Security UPDATE--Fight Spam with Blacklists--March 1, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.


St.Bernard Software


1. In Focus: Fight Spam with Blacklists

2. Security News and Features

- Recent Security Vulnerabilities

- Over 45,000 New Malware Threats Discovered in 2005

- Phishing Sites Increase Significantly in December 2005

- Combining LogParser and Sed

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- Share Your Security Tips

4. New and Improved

- Block Bots and Other Web Malware


==== Sponsor: Availl ====

Ensure instant access to files at all remote servers and eliminate 95% of your network traffic.

Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs?

Get a free software trial, and register for the free seminar.


==== 1. In Focus: Fight Spam with Blacklists ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'd guess that the biggest spam headache we all face is false positives--messages that are inadvertently flagged as spam. False positives can be a significant problem, particularly for businesses. After all, you don't want business associates to think you're ignoring them.

I recently wrote in the Security Matters blog about my findings with one particular mail server's various filters (at the URL below). The system uses a dozen filters to help eliminate unwanted email. One thing to keep in mind about filters is that what works for one entity might not work as well for another. You should try several filters and monitor your systems to determine what works best to eliminate the particular types of unwanted mail you receive.

That said, my findings for the organization in question might be interesting to you. After observing the filters process more than 254,000 messages, I found that the most effective one for this particular organization is a simple language filter. The filter drops messages written in character sets that aren't used by the organization. Language filters might not be appropriate for every business, particularly those that have international relations, but many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP blacklist filters query blacklist service providers about a given IP address, including the address of the message sender and any addresses that relayed a particular message along its delivery route. If the result of the query shows that the IP address is on the service provider's blacklist, then the probability is high that the message is spam. Some blacklist service providers also track addresses that are known to send viruses, Trojan horses, worms, back doors, and other sorts of malware. These blacklists can be useful in helping you keep such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used by the organization that I wrote about, so I thought I'd share those names here. The list of blacklist service providers is ordered based on the success rate of discovering blacklisted IP addresses:

Another type of blacklist filtering is simple Uniform Resource Identifier (URI) filtering. Message content is scanned to locate all URIs in the body. Then those URIs can be checked against URI blacklist services to see whether any belong to known spammers. At the time I conducted my tests, I knew of only one URI blacklist provider, Spam URI Realtime Blocklists (SURBL), whose DNS address is Since then, I've learned about another URI blacklist service provider, URIBL.COM, whose DNS server address is I just started using URIBL.COM last week, so I'm not yet sure how well it performs.
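As an added illustration (not code from the newsletter or the blog it cites), here are both lookups described above in Python: relay addresses are taken from the Received: headers, each is reversed into a DNSBL query name, and the hosts of URIs in the body are reduced to a domain and queried against a URI blacklist zone. The zone names, the listed entries and the sample message are constructed placeholders standing in for real DNS answers, so it runs without network access.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for the DNS answers an IP blacklist and a URI blacklist would give.
# Zone names are placeholders, not the real SURBL or URIBL.COM zones.
IP_ZONE = "ipbl.example.invalid"
URI_ZONE = "uribl.example.invalid"
FAKE_DNS = {
    "7.100.51.198." + IP_ZONE: "127.0.0.2",          # relay IP that is listed
    "cheap-pills.example." + URI_ZONE: "127.0.0.4",  # linked domain that is listed
}
# Hops inside our own network are never sent to a blacklist (RFC 1918 and loopback only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended (198.51.100.7 -> 7.100.51.198.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def relay_ips(msg):
    """IPs from every Received: header, newest hop first, minus our own network."""
    ips = [ip for hdr in msg.get_all("Received", []) for ip in RECEIVED_IP.findall(hdr)]
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)]

def body_hosts(msg):
    """Hosts of all http(s) URIs in the body, cut to the last two labels (a real filter
    uses a public-suffix list so that names such as example.co.uk survive intact)."""
    return sorted({".".join(h.lower().split(".")[-2:]) for h in URL_HOST.findall(msg.get_payload())})

def check_message(raw, dns=FAKE_DNS):
    """(kind, value, answer) for each relay IP or linked domain the blacklists list."""
    msg = message_from_string(raw)
    queries = [("ip", ip, dnsbl_name(ip, IP_ZONE)) for ip in relay_ips(msg)]
    queries += [("uri", h, h + "." + URI_ZONE) for h in body_hosts(msg)]
    # A listed name resolves to a 127.0.0.x address; an unlisted one is NXDOMAIN (None here).
    return [(kind, value, dns[name]) for kind, value, name in queries if name in dns]

# Constructed message: an internal hop, then a listed external relay, then the origin host.
SAMPLE = """Received: from gw.example.com ([192.168.0.5]) by mail.example.com
Received: from relay.example.org ([198.51.100.7]) by gw.example.com
Received: from [203.0.113.44] by relay.example.org
From: sender@example.org

Visit http://www.cheap-pills.example/now or http://legit.example/ today.
"""
```

Swapping `FAKE_DNS` for a real resolver call (and the placeholder zones for a provider's published zone) turns this into a working pre-filter; the 127.0.0.x return value tells you which of the provider's lists matched.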

Keep in mind that blacklist filters can also produce false positives. However, most people agree that using a blacklist filter is highly effective. Other types of filters you might investigate or write your own scripts for are ones that check for weird spelling patterns (such as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for standards compliance.

For an explanation of how blacklist filters work, see "Dynamic Blacklists Demystified," at the first URL below. For links to other articles about blacklist filters on our Web site, use the second URL below.

Jeff Makey publishes a monthly report that shows which IP blacklist services perform best for his environment. Bookmark his report page URL (listed below) and check out the report once in a while--over time, you might learn about new IP blacklist service providers that you didn't know existed.


==== Sponsor: St.Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Over 45,000 New Malware Threats Discovered in 2005

According to Panda Software, more than 123 new malware threats were discovered every day in 2005. That adds up to more than 45,000 new malware threats being discovered last year. The figures represent a 240 percent increase over 2004, in which some 13,000 new threats were recorded by the company. Panda thinks there's a specific reason for the trend. Read about it in this news article on our Web site.

Phishing Sites Increase Significantly in December 2005

The Anti-Phishing Working Group (APWG) published its Phishing Activity Trends Report for December 2005. According to data gathered by the group, more than 7197 new phishing sites were created in December 2005 and attacks are becoming more sophisticated.

Combining LogParser and Sed

Scrolling through the Windows event logs for specific information can be burdensome, and most administrators probably review the logs only when something bad happens or when something is broken. In this article on our Web site, Jeff Fellinge shows a method for extracting interesting data from event logs by using LogParser and parsing the data by using Sed.


==== Resources and Events ====

Dev Connections provides world-class education for developers, architects, DBAs, and IT professionals.

*WinConnections (2 conferences for the price of 1): April 9-12, 2006, Orlando, Florida,

*DevConnections (4 conferences for the price of 1): April 2-5, 2006, Orlando, Florida,

*DevConnections Europe coming to Nice, France, April 24-27, 2006. EARLY BIRD SPECIAL ends 1 March!

Learn why new features in Windows Server 2003 R2, including large clustering, increased RAM, and 64-bit support, make it the ideal platform for your collaboration tools. Live event: March 28; 12:00 pm EST

Find out what policies help or hurt in protecting your company's assets and data. View this on-demand seminar today!

Learn how to leverage new features in SQL Server 2005 to extend your existing backup and restore capabilities. View the on-demand Web seminar now!

Implement real-time processes in your email and data systems--you could also win an iPod Nano!


==== Featured White Paper ====

Get the tips you need to prepare for and comply with the PCI Data Security Standard, including how to define the 12 major requirements and how those requirements affect IT.


==== Hot Spot ====

Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches

Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM solution to offer Cyclades AdaptiveKVM(TM) technology that combines Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over IP access. Download Cyclades AdaptiveKVM white paper at and visit us at FOSE 2006 Washington, D.C., March 7-9, Booth 2807.


==== 3. Security Toolkit ====

Security Matters Blog: How to Nip a Little More Spam in the Bud

by Mark Joseph Edwards,

Most spam filtering systems do a good job of tagging spam, but many can be tweaked for better detection and better performance. I ran a test on more than 254,000 email messages to see which filters work best. My tests were conducted against live incoming email on a legitimate mail server. Read what I found in this blog article.


by John Savill,

Q: How can I use a script to delete a computer from a domain?

Find the answer at

Security Forum Featured Thread: Running WSUS

A forum participant would like to establish Windows Server Update Services (WSUS) on his Windows Server 2003 backup server. He knows that WSUS requires Microsoft IIS and wonders whether he should use a dedicated server and whether there are any related security concerns. Join the discussion at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

VIP Subscribers have it all!

Become a VIP subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CD-ROMs per year that contain the entire article database. Don't miss out--sign up now:

Save 44% Off the Windows Scripting Solutions Newsletter

For a limited time, order Windows Scripting Solutions and SAVE up to $30 off the regular price. You'll get 12 helpful issues loaded with expert-reviewed downloadable code and scripting techniques, as well as hundreds of tips on automating repetitive tasks. You'll also get FREE, unlimited access to the full online scripting article database (more than 500 articles). Subscribe now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Block Bots and Other Web Malware

Websense announced enhanced features in Websense Web Security Suite 6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are scheduled to ship in Q2. The new versions of the Web security and Web filtering software will block access to Web sites that host bot command-and-control centers, eliminate non-HTTP bot network traffic, block the launch and spread of bots, and extend protection to mobile employees. Websense also launched Websense Web Protection Services. Comprising three security services--SiteWatcher, BrandWatcher, and ThreatWatcher--Websense Web Protection Services give Websense Security Suite customers a view of their Web servers and external-facing Web sites and protection of customers' online brand. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
