<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Real-time AntiSpam protection, automated and self-managed content filtering &#187; Anti-spam techniques</title>
	<atom:link href="http://veriat.com/category/anti-spam-techniques/feed" rel="self" type="application/rss+xml" />
	<link>http://veriat.com</link>
	<description></description>
	<lastBuildDate>Thu, 27 May 2010 23:10:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>AntiSpam Custom: New spam detection rules in PDF and image</title>
		<link>http://veriat.com/antispam-custom-new-spam-detection-rules-in-pdf-and-image.html</link>
		<comments>http://veriat.com/antispam-custom-new-spam-detection-rules-in-pdf-and-image.html#comments</comments>
		<pubDate>Wed, 14 Oct 2009 14:40:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[spam detection rules]]></category>
		<category><![CDATA[spam in PDF and image]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=391</guid>
		<description><![CDATA[New forms of spam, with the payload embedded in PDF attachments and various image formats, have been flooding SMTP traffic on the Internet for weeks. Spam that uses these concealment techniques sometimes gets past the analysis and control rules, causing a gradual increase in the spam reaching our inboxes.
To combat this new form of spam, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">New forms of spam, with the payload embedded in PDF attachments and various image formats, have been flooding SMTP traffic on the Internet for weeks. Spam that uses these concealment techniques sometimes gets past the analysis and control rules, causing a gradual increase in the spam reaching our inboxes.</p>
<p>To combat this new form of spam, SDIC has for some time been testing different combinations of rules for the Custom UC3M AntiSpam Service, which both PAS / PDI staff and students can activate on demand. <span id="more-391"></span>Early this morning the new rules were activated on the production AntiSpam service nodes. There are 32 rules in total, covering not only spam in PDF or image form, but also junk &#8216;hidden&#8217; in messages such as postcards, currency references, job &#8230;</p>
<p>As always, we encourage you to use the Custom UC3M AntiSpam Service, and we remind you that you can adjust your permissiveness level, your usual language, your own rules, and so on, to adapt the filter and improve its detection rate.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/antispam-custom-new-spam-detection-rules-in-pdf-and-image.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ANTI SPAM FREE CHECKING</title>
		<link>http://veriat.com/anti-spam-free-checking.html</link>
		<comments>http://veriat.com/anti-spam-free-checking.html#comments</comments>
		<pubDate>Wed, 14 Oct 2009 14:35:14 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[anti spam]]></category>
		<category><![CDATA[anti spam triggers]]></category>
		<category><![CDATA[appearance of spam]]></category>
		<category><![CDATA[e-mail and electronic journals]]></category>
		<category><![CDATA[SPAM FREE CHECKING]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=389</guid>
		<description><![CDATA[Spam has reached epidemic levels, and many Internet access providers have been compelled to fight it with anti-spam e-mail filters.
As a result, many honest marketers are being caught and harmed, even though they were never the intended targets of the anti-spam filters.
With our anti-spam monitoring system, you can find out exactly how to reduce the appearance of spam [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Spam has reached epidemic levels, and many Internet access providers have been compelled to fight it with anti-spam e-mail filters.</p>
<p>As a result, many honest marketers are being caught and harmed, even though they were never the intended targets of the anti-spam filters.</p>
<p>With our anti-spam monitoring system, you can find out exactly how to reduce the appearance of spam in your e-zine or promotional e-mail.</p>
<p>As a result, you will know that your e-mail and e-zines go directly to the inboxes of your customers and affiliates, instead of being discarded as junk by anti-spam filters &#8230; <span id="more-389"></span>It is not enough to send the e-mail &#8230;<br />
You must make sure it reaches the inbox!</p>
<p>What do you need to do to protect your honest business and keep anti-spam programs from classifying its mail as spam?</p>
<p>Send copies of your e-zine and mass mailings to my special autoresponder, and you will receive a report detailing which features of your correspondence may be misinterpreted by anti-spam programs.</p>
<p>Even if you do not publish an e-zine or send mass e-mail, you should check the signature file you use for your e-mail.</p>
<p style="text-align: justify;">Most commercial signature files contain enough anti-spam triggers to get your messages filtered by anti-spam programs.</p>
<p>STEPS TO VERIFY THAT YOUR MAIL WILL PASS ANTI-SPAM FILTERS</p>
<p>Send an e-mail to spamcheck-RB@sitesell.net with the word TEST (in uppercase and without quotes) at the start of the subject line. I repeat, this is very important &#8230; begin the subject line with the word TEST, or my anti-spam test program will treat your e-mail as spam. Then continue with the usual subject of your e-mail.</p>
<p>For example, if your subject is:</p>
<p>&#8220;The best work at home&#8221;</p>
<p>You would write:</p>
<p>TEST &#8220;The best work at home&#8221;</p>
<p>In the body of the e-mail put the regular contents of your e-zine or e-mail.</p>
<p>Send your letter to: spamcheck-RB@sitesell.net</p>
<p>And that&#8217;s all there is to it! &#8230;</p>
<p>You will instantly receive a free response from my anti-spam program. The report assigns your e-mail a score and tells you which phrases in it earned that score. The higher the score, the more likely your mail will be filtered by anti-spam programs, so if you get a score greater than 8, you should clean up your e-mail as instructed.</p>
