
Security UPDATE--Blacklists: Readers Respond--November 17, 2004


1. In Focus: Blacklists: Readers Respond

2. Security News and Features

- Recent Security Vulnerabilities

- Ten New Security Holes in Windows XP SP2?

- Policing the Airwaves

3. Security Matters Blog

- A Compromised Honeynet

- New MyDoom/Bofra Worm Variants on the Loose

4. Instant Poll

5. Security Toolkit


- Security Forum Featured Thread

6. New and Improved

- Secure IM Service




==== 1. In Focus: Blacklists: Readers Respond ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about how blacklists can help an email filter detect junk mail and thus reduce the amount of junk that reaches your inbox. Several readers responded, and this week I'll share some of their perspectives because they make good points that everyone should be aware of.

Small-business owner Evan Ross wrote that he thinks blacklists are a bad idea. He said, "We had an issue last year where Spamhaus blacklisted my ISP due to . . . another one of their customers sending spam. We were prevented from sending mail to some of our customers for up to four weeks. In direct conversations with Spamhaus, I did not find them at all responsive. I felt that they were vigilantes that held me hostage."

Stephen Canale, from the mail-filtering outsourcing company OnlyMyEmail, expresses similar sentiments, writing that blacklist providers "are not particularly responsive to correcting listing errors and generally don't mind creating collateral damage. Some even encourage this as a way to put pressure on ISPs and other hosts. Spamcop is pretty straightforward about this, saying 'The SCBL is aggressive and often errs on the side of blocking mail.' The only way to accurately stop spam without significant false positives is to use out-sourced services such as ours." OnlyMyEmail filters out junk mail and malware for individual users or entire domains.

I think these services work well--otherwise they'd go out of business relatively quickly. But I don't agree that filtering services are the "only way to accurately stop spam." My desktop-based email filter that supports the use of blacklist services works well, and I'm sure most of you have similar results. A third reader, Joe Wein, wrote: "I wholeheartedly back your recommendation of the blacklists (SBL and XBL), with which we've had excellent results so far. Spamhaus is probably the single most valuable source of IP blacklist information available today."

Joe went on to say, "I would add some reservations concerning the SpamCop list though. While it catches a lot of spam, it has a much higher false positive rate than Spamhaus and even other services. [SpamCop] itself does not recommend using it for outright blocking: 'SpamCop encourages use of the SCBL in concert with an actively maintained whitelist of wanted email senders. SpamCop encourages SCBL users to tag and divert email, rather than block it outright.'"

Joe had more to say about SpamCop: "SpamCop users frequently submit reports involving servers of their own mail accounts that are configured to forward mail to another account of theirs at a different provider, where mail is read. Because SpamCop does not follow the Received lines through [to] the real culprit, the servers of the auto-forwarding ISP end up getting listed instead of the spam source that hit the initial forwarding ISP."

Joe's next point was one that I probably didn't stress enough last week. "Because of its high [false positive] rate, the SpamCop list can only be used as one part of a scoring system, with a hit on the list weighted low enough so that false positives do not cause the loss of valid email." I think this principle should be employed when using any blacklist service.

Joe continued, "A good anti-spam solution should involve multiple strategies and combine the results, rather than relying on a single make-or-break test. A combination of IP blacklists, domain blacklists and content-based scoring (such as detecting known bulk email software and/or Bayesian filters) offers the best results overall. This multi-pronged approach has been used by SpamAssassin and also by our own desktop solution, jwSpamSpy."

Joe also informed me about another type of blacklist service, Spam Uniform Resource Identifier Realtime Blocklists (SURBLs), in which, according to the Web site, "SURBLs are not used to block spam senders. Instead they allow you to block messages that have spam domains which occur in message bodies." Joe said that because of the way SURBLs work, "Spammers can switch Trojaned boxes and open proxies as much as they want. As long as they still advertise the same Web sites, they will get caught in the filter."
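The weighted, multi-list scoring and the SURBL body-domain check described above, as an added example that is not code from the newsletter, SpamAssassin, or jwSpamSpy. The zone names are the lists' public DNS zones; the weights, the threshold, the function names, and the sample listings are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Zone names are the lists' public DNS zones; weights and threshold are assumed.
IP_ZONES = {"sbl.spamhaus.org": 3.0, "xbl.spamhaus.org": 3.0, "bl.spamcop.net": 1.0}
URI_ZONE, URI_WEIGHT, TAG_THRESHOLD = "multi.surbl.org", 3.0, 3.0

def dnsbl_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def uri_candidates(body):
    """Hostnames from http(s) URLs in the body, plus their parent domains."""
    names = set()
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        labels = host.lower().strip(".").split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels) - 1))
    return names

def dns_is_listed(name):
    """Live lookup: a 127.x answer means listed, NXDOMAIN means not listed."""
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        return False
    # 127.255.255.x is an error code on Spamhaus zones, not a listing.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")

def score_message(relay_ip, sender, body, is_listed=dns_is_listed, whitelist=()):
    """Return (score, verdict, hits); listed mail is tagged, never dropped."""
    if sender.lower() in whitelist:
        return 0.0, "deliver", ["whitelist"]
    score, hits = 0.0, []
    for zone, weight in IP_ZONES.items():
        if is_listed(dnsbl_name(relay_ip, zone)):
            score, hits = score + weight, hits + [zone]
    if any(is_listed(f"{name}.{URI_ZONE}") for name in uri_candidates(body)):
        score, hits = score + URI_WEIGHT, hits + [URI_ZONE]
    return score, ("tag" if score >= TAG_THRESHOLD else "deliver"), hits

# Constructed listings (documentation-range IPs, .example domain) for an offline run.
CONSTRUCTED = {"10.2.0.192.bl.spamcop.net", "pills.example.multi.surbl.org"}

if __name__ == "__main__":
    for relay, sender, body in [
        ("192.0.2.10", "friend@isp.example", "See you Friday."),
        ("203.0.113.5", "x@bulk.example", "Buy at http://www.pills.example/now"),
    ]:
        print(relay, score_message(relay, sender, body, CONSTRUCTED.__contains__))
```

A forwarding relay that appears only on the SpamCop list stays below the tag threshold, while a message from an unlisted relay is still tagged because the domain it advertises is on the URI list.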

Joe continued, "My main advice for people running Web sites and mail servers who want to avoid ending up in IP blacklists (other than not spamming, of course) is to pick their [ISP and hosting service] well. Make sure [the provider has] a strong acceptable use policy (AUP) and [that they] enforce it. [Perform] some due diligence and don't just go for the cheapest offer. Otherwise your business could end up paying for the [mistakes] of others [in the event that] your [ISP and hosting service] get blacklisted. If you run any mailing lists, do make sure to use confirmed opt-in for all subscriptions. Sometimes people end up getting their domains listed on URL blacklists because they paid shady online marketing companies for sending bulk email. Just because someone claims to have an opt-in mailing list doesn't mean it actually is one. Check out how long they've been around and what kind of references to them you can find on the Web. Emails from a known spam source advertising a freshly registered domain are a big red flag for us. Therefore, do some research before you pay someone to do marketing for you, or you could harm your reputation."

The same holds true for your junk-mail-filtering solutions, whether you use one in-house or an outsourced service. Check them for functionality, accuracy, reputation, support, responsibility, then choose one wisely.




==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Ten New Security Holes in Windows XP SP2?

A vendor claims that ten new security holes in Windows XP Service Pack 2 (SP2) have been discovered. If that's true, get ready to insert new patches into your patch management schedule. Microsoft recently announced a Security Bulletin Advance Notification program, which gives administrators several days' advance notice of upcoming patches; however, these new security holes were announced by security product maker Finjan Software. Microsoft says the claim might be exaggerated, but regardless, the company will protect its customers.

Policing the Airwaves

If you operate a wireless network, you probably need to monitor the security of that network to help protect both the wireless LAN and the wired LAN that it's connected to. If your business prohibits wireless devices, you might want to monitor the airwaves to make sure that policy isn't violated. To scan and monitor wireless activity, you need a specialized security tool designed for this task. That's where wireless Intrusion Detection Systems (IDSs) come in. Read this review of three wireless IDSs to learn which might work best for you.




==== 3. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

A Compromised Honeynet

Ever wonder what monitoring a honeypot might be like? The fun starts when it's compromised.

New MyDoom/Bofra Worm Variants on the Loose

New worms have been released to the unsuspecting public, and at first glance, at least one of them looks like a phishing attempt. Some vendors label the new worms as variations of MyDoom; others have chosen to name them as variations of Bofra. Regardless of the name, they're dangerous.

==== 4. Instant Poll ====

Results of Previous Poll:

What password length do you enforce on your network? The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 50 votes.

- 82% 14 or fewer characters

- 10% 15 to 24 characters

- 0% 25 to 34 characters

- 2% 35 to 44 characters

- 6% 45 or more characters

New Instant Poll:

Does your company use blacklists to help filter unwanted email?

Go to the Security Hot Topic and submit your vote for

- Yes, we use blacklists to weight a message as potential junk

- Yes, we drop all mail from addresses that appear in blacklists

- No, but we might start

- No

==== 5. Security Toolkit ====


by John Savill,

Q: What's Gpotool?

Find the answer at

Security Forum Featured Thread: Problems with EFS in XP

Simon writes that since he's installed a new digital certificate for signing his email messages, he's experiencing problems with his encrypted files. Windows doesn't use the old key to encrypt files but instead creates a new one. How can he get Windows to use the right key? Join the discussion at




==== 6. New and Improved ====

by Renee Munshi, [email protected]

Secure IM Service

Kranos Security Technologies offers MessageMate, an enterprise Instant Messaging service that incorporates digital signatures and public key encryption so that IM users can communicate securely. Administrators can set policies for users, enforcing digital signing and encryption on messages as well as enabling logging and spam and content filtering. The MessageMate desktop client includes standard features such as server stored address books, choice of online states (e.g., available, away) and folder hierarchies with colors and icons reflecting those states, and conversation printing and saving. You can also tailor the user interface to match corporate branding. For more information about the subscription-based MessageMate service, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.




This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
