[ISN] Blacklists Aren't for Everyone

InfoSec News isn at c4i.org
Thu Mar 9 01:33:10 EST 2006


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

St.Bernard Software

8e6 Technologies


1. In Focus: Blacklists Aren't for Everyone

2. Security News and Features
   - Recent Security Vulnerabilities
   - Oracle Secures Search with Authorized Results
   - RedBrowser Trojan Targets J2ME-based Phones
   - Viruses Jump from PCs to Mobile Devices

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Share Your Security Tips

4. New and Improved
   - Limit User Privileges and Block Unwanted Apps


==== 1. In Focus: Blacklists Aren't for Everyone ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about blacklist services (the article is at the URL 
below), and I received some responses that I'll share with you this 

One reader wrote to say that, lately, Spam and Open Relay Blocking 
System (SORBS) "is blocking almost all email from Yahoo, Hotmail, and 
some other large ISPs." He has quit using SORBS because it caused 
problems for a few clients. 

Another reader also wrote about his problem with SORBS. He said that 
"one of our main mail servers received a piece of spam with a forged 
From address that went to one of [SORBS's] honeypots. We received an 
email to a nonexistent [email address] and sent a nondelivery response 
to the forged address at the honeypot. The result of a single email 
sent last November was that any [host on the Internet] using SORBS 
regarded our email server as a spam sender. The email had originated in 
Brazil and our email server was just the last link in the chain." He 
then described his ordeal in trying to get his server removed from 
SORBS's database.

At the SORBS site (URL below), you'll read that "affected IPs [of the 
mail server which sent spam] will only be delisted when US$50 is 
donated to a SORBS nominated charity or good cause. The charities and 
good causes SORBS approves will not have any connection with any member 
of the SORBS administrators, either past or present." I have no problem 
with donating to charity, but trying to force that on people is 
unprofessional and unreasonable. The reader found an alternative way to 
have his IP address removed from the SORBS database, but SORBS doesn't 
make the alternative clear on its Web site.

In my tests, the SORBS blacklist service was only marginally better 
than the service provided by dnsbl.net.au (DNS server: 
t1.dnsbl.net.au), so I might not continue using SORBS in light of what 
the two readers have revealed. 

A third reader wrote to "strongly disagree with your recommendation to 
use blacklists, even though they are effective. My opinion is based on 
the fact that it is very easy to get blacklisted even without reason 
and very difficult to get out of the blacklist. This can cause long 
delays with email delivery and sometimes businesses depend on it--even 
though they shouldn't. I also don't like the attitude of some of the 
service providers for blacklisting, it is very frustrating to contact 

What I recommend is that you do what works for your particular 
networks. If you find that blacklists work and aren't much of a 
management problem, then use them--they can be very effective. On the 
other hand, if you experience trouble with an entity such as SORBS, it 
might be best to drop that service in favor of another.
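
One way to check what "works for your particular networks" before enforcing a list is to score each candidate against mail you have already classified. This is an added example, not code from the column or from any blacklist operator; the zone names, addresses, and listings are constructed placeholders, and the lookup is an offline stand-in for a real DNS query.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Placeholder zones and constructed listings (not real services or real data).
ZONE_A, ZONE_B = "bl-a.example", "bl-b.example"
LISTED = {
    ZONE_A: ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
             "198.51.100.5"],   # last entry: a legitimate server, listed anyway
    ZONE_B: ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
}
CONSTRUCTED_ANSWERS = {dnsbl_query_name(ip, zone): "127.0.0.2"
                       for zone, ips in LISTED.items() for ip in ips}

def offline_lookup(name):
    """Stand-in for a DNS A query; None models NXDOMAIN (not listed)."""
    return CONSTRUCTED_ANSWERS.get(name)

# Constructed sample of mail already classified by hand: (connecting IP, is_spam)
SAMPLE = [
    ("192.0.2.10", True), ("192.0.2.11", True),
    ("192.0.2.12", True), ("192.0.2.13", True),
    ("198.51.100.5", False), ("198.51.100.6", False),
    ("203.0.113.7", False), ("203.0.113.8", False),
]

def evaluate(zone, sample, lookup=offline_lookup):
    """Report what enforcing `zone` would have done to the classified sample."""
    def listed(ip):
        return lookup(dnsbl_query_name(ip, zone)) is not None
    spam = [ip for ip, is_spam in sample if is_spam]
    ham = [ip for ip, is_spam in sample if not is_spam]
    blocked_ham = [ip for ip in ham if listed(ip)]
    return {
        "zone": zone,
        "catch_rate": sum(listed(ip) for ip in spam) / len(spam) if spam else 0.0,
        "false_positive_rate": len(blocked_ham) / len(ham) if ham else 0.0,
        "blocked_legitimate": blocked_ham,
    }

if __name__ == "__main__":
    for zone in (ZONE_A, ZONE_B):
        print(evaluate(zone, SAMPLE))
```

Swap offline_lookup for a real resolver call and SAMPLE for addresses taken from your own mail logs. A list whose blocked_legitimate output includes hosts you need mail from is a management cost, whatever its catch rate.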

Some readers also offered comments about filtering particular 
languages. I think that some readers took offense to such filtering. I 
truly meant no offense. My point is simply that if no one in your 
organization reads a particular language, then any inbound mail in that 
language can be dropped. For example, approximately 48 percent of the 
email received by the mail servers I tested appears to be written in 
Asian languages--in particular, Japanese, Korean, and Taiwanese. None 
of the people that those mail servers support read any Asian languages, 
so we set the filters to drop all Asian language mail. As a result, 
processing overhead is reduced.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Oracle Secures Search with Authorized Results
   Oracle announced its new enterprise search engine, Secure Enterprise 
Search 10g. One difference between Oracle's solution and other search 
engines is that Oracle's will return only the results that a person is 
authorized to access.

RedBrowser Trojan Targets J2ME-based Phones
   The first malware that intentionally targets mobile phones using Sun 
Microsystems' Java 2 Platform, Micro Edition (J2ME) has been discovered. 
Dubbed RedBrowser, the Trojan horse program tries to send text 
messages to a high-cost toll number in Russia. According to Kaspersky 
Lab, the mobile phone owner is charged between $5 and $6 for accessing 
the toll number. 

Viruses Jump from PCs to Mobile Devices
   Docking your mobile device to your PC is no longer without 
considerable risk. The Mobile Antivirus Researchers Association (MARA) 
reported the first virus that can jump from a PC to a Windows CE or 
Windows Mobile device. The virus was sent to MARA anonymously.


==== 3. Security Toolkit ==== 

Security Matters Blog: Network Security Toolkit 1.4.0
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=230BF:4FB69

   This excellent bootable toolkit has been updated with several useful 
enhancements, including an updated OS, new Web interfaces, and updates 
to included applications. Learn more in the blog article.

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=230BE:4FB69

Q: How can I delegate permission for a user or group to control certain 

Find the answer at http://list.windowsitpro.com/t?ctl=230B9:4FB69

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Limit User Privileges and Block Unwanted Apps
   Winternals Software announced the release of Protection Manager, 
which enables granular control of user and application privilege levels 
and blocks all unauthorized executables. You install Protection Manager 
on a central console and deploy it to clients throughout the network. 
Then for each user role, you can specify one of four execution 
attributes for each application: denied from executing under any 
circumstances, allowed to execute with administrator privileges when 
required, allowed to execute in the user's context with limited user 
privileges, or allowed to execute normally. Protection Manager is 
licensed by server and workstation and works with Windows Server 2003, 
Windows XP, and Windows 2000 computers; for more information, go to

This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.