<p>The anti-spam program I use produces its report in English (unfortunately I cannot change this), but since the report highlights the sentences in your e-mail that earned a penalty score, you can easily recognize them. :-)</p>
<p>The main points in the report to which you must pay attention are:<br />
Your TOTAL SPAM SCORE for your e-mail: xx<br />
The higher the score, the more likely the e-mail will be considered spam. Here&#8217;s how to interpret your score:<br />
0-5: nice and clean, no problems except tiny ones below, no action required<br />
5-8: the strictest may object; clean up the easy-to-find issues<br />
8-12: getting into dangerous territory, clean up any big issues and the easy-to-find smaller penalties<br />
12-16: likely over ISPs&#8217; limits; review and clean</p>
<p style="text-align: justify;">16+: major problems; overhaul needed &#8211; systematically clean, point by point, and then re-test (this may require two or three SpamChecks).</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/anti-spam-free-checking.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware of Spam</title>
		<link>http://veriat.com/beware-of-spam.html</link>
		<comments>http://veriat.com/beware-of-spam.html#comments</comments>
		<pubDate>Wed, 14 Oct 2009 14:03:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[Spam Facts]]></category>
		<category><![CDATA[anti-spam programs]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[Internet access provider]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[mass email]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=385</guid>
		<description><![CDATA[Many people equate sending mass e-mail with spam. The word &#8220;spam&#8221; was formerly used for off-topic postings to discussion groups, but the term has since broadened and is now used to denote &#8220;any unsolicited e-mail&#8221; or &#8220;any e-mail sent to people who have not requested it.&#8221; And Internet service providers [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Many people equate sending mass e-mail with spam. The word &#8220;spam&#8221; was formerly used for off-topic postings to discussion groups, but the term has since broadened and is now used to denote &#8220;any unsolicited e-mail&#8221; or &#8220;any e-mail sent to people who have not requested it.&#8221; And Internet service providers are increasingly taking steps to protect themselves from spam with anti-spam programs; these programs can be hazardous to your business if you plan to use bulk e-mail as a promotional tool.</p>
<p>If people who receive your unsolicited e-mail complain to your Internet service provider (ISP) or to the company that hosts your website (your web host), you may end up losing both. That means your website will be shut down and you will lose your Internet connectivity.<span id="more-385"></span></p>
<p>Of course you can get another Internet access provider, but this may hurt you in three ways:<br />
+ It will be a waste of time<br />
+ It will cost money<br />
+ It will damage your reputation</p>
<p>This method of free online promotion may therefore be the source of many problems, and the best thing you can do is not to engage in it.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/beware-of-spam.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Features Expose Windows Systems to Malicious Attacks</title>
		<link>http://veriat.com/new-features-expose-windows-systems-to-malicious-attacks.html</link>
		<comments>http://veriat.com/new-features-expose-windows-systems-to-malicious-attacks.html#comments</comments>
		<pubDate>Sun, 02 Aug 2009 12:55:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[ActiveX Exploit]]></category>
		<category><![CDATA[Malicious Attacks]]></category>
		<category><![CDATA[Microsoft's Office Suite]]></category>
		<category><![CDATA[Outlook View]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=273</guid>
		<description><![CDATA[Outlook View ActiveX Vulnerability
We&#8217;ve all heard the saying, &#8220;The only things guaranteed in life are death and taxes!&#8221; Well, some people are beginning to think that we need to add a third item to that list of sure things. &#8220;The only things guaranteed in life are death, taxes and new security vulnerabilities with each incarnation [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Outlook View ActiveX Vulnerability</strong></p>
<p>We&#8217;ve all heard the saying, &#8220;The only things guaranteed in life are death and taxes!&#8221; Well, some people are beginning to think that we need to add a third item to that list of sure things. &#8220;The only things guaranteed in life are death, taxes and new security vulnerabilities with each incarnation of Microsoft&#8217;s Office Suite.&#8221; Yesterday, noted Bulgarian security consultant, Georgi Guninski, went public with a security advisory for Office XP users that would allow a malicious web developer unencumbered access to a victim&#8217;s e-mails. Simply by visiting a web page or opening a web enabled e-mail message, an Outlook user would unwittingly expose not only Outlook, but also the entire Windows system to the attacker. Further testing by KeyLabs, and after a subsequent security bulletin issued by Microsoft, we now know that this vulnerability affects Outlook 98 and Outlook 2000 as well as Outlook 2002 (part of the Office XP suite).<span id="more-273"></span></p>
