The Electrical Contractor Network

ECN Electrical Forum
Discussion Forums for Electricians, Inspectors and Related Professionals

#170186 - 10/29/07 07:10 AM PDF files infected, be aware!
Gloria Offline
Member

Registered: 05/01/04
Posts: 395
Loc: Budapest, Hungary
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.

Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.

The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report

Link:
http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml
_________________________
The world is full of beauty if the heart is full of love

#170189 - 10/29/07 07:43 AM Re: PDF files infected, be aware! [Re: Gloria]
Trumpy Offline

Member

Registered: 07/05/02
Posts: 8540
Loc: SI,New Zealand
Thanks Gloria,
That's handy to know.
_________________________
Let's face it, these days if you're not young, you're old - Red Green grin

#170200 - 10/29/07 09:25 AM Re: PDF files infected, be aware! [Re: Trumpy]
gfretwell Offline

Member

Registered: 07/20/04
Posts: 9045
Loc: Estero,Fl,usa
Another advantage in running old software I guess. That would just pop up an Adobe error on a W/98 IE6 machine. I get those a lot when I try to open new PDFs. It says you might not get all the stuff they sent but I can still see the document most of the time.
_________________________
Greg Fretwell

#170331 - 10/31/07 05:25 PM Re: PDF files infected, be aware! [Re: gfretwell]
Alan Belson Offline
Member

Registered: 03/23/05
Posts: 1801
Loc: Mayenne N. France
I got one entitled "Income Tax deferred" or some such twaddle.
I 100% bin all e-mails without opening them unless I know the sender.
Don't be tempted - always bin without opening.
Empty your bin regularly.

I had 4 years of a spam-free diet till I let a mate on vacation use my machine to "check his e-mails".
We now get half a dozen a day offering Viagra or Enlargement of certain portions of the anatomy, all of which go in the rubbish unopened. The problem is they use a different name each time so you can't bin them on automatic. On the other hand, Lydia Trashcan or Carlos Fanackerpan kinda gives the game away. They are too stupid to use a common name like John Smith, who most of us probably know one of!
_________________________
Wood work but can't!

#170333 - 10/31/07 06:45 PM Re: PDF files infected, be aware! [Re: Alan Belson]
JoeTestingEngr Offline
Member

Registered: 11/04/05
Posts: 786
Loc: Chicago, Il.
That's funny! I get all these emails telling me I can make millions on a stock or enlarge that certain area. This went contrary to all my early learning that I didn't need an enlarged area (or a Corvette) if I had a million $$$.
Joe

#170347 - 11/01/07 09:14 AM Re: PDF files infected, be aware! [Re: JoeTestingEngr]
gfretwell Offline

Member

Registered: 07/20/04
Posts: 9045
Loc: Estero,Fl,usa
Delete any cookies you are sure you don't need. I prompt for cookies as a default and won't take any I don't absolutely need. That dropped my spam a whole lot. The second thing is, don't google while you are logged in.
If you are logged into Yahoo, AOL, MSN or any similar service and you do a search, that search is sent to spammers with your login address. The reason Google is at $700 in the market is because they understand they are sitting on a valuable commodity, a list of customers and everything they have expressed an interest in.
_________________________
Greg Fretwell

#170372 - 11/01/07 05:13 PM Re: PDF files infected, be aware! [Re: gfretwell]
techie Offline
Member

Registered: 05/17/05
Posts: 240
Loc: palo alto, ca usa
Or do as I do... I run a non-MS OS (FreeBSD Unix), and use a non-GUI MUA (Elm). I can receive attachments, but nothing happens until I save them and open them with my choice of application (under FreeBSD).

A lot of spam is very obvious. It's pure HTML, and appears as gibberish in Elm. >99% of the pure HTML email I receive is spam.

I do get a lot of spam, but then again my email addresses have been public knowledge for many years (one has been in use for 16 years...). I run my own mail servers, and I reject a lot of mail at the SMTP level, based on the IP address of the sender.

If the source is a known dynamic dialup/cable/DSL address, or is assigned to an entity in China, Korea, Africa, EV1.net/EV1servers.net, Wanadoo/France Telecom, BT, interbusiness.it, etc., or appears on any of a dozen DNSBLs, it is rejected immediately, before my server agrees to accept it.

I have a local reject list of over 26,000 IP networks, generated based on received spam over the last 5-6 years.
Some countries/ISPs are listed based on a zero-tolerance policy, based on 100% spam/0% content/0% abuse response.
If I find IP space assigned to them, it gets listed in my reject list.

If the sender has no reverse DNS, reverse DNS that points to a nonexistent domain, or reverse DNS that does not match the forward DNS for the given hostname, then it is rejected.
If the host fails to wait for the SMTP HELO, it is rejected for violating RFC822.

Future additions include the rfc-ignorant list, which lists ISPs that do not have functional abuse or postmaster addresses.

Anything that leaks through gets forwarded to SpamCop as a complaint. I currently don't use SpamAssassin to filter spam.

I prefer to reject at the initial SMTP transaction, which means that the sender should receive a bounce from their server, as opposed to a delayed bounce sent from my server to a probably forged address.

Any challenge-response emails that I receive are considered spam, as that system is in many ways as bad or worse than the spam itself, and can be used as an attack vector.
(send a spam using my (forged) address to a site using challenge-response, and I get the challenge, even though the source address was forged.)


Edited by techie (11/01/07 05:14 PM)

#170387 - 11/01/07 09:40 PM Re: PDF files infected, be aware! [Re: techie]
gfretwell Offline

Member

Registered: 07/20/04
Posts: 9045
Loc: Estero,Fl,usa
I use my real address everywhere including newsgroups and I really don't get that much spam. Nothing like I used to get when I was browsing from within AOL.
I also have a web site and it is interesting how they scoop up addresses there. This is the HOA web site, I just manage it. They set up a lot of boiler plate addresses when they got the original site (president@xxx, Treasurer@xxx). Nobody had actually figured out how to use them until I got the job. Some of the mailboxes were empty, some were stuffed. Anything on a "contact" or an "index" page gets spam. I also noticed a bulletin board on the index page and one page down collects spam but if it is 3 levels deep it doesn't.
_________________________
Greg Fretwell

#170702 - 11/09/07 01:13 AM Re: PDF files infected, be aware! [Re: gfretwell]
Gloria Offline
Member

Registered: 05/01/04
Posts: 395
Loc: Budapest, Hungary
Alan! LOL :D true.
techie: I suppose you can be angry at some friends who don't write to you anymore; maybe you should check your spam sometimes. I found a friend's e-mail in my spam a few months after she sent it, I was a bit upset.

Anyhow, in the last few weeks the number of daily spams has decreased by about 70%; it could be the success of Gmail, or the arrest of a few of those guys.
One more thing: I use a dynamic IP, so I guess banning IPs is not really a solution.
_________________________
The world is full of beauty if the heart is full of love

#170758 - 11/11/07 12:21 AM Re: PDF files infected, be aware! [Re: Gloria]
techie Offline
Member

Registered: 05/17/05
Posts: 240
Loc: palo alto, ca usa
Maybe I wasn't clear.

Mail is either accepted or rejected.

Any mail rejected is never received by my server. The remote server receives a rejection, and the transaction is immediately terminated. The sender receives an immediate bounce, and knows that they need to use another communication channel.

If the mail is accepted by my server, it ends up either in my mailbox, or if it is sent via one of the mailing lists that I subscribe to, it gets sorted directly into a folder associated with that list for later reading.

I don't have any filters that mark mail as spam after it is received. Once the mail is received, I am the filter, and as such there is no mis-tagged email, or email mistakenly filed in the spam folder.

My system only checks the IP of the host that is connecting to my server. It does not check to see if the email originated from a dynamic IP address, and was relayed through an ISP's mail server, only if the address that is connecting to my server is a dynamic IP.

[Internet Postmaster hat on]

Given the exponential growth of trojaned PCs, and drive-by spamming, there is absolutely no reason why a mail server should accept any email from dynamic IP space, unless that IP space belongs to the ISP running the server. (i.e. Cox's servers should accept mail from Cox's IP space.)

Best practices dictate that ISPs should proactively filter outgoing SMTP traffic originating from within their dynamic IP space, and require that all outgoing SMTP traffic be passed to their mail servers, where virus filters can be applied before the mail is allowed out into the wild.

Legitimate mail servers should be on static IPs. There is no valid reason why a mail server should be on a dynamic IP.
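
The connection-time policy techie describes across the two posts above (reject on the local network list, on a DNSBL hit, on missing or mismatched reverse DNS, on early talkers, and on dynamic address space unless it belongs to the server's own ISP) can be expressed compactly. The block below is an added example written for this thread, not techie's configuration or any real mail server's code; the DNS tables, reject list, DNSBL entries and network ranges are all constructed placeholders so it runs offline, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed stand-in for the DNS. A real server would query a resolver
# (PTR for the connecting IP, then A/AAAA for the name the PTR returned);
# the tables below let the example run offline with no network access.
PTR_RECORDS = {
    "203.0.113.10": "mail.example.net",           # forward and reverse agree
    "203.0.113.11": "mail.example.net",           # reverse OK, forward disagrees
    "203.0.113.12": "host.nonexistent.example",   # reverse points at a dead name
    "198.51.100.7": "cpe-198-51-100-7.dyn.isp.example",   # dynamic pool
    "198.51.100.8": "cpe-198-51-100-8.dyn.isp.example",   # dynamic pool
}
A_RECORDS = {
    "mail.example.net": {"203.0.113.10"},
    "cpe-198-51-100-7.dyn.isp.example": {"198.51.100.7"},
    "cpe-198-51-100-8.dyn.isp.example": {"198.51.100.8"},
}

# Constructed policy data (hypothetical values, not the poster's real lists).
DNSBL_LISTED = {"203.0.113.99"}                        # a DNS query in practice
LOCAL_REJECT = [ipaddress.ip_network("192.0.2.0/24")]  # hand-built reject list
DYNAMIC_SPACE = [ipaddress.ip_network("198.51.100.0/24")]
OWN_ISP_SPACE = [ipaddress.ip_network("198.51.100.0/29")]  # "Cox accepts from Cox"
DYNAMIC_PTR = re.compile(r"(^|[.-])(dyn|dhcp|dialup|cable|dsl|pool)([.-]|$)", re.I)


def in_any(ip, nets):
    return any(ip in net for net in nets)


def fcrdns(ip_str):
    """Forward-confirmed reverse DNS: the PTR name must exist and must
    resolve back to the connecting address. Returns (ok, detail)."""
    name = PTR_RECORDS.get(ip_str)
    if name is None:
        return False, "no reverse DNS"
    forward = A_RECORDS.get(name)
    if not forward:
        return False, f"reverse DNS {name} does not resolve"
    if ip_str not in forward:
        return False, f"forward DNS for {name} does not match {ip_str}"
    return True, name


def connection_policy(ip_str, spoke_before_banner=False):
    """Decide accept/reject from the connecting IP alone, before any
    envelope or message data is taken. Returns (smtp_code, text). A 554 in
    the greeting is a permanent rejection, so the sending server bounces
    the message itself instead of our server generating a late bounce to a
    possibly forged address."""
    ip = ipaddress.ip_address(ip_str)
    if spoke_before_banner:
        return 554, "client sent data before the server greeting"
    if in_any(ip, LOCAL_REJECT):
        return 554, "listed in local reject list"
    if ip_str in DNSBL_LISTED:
        return 554, "listed in DNSBL"
    ok, detail = fcrdns(ip_str)
    if not ok:
        return 554, detail
    looks_dynamic = in_any(ip, DYNAMIC_SPACE) or DYNAMIC_PTR.search(detail) is not None
    if looks_dynamic and not in_any(ip, OWN_ISP_SPACE):
        return 554, "dynamic address space; relay through your ISP's mail server"
    return 220, f"ok {detail}"


def greeting_line(ip_str, spoke_before_banner=False):
    """The single line the server emits on connect: banner or rejection."""
    code, text = connection_policy(ip_str, spoke_before_banner)
    return f"{code} {text}"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
               "192.0.2.200", "203.0.113.99", "198.51.100.7", "198.51.100.8"):
        print(ip, "->", greeting_line(ip))
```

The order of checks matters for cost and for noise: the cheap local list and DNSBL lookups run before the two or three DNS queries that FCrDNS needs, and the dynamic-space test is only reached for hosts that already pass reverse DNS, so a listed or nameless host is never given the more expensive treatment. The own-ISP exemption is the one carve-out techie allows for dynamic space; everything else on a dynamic address is told to relay through its provider.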
