Badkey Corner

Vulnerability: Upgrade to BES v4.1 SP6 (4.1.6)

John Willemse — Tue, 22 Jul 2008 22:19:37 +0200

Vulnerability:

In the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. Upgrade to BlackBerry Enterprise Server software version 4.1 Service Pack 6 ( Version 4.1.6 )

Overview:
This advisory describes a security issue that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to.
The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.0.

Problem:
A security vulnerability exists in the PDF distiller of some released versions of the BlackBerry Attachment Service. This vulnerability could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.

Resolution:
Upgrade to BlackBerry Enterprise Server software version 4.1 Service Pack 6 (4.1.6).

Research In Motion (RIM) has also issued an interim security software update that resolves this vulnerability in earlier affected versions of the BlackBerry Enterprise Server and BlackBerry Professional Software.

More @blackberry.com

Postini / Google Messaging Security, X-pstn-levels Header Information

John Willemse — Fri, 18 Jul 2008 21:55:47 +0200

Here is the information on the Postini X-pstn-levels Header Information.
The Postini Junk mail filter now called 'Google Messaging Security (GMS)'

Note:
I did the implementation for 2 clients one with 13.000 and one with 3000, IBM Lotus Notes Clients, with 100% satisfaction!

X-pstn-levels Header:
The letter/number pairs that appear on X-pstn-levels tell you which filters (if any) were triggered and to what degree.
The letters that may appear on this line are:

General Transport Heuristics Filters:
GT1 = General transport heuristics most trusted
GT2 = General transport heuristics more trusted
GT3 = General transport heuristics trusted

Spam Filters:
S = General/bulk spam score
CV = Internal use only. This has no effect on the overall spam score or message disposition.
P = Sexually explicit (pornography) spam score
M = Make-money-fast (MMF) spam score
C = Commercial or “special offer” spam score
R = Racially insensitive spam score

Industry Heuristics Filters (optional feature):
FC = Financial Content score
LC = Legal Content score

Spam Scores:
A spam score of 100 on the S filter would indicate that this email contains nothing that triggers the general spam filter (it is a valid message).
The lower the score, the more likely that this message is spam.

Category Scores:
A message is assigned to a filter category when its score in that category is an 85 or below.

Example:
X-pstn-levels: (S: 0.00000/60.95723 CV:99.9000 R:95.91080 P:95.91081 M:64.93900 C:93.23770 )
X-pstn-settings: 5 (2.00000:8.00000) r p M c

The overall spam score is S: 0.00000. This is a Make-Money-Fast (M) spam message, as shown by the capital M in the X-pstn-settings line.
A score of 85 or below triggers a category filter and in this example the Make-Money-Fast score is M:64.9390.

The X-pstn-levels header will not be listed in the headers if one of the recipients has Bulk Email protection disabled.
This means that if the email message is sent to two users, one with the Bulk Email filter turned on and the other with it turned off, the message security service will not include this header.

Blatant Spam Blocking (BSB) Score:
A second numeric evaluation, the BSB score, appears after the spam score on the X-pstn-levels header. The BSB score is used by the spam engine to identify messages that should be bounced or blackholed by Blatant Spam Blocking. Unlike the spam score, the BSB score should not be evaluated directly.

Example:
X-pstn-levels: (S: 0.00010/62.95723 )The spam score (S:) is separated from the BSB score by a slash (“/”).
The BSB score will always appear, even if BSB is not turned on.

Should a message score as blatant spam, the BSB disposition of bounce or blackhole will result in a discarded message being discarded. So, there will not be any headers for those messages. The reason the BSB score was added is to make it clear to someone evaluating the headers that the message did meet the spam score criterion but failed to meet the BSB score criterion.

See this link on the About Header Tags

Note:
Compare link, $10 / user for each additional year of message retention. Need inbound email filtering only? Buy Message Filtering for just $3 / user / year

Badkey goes Fotofans.nl

John Willemse — Fri, 11 Jul 2008 23:58:20 +0200

Soon we will open a new Photo Club website: http://www.fotofans.nl

The site is not open and it will be a Dutch content site, see here the preview announcement, in Dutch:

Hier is verhaal van een van de leden,

Poldersessie met fotofans.nl 11-07-2008
Vanavond de eerste fotoshoot met de fotofans.nl club gehad. Bewapend met de D80's op naar de IJsseldijk om te kijken hoe de sunset daar is.
Na afloop de resultaten uiteraard meteen op badkey.com gezet!

We hebben vooral geleerd dat we een groothoeklens nodig hebben, iets tussen de 10 en 20 mm.
Daar gaan we er de volgende keer een paar van huren en dan op naar Kinderdijk!

Dat datum waarop dat gaat gebeuren verschijnt vanzelf op onze website http://www.fotofans.nl
Houd deze site de komende weken in de gaten en meld je aan als je mee wilt met een fotofans.nl fotoshoot!