<p>At the heart of the problem is the new &#8220;Microsoft Outlook View Control.&#8221; This ActiveX control allows Outlook features (i.e. e-mails, folders, calendar events, or contacts) to be displayed in web pages. Originally intended to only allow passive operations such as viewing data, this control unintentionally grants privileged access, which would allow the hacker to manipulate data. This bug goes far beyond simply manipulating e-mail messages. In our testing with KeyLabs, BugNet was able to go so far as to delete files from the victim&#8217;s computer as well as run executables &#8211; all without user intervention.</p>
<p><strong> ActiveX Exploit </strong></p>
<p>Exploiting this vulnerability involves creating a web page or HTML-enabled e-mail message with the embedded Outlook View ActiveX control. Once invoked, the control allows the HTML code (and any subsequent scripts) to run with elevated privileges on the victim&#8217;s system.</p>
<p>The Outlook View ActiveX control installs by default with Office XP, but also affects Outlook 98 and Outlook 2000. In our tests we found that the ActiveX control will download and install automatically (after the user verifies the Microsoft certificate) when IE encounters the object in a web page.</p>
<p>Make no mistake; this is a serious security breach. So much so that Microsoft issued a security bulletin without having a patch available. At the time of this writing, Microsoft is preparing a patch that will eliminate this bug, but also warns users that in the meantime, they should disable ActiveX controls in the Internet Zone.</p>
<p>Installing the previously released Outlook E-mail Security Update would eliminate half of this vulnerability. This security update was created over a year ago in answer to the e-mail borne worms and viruses like ILY. Installing this patch would eliminate e-mail as a vehicle of attack, but wouldn&#8217;t prevent a web page from infiltrating the system. For that, you will need to adjust IE&#8217;s security settings.</p>
<p><strong>Workaround is the Only Option</strong></p>
<p>We strongly recommend that users adjust their security settings appropriately. One simple way to do this is to adjust the security setting for the Internet Zone to High. Do this by starting Internet Explorer and clicking on Tools &gt; Internet Options &gt; Security. Select the Internet Zone and move the Security Level slider bar all the way to the top. This will lock down IE and prevent ActiveX and other scripting from running in the browser.</p>
<p>Be aware that by selecting IE&#8217;s highest security setting, many legitimate web sites will not function properly in the browser. Adding these web sites to the trusted sites zone will let them function as designed, yet still protect your system from rogue web sites.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/new-features-expose-windows-systems-to-malicious-attacks.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Does it Mean When You Keep on Making the Same Mistake?</title>
		<link>http://veriat.com/what-does-it-mean-when-you-keep-on-making-the-same-mistake.html</link>
		<comments>http://veriat.com/what-does-it-mean-when-you-keep-on-making-the-same-mistake.html#comments</comments>
		<pubDate>Sun, 02 Aug 2009 12:04:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[Microsoft Word]]></category>
		<category><![CDATA[Outlook Express]]></category>
		<category><![CDATA[PowerPoint 2000]]></category>
		<category><![CDATA[Security Bulletin]]></category>
		<category><![CDATA[Visual Studio VB T-SQL]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=267</guid>
		<description><![CDATA[Memo to Bill Gates, Steve Ballmer, or whoever is in charge nowadays:
Go into Microsoft Word and print up a whole bunch of signs that say &#8220;Check All Buffers.&#8221; Then go around and staple these signs to the cubicle wall, the monitor, or the forehead of all your programmers.
Why? Because for the fifth time in 2001 [...]]]></description>
			<content:encoded><![CDATA[<p>Memo to Bill Gates, Steve Ballmer, or whoever is in charge nowadays:</p>
<p>Go into Microsoft Word and print up a whole bunch of signs that say &#8220;Check All Buffers.&#8221; Then go around and staple these signs to the cubicle wall, the monitor, or the forehead of all your programmers.<span id="more-267"></span></p>
<p>Why? Because for the fifth time in 2001 (plus once in December 2000), Microsoft has had to issue a Security Bulletin dealing with a threat or a bug caused by an unchecked buffer.</p>
<p>The latest problem surfaced in the Indexing Server in Windows NT 4.0. This product does full-text searches of files &#8212; not only looking for filenames, but for text within the files. If the search input is too long, it may crash the indexing service/server. If the input is too long, plus it is constructed in a certain way, it may allow an attacker to run some code on the computer. According to Microsoft, this particular attack probably couldn&#8217;t be pulled off from a network outsider connecting through the Internet; they would need an account on the network. (If network security is lax, it could be done from the outside.)</p>
<p>There is also a buffer problem in the Windows 2000 Indexing Service, where hackers could construct a query to the Indexing Service that would allow them to view files that would ordinarily be off limits. There are fixes for these two problems at http://www.microsoft.com/technet/security/bulletin/MS01-025.asp. Microsoft credits David Litchfield of @Stake and Mike Mulling for finding this problem.</p>
<p>While at the Microsoft Security Site, pick up the fixes for these other buffer checking/overrun problems:</p>
<table id="table1" border="1" cellspacing="1" cellpadding="5" width="70%" align="center">
<tbody>
<tr valign="top" bgcolor="#e9e9e9">
<td><span style="font-family: Arial, sans-serif;"><strong>Bulletin</strong></span></td>
<td><span style="font-family: Arial, sans-serif;"><strong>Problem</strong></span></td>
</tr>
<tr valign="top">
<td><span style="font-family: Arial, sans-serif;">01-023</span></td>
<td><span style="font-family: Arial, sans-serif;">Unchecked Buffer in ISAPI<br />
