
your mailbox has been deactivated

Admin, Email — admin @ 11:16 am

The forging of email addresses at our domain names continues, as a never-ending barrage of phishing and other dangerous SPAM email is received. These attacks are socially engineered in that they rely on the fact that the email appears to come from your domain name, but does not. The most recent attack received looks like the following and contains the subject line “your mailbox has been deactivated”:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, pfeiferhouse.com technical support.

It appears to be from support@yourdomain.[com,net,org]. If you examine the email header information and trace the IP address, you will find that it does not match the IP address of the email server for your domain name.

Outlook users can look at the email header information by right-clicking on the email and selecting the ‘Options…’ menu item. A window will appear that looks similar to the following:

Return-Path: <nappingyz166@ssv-laudenbach.de>
Delivered-To: webmaster@pfeiferhouse.com
Received: (qmail 61213 invoked by uid 98); 16 Nov 2009 18:06:16 -0000
Received: from 83.30.108.137 by tahoestores.org (envelope-from <nappingyz166@ssv-laudenbach.de>, uid 1002) with qmail-scanner-2.01
(clamdscan: 0.95.1/9441. spamassassin: 3.2.5.
Clear:RC:0(83.30.108.137):SA:0(2.1/2.5):.
Processed in 2.550748 secs); 16 Nov 2009 18:06:16 -0000
X-Spam-Status: No, score=2.1 required=2.5
X-Spam-Level: ++
Received: from cbk137.neoplus.adsl.tpnet.pl (83.30.108.137)
by tahoestores.org with SMTP; 16 Nov 2009 18:06:11 -0000
Received: from 83.30.108.137 by mailin.rzone.de; Mon, 16 Nov 2009 19:05:35 +0100
From: "support@pfeiferhouse.com" <support@pfeiferhouse.com>
To: <webmaster@pfeiferhouse.com>
Subject: your mailbox has been deactivated
Date: Mon, 16 Nov 2009 19:05:35 +0100
Message-ID: <000d01ca66e7$65718f20$6400a8c0@nappingyz166>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01CA66E7.65718F20"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2905
Importance: Normal

Notice the Return-Path and the IP address (83.30.108.137) in the header above. If the Return-Path does not match the email address you see in your inbox you will know right away that the email address is forged. You can further verify that the email is SPAM by comparing the IP address to the IP address of our email server, which is 207.158.15.91.
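The two header checks described above can be scripted. The following is an added example, not part of the original post: it parses a trimmed copy of the header shown above, and the function names `domain_of` and `check_headers` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields copied from the message shown above (trimmed to those checked).
SAMPLE_HEADERS = """\
Return-Path: <nappingyz166@ssv-laudenbach.de>
Delivered-To: webmaster@pfeiferhouse.com
Received: from cbk137.neoplus.adsl.tpnet.pl (83.30.108.137)
 by tahoestores.org with SMTP; 16 Nov 2009 18:06:11 -0000
Received: from 83.30.108.137 by mailin.rzone.de; Mon, 16 Nov 2009 19:05:35 +0100
From: "support@pfeiferhouse.com" <support@pfeiferhouse.com>
To: <webmaster@pfeiferhouse.com>
Subject: your mailbox has been deactivated

"""

EXPECTED_SERVER_IP = "207.158.15.91"  # mail server address stated in the post
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def check_headers(raw, expected_ip=EXPECTED_SERVER_IP):
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    # Each hop prepends its Received line, so the topmost one that names an IP
    # was written by the receiving server; lower ones can be forged by the sender.
    handoff_ips = []
    for received in msg.get_all("Received") or []:
        handoff_ips = IPV4.findall(received)
        if handoff_ips:
            break
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "return_path_mismatch": from_domain != return_domain,
        "handoff_ips": handoff_ips,
        "sent_by_expected_server": expected_ip in handoff_ips,
    }


if __name__ == "__main__":
    for key, value in check_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

A mismatch is a strong signal, but a matching Return-Path proves nothing on its own because the sender supplies that value too; the connecting IP recorded by the receiving server is the more reliable of the two checks.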

Customers of Gossamer can also rest assured that the configuration of our email server cannot be modified or otherwise updated by running a program on your local machine.

You will not continue to see these emails as Gossamer blocks the offending IP addresses permanently from our email server as soon as they are received. In addition, our virus and SPAM filters will generally update within 24 hours to block similar SPAM and virus content.

If you do receive a suspicious email related to the continued use of your email account, you may safely ignore it and remember the golden email rule. Also remember the corollary: do not click on links contained in email from those you do not know.

If you do receive a similar email, follow the golden email rule and delete it. If you are so inclined, you can also send the email header information to me and I will immediately ban the IP address.

You may also review a variety of other similar attacks on Google by searching on ‘your mailbox has been deactivated’.

WordPress Security Update November 15, 2009

Admin, WordPress — admin @ 3:06 pm

WordPress announced another security update. According to WordPress, this security bug can only be exploited by users with login and post privileges. In addition, the exploit is only applicable if the appropriate MIME types have not been configured within the Apache server. While this exploit is not possible with Gossamer’s configuration, the update was applied to keep up to date.

Several plugins have also been updated. The updates include:

  • wordpress-2.8.6,1
  • All in One SEO Pack – Version 1.6.8.1
  • Contact Form 7 – Version 2.0.7
  • Google XML Sitemaps – Version 3.1.9
  • GRAND Flash Album Gallery – Version 0.37
  • Page Tree – Version 2.2
  • WordPress Exploit Scanner – Version 0.7

WordPress Security Updates November 11, 2009

Admin, PHP, WordPress — admin @ 11:27 am

WordPress released a security hardening release version 2.8.5. This update was applied on November 1. According to the WordPress Blog:

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The headline changes in this release are:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.

In addition, a security problem was discovered in the graphics library that WordPress uses for fast creation of images: specifically, a remote buffer overflow vulnerability. The core module GD (gd-2.0.35_2,1) was updated on November 9. The PHP module that utilizes GD (php5-gd-5.2.11_2) was updated today.

If your hosting provider is not keeping up to date with their WordPress updates your website may be at risk. We invite you to take a look at our services and make the switch today.

Facebook Trojan Email

Email, Facebook — admin @ 9:51 am

While I cannot imagine living without the now age-old Internet tool known as email, using email can be dangerous to the health of your computer. Fortunately there is a simple rule that can prevent most attacks dressed up and disguised as email.

NEVER, NEVER, NEVER open an email attachment unless you are absolutely sure of its content. Did I say NEVER?

Here at Gossamer we run the very best virus scanning software (ClamAV) and spam detection software (SpamAssassin) offered by the open source community. Every day thousands of virus- and spam-laden emails are detected and rejected by our email server.

In addition, we have added a further layer of prevention by automatically monitoring the sources of detected virus and spam generators and blocking their IP addresses. Our blocked (blackhole) list of IP addresses contains, on average, some 50,000 IP addresses from all over the globe. Our blackhole is updated every few minutes.

In addition, we permanently block all IP addresses that generate email using a spoofed address under our control.

Recently we have seen a number of Trojan horses preying on popular social media networking sites like Facebook and MySpace along with a few emails dressed up as coming from Microsoft’s Exchange email server, an email server which we do not use or recommend.

A recent popular version of delivering a trojan horse has been dressed up as a request to update your Facebook account agreement.

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date. Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 60768260508

Aside from the quick clue consisting of a grammatical error, and the fact that the email address is not used with a Facebook account, a quick bit of Google-fu reveals that the attachment provided, disguised as an update to your account agreement, is a trojan known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

While it is impossible to detect and deny delivery of all harmful email, notably attacks that are very, very new, you can protect yourself by following a very simple rule.

NEVER, NEVER, NEVER open an email attachment unless you are absolutely sure of its content. Did I say NEVER?

Copyright © 1994 - 2012
Gossamer Computer Services, LLC
(530) 583-7989
786 Southwood Blvd., Ste. 56E
Incline Village, NV 89451

This document last modified December 6, 2011 @ 11:05 am