The Trouble with SPF and email

Over the last couple of weeks it seems that some email servers are strictly enforcing the rejection of email when a domain’s email address header does not have a matching SPF record. The problem is further compounded since very few ISPs actually allow you to utilize your domain’s email server (SMTP) directly if they are not hosting your domain.

While most ISPs pass through the sender’s email address (user@yourdomain.com), the actual email header contains the address of your ISP’s SMTP service.

Microsoft was the first to begin enforcing this proposed standard a couple of years ago. The SPF proposal has yet to receive endorsement and it is not an approved standard. The proper way to handle this situation is embodied in the approach taken by Qmail and the Open Source community. Qmail does not reject email on this basis although you can patch it to do so. SpamAssassin will add a small penalty to an email’s total score but this is usually not enough to cause an email to be flagged and rejected.

The problem is further compounded when openspf.org posts a seriously misleading statement of error regarding the cause. Their recommendation is to contact your email administrator with a recommendation that the postmaster fix the email server’s configuration.

Nothing could be further from the truth. It is the email recipient’s email server that is rejecting the email. It is highly unlikely that your postmaster has any control at all of the recipient’s email server, unless they run email service for both parties.

Secondly, the fix has nothing to do with an email server. The SPF record is part of your domain service records that are served up by a DNS server, not an email server.

Of course, just try explaining that to an irate customer.

The fix is to add an SPF record to your domain records, which is accomplished by contacting your domain registrar.
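An added example (not from the original post): a small evaluator for a subset of SPF (ip4, ip6, include, all) showing why mail relayed through an ISP's SMTP host fails the recipient's check until the sending domain's DNS record authorizes that relay. The domains, addresses and the in-memory DNS_TXT table are constructed placeholders standing in for real DNS lookups.

```python
import ipaddress

# Constructed TXT records; every name and address here is a documentation placeholder.
DNS_TXT = {
    # Record that lists only the domain's own mail server.
    "yourdomain.example": "v=spf1 ip4:192.0.2.25 -all",
    # Same domain after the fix: the ISP's outbound relays are authorized too.
    "fixed.example": "v=spf1 ip4:192.0.2.25 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "nospf.example": None,  # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, depth=0):
    """Return the SPF result for the connecting IP against the domain's record."""
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            raise ValueError(f"mechanism {mech!r} is outside this example's subset")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    relay = "198.51.100.7"  # constructed address of the ISP's SMTP relay
    for dom in ("yourdomain.example", "fixed.example", "nospf.example"):
        print(dom, "->", check_spf(relay, dom))
```

The check runs on the recipient's server against the sender domain's DNS record, which is why the change has to be made in DNS rather than on either mail server.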

The biggest problem I see with this issue, besides not being totally convinced that this is a solution that can or will reduce SPAM, is that the arbitrary enforcement of this proposed standard violates one of the fundamental tenets of computer science.

DO NOT CREATE CONTENTION WHEN NONE EXISTS!

The enforcement of this proposed standard creates contention on multiple levels, the most important level is that of customer satisfaction. Customers get angry. False impressions of SPAM are created. And your customer’s customers get angry.

I would hope that openspf.org would get its act together. They are giving out a lot of black eyes and I am none too happy about it.

I fully expect to field more customer complaints when their ISP arbitrarily changes the address of their SMTP server, which happens quite frequently. If SPF is to be useful, then ISPs will need to develop a way to relay requests from their customers to their customer’s email server so that the proper email headers can be generated.

Otherwise, SPF is just a waste of time and effort.

WordPress Plugin Upgrades February 21, 2010

Admin, WordPress — admin @ 1:02 pm

We processed another batch of plugin upgrades for WordPress. The following plugins were upgraded:

  • All in One SEO Pack – Version 1.6.10.1
  • Clean-Contact – Version 1.3.3
  • eShop for Wordpress – Version 4.3.2
  • Fast and Secure Contact Form – Version 2.0.1
  • GRAND Flash Album Gallery – Version 0.39pl3
  • Page Tree – Version 2.6
  • Platinum SEO Pack – Version 1.3.2
  • Wordpress Download Monitor – Version 3.3.3.5
  • WordPress Exploit Scanner – Version 0.95
  • WP-EMail – Version 2.51
  • wp-forecast – Version 2.9
  • WP-PageNavi – Version 2.61
  • WP-SpamFree – Version 2.1.1.2
  • wp-weather – Version 0.3.8
  • WP Google Weather – Version 0.4
  • YAK for WordPress – Version 2.0.7

Enjoy!

WordPress Plugin Upgrades February 5, 2010

We have processed another batch of WordPress plugin upgrades including:

  • Clean-Contact – Version 1.3.2
  • Collapsing Pages – Version 0.5.3
  • Connections – Version 0.6.2.1
  • Contact Form 7 – Version 2.1.1
  • eShop for Wordpress – Version 4.3.1
  • Fast and Secure Contact Form – Version 2.0
  • GRAND Flash Album Gallery – Version 0.39pl2
  • Page Tree – Version 2.5
  • QuickShop – Version 2.2.1
  • Wordpress Download Monitor – Version 3.3.3.3
  • WordPress Exploit Scanner – Version 0.94
  • wp-forecast – Version 2.7
  • WP-SpamFree – Version 2.1.1.1
  • wp-weather – Version 0.3.7
  • YAK for WordPress – Version 2.0.6

Please enjoy.

OpenSSL Security Update Problems

Yesterday we received and applied a new security update contained in openssl-0.9.8l_2 designed to address “man in the middle attacks” which allow attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL.

As part of the upgrade, the shared object libssl.so.5 was deleted and replaced by libssl.so.7. Unfortunately this caused a number of services that depended on libssl.so.5 to fail. Services that were disrupted included email services, the restarting of apache2, and other services that make use of SSL or TLS connections.

Fortunately this problem was fixed by rebuilding all applications that depend on OpenSSL so that they pick up the new shared object. These applications include:

  • Apache2
  • Qmail
  • SpamAssassin
  • ClamAV
  • Curl
  • gnome-vfs
  • gnutls
  • neon28
  • nmap
  • ntp
  • openldap-client
  • p5-Crypt-OpenSSL-Bignum
  • p5-Crypt-OpenSSL-RSA
  • p5-Crypt-OpenSSL-Random
  • p5-Crypt-SSLeay
  • p5-Net-SSLeay
  • php5-curl
  • php5-ftp
  • php5-imap
  • php5-openssl
  • proftpd
  • soup
  • subversion
  • squirrelmail
  • wget

We believe we have identified and rebuilt all applications impacted and we are continuing to monitor the situation to identify other possible failures.

UPDATE: 01/16/2009

We have completed a sweep of all of the shared objects using ldd. This process identified a few more rebuilds (not listed above) to some packages not in general production use. The upgrade of OpenSSL is now complete.
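An added example (not the procedure actually run for this post): one way to do such a sweep, parsing ldd output and flagging every binary that still references libssl.so.5 or has an unresolved library. The binary paths and ldd output in SAMPLE are constructed; run_ldd shows how real output would be collected on a live system.

```python
import re
import subprocess

# Matches lines such as "\tlibssl.so.5 => not found (0x0)".
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|\S+)")

def parse_ldd(output):
    """Map each shared-object name to its resolved path (None if unresolved)."""
    deps = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group(1)] = None if m.group(2) == "not found" else m.group(2)
    return deps

def stale_binaries(ldd_by_binary, old_soname="libssl.so.5"):
    """Return {binary: [libraries]} for binaries that need a rebuild."""
    flagged = {}
    for binary, output in ldd_by_binary.items():
        deps = parse_ldd(output)
        missing = sorted(name for name, path in deps.items() if path is None)
        # A binary that still resolves the old library starts fine but keeps
        # running the unpatched code, so it is flagged as well.
        if old_soname in deps or missing:
            flagged[binary] = missing or [old_soname]
    return flagged

def run_ldd(path):
    """Collect real ldd output for one file (not used by the sample below)."""
    return subprocess.run(["ldd", path], capture_output=True, text=True).stdout

# Constructed ldd output for three hypothetical binaries.
SAMPLE = {
    "/usr/local/sbin/httpd":
        "/usr/local/sbin/httpd:\n"
        "\tlibssl.so.5 => not found (0x0)\n"
        "\tlibc.so.7 => /lib/libc.so.7 (0x28300000)\n",
    "/usr/local/bin/wget":
        "/usr/local/bin/wget:\n"
        "\tlibssl.so.7 => /usr/lib/libssl.so.7 (0x28100000)\n",
    "/usr/local/bin/oldtool":
        "/usr/local/bin/oldtool:\n"
        "\tlibssl.so.5 => /usr/local/lib/compat/libssl.so.5 (0x28200000)\n",
}

if __name__ == "__main__":
    for binary, libs in stale_binaries(SAMPLE).items():
        print(binary, "needs rebuild:", ", ".join(libs))
```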

WordPress 2.9.1 Upgrade

Admin, WordPress — admin @ 9:15 am

WordPress was upgraded to the latest version this morning. We did skip the 2.9 upgrade due to some reported problems. The upgrade requires a database upgrade when logging in as admin. I have logged into all of our WordPress sites and run the database upgrade procedure.

I have detected no immediate problems with any of our WordPress installations. If you find a problem, please let me know.

WordPress Plugin Upgrades December 28, 2009

A number of WordPress plugin authors have released new versions just in time for the New Year! The following plugins have been upgraded:

  • Akismet – Version 2.2.7
  • All in One SEO Pack – Version 1.6.10
  • Google XML Sitemaps – Version 3.2.2
  • GRAND Flash Album Gallery – Version 0.39
  • Theme Switcher – Version 1.0
  • WordPress Exploit Scanner – Version 0.93
  • wp-forecast – Version 2.6
  • WP Shopping Cart – Version 3.7.5.3
  • Yet Another PhotoBlog – Version 1.9.24

We have delayed installing the latest WordPress 2.9 release until we have verified that WordPress 2.9.1 has fixed some of the problems found in WordPress 2.9.

OpenSource FreeBSD Updates December 20, 2009

A number of updates were completed today. The majority of the updates are to core packages and we expect no changes to our server’s functionality. As is normal, our web services were down for about 5 minutes during the Apache2 upgrade.

  • apr-gdbm-db42-mysql-1.3.8.1.3.9_1
  • apache-2.2.14_5
  • cups-client-1.4.2_3
  • cups-image-1.4.2_3
  • curl-7.19.7_1
  • expat-2.0.1_1
  • ghostscript8-nox11-8.70
  • gnome-keyring-2.28.2
  • gobject-introspection-0.6.7
  • gvfs-1.4.3
  • libsoup-2.28.2
  • xcb-proto-1.6
  • libxcb-1.5
  • mhash-0.9.9.9_1
  • p5-Any-Moose-0.11
  • p5-Catalyst-Action-RenderView-0.14
  • p5-File-ShareDir-1.01
  • p5-Proc-Background-1.10
  • p5-Catalyst-Devel-1.24
  • p5-Catalyst-Plugin-Session-0.29_1
  • p5-Catalyst-Plugin-Session-Store-DBI-0.15
  • p5-Catalyst-Plugin-Static-Simple-0.26
  • p5-Catalyst-Runtime-5.80016
  • p5-Class-MOP-0.97
  • p5-Error-0.17016
  • p5-File-ChangeNotify-0.11
  • p5-Getopt-Long-Descriptive-0.083
  • p5-OLE-Storage_Lite-0.19
  • p5-Object-Signature-1.05_1
  • p5-Params-Validate-0.93
  • p5-Pod-Simple-3.13
  • p5-String-Format-1.16
  • p5-SQL-Abstract-Limit-0.141_1
  • p5-Test-Pod-1.40_1
  • p5-Test-WWW-Mechanize-1.24_1
  • p5-TimeDate-1.20,1
  • p5-UNIVERSAL-can-1.15_1
  • p5-WWW-Mechanize-1.60_1
  • p5-XML-RSS-1.47
  • p5-common-sense-2.03
  • pango-1.26.2
  • tnef-1.4.6
  • unixODBC-2.2.14_2
  • wordpress-mu-2.8.6,2

WordPress Plugin Upgrades December 15, 2009

There seems to be no end to the updates available for our WordPress Plugins. In fact, there have been so many updates that I have actually failed to post a listing of plugin upgrades recently. So, without further ado, the following upgrades were implemented today:

  • All in One SEO Pack – Version 1.6.8.2
  • eShop for Wordpress – Version 4.1.1
  • Fast and Secure Contact Form – Version 1.9.5
  • Google Analyticator – Version 6.0.2
  • Google Analytics Dashboard – Version 1.0.6
  • Google XML Sitemaps – Version 3.2.1
  • GRAND Flash Album Gallery – Version 0.38
  • Page Tree – Version 2.3
  • QuickShop – Version 2.0.1
  • WordPress Exploit Scanner – Version 0.92
  • WP Shopping Cart – Version 3.7.5.1
  • YAK for WordPress – Version 1.8.6

your mailbox has been deactivated

The forging of email addresses of our domain names continues as the never-ending barrage of phishing and other dangerous SPAM email is received. These attacks are socially engineered in that they rely on the fact that the email appears to come from your domain name, but does not. The most recent attack received looks like the following and contains the subject line “your mailbox has been deactivated”:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, pfeiferhouse.com technical support.

It appears to be from support@yourdomain.[com,net,org]. If you examine the email header information and trace the IP address you will find that the IP address does not match that of the IP address of the email server for your domain name.

Outlook users can look at the email header information by right clicking on the email and selecting the ‘Options…’ menu item. A window will appear that looks similar to the following:

Return-Path: <nappingyz166@ssv-laudenbach.de>
Delivered-To: webmaster@pfeiferhouse.com
Received: (qmail 61213 invoked by uid 98); 16 Nov 2009 18:06:16 -0000
Received: from 83.30.108.137 by tahoestores.org (envelope-from <nappingyz166@ssv-laudenbach.de>, uid 1002) with qmail-scanner-2.01
 (clamdscan: 0.95.1/9441. spamassassin: 3.2.5.
 Clear:RC:0(83.30.108.137):SA:0(2.1/2.5):.
 Processed in 2.550748 secs); 16 Nov 2009 18:06:16 -0000
X-Spam-Status: No, score=2.1 required=2.5
X-Spam-Level: ++
Received: from cbk137.neoplus.adsl.tpnet.pl (83.30.108.137)
 by tahoestores.org with SMTP; 16 Nov 2009 18:06:11 -0000
Received: from 83.30.108.137 by mailin.rzone.de; Mon, 16 Nov 2009 19:05:35 +0100
From: "support@pfeiferhouse.com" <support@pfeiferhouse.com>
To: <webmaster@pfeiferhouse.com>
Subject: your mailbox has been deactivated
Date: Mon, 16 Nov 2009 19:05:35 +0100
Message-ID: <000d01ca66e7$65718f20$6400a8c0@nappingyz166>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_000E_01CA66E7.65718F20"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2905
Importance: Normal

Notice the Return path and the IP address highlighted above. If the Return path does not match the email address you see in your inbox you will know right away that the email address is forged. You can further verify that the email is SPAM by comparing the IP address to the IP address of our email server which is 207.158.15.91.
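An added example (not part of the original post): the two checks described above, automated over header lines taken from the sample message. The function names and the hosted_domains parameter are assumptions made for this illustration; the trusted address is the mail server IP given in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MAIL_SERVER_IP = "207.158.15.91"  # legitimate mail server address stated in the post

# Header lines from the post's sample, trimmed to the fields the checks use.
SAMPLE = """\
Return-Path: <nappingyz166@ssv-laudenbach.de>
Received: from cbk137.neoplus.adsl.tpnet.pl (83.30.108.137)
 by tahoestores.org with SMTP; 16 Nov 2009 18:06:11 -0000
From: "support@pfeiferhouse.com" <support@pfeiferhouse.com>
To: <webmaster@pfeiferhouse.com>
Subject: your mailbox has been deactivated

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_of(header_value):
    """Lower-cased domain part of the address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def forgery_indicators(raw, trusted_ip=MAIL_SERVER_IP,
                       hosted_domains=("pfeiferhouse.com",)):
    """Return a list of findings; an empty list means neither check fired."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    # Check 1: the Return-Path should match the address shown in the inbox.
    if rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # Check 2: the topmost Received header naming an IP is the hop recorded by
    # the receiving server; mail claiming a hosted domain should come from it.
    hop_ip = next((m.group(0) for r in msg.get_all("Received", [])
                   for m in [IPV4.search(r)] if m), None)
    if from_dom in hosted_domains and hop_ip != trusted_ip:
        findings.append(f"claims {from_dom} but was delivered from {hop_ip}")
    return findings

if __name__ == "__main__":
    for finding in forgery_indicators(SAMPLE):
        print("SUSPICIOUS:", finding)
```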

Customers of Gossamer can also rest assured that the configuration of our email server cannot be modified or otherwise updated by running a program on your local machine.

You will not continue to see these emails as Gossamer blocks the offending IP addresses permanently from our email server as soon as they are received. In addition, our virus and SPAM filters will generally update within 24 hours to block similar SPAM and virus content.

If you do receive a suspicious email related to the continued use of your email account you may safely ignore it and remember the golden email rule. Also remember the corollary, do not click on links contained in email from those you do not know.

If you do receive a similar email, follow the golden email rule and delete it. If you are so inclined, you can also send the email header information to me and I will immediately ban the IP address.

You may also review a variety of other similar attacks on Google by searching on ‘your mailbox has been deactivated’.

WordPress Security Update November 15, 2009

WordPress announced another security update. According to WordPress this security bug can only be exploited by users with login and post privileges. In addition, the exploit is only applicable if the appropriate mime types have not been configured within the Apache server. While this exploit is not possible with Gossamer’s configuration, the update was applied to keep up to date.

Several plugins have also been updated. The updates include:

  • wordpress-2.8.6,1
  • All in One SEO Pack – Version 1.6.8.1
  • Contact Form 7 – Version 2.0.7
  • Google XML Sitemaps – Version 3.1.9
  • GRAND Flash Album Gallery – Version 0.37
  • Page Tree – Version 2.2
  • WordPress Exploit Scanner – Version 0.7
Copyright © 1994 - 2010 Gossamer Web Design Lake Tahoe
Gossamer Computer Services, LLC
(530) 583-7989
135 Alpine Meadows Road, #22
PO Box 3433
Olympic Valley, CA 96146