Extension Could Enable Compromise of IIS 5.0 Server</span></td>
</tr>
<tr valign="top" bgcolor="#e9e9e9">
<td><span style="font-family: Arial, sans-serif;">01-018</span></td>
<td bgcolor="#e9e9e9"><span style="font-family: Arial, sans-serif;">Visual<br />
Studio VB T-SQL Object Contains Unchecked Buffer</span></td>
</tr>
<tr valign="top">
<td><span style="font-family: Arial, sans-serif;">01-013</span></td>
<td><span style="font-family: Arial, sans-serif;">Windows 2000 Event Viewer<br />
Contains Unchecked Buffer</span></td>
</tr>
<tr valign="top" bgcolor="#e9e9e9">
<td><span style="font-family: Arial, sans-serif;">01-012</span></td>
<td><span style="font-family: Arial, sans-serif;">Outlook, Outlook Express<br />
VCard Handler Contains Unchecked Buffer</span></td>
</tr>
<tr valign="top">
<td><span style="font-family: Arial, sans-serif;">01-002</span></td>
<td><span style="font-family: Arial, sans-serif;">PowerPoint 2000 File<br />
Parser Contains Unchecked Buffer</span></td>
</tr>
<tr valign="top" bgcolor="#e9e9e9">
<td><span style="font-family: Arial, sans-serif;">00-094</span></td>
<td><span style="font-family: Arial, sans-serif;">Patch Available for &#8220;Phone<br />
Book Service Buffer Overflow&#8221; Vulnerability</span></td>
</tr>
</tbody>
</table>
<p><strong>A Common Problem</strong></p>
<p>These are the recent problems. Going to the Microsoft Knowledge Base and searching for the phrase &#8220;unchecked buffer&#8221; turned up twenty-two hits, although some of the items are redundant. (One article may talk about an unchecked buffer, while another lists the Service Pack where it is fixed.) Searching for the phrase &#8220;buffer overflow&#8221; turned up 200 hits. There are actually far more, but the Microsoft Search Engine tops out at 200. Think there may be some sort of chronic problem here?</p>
<p>Now, I&#8217;m not a professional programmer, so I&#8217;m not sure how difficult it actually is. But I would certainly try to implement some sort of rule: Anytime you create a buffer, check it. What happens when it overflows? What happens when they send it bad data &#8212; because the phrase &#8220;malformed request&#8221; shows up even more frequently in the security bulletins than &#8220;unchecked buffer&#8221;? Countless exploits have been devised around these things, so wouldn&#8217;t it be easier to check it first?</p>
<p>Maybe Microsoft needs to hire a special group just to do this. Make them an elite squad, &#8220;The Buffer Checkers&#8221;; maybe they can even hire Sarah Michelle Gellar as their spokesperson. You know, &#8220;Buffy the Buffer Slayer.&#8221; Or maybe they just want to keep on issuing security bulletins every month about fixes for unchecked buffers. At least it keeps their name in the headlines.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/what-does-it-mean-when-you-keep-on-making-the-same-mistake.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Key to Winning the Network Security Contest</title>
		<link>http://veriat.com/key-to-winning-the-network-security-contest.html</link>
		<comments>http://veriat.com/key-to-winning-the-network-security-contest.html#comments</comments>
		<pubDate>Sun, 02 Aug 2009 11:54:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[hacker tool]]></category>
		<category><![CDATA[NetBIOS]]></category>
		<category><![CDATA[share files]]></category>
		<category><![CDATA[share printers]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=265</guid>
		<description><![CDATA[Winning the SMBRelay Race
Following our earlier report on the SMBRelay attack against Windows 2000 Server Message Block (SMB), Microsoft&#8217;s Eric Schultze has clarified the fixes necessary to guard against it. To recap: SMB is a NetBIOS protocol widely used in Windows networking to share files, printers, and other services. A new hacker tool, SMBRelay, exploits several legacy security options embedded in the NetBIOS/SMB protocols [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Winning the SMBRelay Race</strong></p>
<p>Following our earlier report on the SMBRelay attack against Windows 2000 Server Message Block (SMB), Microsoft&#8217;s Eric Schultze has clarified the fixes necessary to guard against it. To recap: SMB is a NetBIOS protocol widely used in Windows networking to share files, printers, and other services. A new hacker tool, SMBRelay, exploits several legacy security options embedded in the NetBIOS/SMB protocols that allow an attacker to interpose between the client and host and &#8220;hijack&#8221; a secure session.</p>
<p><span id="more-265"></span></p>
<p>The exploit can be blocked by closing down NetBIOS ports at the firewall. The critical ports are UDP 137 and 138, TCP 139, TCP and UDP 445. Inside the firewall, we recommended upgrading NT systems to NTLMv2 (NT LAN Manager version 2), a 128-bit encrypted version of NT LAN Manager (NTLM). However, according to Eric Schultze, NTLMv2 &#8220;won&#8217;t prevent&#8221; an SMBRelay-type man-in-the-middle attack. Other than port filtering, the only way to secure exposed NetBIOS host-client communication is to enable SMB Server Signing. This prevents the remote host from establishing the necessary &#8220;back channel&#8221; with the target host.</p>
<p>SMB Server Signing supports both mutual authentication and message authentication by placing digital signatures into each SMB session, which is then verified by both the client and the server. If SMB Signing is enabled WHEN POSSIBLE on the server, then clients also enabled for SMB Signing will utilize the protocol during subsequent sessions. Otherwise they will default to legacy standards. If SMB signing is enabled ALWAYS on the server, a client will not be able to establish a session unless it is also enabled for SMB signing.</p>
