[ISN] Fight Spam with Blacklists

InfoSec News isn at c4i.org
Fri Mar 3 05:29:30 EST 2006


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 


St.Bernard Software


1. In Focus: Fight Spam with Blacklists

2. Security News and Features
   - Recent Security Vulnerabilities
   - Over 45,000 New Malware Threats Discovered in 2005
   - Phishing Sites Increase Significantly in December 2005
   - Combining LogParser and Sed

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
   - Share Your Security Tips

4. New and Improved
   - Block Bots and Other Web Malware


==== Sponsor: Availl ====

Ensure instant access to files at all remote servers and eliminate 95% 
of your network traffic.
   Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or 
Replication technologies? Do you have remote sites with common data or 
file needs?  
   Get a free software trial, and register for the free seminar.


==== 1. In Focus: Fight Spam with Blacklists ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I'd guess that the biggest spam headache we all face is false 
positives--messages that are inadvertently flagged as spam. False 
positives can be a significant problem, particularly for businesses. 
After all, you don't want business associates to think you're ignoring 

I recently wrote in the Security Matters blog about my findings with 
one particular mail server's various filters (at the URL below). The 
system uses a dozen filters to help eliminate unwanted email. One thing 
to keep in mind about filters is that what works for one entity might 
not work as well for another. You should try several filters and 
monitor your systems to determine what works best to eliminate the 
particular types of unwanted mail you receive.

That said, my findings for the organization in question might be 
interesting to you. After observing the filters process more than 
254,000 messages, I found that the most effective one for this 
particular organization is a simple language filter. The filter drops 
messages written in character sets that aren't used by the 
organization. Language filters might not be appropriate for every 
business, particularly those that have international relations, but 
many businesses might find such filtering useful.

The second most effective filter is an IP blacklist filter. IP 
blacklist filters query blacklist service providers about a given IP 
address, including the address of the message sender and any addresses 
that relayed a particular message along its delivery route. If the 
result of the query shows that the IP address is on the service 
provider's blacklist, then the probability is high that the message is 
spam. Some blacklist service providers also track addresses that are 
known to send viruses, Trojan horses, worms, back doors, and other 
sorts of malware. These blacklists can be useful in helping you keep 
such nuisances off your network.

A reader of the Security Matters blog asked which blacklists are used 
by the organization that I wrote about, so I thought I'd share those 
names here. The list of blacklist service providers is ordered based on 
the success rate of discovering blacklisted IP addresses: 


Another type of blacklist filtering is simple Uniform Resource 
Identifier (URI) filtering. Message content is scanned to locate all 
URIs in the body. Then those URIs can be checked against URI blacklist 
services to see whether any belong to known spammers. At the time I 
conducted my tests, I knew of only one URI blacklist provider, Spam URI 
Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org. 
Since then, I've learned about another URI blacklist service provider, 
URIBL.COM, whose DNS server address is multi.uribl.org. I just started 
using URIBL.COM last week, so I'm not yet sure how well it performs. 
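
The two lookups described above (reversing the relay IP address for an IP blacklist query, and keying the body's URIs on their domain for a SURBL or URIBL query) are mechanical enough to show in code. The following Python is an added example, not code from the column or from any of the blacklist providers it names. The zones multi.surbl.org and multi.uribl.org come from the column; the IP blacklist zone `dnsbl.example.invalid`, the function names, the sample message, and the injected `resolve` callback (used so the example runs offline) are assumptions.

```python
"""Added example: turn one message into IP-blacklist and URI-blacklist lookups."""
import ipaddress
import re
import socket
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Tuple

# Placeholder zone: substitute the IP blacklist provider you actually use.
IP_BLACKLIST_ZONE = "dnsbl.example.invalid"
# URI blacklist zones named in the column.
URI_BLACKLIST_ZONES = ["multi.surbl.org", "multi.uribl.org"]

# Ranges no public blacklist lists; hops inside them are skipped. (Python's
# is_private also flags documentation ranges such as 192.0.2.0/24, which the
# constructed sample below uses, so the list is spelled out explicitly.)
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# A resolver answers True if the query name resolves (listed), False on NXDOMAIN.
Resolver = Callable[[str], bool]


def ip_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the zone,
    e.g. 192.0.2.44 -> 44.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def uri_query_name(host: str, zone: str) -> str:
    """URI blacklists are keyed on the registered domain, not the full host.
    Simplification: keep the last two labels (real filters also handle
    multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone


def relay_ips(msg: Message) -> List[str]:
    """Every IP in the Received: chain (sender plus each relay), deduplicated,
    minus internal hops."""
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(hdr):
            try:
                addr = ipaddress.IPv4Address(ip)
            except ipaddress.AddressValueError:
                continue
            if any(addr in net for net in SKIP_NETS) or ip in ips:
                continue
            ips.append(ip)
    return ips


def body_hosts(msg: Message) -> List[str]:
    """Hostnames of all http(s) URIs found in the text parts of the body."""
    hosts: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for host in URL_HOST.findall(text):
            if host.lower() not in hosts:
                hosts.append(host.lower())
    return hosts


def live_resolver(name: str) -> bool:
    """Real DNS: any A record means listed; NXDOMAIN means not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_message(raw: str, resolve: Resolver = live_resolver
                  ) -> Dict[str, List[Tuple[str, str]]]:
    """Return the (address_or_host, zone) pairs that came back listed."""
    msg = message_from_string(raw)
    hits: Dict[str, List[Tuple[str, str]]] = {"ip": [], "uri": []}
    for ip in relay_ips(msg):
        if resolve(ip_query_name(ip, IP_BLACKLIST_ZONE)):
            hits["ip"].append((ip, IP_BLACKLIST_ZONE))
    for host in body_hosts(msg):
        for zone in URI_BLACKLIST_ZONES:
            if resolve(uri_query_name(host, zone)):
                hits["uri"].append((host, zone))
    return hits


# Constructed sample message (documentation addresses and a reserved .example TLD).
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5]) by inbox.example.net
Received: from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net
Received: from [192.0.2.44] (unknown [192.0.2.44]) by relay.example.org
From: sender@example.org
Subject: constructed sample
Content-Type: text/plain

Visit http://Promo.Spam-Site.example/offer or https://www.example.com/
"""

# Constructed listings standing in for live DNS answers.
FAKE_LISTED = {
    ip_query_name("192.0.2.44", IP_BLACKLIST_ZONE),
    uri_query_name("promo.spam-site.example", "multi.surbl.org"),
}


def fake_resolver(name: str) -> bool:
    return name in FAKE_LISTED


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, fake_resolver))
```

Run as written it uses the constructed listings; pass no resolver (or `live_resolver`) to query real zones. Note that the internal hop 10.0.0.5 is never queried, and that both URI zones are asked about the registered domain rather than the full hostname, which is how these lists are keyed.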

Keep in mind that blacklist filters can also produce false positives. 
However, most people agree that using a blacklist filter is highly 
effective. Other types of filters you might investigate or write your 
own scripts for are ones that check for weird spelling patterns (such 
as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for 
standards compliance.

For an explanation of how blacklist filters work, see "Dynamic 
Blacklists Demystified," at the first URL below. For links to other 
articles about blacklist filters on our Web site, use the second URL 

Jeff Makey publishes a monthly report that shows which IP blacklist 
services perform best for his environment. Bookmark his report page URL 
(listed below) and check out the report once in a while--over time, you 
might learn about new IP blacklist service providers that you didn't 
know existed.


==== Sponsor: St.Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against 
Inappropriate Content, Spyware, IM, and P2P at the Perimeter 
   Because of the proliferation of Web-based threats, you can no longer 
rely on basic firewalls as your sole network protection. Attackers 
continue to evolve clever methods for reaching victims, such as sending 
crafty Web links through Instant Messaging (IM) clients or email, or by 
simply linking to other Web sites that your employees might surf. This 
free white paper examines the threats of allowing unwanted or offensive 
content into your network and describes the technologies and 
methodologies to combat these types of threats. Get your free copy now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Over 45,000 New Malware Threats Discovered in 2005
   According to Panda Software, more than 123 new malware threats were 
discovered every day in 2005. That adds up to more than 45,000 new 
malware threats being discovered last year. The figures represent a 240 
percent increase over 2004, in which some 13,000 new threats were 
recorded by the company. Panda thinks there's a specific reason for the 
trend. Read about it in this news article on our Web site. 

Phishing Sites Increase Significantly in December 2005
   The Anti-Phishing Working Group (APWG) published its Phishing 
Activity Trends Report for December 2005. According to data gathered by 
the group, more than 7197 new phishing sites were created in December 
2005 and attacks are becoming more sophisticated.

Combining LogParser and Sed
   Scrolling through the Windows event logs for specific information 
can be burdensome, and most administrators probably review the logs 
only when something bad happens or when something is broken. In this 
article on our Web site, Jeff Fellinge shows a method for extracting 
interesting data from event logs by using LogParser and parsing the 
data by using Sed. 


==== Resources and Events ====

Dev Connections provides world-class education for developers, 
architects, DBAs, and IT professionals.
   *WinConnections (2 conferences for the price of 1): April 9-12, 
2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22687:4FB69
   *DevConnections (4 conferences for the price of 1): April 2-5, 2006, 
Orlando, Florida, http://list.windowsitpro.com/t?ctl=22688:4FB69
   *DevConnections Europe coming to Nice, France, April 24-27, 2006. 

Learn why new features in Windows Server 2003 R2, including large 
clustering, increased RAM, and 64-bit support, make it the ideal 
platform for your collaboration tools. Live event: March 28; 12:00 pm 

Find out what policies help or hurt in protecting your company's 
assets and data. View this on-demand seminar today!

Learn how to leverage new features in SQL Server 2005 to extend your 
existing backup and restore capabilities. View the on-demand Web 
seminar now!

Implement real-time processes in your email and data systems--you could 
also win an iPod Nano!


==== Featured White Paper ====

Get the tips you need to prepare for and comply with the PCI Data 
Security Standard, including how to define the 12 major requirements 
and how those requirements affect IT.


==== Hot Spot ====

Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches
   Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM 
solution to offer Cyclades AdaptiveKVM(TM) technology that combines 
Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over 
IP access. Download Cyclades AdaptiveKVM white paper at 
www.cyclades.com/wit and visit us at FOSE 2006 Washington, D.C., March 
7-9, Booth 2807.


==== 3. Security Toolkit ==== 

Security Matters Blog: How to Nip a Little More Spam in the Bud
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=22683:4FB69

Most spam filtering systems do a good job of tagging spam, but many can 
be tweaked for better detection and better performance. I ran a test on 
more than 254,000 email messages to see which filters work best. My 
tests were conducted against live incoming email on a legitimate mail 
server. Read what I found in this blog article. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=22682:4FB69 

Q: How can I use a script to delete a computer from a domain?  

Find the answer at http://list.windowsitpro.com/t?ctl=22681:4FB69

Security Forum Featured Thread: Running WSUS
   A forum participant would like to establish Windows Server Update 
Services (WSUS) on his Windows Server 2003 backup server. He knows that 
WSUS requires Microsoft IIS and wonders whether he should use a 
dedicated server and whether there are any related security concerns. 
Join the discussion at

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Announcements ====
   (from Windows IT Pro and its partners)

VIP Subscribers have it all!
   Become a VIP subscriber and get continuous, inside access to ALL the 
online resources published in Windows IT Pro, SQL Server Magazine, and 
the Exchange & Outlook Administrator, Windows Scripting Solutions, and 
Windows IT Security newsletters--that's more than 26,000 articles at 
your fingertips. You'll also get a valuable one-year print subscription 
to Windows IT Pro and two VIP CD-ROMs per year that contain the entire 
article database. Don't miss out--sign up now:

Save 44% Off the Windows Scripting Solutions Newsletter
   For a limited time, order Windows Scripting Solutions and SAVE up to 
$30 off the regular price. You'll get 12 helpful issues loaded with 
expert-reviewed downloadable code and scripting techniques, as well as 
hundreds of tips on automating repetitive tasks. You'll also get FREE, 
unlimited access to the full online scripting article database (more 
than 500 articles). Subscribe now:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Block Bots and Other Web Malware
   Websense announced enhanced features in Websense Web Security Suite 
6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are 
scheduled to ship in Q2. The new versions of the Web security and Web 
filtering software will block access to Web sites that host bot 
command-and-control centers, eliminate non-HTTP bot network traffic, 
block the launch and spread of bots, and extend protection to mobile 
employees. Websense also launched Websense Web Protection Services. 
Comprising three security services--SiteWatcher, BrandWatcher, and 
ThreatWatcher--Websense Web Protection Services give Websense Security 
Suite customers a view of their Web servers and external-facing Web 
sites and protection of customers' online brand. For more information, 
go to http://list.windowsitpro.com/t?ctl=2268A:4FB69

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=22686:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
