[ISN] Fight Spam with Blacklists
isn at c4i.org
Fri Mar 3 05:29:30 EST 2006
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
1. In Focus: Fight Spam with Blacklists
2. Security News and Features
- Recent Security Vulnerabilities
- Over 45,000 New Malware Threats Discovered in 2005
- Phishing Sites Increase Significantly in December 2005
- Combining LogParser and Sed
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
- Share Your Security Tips
4. New and Improved
- Block Bots and Other Web Malware
==== Sponsor: Availl ====
Ensure instant access to files at all remote servers and eliminate 95%
of your network traffic.
Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or
Replication technologies? Do you have remote sites with common data or
Get a free software trial, and register for the free seminar.
==== 1. In Focus: Fight Spam with Blacklists ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
I'd guess that the biggest spam headache we all face is false
positives--messages that are inadvertently flagged as spam. False
positives can be a significant problem, particularly for businesses.
After all, you don't want business associates to think you're ignoring
I recently wrote in the Security Matters blog about my findings with
one particular mail server's various filters (at the URL below). The
system uses a dozen filters to help eliminate unwanted email. One thing
to keep in mind about filters is that what works for one entity might
not work as well for another. You should try several filters and
monitor your systems to determine what works best to eliminate the
particular types of unwanted mail you receive.
That said, my findings for the organization in question might be
interesting to you. After observing the filters process more than
254,000 messages, I found that the most effective one for this
particular organization is a simple language filter. The filter drops
messages written in character sets that aren't used by the
organization. Language filters might not be appropriate for every
business, particularly those that have international relations, but
many businesses might find such filtering useful.
The second most effective filter is an IP blacklist filter. IP
blacklist filters query blacklist service providers about a given IP
address, including the address of the message sender and any addresses
that relayed a particular message along its delivery route. If the
result of the query shows that the IP address is on the service
provider's blacklist, then the probability is high that the message is
spam. Some blacklist service providers also track addresses that are
known to send viruses, Trojan horses, worms, back doors, and other
sorts of malware. These blacklists can be useful in helping you keep
such nuisances off your network.
A reader of the Security Matters blog asked which blacklists are used
by the organization that I wrote about, so I thought I'd share those
names here. The list of blacklist service providers is ordered based on
the success rate of discovering blacklisted IP addresses:
Another type of blacklist filtering is simple Uniform Resource
Identifier (URI) filtering. Message content is scanned to locate all
URIs in the body. Then those URIs can be checked against URI blacklist
services to see whether any belong to known spammers. At the time I
conducted my tests, I knew of only one URI blacklist provider, Spam URI
Realtime Blocklists (SURBL), whose DNS address is multi.surbl.org.
Since then, I've learned about another URI blacklist service provider,
URIBL.COM, whose DNS server address is multi.uribl.org. I just started
using URIBL.COM last week, so I'm not yet sure how well it performs.
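The two blacklist lookups described above (relay IP addresses from the Received: headers, base domains of URIs from the body) share one mechanism: build a DNS name, query it, and treat an A answer in 127.0.0.0/8 as "listed". The following Python is an added example, not code from the column or from any blacklist provider; the IP zone name and the stub listings are invented, only the two URI zones are the ones named above, and the resolver is injected so the logic runs offline.

```python
import re
import ipaddress
from urllib.parse import urlsplit

URI_ZONES = ("multi.surbl.org", "multi.uribl.org")   # the two URI zones named in the column
IP_ZONE = "ip-blacklist.example.invalid"             # placeholder for the provider's DNSBL zone
LISTED = ipaddress.IPv4Network("127.0.0.0/8")        # any A answer in this range means "listed"
SKIP = [ipaddress.IPv4Network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def dnsbl_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def uribl_name(url, zone):
    """Reduce a URL to its base domain and append the URI blacklist zone.
    Assumption: two-label base domain; production code uses a public-suffix list."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:]) + "." + zone

def is_listed(answers):
    return any(ipaddress.IPv4Address(a) in LISTED for a in answers)

def check_message(headers, body, resolve):
    """Query every relay IP in the Received: headers and every URI in the body.
    resolve(name) returns the A records for name ([] for NXDOMAIN) and is injected
    so the logic can run offline against a stub instead of live DNS."""
    hits = []
    for ip in dict.fromkeys(RECEIVED_IP.findall(headers)):      # dedupe, keep order
        if any(ipaddress.IPv4Address(ip) in n for n in SKIP):
            continue                                             # internal hops: never queried
        if is_listed(resolve(dnsbl_name(ip, IP_ZONE))):
            hits.append(("ip", ip, IP_ZONE))
    for url in sorted(set(URL_RE.findall(body))):
        for zone in URI_ZONES:
            if is_listed(resolve(uribl_name(url, zone))):
                hits.append(("uri", url, zone))
    return hits

# Constructed sample message and stub resolver: these listings are invented for the demo.
SAMPLE_HEADERS = ("Received: from relay (unknown [203.0.113.55])\n"
                  "Received: from mail (localhost [127.0.0.1])\n"
                  "Received: from mx (mx.example.net [192.0.2.10])\n")
SAMPLE_BODY = "Order here: http://Pills.Example.COM/buy or http://www.example.org/info"
STUB = {dnsbl_name("203.0.113.55", IP_ZONE): ["127.0.0.2"],
        "example.com.multi.surbl.org": ["127.0.0.8"]}

def stub_resolve(name):
    return STUB.get(name, [])
```

Swapping `stub_resolve` for a real resolver (for example `socket.gethostbyname_ex(name)[2]`, catching `socket.gaierror` as "not listed") turns this into a live check; the false positives the column warns about then come from stale or overly broad listings, so a hit should add to a score rather than reject outright.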
Keep in mind that blacklist filters can also produce false positives.
However, most people agree that using a blacklist filter is highly
effective. Other types of filters you might investigate or write your
own scripts for are ones that check for weird spelling patterns (such
as "s.A v.e. B 1 g.!!!") and SMTP header validators that check for
For an explanation of how blacklist filters work, see "Dynamic
Blacklists Demystified," at the first URL below. For links to other
articles about blacklist filters on our Web site, use the second URL
Jeff Makey publishes a monthly report that shows which IP blacklist
services perform best for his environment. Bookmark his report page URL
(listed below) and check out the report once in a while--over time, you
might learn about new IP blacklist service providers that you didn't
==== Sponsor: St.Bernard Software ====
Filtering the Spectrum of Internet Threats: Defending Against
Inappropriate Content, Spyware, IM, and P2P at the Perimeter
Because of the proliferation of Web-based threats, you can no longer
rely on basic firewalls as your sole network protection. Attackers
continue to evolve clever methods for reaching victims, such as sending
crafty Web links through Instant Messaging (IM) clients or email, or by
simply linking to other Web sites that your employees might surf. This
free white paper examines the threats of allowing unwanted or offensive
content into your network and describes the technologies and
methodologies to combat these types of threats. Get your free copy now!
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Over 45,000 New Malware Threats Discovered in 2005
According to Panda Software, more than 123 new malware threats were
discovered every day in 2005. That adds up to more than 45,000 new
malware threats being discovered last year. The figures represent a 240
percent increase over 2004, in which some 13,000 new threats were
recorded by the company. Panda thinks there's a specific reason for the
trend. Read about it in this news article on our Web site.
Phishing Sites Increase Significantly in December 2005
The Anti-Phishing Working Group (APWG) published its Phishing
Activity Trends Report for December 2005. According to data gathered by
the group, more than 7197 new phishing sites were created in December
2005 and attacks are becoming more sophisticated.
Combining LogParser and Sed
Scrolling through the Windows event logs for specific information
can be burdensome, and most administrators probably review the logs
only when something bad happens or when something is broken. In this
article on our Web site, Jeff Fellinge shows a method for extracting
interesting data from event logs by using LogParser and parsing the
data by using Sed.
==== Resources and Events ====
Dev Connections provides world-class education for developers,
architects, DBAs, and IT professionals.
*WinConnections (2 conferences for the price of 1): April 9-12,
2006, Orlando, Florida, http://list.windowsitpro.com/t?ctl=22687:4FB69
*DevConnections (4 conferences for the price of 1): April 2-5, 2006,
Orlando, Florida, http://list.windowsitpro.com/t?ctl=22688:4FB69
*DevConnections Europe coming to Nice, France, April 24-27, 2006.
EARLY BIRD SPECIAL ends 1 March!
Learn why new features in Windows Server 2003 R2, including large
clustering, increased RAM, and 64-bit support, make it the ideal
platform for your collaboration tools. Live event: March 28; 12:00 pm
Find out or what policies help or hurt in protecting your company's
assets and data. View this on-demand seminar today!
Learn how to leverage new features in SQL Server 2005 to extend your
existing backup and restore capabilities. View the on-demand Web
Implement real-time processes in your email and data systems--you could
also win an iPod Nano!
==== Featured White Paper ====
Get the tips you need to prepare for and comply with the PCI Data
Security Standard, including how to define the 12 major requirements
and how those requirements affect IT.
==== Hot Spot ====
Cyclades AlterPath(TM) KVM/netPlus KVM over IP Switches
Cyclades AlterPath(TM) KVM/netPlus is the industry's first KVM
solution to offer Cyclades AdaptiveKVM(TM) technology that combines
Microsoft(R) Remote Desktop Protocol (RDP) functionality with KVM over
IP access. Download Cyclades AdaptiveKVM white paper at
www.cyclades.com/wit and visit us at FOSE 2006 Washington, D.C., March
7-9, Booth 2807.
==== 3. Security Toolkit ====
Security Matters Blog: How to Nip a Little More Spam in the Bud
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=22683:4FB69
Most spam filtering systems do a good job of tagging spam, but many can
be tweaked for better detection and better performance. I ran a test on
more than 254,000 email messages to see which filters work best. My
tests were conducted against live incoming email on a legitimate mail
server. Read what I found in this blog article.
by John Savill, http://list.windowsitpro.com/t?ctl=22682:4FB69
Q: How can I use a script to delete a computer from a domain?
Find the answer at http://list.windowsitpro.com/t?ctl=22681:4FB69
Security Forum Featured Thread: Running WSUS
A forum participant would like to establish Windows Server Update
Services (WSUS) on his Windows Server 2003 backup server. He knows that
WSUS requires Microsoft IIS and wonders whether he should use a
dedicated server and whether there are any related security concerns.
Join the discussion at
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Announcements ====
(from Windows IT Pro and its partners)
VIP Subscribers have it all!
Become a VIP subscriber and get continuous, inside access to ALL the
online resources published in Windows IT Pro, SQL Server Magazine, and
the Exchange & Outlook Administrator, Windows Scripting Solutions, and
Windows IT Security newsletters--that's more than 26,000 articles at
your fingertips. You'll also get a valuable one-year print subscription
to Windows IT Pro and two VIP CD-ROMs per year that contain the entire
article database. Don't miss out--sign up now:
Save 44% Off the Windows Scripting Solutions Newsletter
For a limited time, order Windows Scripting Solutions and SAVE up to
$30 off the regular price. You'll get 12 helpful issues loaded with
expert-reviewed downloadable code and scripting techniques, as well as
hundreds of tips on automating repetitive tasks. You'll also get FREE,
unlimited access to the full online scripting article database (more
than 500 articles). Subscribe now:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Block Bots and Other Web Malware
Websense announced enhanced features in Websense Web Security Suite
6.2 and Websense Web Security Suite--Lockdown Edition 6.2, which are
scheduled to ship in Q2. The new versions of the Web security and Web
filtering software will block access to Web sites that host bot
command-and-control centers, eliminate non-HTTP bot network traffic,
block the launch and spread of bots, and extend protection to mobile
employees. Websense also launched Websense Web Protection Services.
Comprising three security services--SiteWatcher, BrandWatcher, and
ThreatWatcher--Websense Web Protection Services give Websense Security
Suite customers a view of their Web servers and external-facing Web
sites and protection of customers' online brand. For more information,
go to http://list.windowsitpro.com/t?ctl=2268A:4FB69
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=22686:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.