<p>To enable SMB Signing in Windows 2000, go to the Control Panel and select Administrative Tools &gt; Local Security Settings &gt; Local Policies &gt; Security Options. Under Policy double-click on Digitally sign server communications (always) or Digitally sign server communications (when possible), and select Enabled. SMB Signing can be set up in Windows NT and Windows 98 by adding a pair of keys to the Registry.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/key-to-winning-the-network-security-contest.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Web Server Vulnerable to ISAPI Buffer Overflow</title>
		<link>http://veriat.com/microsoft-web-server-vulnerable-to-isapi-buffer-overflow.html</link>
		<comments>http://veriat.com/microsoft-web-server-vulnerable-to-isapi-buffer-overflow.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 16:06:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[CPU register]]></category>
		<category><![CDATA[IIS Exposed]]></category>
		<category><![CDATA[Internet Server API]]></category>
		<category><![CDATA[Microsoft patch]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[unchecked buffer]]></category>
		<category><![CDATA[Web Server]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=263</guid>
		<description><![CDATA[IIS Exposed to Data Flood Damage
As the mighty Mississippi recedes from the sandbag levees in Iowa, a serious breach in the dam of that other force of nature, Microsoft, comes to the fore. eEye Digital Security announced on May 1 its discovery of an unchecked buffer in the Internet Printing Protocol (IPP) of IIS version [...]]]></description>
			<content:encoded><![CDATA[<p><strong>IIS Exposed to Data Flood Damage</strong></p>
<p>As the mighty Mississippi recedes from the sandbag levees in Iowa, a serious breach in the dam of that other force of nature, Microsoft, comes to the fore. eEye Digital Security announced on May 1 its discovery of an unchecked buffer in the Internet Printing Protocol (IPP) of IIS version 5.0 for Windows 2000. The buffer overflow in this case exposes the Extended Instruction Pointer (EIP) CPU register, allowing an attacker to compromise the security of Microsoft&#8217;s premier web server platform.<span id="more-263"></span></p>
<p><strong>Not Fit to Print</strong></p>
<p>IPP is a component of the Internet Server API (ISAPI), an IIS programming interface that enables web pages to run programs (such as databases) on the server. eEye Digital Security associate Riley Hassel, utilizing eEye&#8217;s Retina CHAM technology, detected the buffer overflow error in the IPP .printer ISAPI filter. The .printer extension supports the Internet Printing Protocol, an industry-standard protocol that allows for web-based (HTTP) control of networked printers.</p>
<p>eEye Digital Security discovered that packing a buffer of approximately 420 bytes within the HTTP header could trigger the buffer overflow and overwrite the EIP register. This would then give an attacker access to protected memory space on the server. Overwriting a CPU register inevitably leads to a crash; however, because Windows 2000 automatically restarts IIS in such cases&#8211;in order to maintain web site &#8220;uptime&#8221;&#8211;it thus inadvertently facilitates the planting of &#8220;Trojan&#8221; code for subsequent execution.</p>
<p><strong>Preventing Flood Damage</strong></p>
<p>With the necessary information in hand a &#8220;properly&#8221; executed attack could infiltrate an IIS server with code that would bind system-level commands to a port on the server, allowing the attacker total access to the machine. These types of buffer overflows are not logged, so any IPP-based exploits would not be exposed to casual administrator perusal. And because the attack is buried in an HTTP header&#8211;requiring only an open HTTP (80) or HTTPS (443) port for access&#8211;traditional firewalls would not protect against it.</p>
<p>eEye Digital Security informed Microsoft of the problem prior to publication, and both companies have come up with solutions. eEye, of course, would like you to deploy their SecureIIS Application Firewall, designed specifically to protect against buffer overrun, parser evasion, and directory traversal attacks. The Microsoft patch, described in Microsoft Security Bulletin MS01-023, secures the unchecked buffer. The patch can be downloaded from the Microsoft site.</p>
<p><strong>Move to Higher Ground</strong></p>
<p>Windows 2000 IIS administrators who cannot install the patch should remove the mapping for Internet Printing ISAPI extension. As described in the Secure Internet Information Services 5 Checklist, this involves removing the .printer entry in the Internet Services Manager. Applying the high security template, hisecweb.inf, removes the mapping, and can be downloaded from the site above. The Checklist should also be consulted for other possible security risks. To paraphrase Microsoft&#8217;s own comments on the subject, &#8220;Unless you have a mission-critical reason to use [an unused script mapping], you should remove [it].&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/microsoft-web-server-vulnerable-to-isapi-buffer-overflow.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NetBIOS, LAN Manager Compromised by Hacker Tools</title>
		<link>http://veriat.com/netbios-lan-manager-compromised-by-hacker-tools.html</link>
		<comments>http://veriat.com/netbios-lan-manager-compromised-by-hacker-tools.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 15:51:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[Hacker Tools]]></category>
		<category><![CDATA[NetBIOS]]></category>
		<category><![CDATA[sharing protocol]]></category>
		<category><![CDATA[Windows Networking]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=261</guid>
		<description><![CDATA[SMBRelay Exploits Windows Networking
