ECN Electrical Forum - Discussion Forums for Electricians, Inspectors and Related Professionals

#170186 - 10/29/07 10:10 AM PDF files infected, be aware!  
Gloria  Offline
Member
Joined: May 2004
Posts: 364
Budapest, Hungary
A malicious PDF file called report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, or similar, has been massively spammed through e-mail. The PDF is spiced with exploit CVE-2007-5020 that downloads ms32.exe, which in turn downloads more components.

Massive spamming did not eventually lead to major problems, since the secondary download location was swiftly taken down preventing the downloader from functioning.

The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report



Link:
http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml


The world is full of beauty if the heart is full of love
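As an added illustration (not part of Gloria's post or the F-Secure write-up), here is a small mail-filter check for the run she describes: it parses a message, looks for the spam subjects listed above and for PDF attachments named like report.pdf / debt.2007.pdf / overdraft.2007.10.26.pdf. The file-name pattern, the scoring rule, and the sample messages are all constructed here; a bare "report.pdf" is treated as a weak indicator on its own, since plenty of legitimate mail carries that name.

```python
"""Quarantine check for the 2007 PDF spam run (added example, not the forum's code)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects quoted in the post, lower-cased for comparison
SPAM_SUBJECTS = {
    "your credit report", "your credit points", "your balance report",
    "personal financial statement", "personal credit points",
    "personal balance report", "your credit file", "balance report",
}
# Constructed pattern generalising the file names named in the post:
# report.pdf, debt.2007.pdf, overdraft.2007.10.26.pdf, ...
SUSPECT_PDF_NAME = re.compile(
    r"^(report|debt|overdraft)(\.\d{4}(\.\d{2}){0,2})?\.pdf$", re.I)
DATED = re.compile(r"\.\d{4}")


def attachments(msg):
    """Yield (filename, content_type) for every attachment part of a message."""
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            yield name, part.get_content_type()


def score_message(raw: bytes) -> dict:
    """Return the indicators found and whether the mail should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    subject_hit = subject in SPAM_SUBJECTS

    pdf_names = [fn for fn, ctype in attachments(msg)
                 if ctype == "application/pdf" or fn.lower().endswith(".pdf")]
    name_hits = [fn for fn in pdf_names if SUSPECT_PDF_NAME.match(fn)]
    dated_hits = [fn for fn in name_hits if DATED.search(fn)]

    reasons = []
    if subject_hit:
        reasons.append("subject matches the spam run")
    for fn in name_hits:
        reasons.append(f"suspicious PDF name: {fn}")

    # Quarantine when a spam-run subject arrives with any PDF, or when the
    # attachment carries one of the dated names; a lone report.pdf is not enough.
    quarantine = (subject_hit and bool(pdf_names)) or bool(dated_hits)
    return {"subject": subject, "reasons": reasons, "quarantine": quarantine}


def build_sample(subject: str, pdf_name: str = "") -> bytes:
    """Construct a test message (sample data, not a captured spam)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached statement.")
    if pdf_name:
        # Placeholder bytes, not a real PDF and not the exploit payload
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename=pdf_name)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("Your balance report", "overdraft.2007.10.26.pdf"),
                       ("Lunch on Friday?", "minutes.pdf"),
                       ("Quarterly report", "report.pdf"),
                       ("Invoice", "debt.2007.pdf")]:
        print(subj, name, score_message(build_sample(subj, name)))
```

The same two checks could be expressed as a header/attachment rule in any MTA-side filter; the point is that the subject and the file name are weak on their own and convincing together.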


#170189 - 10/29/07 10:43 AM Re: PDF files infected, be aware! [Re: Gloria]  
Trumpy  Offline


Member
Joined: Jul 2002
Posts: 8,211
SI,New Zealand
Thanks Gloria,
That's handy to know. whistle


Let's face it, these days if you're not young, you're old - Red Green grin

#170200 - 10/29/07 12:25 PM Re: PDF files infected, be aware! [Re: Trumpy]  
gfretwell  Offline


Member
Joined: Jul 2004
Posts: 9,057
Estero,Fl,usa
Another advantage in running old software I guess. That would just pop up an Adobe error on a W/98 IE6 machine. I get those a lot when I try to open new PDFs. It says you might not get all the stuff they sent but I can still see the document most of the time.


Greg Fretwell

#170331 - 10/31/07 08:25 PM Re: PDF files infected, be aware! [Re: gfretwell]  
Alan Belson  Offline
Member
Joined: Mar 2005
Posts: 1,803
Mayenne N. France
I got one entitled "Income Tax deferred" or some such twaddle.
I 100% bin all e-mails without opening them unless I know the sender.
Don't be tempted- always bin without opening.
Empty your bin regularly.

I had 4 years of a spam-free diet till I let a mate on vacation use my machine to "check his e-mails".
We now get half a dozen a day offering Viagra or Enlargement of certain portions of the anatomy, all of which go in the rubbish unopened. The problem is they use a different name each time so you can't bin them on automatic. On the other hand, Lydia Trashcan or Carlos Fanackerpan kinda gives the game away. They are too stupid to use a common name like John Smith, who most of us probably know one of!



Wood work but can't!

#170333 - 10/31/07 09:45 PM Re: PDF files infected, be aware! [Re: Alan Belson]  
JoeTestingEngr  Offline
Member
Joined: Nov 2005
Posts: 782
Chicago, Il.
That's funny! I get all these emails telling me I can make millions on a stock or enlarge that certain area. This went contrary to all my early learning that I didn't need an enlarged area (or a Corvette) if I had a million $$$.
Joe


#170347 - 11/01/07 12:14 PM Re: PDF files infected, be aware! [Re: JoeTestingEngr]  
gfretwell  Offline


Member
Joined: Jul 2004
Posts: 9,057
Estero,Fl,usa
Delete any cookies you are sure you don't need. I prompt for cookies as a default and won't take any I don't absolutely need. That dropped my spam a whole lot. The second thing is, don't google while you are logged in.
If you are logged into Yahoo, AOL, MSN or any similar service and you do a search, that search is sent to spammers with your login address. The reason Google is at $700 in the market is because they understand they are sitting on a valuable commodity, a list of customers and everything they have expressed an interest in.


Greg Fretwell

#170372 - 11/01/07 08:13 PM Re: PDF files infected, be aware! [Re: gfretwell]  
techie  Offline
Member
Joined: May 2005
Posts: 246
palo alto, ca usa
Or do as I do.. I run a non-MS OS (FreeBSD unix), and use a non-GUI MUA (Elm). I can receive attachments, but nothing happens until I save them, and open them with my choice of application (under FreeBSD).

A lot of spam is very obvious. It's pure HTML, and appears as gibberish in Elm. >99% of the pure HTML email I receive is spam.

I do get a lot of spam, but then again my email addresses have been public knowledge for many years (one has been in use for 16 years..) I run my own mailservers, and I reject a lot of mail at the SMTP level, based on the IP address of the sender.

If the source is a known dynamic dialup/cable/dsl address, or is assigned to an entity in China, Korea, Africa, EV1.net/EV1servers.net, wanadoo/france telecom, BT, interbusiness.it, etc, or appears on any of a dozen DNSBLs it is rejected immediately, before my server agrees to accept it.

I have a local reject list of over 26,000 IP networks generated based on received spam over the last 5-6 years.
Some countries/ISPs are listed based on a zero-tolerance policy, based on 100% spam/0% content/0% abuse response.
If I find IP space assigned to them, it gets listed in my reject list.

If the sender has no reverse DNS, reverse DNS that points to a nonexistent domain, or reverse DNS that does not match the forward DNS for the given hostname, then it is rejected.
If the host fails to wait for the SMTP HELO, it is rejected for violating RFC822.

Future additions include the rfc-ignorant list, which lists ISPs that do not have functional abuse or postmaster addresses.

Anything that leaks through gets forwarded to Spamcop as a complaint. I currently don't use spamassassin to filter spam.

I prefer to reject at the initial SMTP transaction, which means that the sender should receive a bounce from their server, as opposed to a delayed bounce sent from my server to a probably forged address.

Any challenge-response emails that I receive are considered spam, as that system is in many ways as bad or worse than the spam itself, and can be used as an attack vector.
(send a spam using my (forged) address to a site using challenge-response, and I get the challenge, even though the source address was forged.)

Last edited by techie; 11/01/07 08:14 PM.

#170387 - 11/02/07 12:40 AM Re: PDF files infected, be aware! [Re: techie]  
gfretwell  Offline


Member
Joined: Jul 2004
Posts: 9,057
Estero,Fl,usa
I use my real address everywhere including newsgroups and I really don't get that much spam. Nothing like I used to get when I was browsing from within AOL.
I also have a web site and it is interesting how they scoop up addresses there. This is the HOA web site, I just manage it. They set up a lot of boilerplate addresses when they got the original site (president@xxx, Treasurer@xxx). Nobody had actually figured out how to use them until I got the job. Some of the mailboxes were empty, some were stuffed. Anything on a "contact" or an "index" page gets spam. I also noticed a bulletin board on the index page and one page down collects spam but if it is 3 levels deep it doesn't.


Greg Fretwell

#170702 - 11/09/07 05:13 AM Re: PDF files infected, be aware! [Re: gfretwell]  
Gloria  Offline
Member
Joined: May 2004
Posts: 364
Budapest, Hungary
Alan! LOL laugh true.
techie: I suppose you can be angry at some friends who don't write to you anymore, maybe you should check your spams sometimes. I have found a friend's e-mail in my spam a few months after she sent it, I was a bit upset.

Anyhow, the last few weeks the number of daily spams decreased by about 70%, it can be the success of Gmail, or the arrest of a few of those guys.
One more thing, I use dynamic IP, so I guess banning IP is not really a solution.


The world is full of beauty if the heart is full of love

#170758 - 11/11/07 04:21 AM Re: PDF files infected, be aware! [Re: Gloria]  
techie  Offline
Member
Joined: May 2005
Posts: 246
palo alto, ca usa
Maybe I wasn't clear.

Mail is either accepted or rejected.

Any mail rejected is never received by my server. The remote server receives a rejection, and the transaction is immediately terminated. The sender receives an immediate bounce, and knows that they need to use another communication channel.

If the mail is accepted by my server, it ends up either in my mailbox, or if it is sent via one of the mailing lists that I subscribe to, it gets sorted directly into a folder associated with that list for later reading.

I don't have any filters that mark mail as spam after it is received. Once the mail is received, I am the filter, and as such there is no mis-tagged email, or email mistakenly filed in the spam folder.

My system only checks the IP of the host that is connecting to my server. It does not check to see if the email originated from a dynamic IP address, and was relayed through an ISP's mail server, only if the address that is connecting to my server is a dynamic IP.

[Internet Postmaster hat on]

Given the exponential growth of trojaned PCs, and drive-by spamming, there is absolutely no reason why a mail server should accept any email from dynamic IP space, unless that IP space belongs to the ISP running the server. (ie: Cox's servers should accept mail from Cox's IP space.)

Best practices dictate that ISPs should proactively filter outgoing SMTP traffic originating from within their dynamic IP space, and require that all outgoing SMTP traffic be passed to their mail servers, where virus filters can be applied before the mail is allowed out into the wild.

Legitimate mail servers should be on static IPs. There is no valid reason why a mail server should be on a dynamic IP.
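For readers who want to see the connect-time policy from techie's two posts spelled out, here is an added example (my own illustration, not techie's configuration or any particular MTA's code). It decides accept or reject before any message data is taken, in the order the posts describe: local reject list, DNSBL, missing reverse DNS, reverse DNS naming a nonexistent host, reverse/forward DNS mismatch, dynamic-looking hostnames except for the operator's own customer space, and clients that start talking before the server greeting. The DNS tables, the DNSBL set, the network ranges, and the "dynamic" hostname pattern are all constructed stand-ins so the script runs offline; a real server would query DNS and the DNSBL zones instead.

```python
"""SMTP connection-time acceptance policy (added example, not the forum's code).

All lookups are simulated with constructed tables; only the connecting IP is
examined, as techie describes, never the originating address of a relayed mail.
"""
import ipaddress
import re

# --- constructed stand-ins for DNS data and block lists --------------------
PTR_RECORDS = {                                   # ip -> reverse DNS name
    "203.0.113.10": "mail.example.net",
    "203.0.113.200": "dyn-200.pool.ourisp.example",   # our own dynamic customer
    "198.51.100.7": "dsl-7.pool.example-isp.net",     # someone else's dynamic pool
    "192.0.2.20": "mail.example.org",
    "192.0.2.55": "host55.nonexistent.invalid",
}
A_RECORDS = {                                     # name -> forward addresses
    "mail.example.net": {"203.0.113.10"},
    "dyn-200.pool.ourisp.example": {"203.0.113.200"},
    "dsl-7.pool.example-isp.net": {"198.51.100.7"},
    "mail.example.org": {"192.0.2.21"},           # deliberately does not match its PTR
}
DNSBL_LISTED = {"192.0.2.99"}                     # stands in for a dozen DNSBL zones
LOCAL_REJECT_LIST = [ipaddress.ip_network("192.0.2.128/25")]
OWN_DYNAMIC_SPACE = [ipaddress.ip_network("203.0.113.192/26")]
# Hostname shapes typical of dynamic pools (constructed pattern, not a standard)
DYNAMIC_NAME = re.compile(r"(^|[.-])(dsl|cable|dialup|pool|dyn|ppp)\d*[.-]", re.I)


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def connection_policy(client_ip: str, talked_before_greeting: bool = False):
    """Return (accepted, smtp_reply) for a connecting client.

    Rejections use a 5xx reply in the initial transaction, so the sending
    server bounces to its own user at once and this side never generates a
    delayed bounce to a possibly forged address.
    """
    ip = ipaddress.ip_address(client_ip)

    if talked_before_greeting:
        return False, "554 5.7.0 Client sent data before the server greeting"
    if _in_any(ip, LOCAL_REJECT_LIST):
        return False, "550 5.7.1 Network is on the local reject list"
    if client_ip in DNSBL_LISTED:
        return False, "550 5.7.1 Address is listed on a DNSBL"

    rdns = PTR_RECORDS.get(client_ip)
    if rdns is None:
        return False, "550 5.7.1 No reverse DNS for client address"
    forward = A_RECORDS.get(rdns)
    if not forward:
        return False, "550 5.7.1 Reverse DNS points to a nonexistent host"
    if client_ip not in forward:
        return False, "550 5.7.1 Reverse DNS does not match forward DNS"

    if DYNAMIC_NAME.search(rdns) and not _in_any(ip, OWN_DYNAMIC_SPACE):
        return False, "550 5.7.1 Dynamic address; relay through your ISP's mail server"

    return True, "220 mx.example.com ESMTP"


if __name__ == "__main__":
    for addr in ["203.0.113.10", "203.0.113.200", "198.51.100.7", "192.0.2.20",
                 "192.0.2.55", "192.0.2.99", "192.0.2.130", "198.18.0.1"]:
        accepted, reply = connection_policy(addr)
        print(f"{addr:15} {'ACCEPT' if accepted else 'REJECT'}  {reply}")
    print(connection_policy("203.0.113.10", talked_before_greeting=True))
```

Note that the own-ISP exception is applied only after the reverse/forward checks, so a customer host on the operator's dynamic space still has to resolve consistently; and because every rejection happens inside the SMTP session, nothing is stored and nothing is bounced later, which is the property techie contrasts with challenge-response systems.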


