A former executive of McAfee agreed to pay about $757,000 to settle charges that he played a role in the company's $622 million accounting fraud.
October 19, 2006 (IDG News Service) -- Yahoo Inc. put a customized version of Internet Explorer 7 on its Web site for downloading on Wednesday, before Microsoft Corp.'s own release of the browser.
The download page for the specialized final version of IE7 appeared during the afternoon on Wednesday, U.S. Pacific time. Microsoft, in Redmond, Wash., had given Oct. 18 as a tentative release date for the product but had not made the software available itself before Yahoo did.
Yahoo's version of IE7 includes the Yahoo toolbar and uses Yahoo search as the default search provider. It also sets two home pages, Yahoo and Yahoo News, according to the company's Web site. It can be downloaded here.
Malware, short for malicious software, refers to software applications designed to damage or disrupt a user's system. The proliferation of malware and its impact on security is a driving force behind the design of Internet Explorer 7. The new version has been improved to reduce the potential for hackers to compromise a user's browser or system. In addition, Internet Explorer 7 includes several technical features designed to thwart hackers' efforts to lead users into giving away personal data when they should not. Core parts of the browser's architecture also have been fortified to better defend against exploitation and improve the way the browser handles data.
Historically, attackers have exploited code-level defects inside the Web browser to attack a system. A typical attack relied on a user clicking an HTML link to a malformed URL containing odd or excessive characters; while parsing the URL, the browser overflowed a buffer and ended up executing code of the attacker's choosing. Given the size of a Web browser's code base, the quickest way to fix such bugs was to issue an update as each was discovered and its root cause identified, but even with only a handful of such updates required, the better solution was to rewrite the affected baseline code. Internet Explorer 7 benefits from that experience and from analysis of attack signatures: rewriting those sections has sharply reduced the browser's internal attack surface by routing all URL data through a single parsing function. This single handler improves reliability and gives the browser one place to deal with the changing nature of the Internet, including the globalization of URLs, international character sets and internationalized domain names.
Internet Explorer offers Web developers the ActiveX® platform as a mechanism to greatly extend browser capabilities and enhance online experiences. Some malicious developers have co-opted the platform to write harmful applications that steal information and damage user systems. Many of these attacks were made against ActiveX Controls shipped within the Windows operating system, even though the controls were never intended to be used by Internet-facing applications. Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX platform. ActiveX Opt-In automatically disables entire classes of controls - all controls the user has not previously enabled - which greatly reduces the attack surface. This new feature mitigates the potential misuse of preinstalled controls. Users will now be prompted by the Information Bar before a previously installed but as-yet unused ActiveX Control can be accessed. This notification mechanism will enable users to permit or deny access when viewing unfamiliar Web sites. For Web sites that attempt automated attacks, ActiveX Opt-In protects users by preventing unwanted access and giving the user total control. If the user opts to permit loading an ActiveX Control, the appropriate control is easily enabled by clicking in the Information Bar.
Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the hacker. Internet Explorer 7 has been improved to help deter this malicious behavior by appending the domain name from which each script originates and limiting that script's ability to interact only with windows and content from that same domain. These cross-domain script barriers will help ensure that user information remains in the hands of only those the user intentionally provides it to. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user's PC.
Available only to users running Internet Explorer 7 in Windows Vista, Internet Explorer Protected Mode will provide new levels of security and data protection for Windows users. Designed to defend against "elevation of privilege" attacks, Protected Mode provides the safety of a robust Internet browsing experience while helping prevent hackers from taking over the browser and executing code through the use of administrator rights.
In Protected Mode, Internet Explorer 7 on Windows Vista runs as a low-integrity process and cannot modify user or system files and settings outside a small set of low-privilege locations. Anything more goes through a broker process that mediates between the browser and the operating system, and the broker acts only on an explicit user action in the browser's menus and dialogs; scripted actions and automatic processes cannot use it to write data or change the system. The broker is deliberately restrictive so that it cannot be used to work around Protected Mode. Within the sandbox, Component Object Model (COM) objects hold no references to other applications or to the operating system by which they could locate and attack them.
Internet Explorer Protected Mode helps protect users from malicious downloads by restricting the ability to write to any local machine zone resources other than temporary Internet files. Attempting to write to the Windows Registry or other locations will require the broker process to provide the necessary elevated permissions. Internet Explorer Protected Mode also offers tabbed browsing security protection by opening new windows - rather than new tabs - for content contained outside the current security zone.
Fix My Settings
Knowing that most users are likely to install and operate applications using the default configuration, Internet Explorer 7 ships with security settings designed to provide the maximum level of usability while maintaining controlled security. There are legitimate reasons why a custom application may require a user to lower security settings from a default, but it is critical the user reverse those changes when they are no longer needed. Internet Explorer 7 introduces users to the new Fix My Settings feature to keep users protected from browsing with unsafe settings. This new feature in Internet Explorer 7 warns users with an Information Bar when current security settings may put them at risk. When a user makes changes in the security settings window, they will see settings automatically highlight in red if they modify certain critical items. In addition to dialog alerts warning the user about unsafe settings, the user will be reminded by the Information Bar as long as the settings remain unsafe. Users can instantly reset the security settings to the 'Medium-High' default level by clicking the 'Fix My Settings' option in the Information Bar.
Microsoft Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Extending the protections against malware at the browser level, Windows Defender helps prevent malware entering the machine via piggy-back download, a common mechanism by which spyware is distributed and installed silently along with other applications.
Although the improvements in Internet Explorer 7 cannot stop non-browser-based spyware from infecting the machine, using it with Windows Defender will provide a solid defense on several levels. Windows Defender is available in a beta release now for Windows XP SP2 and will also be in Windows Vista.
Most users are unaware of how much personal, traceable data is transmitted with every click of the mouse while they are browsing the Web. The extent of this information continues to grow as browser developers and Web site operators evolve their technologies to enable more powerful and convenient user features. Similarly, most online users are likely to have trouble discerning a valid Web site from a bogus copy.
The extent to which convenience and discount pricing are available online gives users an attractive reason to click and buy. The Internet enables any large or small business to easily create an online storefront for selling goods, enabling the business to reach a consumer audience well beyond traditional physical and geographic boundaries. Search engine marketing efforts allow these Web sites to establish instant consumer credibility and reach millions of users through some of the largest search engines or portal Web sites. The combination of these factors creates situations in which consumers are dealing with distant businesses and left with fewer concrete mechanisms to differentiate legitimate businesses from those seeking to collect their information for improper gain. Another challenge facing users is the ability for malicious Web site operators to abuse the same search listing services to attract unsuspecting consumers to knockoff Web sites designed to mimic the appearance and function of well-known and trusted businesses.
A technique used by many malicious Web site operators to gather personal information is known as phishing - masquerading online as a legitimate person or business for the purpose of acquiring sensitive information. Such fake Web sites designed to look like the legitimate sites are referred to as spoofed sites. Over the past year, phishing attacks have been reported in record numbers, and identity theft is emerging as a major threat to personal financial security. In the past year, the number of confirmed phishing sites has grown fivefold - from 580 to more than 3,000 (source: Anti-Phishing Working Group, April 2005 report).
Unlike direct attacks where hackers break into a system to obtain account information, a phishing attack does not require technical sophistication but instead relies on users willingly divulging information such as financial account passwords or Social Security numbers. These socially engineered attacks are among the most difficult to defend because they require user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as hackers become more experienced and learn to react more quickly to avoid detection.
Internet Explorer 7 offers a range of enhancements and solutions to better protect against malicious Web site operators and help prevent users from becoming victims of confusing URLs. The new Security Status Bar, located next to the Address Bar, is designed to help users quickly differentiate authentic Web sites from suspicious or malicious ones. In addition, Internet Explorer provides a simple file cleanup utility.
Certificates also play an essential role for users in validating e-commerce Web sites and helping to thwart phishing scams. Internet Explorer 7's Security Status Bar enhances access to certificate information by placing it more prominently in front of users and providing single-click access to the certificate.
Security Status Bar
Over the past few years, Web browser users have been introduced to the concept of encrypted communications and secure sockets layer (SSL) technologies to better protect their information from being obtained by third parties. Although many users have become quite familiar with SSL and its associated security benefits, a large proportion of Internet users remain overly trusting that any Web site asking for their confidential information must be protected. With the explosion of small- and home-based business Web sites selling goods that span the pricing spectrum, users are even more likely to encounter unknown entities asking for their financial information. The combination of these factors creates a situation ripe for abuse. Internet Explorer 7 addresses this issue by providing users with clear, prominent, color-coded visual cues to the safety and trustworthiness of a Web site. With the assistance of Internet Explorer 7 to help identify legitimate Web sites, users can more confidently browse and shop anywhere on the Internet.
Previous versions of Internet Explorer placed a gold padlock icon in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Given the importance and inherent trust value associated with the gold padlock, Internet Explorer 7's new Security Status Bar places it more prominently in users' line of sight. Users can now view the certificate information with a single click on the padlock icon. The Security Status Bar also supports information about High Assurance (HA) certificates for those sites meeting guidelines for better entity identity validation. Users can benefit from support for HA certification by having instant visual access to the increased validation of authenticity for a given Web site. To provide users with another visual cue designed to help them recognize questionable Web sites, the padlock now appears on a red background if Internet Explorer 7 detects any irregularities in the site's certificate information. By contrast, trusted Web sites will clearly display the name of the certificate owner and a gold background to indicate that users can provide confidential data.
Developers of phishing and other malicious activities thrive on lack of communication and limited sharing of information. Using an online service that is updated several times an hour, the new Phishing Filter in Internet Explorer 7 consolidates the latest industry information about fraudulent Web sites and shares it with Internet Explorer 7 customers to proactively warn and help protect them. The filter is designed around the principle that, to be effective, early warning systems must derive information dynamically and update it frequently.
The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:
1. It compares the addresses of Web sites a user attempts to visit with a list of reported legitimate sites that is stored on the user's computer.
2. It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.
3. It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.
Internet Explorer 7 uses the Security Status Bar to signal users (in yellow) if a Web site is suspicious.
Hi, my name is John Hrvatin and I'm the program manager for Internet Explorer setup. I'd like to share some of the ways setup in IE 7 helps keep you more secure and IE running smoothly.
Prior to installing IE 7, setup runs the Windows Malicious Software Removal Tool to clean your system of known malware and help prevent problems installing IE 7 or running it for the first time. If you keep your computer up-to-date using Windows Update, which hopefully everyone does, you will already have the latest version of the cleaner. In that case, setup will re-run the installed version; otherwise, it will download and run the latest version.
Setup also makes sure you have the latest-and-greatest by downloading and installing any available IE updates. In previous versions of IE, users had to install updates after IE installation and anyone who didn't was out-of-date. In IE 7, setup takes care of the updates so you can get right to using IE 7.
Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software. This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft's growing understanding of the spyware landscape.
Specific features of Windows Defender Beta 2 include:
- A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.
- Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.
- Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.
- Support for 64-bit platforms, accessibility and localization - Windows Defender Beta 2 also adds support for accessibility and 64-bit platforms. Microsoft also plans to release German and Japanese localized versions of Windows Defender Beta 2 soon after the availability of the English versions. Use WindowsDefenderX64.msi for 64-bit platforms.
- Microsoft Windows AntiSpyware (Beta):
Windows Defender (Beta 2) is the final name for Microsoft's antispyware solution. Current Windows AntiSpyware (Beta 1) customers will be notified automatically to upgrade.
The current beta is in the English language although we will deliver German and Japanese localized versions. All versions can be installed on any locale but the user interface will only be delivered in these three languages for testing purposes.
- Beta Support Policy:
This is pre-release (beta) software distributed for feedback and testing purposes. Microsoft only provides best effort support through the newsgroups. If Windows Defender (Beta 2) is causing an issue with your system, we recommend removing it by using Add or Remove Programs and even using System Restore if the problem persists.
- Access to Newsgroups:
Although formal support is not offered for this beta, we have provided newsgroups to help get your questions answered.
Faster way to clean up Norton(Score:5, Informative)
by TheGSRGuy (901647) on Saturday February 11, @07:07PM (#14696805)
If MS Antispyware wipes out your Norton install, the fastest and easiest way to clean out Norton to prepare for a reinstall is with Symantec's Norton Removal Tool, aka SymNRT. It's available for free from their website and is designed for situations like this where the install gets corrupted and you can't remove it.
The tool removes every trace of Norton from your system. It does a better job than the normal uninstaller.
Re:What problem?(Score:5, Informative)
by dynamo52 (890601) on Saturday February 11, @06:43PM (#14696701)
Seriously. Considering how good NAV is at sucking up memory and CPU cycles, the only way anyone probably noticed was when their computer suddenly seemed much smoother and more responsive.
I agree. I am a computer services provider for mostly home users and I often find NAV and internet tools to be single greatest contributor to draining system resources. I usually recommend disabling NAV, using safe internet practices, and scanning weekly or if there appears to be a problem.
Re:What problem?(Score:3, Interesting)
by AsbestosRush (111196) on Saturday February 11, @07:24PM (#14696891)
(http://slaquer.com/ | Last Journal: Wednesday October 27, @02:05PM)
That is most likely the Corporate version of Symantec AV, which is *far* better than the desktop version that most people usually purchase. The corp version just sits in the tray until something comes along that might need some attention.
Re:What problem?(Score:5, Informative)
by spectre_240sx (720999) on Saturday February 11, @08:19PM (#14697151)
Well that's not surprising considering NAV runs at least 14 processes. I think it might be 15 including that glorified advertisement they call Norton Protection Center.
We're still selling it at the shop that I work at. I'm not sure why... We recommend AVG Free for most people, but for business users we sell NAV.
Re:What do you really expect it to do?(Score:5, Funny)
by slashname3 (739398) on Saturday February 11, @10:22PM (#14697747)
Just because these products must use continuous system resources doesn't mean they need all of them. That would kind of defeat the purpose of having a computer.
But the purpose of having a computer is to run anti virus software, spy ware detectors, and firewalls. Between running those tools and updating the system there is not much time or resources for anything else.
Discussion Link(Score:5, Informative)
by Mz6 (741941) * on Saturday February 11, @06:36PM (#14696653)
(Last Journal: Friday June 18, @11:45AM)
Here's a link to the actual discussion [microsoft.com]. Looks like this has been corrected with the latest definitions.
But what if(Score:4, Informative)
by ImaLamer (260199) on Saturday February 11, @06:37PM (#14696660)
(http://mintruth.com/ | Last Journal: Sunday June 05, @05:40PM)
Microsoft knows something we don't?
Norton/Symantec hasn't always been nice (are they now?) - remember when Norton Utilities couldn't be removed on DOS installations? The only option was to totally format the drive and start over. I know people who won't even try Norton/Symantec products after all of those years because of these types of problems.
But it's not really a beta...(Score:5, Informative)
by vudufixit (581911) on Saturday February 11, @07:35PM (#14696950)
This was a full product called Giant Anti-spyware that MS acquired.
"Beta" is their term.
75% of my private client calls involve removing malware, and the MS product is a champ at this task. MS antispyware gives you a summary screen that breaks down each item it found, assigns it a perceived threat rating, and gives you the choice to "Remove, Ignore, Quarantine." So, anyone watching with any degree of care should notice that Norton was one of the choices and simply select the "ignore" option. Personally, I haven't seen this happen myself.
I agree with many other posters that Norton isn't that great of a product. I've noticed their firewall suddenly, without provocation, start blocking
I've also noticed their antivirus turn itself off for no reason, never to be turned on again. Reinstalling is often interesting, since even the least little trace of the product prevents an install/reinstall, but it almost never uninstalls cleanly.
Netscape 8.1 offers built-in spyware and adware protection that scans files that Web users try to download as well as those that are sent to them without their interaction, according to a representative for Netscape, a division of Time Warner's America Online subsidiary. The updated browser will also let consumers run complete memory and disk scans.
Other security features include an updated blacklist of potential phishing sites and a security center people can access to see if they need to take action on their computer.
Netscape's move to increase security features comes as malicious attackers are increasingly targeting browser flaws, including vulnerabilities found last spring in Netscape's browser.
The latest version of the browser also offers updates designed to enhance its RSS (Really Simple Syndication) support. RSS feeds, for example, can be viewed within the browser rather than requiring a separate viewer.
In addition, a new profile manager is designed to let multiple Web users share the same browser but maintain different bookmarks, passwords and other customizations.
The Windows operating system expert who exposed Sony BMG Music Entertainment's use of "rootkit" cloaking techniques last year is now criticizing security vendors Symantec Corp. and Kaspersky Lab Ltd. for shipping software that works in a similar manner.
Mark Russinovich, chief software architect with systems software company Winternals Software LP, says that the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques used by malicious software to avoid detection on an infected PC. There is "no good justification," for the use of such techniques, Russinovich said. "If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it."
Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools, but they told IDG News Service that they disagreed with Russinovich's use of the term rootkit, saying that because their software was not designed with malicious intent, it should not be lumped into the same category.
Still, both companies appeared sensitive to Russinovich's criticism.
Symantec on Tuesday issued a patch to SystemWorks that disabled the cloaking feature. On Thursday, a representative from Kaspersky said that it was possible that his company could take similar action. "I don't know whether we've got a plan to do that, but that's obviously one thing that we could do here," said David Emm, a senior technology consultant with Kaspersky.
Unlike Sony's XCP (Extended Copy Protection) software, the Symantec and Kaspersky products do not cloak the fact that certain pieces of software are running on the computer. Instead, they hide data
... ... ...
Kaspersky's use of cloaking software is more recent. With version 5 of its Kaspersky Anti-Virus software, first released about a year ago, the company used cloaking techniques to hide "checksum" information that the software used to determine which files on the computer it had or had not scanned.
... ... ...
While Russinovich agreed that the Symantec and Kaspersky cloaking techniques are not as dangerous as Sony's, which was ultimately exploited by virus writers, he said that all three vendors were engaging in a practice that was bad for users and IT professionals. "You don't want IT not knowing what's on the systems," he said. "Not being able to go to the system to do software inventory and disk space inventory, that's just not a good idea."
A new Windows Metafile (WMF) vulnerability potentially affects most versions of Windows (including 2000 and XP) and could be exploited to install arbitrary programs on the system by tricking a user into viewing a maliciously formatted metafile image. On computers where shimgvw.dll is registered the image is rendered automatically by the shell (see below for how to disable it temporarily until the patch is available).
This is not a self-propagating worm: on an unpatched PC it still needs the user to open, preview or browse to the crafted image. In practice the most exposed users are those least likely to be cautious (children, senior people), the very gullible, and anyone inclined to visit "grey" or "black" Internet sites or respond to unsolicited e-mail advertising, but note that the "open" step can be as little as letting the mail client preview an attachment or Windows Explorer draw a thumbnail:
- In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker has no way to force users to visit a malicious Web site; instead, the attacker would need to use social engineering to persuade a user to visit the site, typically by getting them to click a link that takes them to the attacker's Web site.
- In an e-mail based attack scenario involving the current exploit, a user would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability.
- An attacker who successfully exploited this vulnerability could gain only the same rights as the local user. Users whose accounts are configured to have fewer rights on the system would be less affected than users who operate with administrative rights.
Citing those mitigating factors, Microsoft Corp. said today that it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.
Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week. The update will be available at Microsoft's Download Center. "Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the attacks are not widespread."
The attack targets a flaw in the way Windows handles files in the WMF format. For example, one such attack arrives in an e-mail message titled "happy new year" bearing a malicious attachment called "HappyNewYear.jpg" that is really a WMF file with a misleading extension.
To protect yourself (especially important for home users, where you are not behind a mail gateway and corporate firewall) you can unregister the Windows Picture and Fax Viewer DLL from the command line (or via Start -> Run):
Windows 2000: regsvr32 -u C:\WinNT\system32\shimgvw.dll
Windows XP: regsvr32 -u C:\Windows\system32\shimgvw.dll
(On either version %SystemRoot%\system32\shimgvw.dll resolves to the right path.) The command needs administrative rights and Windows confirms the unregistration with a dialog. The side effects are that the Windows Picture and Fax Viewer no longer opens images and Explorer no longer shows image thumbnails. Keep in mind that this removes only one rendering path: the flaw is in GDI's handling of the SETABORTPROC escape record while playing a metafile, so any program that plays a WMF through GDI (other image viewers, some mail clients, Office documents with embedded metafiles) can still trigger it, and the workaround is no substitute for the patch. Once the patch is installed, or in case the missing viewer causes problems with applications, register the DLL again with:
Windows 2000: regsvr32 C:\WinNT\system32\shimgvw.dll
Windows XP: regsvr32 C:\Windows\system32\shimgvw.dll
Please note that the attack can arrive in an attachment with any extension; any graphic extension will do. One reported attack used the extension .jpg. Even though the extension says JPEG, the Windows image code identifies the file by its content, recognizes it as a WMF, plays the metafile, and in doing so runs the code carried in the malicious escape record.
Microsoft stresses that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."
We hope that there will be few such BASF users in view of recent training that everybody got with spam and fake financial letters.
Still, please be careful: in this case following a link is as dangerous as opening the attachment. Even just opening a folder or Web-hosted file listing that contains such a file in Windows Explorer or Internet Explorer can trigger the payload, because Explorer renders the icons and thumbnails of the files it lists automatically; an attacker only needs to place a crafted image in a folder you will browse.
The usual payload associated with this exploit is spyware. The file with a working exploit that was reportedly already in the wild today was called "HappyNewYear.jpg"; it attempts to download the Bifrose back door, researchers said.
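Because the image code identifies a metafile by its content rather than by its extension, a mail gateway or desktop scanner has to do the same. The following Python script is an added example written for this bulletin (it is not Microsoft's code or any product's): it sniffs a byte blob for the WMF placeable key or standard header, walks the record list, and flags a META_ESCAPE record carrying SETABORTPROC (the escape the exploit abuses) as well as records with an impossible declared size. The format constants come from the WMF specification; the two sample metafiles and the fake JPEG are constructed inline for the example, with inert zero bytes where an attack would place code. It is a detection aid, not a replacement for the patch.

```python
import struct

# WMF format constants (from the metafile specification, not from this bulletin).
PLACEABLE_KEY = 0x9AC6CDD7   # 22-byte "placeable" header that may precede the real header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape that registers a callback: the vulnerable path
META_SETMAPMODE = 0x0103     # an ordinary, harmless record used in the samples


def is_wmf(data):
    """Sniff the content the way the image code does; the file name is never consulted."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
        return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def wmf_records(data):
    """Yield (offset, declared size in 16-bit words, function code) per record; tolerant of bad sizes."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # skip the standard header
    while off + 6 <= len(data):
        words, func = struct.unpack_from("<IH", data, off)
        yield off, words, func
        if func == META_EOF:
            return
        off += max(words * 2, 6)   # a size below 3 words is malformed; step past the prefix anyway


def scan_wmf(data):
    """Return findings for a blob; an empty list means 'not a WMF' or 'no suspicious record seen'."""
    findings = []
    if not is_wmf(data):
        return findings
    for off, words, func in wmf_records(data):
        if words < 3:
            findings.append(f"offset {off}: record declares {words} words (minimum is 3), malformed")
        if func == META_ESCAPE and off + 10 <= len(data):
            escape, count = struct.unpack_from("<HH", data, off + 6)
            if escape == SETABORTPROC:
                findings.append(f"offset {off}: META_ESCAPE with SETABORTPROC, {count} bytes of callback data")
    return findings


def record(func, params=b""):
    """Pack one WMF record: size in words (including this 6-byte prefix), function code, parameters."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Assemble a well-formed metafile around the given records (used only to build the samples)."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    out = header + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", head):   # checksum is the XOR of the 10 preceding words
            checksum ^= word
        out = head + struct.pack("<H", checksum) + out
    return out


def corrupt_record_size(data, offset, words):
    """Copy of data with one record's size field overwritten (models a malformed file)."""
    out = bytearray(data)
    struct.pack_into("<I", out, offset, words)
    return bytes(out)


# Constructed samples, not real files from the wild: a harmless metafile, one carrying the
# SETABORTPROC escape with inert zero bytes where an attack would place code, and a JPEG stub.
SAMPLE_BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                           record(META_EOF)], placeable=True)
SAMPLE_ESCAPE = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                           record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
                           record(META_EOF)])
ESCAPE_RECORD_OFFSET = 18 + 8   # standard header, then the 8-byte SETMAPMODE record
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28   # JPEG magic: the scanner must leave it alone

if __name__ == "__main__":
    for name, blob in [("benign.wmf", SAMPLE_BENIGN), ("HappyNewYear.jpg", SAMPLE_ESCAPE),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, "->", scan_wmf(blob) or "clean / not a metafile")
```

Run it over every attachment regardless of name, including files extracted from archives; a SETABORTPROC escape has no legitimate use in an image sent by e-mail, so a hit can be treated as malicious, while a clean result only says that this one trick was not present.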
Before patch is applied to all systems please be especially vigilant with emails that contain attachments or if a email try to persuade you to follow some html link:
- Be somewhat suspicious (but not paranoid, this is a holiday season after all :-) of any graphical files attached to a e-mail message. Do not use "preview" functionality in your email client as it renders files automatically and thus triggers exploit.
Note: WMF exploit that can be disguised as any graphic file (for example attachment can have extension BMP, DIB, GIF, EMF, JFIF JPE, JPEG, JPG, PNG, TIF, TIFF or even WMF)
Please remember that malicious files can also be converted to ZIP, RAR, ARJ or other archiver format, or imbedded into the composite document (PDF, RTF, DOC. XLS) to bypass mail gateway filtering.
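The two points above (the extension tells you nothing, and an archive hides the content from a naive filter) as an added Python check written for this page; it is not part of the original bulletin or of any gateway product. The message it scans is constructed inside the code: the name HappyNewYear.jpg comes from the text, the other file names are made up, the "WMF" attachments are bare format headers with no records, and the WMF/EMF magic numbers are the standard ones from the format headers.

```python
import io
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Magic numbers of the metafile formats rendered by shimgvw.dll (content, not extension).
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"  # Aldus placeable metafile key
EMF_SIGNATURE = b" EMF"              # dSignature field at offset 40 of an EMF header

def looks_like_metafile(data):
    """Classify a blob by its bytes the way Windows does. Returns 'wmf', 'emf' or None."""
    if data[:4] == PLACEABLE_WMF:
        return "wmf"
    # Standard WMF header: mtType 1 (memory) or 2 (disk), mtHeaderSize 9, mtVersion 0x100/0x300
    if data[:2] in (b"\x01\x00", b"\x02\x00") and data[2:4] == b"\x09\x00" \
            and data[4:6] in (b"\x00\x01", b"\x00\x03"):
        return "wmf"
    if data[:4] == b"\x01\x00\x00\x00" and data[40:44] == EMF_SIGNATURE:  # EMR_HEADER
        return "emf"
    return None

def scan_attachments(raw_email):
    """Return (name, kind) for every attachment whose content is a metafile,
    also looking inside ZIP attachments, whatever extension the file carries."""
    hits = []
    for part in message_from_bytes(raw_email).walk():
        name = part.get_filename()
        if not name:
            continue  # container parts and the text body
        payload = part.get_payload(decode=True) or b""
        candidates = [(name, payload)]
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                candidates += [(f"{name}:{i.filename}", zf.read(i)) for i in zf.infolist()]
        for cname, blob in candidates:
            kind = looks_like_metafile(blob)
            if kind:
                hits.append((cname, kind))
    return hits

def build_sample():
    """Constructed test message: a header-only WMF (no records) named HappyNewYear.jpg,
    a ZIP holding a placeable WMF named picture.gif, and a genuine PNG signature."""
    wmf = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12  # 18-byte WMF header, nothing else
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.gif", PLACEABLE_WMF + b"\x00" * 18)
    msg = MIMEMultipart()
    for fname, data in (("HappyNewYear.jpg", wmf), ("photos.zip", buf.getvalue()),
                        ("real.png", b"\x89PNG\r\n\x1a\n")):
        att = MIMEApplication(data, Name=fname)
        att.add_header("Content-Disposition", "attachment", filename=fname)
        msg.attach(att)
    return msg.as_bytes()
```

Running scan_attachments(build_sample()) flags both the .jpg and the .gif inside the ZIP as WMF content while the real PNG passes.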
Although this recommendation is probably redundant and everybody is aware of it: don't trust the "From" address in an e-mail message that came from the Internet (in Lotus Notes such messages have a globe as the postage stamp in the left corner of the header). For any unusual or suspicious message you can check the headers to see from what server the message actually came (the From address is often forged). There is a flood of financial scams that pretend to come from eBay, PayPal or some bank and ask you to verify your account, or use some other social engineering trick.
To view e-mail message header information in Netscape Messenger use View -> Headers -> All (in Microsoft Outlook: View -> All Headers).
- The most interesting header is the "Received" header. There are usually several of them, and they help you track the origin of the message (the situation is better and simpler on home PCs, as you can view all the headers in their natural order at once).
The most interesting record is the one that follows (or sometimes precedes, depending on some Lotus Notes setting unknown to me) the "Received" record written by your ISP (in this example that is the first record, the one produced by the optonline.net ISP's server):
Received: from www.hosting.com (www.hosting.com [184.108.40.206]) by mta28.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with SMTP id <0ISJ00JH19ZF7EA2@mta28.srv.hcvlny.cv.net> for firstname.lastname@example.org (ORCPT email@example.com); Tue, 03 Jan 2006 15:23:40 -0500 (EST)
Received: from unknown (HELO omc2-s29.bay6.hotmail.com) (220.127.116.11) by df04.dot5hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Received: from hotmail.com ([18.104.22.168]) by omc2-s29.bay6.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 03 Jan 2006 12:23:38 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 03 Jan 2006 12:23:38 -0800
Received: from 22.214.171.124 by by5fd.bay5.hotmail.msn.com with HTTP; Tue, 03 Jan 2006 20:23:38 +0000 (GMT)
Date: Tue, 03 Jan 2006 20:23:38 +0000
Legitimate messages have a next record that "makes sense", i.e. one that you can expect for the particular sender. For the From address firstname.lastname@example.org (a Hotmail address) it should be hotmail.com. But we have:
Received: from unknown (HELO omc2-s29.bay6.hotmail.com) (126.96.36.199)
by www.hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Forged letters often have a questionable origin: a foreign host (often in some remote country in Asia or Europe), a university, or a client of a major ISP that differs from what you would expect from the From address (for example mail from a Hotmail user arriving from AOL, or from an AOL user arriving from optonline.net). The latter are hijacked PCs, so-called zombies:
- allegro.no ([188.8.131.52]) ...
- arena.sci.univr.it ([184.108.40.206]) ...
Often you can see only an IP address without any DNS name; that should be highly suspicious.
For example, here is the header of a fake PayPal letter:
Received: from www.hosting.com (www.hosting.com [220.127.116.11]) by mta24.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with SMTP id <0IRQ00EAF2AUOR00@mta24.srv.hcvlny.cv.net> for email@example.com (ORCPT firstname.lastname@example.org); Sun, 18 Dec 2005 20:47:19 -0500 (EST)
Received: from unknown (HELO goliath.hostingwithus.net) (18.104.22.168) by www.hosting.com with SMTP; Mon, 19 Dec 2005 01:47:18 +0000
Received: from mail.cvworkingfamilies.org ([22.214.171.124]:16900 helo=secure) by goliath.hostingwithus.net with esmtpa (Exim 4.52) id 1Enkxf-0002Z6-3W; Sat, 17 Dec 2005 16:55:32 -0600
Date: Sat, 17 Dec 2005 17:59:27 -0500
From: "PayPal Inc." <email@example.com>
Subject: =?UNKNOWN?Q?PayPal=AE?= UPDATE TEAM
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Message-id: <0IRQ00EAG2AVOR00@mta24.srv.hcvlny.cv.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 8BIT
X-Priority: 3
X-MSMail-priority: Normal
Delivered-to: email@example.com
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - goliath.hostingwithus.net
X-AntiAbuse: Original Domain - softpanorama.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - paypal.com
X-Source:
X-Source-Args:
X-Source-Dir:
Original-recipient: rfc822;firstname.lastname@example.org
You can see that in this particular case the letter probably originated at goliath.hostingwithus.net (see the X-AntiAbuse headers), although these can be faked too: you can trust only the second header after the header that lists your ISP.
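The checks described above (anchor on the record written by your own ISP, compare the relay it names with the domain of the From address, and treat nameless or bare-IP senders in the later, unverifiable records as suspicious) as an added Python example written for this page, not part of the original bulletin. The two messages are constructed: the forged one reuses the hop chain shown above with a made-up From address, the genuine one is what a real Hotmail delivery to the same ISP would look like, and the ISP domain cv.net is taken from that chain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Received chain of the forged "Hotmail" message discussed
# above, cut down to the fields that matter, with a made-up From: address.
FORGED = """Received: from www.hosting.com (www.hosting.com [184.108.40.206])
 by mta28.srv.hcvlny.cv.net with SMTP; Tue, 03 Jan 2006 15:23:40 -0500 (EST)
Received: from unknown (HELO omc2-s29.bay6.hotmail.com) (220.127.116.11)
 by df04.dot5hosting.com with SMTP; Tue, 03 Jan 2006 20:23:39 +0000
Received: from hotmail.com ([18.104.22.168])
 by omc2-s29.bay6.hotmail.com with Microsoft SMTPSVC; Tue, 03 Jan 2006 12:23:38 -0800
From: user@hotmail.com

"""
# Constructed sample of a genuine Hotmail message arriving at the same ISP.
GENUINE = """Received: from bay5-omc1.hotmail.com (bay5-omc1.hotmail.com [192.0.2.10])
 by mta28.srv.hcvlny.cv.net with SMTP; Tue, 03 Jan 2006 15:23:40 -0500 (EST)
From: user@hotmail.com

"""
HOP_RE = re.compile(r"from\s+(?P<name>\S+).*?\bby\s+(?P<by>[\w.-]+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hops(raw_message):
    """Received records, newest first: claimed sender, its IP, and the MTA that wrote the record."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            ip = IP_RE.search(flat[: m.start("by")])
            hops.append({"from": m.group("name"), "ip": ip.group(0) if ip else None,
                         "by": m.group("by")})
    return hops

def analyse(raw_message, isp_domain):
    """The checks from the text: anchor on the record written by your own ISP, compare the
    relay it names with the From: domain, and flag nameless senders in the records after it."""
    from_hdr = message_from_string(raw_message).get("From", "")
    from_domain = parseaddr(from_hdr)[1].rpartition("@")[2].lower()
    hops = parse_hops(raw_message)
    isp_idx = next((i for i, h in enumerate(hops) if h["by"].endswith(isp_domain)), None)
    if isp_idx is None:
        return [f"no Received record written by {isp_domain}; chain cannot be anchored"]
    findings = []
    relay = hops[isp_idx]["from"]  # the one host whose identity your ISP actually verified
    if from_domain and not relay.lower().endswith(from_domain):
        findings.append(f"From: claims {from_domain} but your ISP received it from {relay}")
    for h in hops[isp_idx + 1:]:  # written by outside parties: inspect, but do not trust
        if h["from"].lower() == "unknown" or IP_RE.fullmatch(h["from"].strip("[]")):
            findings.append(f"record written by {h['by']} gives no DNS name for its sender ({h['ip']})")
    return findings
```

analyse(FORGED, "cv.net") reports the hosting.com relay and the nameless hop; analyse(GENUINE, "cv.net") reports nothing.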
Make sure your antivirus and antispyware software are current and both have current signatures:
- Unless you already have something installed, home users can install the Microsoft Windows AntiSpyware (Beta) Tool, a free and pretty good anti-spyware tool from Microsoft. It has an option to update signatures on your PC automatically to ensure that they are up to date, but don't assume it guarantees safety. Spyware is a very tricky type of malicious software. Home users can also visit the Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability.
- Home users in the U.S. and Canada who have a legitimate copy of Windows and believe they may have been affected by this vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses.
Ensure that your home PC has all the patches and software updates from Microsoft (you can now configure your home PC to get and install updates automatically via the Windows Update feature; see Security at Home: Updates & Maintenance on the Microsoft website).
Microsoft Security Advisory (912840) Published: December 28, 2005 | Updated: January 3, 2006
On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform.
Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.
Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.
Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread.
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: September, 19, 2017