If you&#8217;ve been waiting for a really good reason to upgrade the security of your Windows network, one Sir Dystic, of the infamous hacker group Cult of the Dead Cow, has come up with one. His utility, SMBRelay, coupled with Security Software Technology&#8217;s L0phtCrack password-cracking software, vastly simplifies the process of breaking [...]]]></description>
			<content:encoded><![CDATA[<p><strong>SMBRelay Exploits Windows Networking</strong></p>
<p>If you&#8217;ve been waiting for a really good reason to upgrade the security of your Windows network, one Sir Dystic, of the infamous hacker group Cult of the Dead Cow, has come up with one. His utility, SMBRelay, coupled with Security Software Technology&#8217;s L0phtCrack password-cracking software, vastly simplifies the process of breaking passwords collected from Windows-based LAN and Internet hosts.<span id="more-261"></span></p>
<p>Unblocking the SMB</p>
<p>SMBRelay takes advantage of a long-known vulnerability in the Server Message Block (SMB) file sharing protocol. SMB is layered onto NetBIOS, the networking application interface first created by IBM and adopted by Microsoft for DOS. When you share a Windows directory or drive over a local area network, you are most likely utilizing SMB over NetBIOS over NetBEUI, IPX, or TCP/IP.</p>
<p>Both SMB and NetBIOS have evolved over time, and Microsoft has endeavored to maintain backward compatibility with its older &#8220;dialects.&#8221; But this backward compatibility means that when an SMB session is initiated, a more primitive &#8220;plain text&#8221; level of authentication can often be negotiated that provides for maximum exposure of the password data.</p>
<p>Additionally, because SMB was developed to facilitate file and print sharing on local networks, a Windows client will automatically attempt to log onto an SMB server. In the process, the host and client will exchange password hashes. These pairs of password hashes (the challenge from the host plus the response from the client) can be &#8220;sniffed&#8221; and saved for later cracking.</p>
<p>Middleman Grabs Authentication</p>
<p>More insidious than network sniffing is session hijacking. An attacker makes himself the &#8220;man in the middle&#8221; by virtually interposing himself between the client and host. To expedite things, the attacker can send a client of the targeted host an HTML e-mail message with a link to a NetBIOS share on the web server. As the target&#8217;s computer attempts to establish a NetBIOS connection, the attacker steps in, intercepts the client&#8217;s credentials, and passes them off as his own.</p>
<p>Sir Dystic&#8217;s SMBRelay automates the process by functioning first as a data relay between the client and host, sending on all but the authentication data. Then the attacker disconnects the client and binds the host to a new IP relay address that the attacker can log on to, all the while maintaining the original client&#8217;s host privileges. At the same time NTLM password hashes exchanged by the client and host are collected and saved to a text file.</p>
<p>Taking It to the Next Level</p>
<p>The primary weakness with NetBIOS, also inherited by LAN Manager, lies in its willingness to negotiate security to the lowest common denominator when handling SMB sessions. For this reason, password hash collecting and man-in-the-middle attacks on the NetBIOS/SMB protocols are not new. Microsoft has admitted that, &#8220;Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords.&#8221;</p>
<p>To this end Microsoft developed NT LAN Manager version 2 (NTLMv2), a 128-bit encrypted version of NT LAN Manager that does not depend on the exchange of password hashes for authentication. To lock out weaker protocol dialects, however, NTLM must be disabled so that session authentication defaults to NTLMv2. Enabling NTLMv2 exclusively on Windows networks is covered in Microsoft Knowledge Base article Q239869.</p>
<p>Eliminating Unnecessary Services</p>
<p>One aspect of making a software product &#8220;user friendly&#8221; is anticipating all the possible ways in which it might be used. For Microsoft, this means covering a lot of bases, and so installations of the Windows 9.x operating systems tend to throw in the kitchen sink. But as a result, you will be left with a lot of services running you probably don&#8217;t need; worse, they could pose considerable security risks.</p>
<p>To start with, on standalone machines NetBIOS and NetBIOS shares should be turned off. Secure Design has a page on Basic Windows 9.x Security that runs down the steps you can take to shut down unneeded Windows network services.</p>
<p>As a further check of your computer security, a number of security firms such as Sdesign and Gibson Research will scan your computer over the Internet for open ports and exposed NetBIOS traffic.</p>
<p>The SMB and other NetBIOS exploits depend on attackers finding an open NetBIOS port on the targeted machine. According to SDesign, 22 percent of the systems they scan are open on port 139, which is required for NetBIOS connections. Security consultants recommend blocking TCP/UDP ports 135, 137, and 139, and UDP port 138 at the firewall to prevent SMBRelay-type cracking attempts.</p>
<p>Many ISPs block these ports in order to ensure their own network security and that of their customers. In any case, home users, especially those with &#8220;always-on&#8221; high-speed Internet service, should deploy a personal firewall. All the major anti-virus software companies sell personal firewalls, and Zone Labs provides its popular ZoneAlarm personal firewall free to individuals and non-profit organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/netbios-lan-manager-compromised-by-hacker-tools.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>User Securities Lapses Open pcAnywhere Hosts to Prying Eyes</title>
