire regions? We would be interested in simply blocking all traffic from Russia, China, Africa, etc... Thanks
3 comments
georgepr | November 12th, 2009
We are inundated with Viagra emails and they ARE spam; many of them come from China. We have attempted to configure the settings to stop them to no avail. The From fields are often set up like this: VIAGRA ® Reseller [username@domain.com], where username and domain are our INTERNAL username and domains... The content is something like this in the body: Can't see everything? Visit online version here. <http://fe454.mimihxc.cn/> We want to block this content and have tried everything to stop it but can't. How do we stop it? Forwarding hundreds if not thousands of these emails to gsubmit has been USELESS! Please advise, and thanks
3 comments
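The pattern georgepr describes (a From: address in the customer's own domain, arriving from an outside host, with a link to a .cn domain) is one that can be checked mechanically before it ever reaches the filter vendor. The following is an added example, not code from this thread or from any Symantec product: a small Python heuristic that parses a constructed message in that shape and a constructed legitimate internal message for contrast. The internal domain (example.com), the internal address ranges (10.x, 192.168.x) and the relay addresses in the Received: lines are assumptions made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for the example: our own mail domain and the address ranges
# our own MTAs connect from. Replace with real values before use.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NETS = ("10.", "192.168.")

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample modelled on the post: the From: claims one of our own
# users, but our edge MX (mx.example.com) accepted it from an outside host
# and the body carries a .cn link. 203.0.113.77 is a documentation address.
SPOOFED = """\
Received: from mx.example.com (mx.example.com [10.0.0.5]) by mail.example.com
Received: from mimihxc.cn (unknown [203.0.113.77]) by mx.example.com
From: VIAGRA Reseller <jsmith@example.com>
To: jsmith@example.com
Subject: Can't see everything?
Content-Type: text/plain

Can't see everything? Visit online version here.
<http://fe454.mimihxc.cn/>
"""

# Constructed legitimate internal message for contrast: every hop is ours.
LEGIT = """\
Received: from mx.example.com (mx.example.com [10.0.0.5]) by mail.example.com
From: Jane Smith <jsmith@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

Noon works for me.
"""


def entry_ip(msg):
    """Walk Received: headers newest-first and return the first connecting IP
    that is not one of our own MTAs, i.e. the host that handed us the message.
    None means every hop was internal (the message never left our network)."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(str(received))
        if m and not m.group(1).startswith(INTERNAL_NETS):
            return m.group(1)
    return None


def link_hosts(msg):
    """Hostnames of http(s) URLs in the text body (plain preferred, else HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [h.lower() for h in URL_HOST_RE.findall(text)]


def classify(raw):
    """Return a list of reasons to treat the message as spam (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    origin = entry_ip(msg)
    # An internal sender whose message entered from outside is a spoof unless
    # the outside host is an authorised relay (none are assumed here).
    if from_domain in INTERNAL_DOMAINS and origin is not None:
        reasons.append(f"From: claims internal domain {from_domain} "
                       f"but message entered from {origin}")
    cn_hosts = [h for h in link_hosts(msg) if h.endswith(".cn")]
    if cn_hosts:
        reasons.append("body links to .cn host(s): " + ", ".join(cn_hosts))
    return reasons


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, "->", classify(sample) or "clean")
```

The first check is the one that matters: a message whose From: is in your own domain but which arrived over the public internet rather than from your own MTAs (or a relay you have explicitly authorised) is spoofed regardless of content, so a gateway rule on that condition stops this run even after the spammer changes the link domain.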
Daren Lewis | November 11th, 2009
This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst. Researchers at the FireEye intelligence lab recently decided to attempt to take down the Mega-D botnet after doing detailed analysis of its inner workings. It seems their actions have been very successful indeed, as our monitoring shows a huge decline in this previously prolific botnet’s activity. Mega-D was the botnet that took the biggest advantage of the takedown of the McColo ISP in November 2008, becoming the biggest of all the spam botnets. Since then, others (such as Rustock, Bagle, Grum, and Cutwail) have gained strength, but Mega-D has consistently been in the top 10 spam bots. Or at least it was, until the 4th of November, when it was hit, and hit hard. This shows the number of unique IPs seen on our systems on a daily basis for the Mega-D botnet. Normally between 600 and 1600 IPs are seen each day, but you can see quite clearly that after the 4th it plummeted down to...
0 comments
Daren Lewis | November 5th, 2009
Posted on behalf of Dan Bleaken, Malware Data Analyst. MessageLabs Intelligence has been tracking a new botnet, ‘Festi’, since the beginning of August. Gradually, Festi has steadily increased its output of spam from virtually insignificant volumes up to 3-6% of daily spam. In terms of spam volumes, 3-6% is estimated at a massive 1.5-3 billion spams per day globally. This increase in output has been achieved both by gradually increasing the amount of spam sent from each Festi bot and by recruiting new bots to the botnet. At the moment it is spewing out 2 variants of spam. The first variant is ‘male enhancement‘ type mails containing .cn domains, leading to a Canadian Pharmacy website. Typical subjects include: Paradise in your bed; Very-very Magic Stick; Strong stick; Magic stick; Hard stick tonight; All night long. The other variant is geared more towards the Christmas product spamming season: it is watch spam...
0 comments
Daren Lewis | November 2nd, 2009
This post is made on behalf of my colleague Nicholas Johnston. On 27 October, MessageLabs Intelligence began tracking a small number of spam emails that included links to the popular online file transfer service, YouSendIt.com. In the latest examples, the files that were being distributed were word-processing documents that contained advanced-fee fraud lottery scams. MessageLabs Intelligence will continue to monitor this activity. YouSendIt and other similar file transfer services are used legitimately by many users to send large files via the Internet where it may not be appropriate or possible to send them as an email attachment, for example if the file is too large. This is another example of the bad guys turning to online services in order to exploit the use of their reputable services and bypass traditional anti-spam countermeasures that consider the reputation of domain names contained in hyperlinks used in email messages in order to determine the likelihood of the message being...
0 comments
kosmachev | November 2nd, 2009
Hi. I have SMSSMTP installed on a Windows Server 2003 box. A few days ago I moved the jlu_downloads directory to another disk. Since that time I can't start the SMS Sync Server service. If I start it manually it starts and immediately stops. There are no errors in the System or Application logs except this message:

The description for Event ID ( 105 ) in Source ( Ensure Synchronization Server ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: .

And I've found these messages in ensure.log.2:

[ 2009/11/02 16:10:59:886 ] 000003BC Controller | Controller created
[ 2009/11/02 16:10:59:886 ] 000003BC Controller | Version number 3.7.1
[ 2009/11/02 16:10:59:886 ] 000003BC Controller | Success loading URM configuration file
[ 2009/11/02 16:10:59...
0 comments
David Krauss | October 26th, 2009
Sometimes it takes multiple views to really bring a subject into focus. For financial institutions looking to improve their data protection operations, the findings of the latest Symantec Internet Security Threat Report, Managed Security in the Enterprise Report, and State of the Data Center Report shed light on an increasingly important trend: the decision to outsource IT security. This article shows how the growth in cyber attacks, mounting losses, the difficulty of providing security, and staffing issues are creating the impetus for IT to adopt managed security services.

Unprecedented attacks

By any measure, 2008 was a banner year for cyber-criminals. In fact, if the latest Internet Security Threat Report is any indication, cyber-criminals have never been busier. According to Volume XIV of the report, issued in April, attackers released Trojan horses, viruses, and worms at a record pace in 2008, primarily targeting computer users’...
5 comments
Daren Lewis | October 15th, 2009
After spending some time analysing the mail bomber tool downloaded from spamfordz [dot] com, here is some of the interesting information we noticed.

Fig. 1: Files contained in the tool package

To get this to work, one needs to upload the files (as shown in Fig. 1 above) to a web server and open the index.html file, which opens the mail bomber form as shown below.

Fig. 2: Mail Bomber form

As the form shows, one just needs to follow the easy steps like entering the victim’s email address, From name, etc., and hit the ‘Do It!’ button, and the job is done. Is it that simple? Before answering the question, let’s take a look at what it actually does behind the ‘Do It!’ button. After hitting the ‘Do It!’ button, it actually opens the file bmb.php, which is contained in the mail bomber package, as shown in Fig. 1. What does the file contain? After opening it with Notepad, we see that there are some base-64 encoded strings, as shown in Fig. 3. ...
0 comments
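The base-64 strings the analysis found in bmb.php are the usual way such PHP kits hide what they actually do, typically as eval(base64_decode('...')) wrapped several layers deep. Below is an added example, not the tool's code and not code from the post: a Python routine that peels those layers off a PHP source file and reports which dangerous PHP functions the innermost layer calls. SAMPLE_PHP is constructed here by encoding a harmless single mail() call twice; it is a stand-in for the real bmb.php, whose contents the post does not reproduce.

```python
import base64
import re

# Matches a base64_decode('...') or base64_decode("...") call whose argument is
# a literal; the blob may be folded across lines, hence \s in the class.
B64_CALL_RE = re.compile(r'''base64_decode\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)''')


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for bmb.php: one harmless mail() call, wrapped in two
# eval(base64_decode(...)) layers the way such kits usually ship.
# This is NOT the real file from the post.
INNER = "$to = $_POST['victim']; mail($to, $_POST['subj'], $_POST['body']);"
LAYER1 = "eval(base64_decode('" + _b64(INNER) + "'));"
SAMPLE_PHP = "<?php eval(base64_decode('" + _b64(LAYER1) + "')); ?>"


def peel(source, max_depth=10):
    """Return the decoded layers, outermost first, stopping when no
    base64_decode literal remains, a blob fails to decode, or max_depth is
    reached (guards against a wrapper that re-emits itself)."""
    layers = []
    current = source
    for _ in range(max_depth):
        m = B64_CALL_RE.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        current = decoded
    return layers


# PHP functions whose presence in a decoded payload an analyst wants flagged.
DANGEROUS = ("mail", "eval", "system", "exec", "shell_exec", "fsockopen", "passthru")


def dangerous_calls(source):
    """Sorted names from DANGEROUS that are called in the innermost decoded
    layer (or in the source itself when nothing was encoded)."""
    layers = peel(source)
    innermost = layers[-1] if layers else source
    return sorted(f for f in DANGEROUS if re.search(rf"\b{f}\s*\(", innermost))


if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE_PHP)):
        print(f"layer {depth}: {layer}")
    print("calls:", dangerous_calls(SAMPLE_PHP))
```

Run peel() over the real file and read the innermost layer rather than trusting the form's labels; the decode is purely static, so nothing in the kit is executed. Kits that use gzinflate() or str_rot13() on top of base64 need the corresponding transform added to the loop.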
Paul Wood | October 14th, 2009
This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services. AutoIT, a free automation language for Windows platform-based development, is often used for scripting Windows-based applications and sometimes misused for creating malware. AutoIT scripts can be compiled into a compressed, standalone executable which will run without an interpreter. Aut2Exe is the application used to compile an AutoIT script into a standalone executable. Most of the malware based on AutoIT is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list. MessageLabs Intelligence recently discovered an AutoIT Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is sent in the form of an enticing message containing...
0 comments
Paul Wood | October 6th, 2009
Further analysis of Rustock reveals some interesting insights regarding how it seems to have settled into a remarkably predictable pattern of spamming in the last few months - so regular that it may be possible to set your watch by it! Every day at 8 a.m. GMT (3 a.m. ET) it begins to send out spam emails, continuing throughout the day, peaking at about midday GMT (7 a.m. ET), and then ceasing spamming at midnight GMT (7 p.m. ET). It then rests for about eight hours, before the cycle begins again the following day.

Figure 1 - Rustock's New, Regular Spamming Pattern

Figure 2 - Typical Spam Output from Cutwail

This pattern of spamming for Rustock (Figure 1) began around July 6-12, 2009. Prior to that, Rustock was spamming in much bigger bursts, but less frequently, roughly two weeks on followed by two weeks off. Analysis of the other major botnets sending spam reveals that there is no other botnet with such a regular cycle; they often...
0 comments
Daren Lewis | September 29th, 2009
Botnets are now responsible for distributing 87.9% of all spam, an increase of 2.9% since Q2 2009. With approximately 151 billion unsolicited messages each day being distributed by compromised computers, understanding who is responsible for such unprecedented levels is always of interest as, much like the threat landscape, the botnet landscape is ever changing. As highlighted in the latest analysis from MessageLabs Intelligence, the largest botnet now appears to be Rustock with an estimated 1.3 million to 1.9 million compromised computers in its control. However, estimated at half Rustock’s size, the most active botnet in terms of spam distribution is now the little-known botnet, Grum. Both Grum and another botnet called Bobax have overtaken Cutwail as the most active spam-sending botnets, currently responsible for 23.2% and 15.7% of all spam respectively. Although significant in their own rights, their size and power highlight the dominance that Cutwail had in June 2009, when...
0 comments
Daren Lewis | September 25th, 2009
We've taken a closer look at spam on a regional/city basis in five large markets for September 2009. Just as we see differences in spam rates between countries, we often see significant differences within countries: the areas that are subjected to the highest levels of spam are generally those locations that are populated with a higher density of small-to-medium sized businesses. Similarly, the least spammed places are often home to some of the largest companies. Between four million and six million computers scattered across the globe have been compromised by cybercriminals without the user’s knowledge. These computers now form robotic networks - botnets - which are controlled by cybercriminals and used to send out more than 87% of all unsolicited mail, equating to approximately 151 billion emails a day. The global spam rate for September 2009 is 86.4 percent, but Canadian businesses are receiving more than their fair share, with levels reaching 90.6 percent. Spammers have...
0 comments
Jeff Vandervoort | September 13th, 2009
Prelude

Initially, I wrote this about Backup Exec, because that's where I ran into this problem. I'm also a SAV & SEP veteran but don't recall seeing this heinous language in their KB articles. So maybe it's a Veritas thing. But, whatever... ...then it occurred to me that while BE may (or may not) be the only Symantec enterprise product to which the symptom applies, the cure is universal. Because it bridges a huge gap between the goals of Symantec Sales, Support, Connect, Knowledge Base, and Product Managers. So I've taken the unusual-and-hopefully-not-presumptuous step of tagging it to all available products. It is global. That kinda makes it Ideas spam, I know. Never done it before; probably never will again. Hope you can forgive me!

Don Quixote Battles Symantec

Two KB articles I've browsed recently contain variations on this boilerplate (emphasis mine): "There are currently no plans to address this issue by way of a patch or hotfix in the...
15 comments
prvnrk | September 11th, 2009
Hello, We are running "Symantec Mail Security for SMTP 5.0" in our environment, integrated with a UNIX-based messaging server. I would like all my users with an email client (e.g., Outlook) to have the anti-spam box as their "outgoing mail server" with SMTP authentication. Is it possible or not? (I did set up LDAP integration on the anti-spam box with our mail server's LDAP service.) If yes, please help me implement this. Regards, Prvn
1 comment
Prachand | August 19th, 2009
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. It improves your security management process by detecting common security misconfigurations and missing security updates on your computer systems.
1 comment
jubides | August 13th, 2009
Symantec has confirmed that the .Zipx file type is currently not supported and not able to be scanned by Symantec's AV products. Please add support for the .Zipx files to current scan engines.
3 comments
Richard-ADRA | July 16th, 2009
Hi, We use SHMS and one of our users reports that recently, all incoming mail from a listserv is being quarantined. The sender addresses are many, so it isn't practical to whitelist each one individually. The only consistent way I see to identify the listserv is that the subject line starts with "[epn]". Is there a way to whitelist based on the subject, or is there another way to allow these listserv emails through for this user? Thanks, Richard
1 comment
ironmanbox | July 8th, 2009
I have several domains using Hosted Mail Security. Over the past several weeks all have reported an increase in the amount of spam that gets through. Is this related to the merger with MessageLabs? I hope not, as the Brightmail engine did an excellent job of filtering spam. I'd hate to have to go looking for another vendor as I really was very pleased with the old HMS. Anyone seen an uptick in spam getting through as of late?
4 comments
571202126 | July 7th, 2009
I have SMTP 5.01 with Patch 201. All has been working well. Recently I noticed a problem with the mail server sending large emails or something. I noticed my bandwidth on the server rise to over 25Mbs. I then did a packet capture on the router. What I found is the server is being sent something from an IP number, then the server sends something back on port 25. When I block the IP number in the router the problem goes away. I just can't figure out what is going on. If I search in the software portal the IP number does not show. This is trashing my Internet pipe. I checked all my policies and have none that bounce. We do not and cannot use LDAP. Any thoughts. Fred
1 comment
FrazzledTech | June 30th, 2009
Hi, We have several clients that have been receiving errors when sending to Microsoft web mail accounts such as Hotmail, Live and MSN. The error they receive is:

This message was created automatically by mail delivery software. A message that you have sent could not be delivered to one or more recipients. This is a permanent error. The following address failed: <ANYUSER@hotmail.co.uk>: Validating Sender

This is happening on 3 of our client sites, and to resolve it we have set up temporary SMTP connectors using DNS to forward to these domains. Is anyone else having this issue or know how to resolve it? Thanks
2 comments
Vikram Kumar-SA... | June 28th, 2009
Symantec Global Internet Security Threat Report: Trends for 2008, Volume XIV, published April 2009. Some insight on what's going on throughout the world in terms of malware and what Symantec's response to it has been.
1 comment
TomSchroeder | June 26th, 2009
Gartner Information Security Summit, Sept 21-22, London, Royal Lancaster Hotel, UK. Visit Symantec - the Premier Sponsor at the Gartner Information Security Summit - and learn how you can protect and manage today’s ever-growing variety of endpoints and systems: smartphones, laptops, mail servers, gateways, and more. The Gartner Information Security Summit will give you the information you need to create a layered approach combining risk management and compliance, secure business enablement and infrastructure protection. Hear the latest analysis revealing market trends, opportunities and threats to you and your organization. Topics: Business Continuity Management, Customer Security and Privacy, Identity and Access Management, Infrastructure Protection, Managed Security Services, Mobile Security, Securing the Workplace, Security Management, Security Risk Management, Security Software. For further questions please contact Ilka Eimkemeier, EMEA Events (ilka_eimkemeier@symantec.com...
2 comments