		<link>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html</link>
		<comments>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 15:36:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[HTTP]]></category>
		<category><![CDATA[LDAP]]></category>
		<category><![CDATA[NDS]]></category>
		<category><![CDATA[Novell Bindery]]></category>
		<category><![CDATA[NT Domain]]></category>
		<category><![CDATA[public key encryption]]></category>
		<category><![CDATA[securities issue]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=259</guid>
		<description><![CDATA[pcAnywhere 10: Remote Access Not a Remote Risk (Update)
Symantec recently contacted ?regarding its April 11th, 2001 analysis of pcAnywhere security issues and pointed out several features we glossed over in our (albeit brief) discussion of pcAnywhere 10.0. To summarize Symantec&#8217;s claims and our responses:
1. pcAnywhere 10.0 client-host traffic can be encrypted using internal pcAnywhere, symmetric, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>pcAnywhere 10: Remote Access Not a Remote Risk (Update)</strong></p>
<p>Symantec recently contacted ?regarding its April 11th, 2001 analysis of pcAnywhere security issues and pointed out several features we glossed over in our (albeit brief) discussion of pcAnywhere 10.0. To summarize Symantec&#8217;s claims and our responses:<span id="more-259"></span></p>
<p>1. pcAnywhere 10.0 client-host traffic can be encrypted using internal pcAnywhere, symmetric, or public key encryption.</p>
<p>The encryption Symantec refers to prevents network monitors or &#8220;sniffers&#8221; from capturing a remote pcAnywhere session. But unless you select public key encryption, and then do not publish the key, it will not provide any additional protection from other pcAnywhere users. A login attempt will report the level of security being used.</p>
<p>2. pcAnywhere 10.0 requires that users password protect their pcAnywhere hosts. A &#8220;null&#8221; password is not accepted.</p>
<p>pcAnywhere 10.0 requires that users password protect new Callers, not new hosts. Password protection of the host is optional. And both levels of password protection can be defeated via the .CIF file &#8220;back door.&#8221;</p>
<p>3. Authentication options offered with pcAnywhere 10.0 include Active Directory, NDS, Novell Bindery, LDAP, FTP, HTTP, and NT Domain.</p>
<p>4. Random searches for pcAnywhere hosts can be prevented by going to Tools &gt; Options &gt; Host Communications and clicking the &#8220;Do not display host in TCP/IP search results&#8221; box.</p>
<p>This is an important feature for pcAnywhere users wishing to ensure their privacy over local area networks and the Internet.</p>
<p>5. pcAnywhere users can add a further level of security by limiting connections to within a specific subnet or even a specific TCP/IP address or host name.</p>
<p>This is perhaps the easiest-to-implement safety feature for both home/small business and corporate users. Go to Tools &gt; Options &gt; Host Communications. In the TCP/IP options box you can enter a list of valid connections. Callers from addresses other than those listed will be rejected, regardless of permissions and passwords.</p>
<p>6. If you use the pcAnywhere 10.0 Packager to create custom pcAnywhere hosts, &#8220;Integrity Checking&#8221; will check the installation every time pcAnywhere is launched for changes in the registry, pcAnywhere objects, executables and DLLs. Integrity Checking prevents .CIF files from being copied into the pcAnywhere data directory and circumventing security settings.</p>
<p>&#8220;Integrity Checking&#8221; applies only to Packager-created hosts. Packager installation requires Windows NT or Windows 2000. Otherwise, pcAnywhere 10.0 does not distinguish between a CIF file generated by its own host and a .CIF file generated elsewhere. In fact, you can copy a foreign .CIF file to the \pcAnywhere directory while the host is running and the host will incorporate the new password and login &#8220;on the fly.&#8221; Subsequently (until and unless either the new Caller or the .CIF file is deleted), all new hosts will incorporate that .CIF file&#8217;s defined Caller.</p>
<p>This porous &#8220;back door&#8221; necessitates careful attention to all the other security measures pcAnywhere offers and incorporates.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/user-securities-lapses-open-pcanywhere-hosts-to-prying-eyes-2.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malicious Application Hides Behind CLSID Extensions</title>
		<link>http://veriat.com/malicious-application-hides-behind-clsid-extensions.html</link>
		<comments>http://veriat.com/malicious-application-hides-behind-clsid-extensions.html#comments</comments>
		<pubDate>Sat, 01 Aug 2009 15:20:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-spam techniques]]></category>
		<category><![CDATA[ActiveX controls]]></category>
		<category><![CDATA[Component Object Model]]></category>
		<category><![CDATA[Excel spreadsheet]]></category>
		<category><![CDATA[OLE automation]]></category>
		<category><![CDATA[Window NT 3.5]]></category>
		<category><![CDATA[Windows 95]]></category>
		<category><![CDATA[Word document]]></category>

		<guid isPermaLink="false">http://veriat.com/?p=257</guid>
		<description><![CDATA[Windows Class IDs Create Serious Vulnerability
Remember the scene in &#8220;Mission Impossible 2&#8221; where the guy in the plane rips off the mask and exposes Ethan Hunt&#8217;s nemesis? So too are Windows users also having problems distinguishing between good and bad applications. As security analyst Georgi Guninski has recently shown, malicious users can play a devastating [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Windows Class IDs Create Serious Vulnerability</strong></p>
<p>Remember the scene in &#8220;Mission Impossible 2&#8221; where the guy in the plane rips off the mask and exposes Ethan Hunt&#8217;s nemesis? So too are Windows users also having problems distinguishing between good and bad applications. As security analyst Georgi Guninski has recently shown, malicious users can play a devastating trick on Windows systems using a CLSID extension, and thereby disguise a potentially dangerous COM object as a lowly .TXT file.<span id="more-257"></span></p>
<p>Microsoft&#8217;s Component Object Model (COM) architecture has been built into all Windows systems since the debut of Window NT 3.5 and Windows 95. It ties disparate desktop tasks together by providing programmers with a library of standardized functions not dependent on any one programming language. Most Windows users experience COM as OLE automation, as when you embed an Excel spreadsheet in a Word document, and as ActiveX controls that add interface enhancements (such as 3-D toolbars) to programs, and animate ActiveX-compliant Web pages.</p>
<p>Like books in a library, COM objects require the equivalent of a Library of Congress or Dewey Decimal classification to refer to each object separately. This is the purpose of the CLSID, or CLasS ID, a 128-bit number that uniquely identifies a COM object and instructs the operating system how to execute it. What makes this especially dangerous is that a COM object can easily be crafted to rewrite the Windows Registry, delete files, wipe out the hard drive, and wreak all sorts of other havoc.</p>
<p>Not What It Seems</p>
<p>What Georgi Guninski discovered was that a CLSID appended to an otherwise innocuous .TXT extension doesn&#8217;t show up in Windows Explorer, even with &#8220;Hide file extensions for known file types&#8221; turned off. Guninski provides a proof-of-concept file on his site called TESTHTA.TXT. The file is actually an HTML Application (HTA) file, with a full file name TESTHTA.TXT.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}. The number in brackets is the CLSID, but it is not displayed in Windows Explorer under normal circumstances. Double-click on it and it will execute, not as a text file, but in whatever way the CLSID tells it to.</p>
<p>Windows still knows what it is though. List the file in Windows Explorer using the View &gt; Details option, and Windows Explorer will report the file in the Type column as an &#8220;HTML Application.&#8221; When set to Details mode, Windows Explorer knows that testhta.txt is not an ordinary .TXT file. Right-clicking on the file and selecting Properties yields the same results. And when unzipping the test file we found that WinZip reported the entire file name, including the CLSID extension.</p>
<p>BugNet has expanded on Guninski&#8217;s demonstration exploit, and has created a myriad of similar exploits in an attempt to ascertain the seriousness of this vulnerability. With relative ease we were able to create an Excel spreadsheet with built-in startup macro that erases files off of the hard disk. We created a registry merge file that granted us Administrative rights on a Windows 2000 domain server. We even found a way to trash the entire registry, making it unusable. Despite the menacing nature of these files, they each hide innocently behind a harmless file name like README.TXT. Download a vulnerability .WAV demonstration file off our web site.</p>
<p>The way someone might exploit this vulnerability is to create a gaffed file and place it in a shared network folder. People browsing to the folder would only see the innocuous filename. However, double-clicking on the file would unleash the ravages contained therein. The only protection is for the user to vigilantly look at the file icon to make sure that it matches the file type. For example, a README.TXT file should have the icon of the application that is associated with text files. On most systems, this would be Notepad. Any deviation from this should alert the user to a potential problem. Given the eagerness of e-mail users around the world to open a &#8220;JPEG&#8221; of Anna Kournikova even with a .VBS extension, there is little hope that CLSID-laden Trojan files will become a thing of the past. The only viable solution would be for Microsoft to create a patch. Given their response to our request, it appears they are looking into it.</p>
<p>User Beware</p>
<p>In response to our inquiries, a Microsoft spokesperson stated that Microsoft was &#8220;thoroughly investigating this issue&#8221; just as they do with &#8220;every report [Microsoft] receives of security vulnerabilities affecting [its] products.&#8221; However, the company believes at this point that any further speculation on the issue &#8220;would be irresponsible and counterproductive&#8221; to its goal of &#8220;protecting customers&#8217; information.&#8221;</p>
<p>The solution, of course, is not to let COM objects hide behind otherwise harmless-looking file extensions. But this is an old game really. E-mail worms have often spread by baldly disguising Visual Basic scripts as image files. The giveaway is the .VBS appended to the .JPG extension. The CLSID is a bit trickier because at first glance it doesn&#8217;t show up as part of the filename. But look closer and it can&#8217;t hide its true nature. E-mail attachments reveal the entire CLSID filename, so it is likely that future authors of viruses and worms will append files as .ZIP or self-extracting .EXE files.</p>
<p>In any case, beware of any file with an extension followed by a long number in brackets. The shepherd knows his sheep, the old saying goes, and it is up to you to ferret out the fakes. Don&#8217;t double-click it until you double-check it.</p>
]]></content:encoded>
			<wfw:commentRss>http://veriat.com/malicious-application-hides-behind-clsid-extensions.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