The Badkey Team

Random Spam Generator. Test your spam filter on Blatant Spam Blocking (BSB)

John Willemse — Sat, 28 Jun 2008 18:18:24 +0200

Here is a link that generates 100% Blatant Spam (BSB).
Just copy the information into the body of a new message and it should be blocked by the spam filter

Link: Wikipedia Spam

Note:
I just found The Badkey Link on Planetlotus.org

Mail Box Cleaner v2 - Remove dead mail from server mail boxes

John Willemse — Thu, 26 Jun 2008 21:13:50 +0200

Dead mail (which from experience consists mostly of spam) can fill server mail boxes and the only way to get rid of it is to manually delete it. This database is a tool for Lotus Notes administrators to remove dead mail from the server's mail box(s) on a regular basis.

Function:
This database is a tool for Lotus Notes administrators to remove dead mail from the server's mail box(s) on a regular basis.
A scheduled database agent firstly builds a list of the dead mail and creates a log document containing the details of each dead mail, and then deletes all the dead mail.

Features:

Removes dead mail from one or more server mail boxes. (i.e.. mail.box, mail1.box, mail2.box, etc.)
Can be scheduled to run at any interval
Reports are created in the database which can also be emailed
Old reports are purged after a specified interval
Documents are selected via a configurable selection formula

Installation:

Place this database anywhere under the Notes DATA path of your server
Change the ACL to your needs
Sign the database
Modify the Settings document as required
Set the agent schedule interval (default is every 30 minutes)
Enable the agent

Note: Internal Badkey.com Link to the database

Developer: John Buoro

More @VirtualObjectives.com.au

Restricting inbound SMTP connections

John Willemse — Thu, 19 Jun 2008 21:29:40 +0200

APNIC is one of five Regional Internet Registries currently operating in the world. It provides allocation and registration services which support the operation of the Internet globally. It is a not-for-profit, membership-based organisation whose members include Internet Service Providers, National Internet Registries, and similar organisations. APNIC represents the Asia Pacific region, comprising 56 economies.

APNIC allocates resources in the following ranges within the Asia Pacific region.

Restricting inbound SMTP connections:
Some users and organizations may attempt to send bulk spam mail to your site. You can use Inbound Connection Controls to prevent Domino from accepting unwanted mail and keep your servers from redistributing it.

Complete the following fields on the Router/SMTP - Restrictions and Controls - SMTP Inbound Controls tab in the Configuration Settings document. If you enter an IP address, use brackets -- for example, [205.159.212.144]. You can use an asterisk in an IP address, but only for an entire octet -- for example, [205.159.212.*].

The following graphic shows an example of how you might fill in these fields:

Verify sender's domain in DNS: Leave this disabled, this is the 'old' reverse lookup.

By Chris Linfoot

"First, "Verify connecting hostname in DNS". Leave it disabled!

It is true that enabling it will defeat some spam, but it will also defeat a lot of real email (because too many systems used to send business email still have incorrect or missing DNS). As a corollary to this, it will also accept a lot of spam because so much spam comes from systems that do have well formed DNS but just shouldn't be sending any direct-to-MX email.

"Deny connections from the following SMTP internet hostnames/IP addresses" is an often overlooked feature of D7, distinct as it is from the private blacklist, but is a useful supplement to local and DNS blacklisting.

Why? Because systems blocked by DNS and local blacklists will see your custom error response and thus senders will know why they were blocked. In many cases you want them to know - that is why you use the custom error response - but in some cases you just don't want to accept messages and may not want to say why."

By Chris Linfoot

"First, "Verify sender's domain in DNS". Turn it on.

This just ensures that inbound mail comes from an envelope sender that can actually accept replies and not something completely bogus. Real senders always want to accept replies. Spammers often do not and may spoof a completely invalid address. Thus the risk of false positives is nil but this will keep out a small amount of spam and some malware."

as a Private Domain fliter:

Mail from the domain:
host smtp.badkey.com[XXX.XXX.XXX.XXX] said: 554
Your email was not delivered because the host which attempted delivery, is listed in Badkey private DNS blacklist filter.
Please see http://www.badkey.com for more information and assistance. (in reply to MAIL FROM command)

More @ibm.com/developerworks and IBM Redbook: Lotus Domino 6 spam Survival Guide for IBM eServer

Note: For information on how to block or accept connections for specific hosts using a NOTES.INI parameter, refer to the document titled " Preventing SMTP Denial of Service Attacks from Specific IP Addresses" (#1105201).

Supporting Information:
Domino is operating in accordance with RFC 821 and RFC 2821. Any attempts to prematurely disconnect the client/sender violates section 4.1.1 of RFC 821, which explicitly states that disconnection should occur only after a QUIT command is issued by the client. For further information, refer to the following:

RFC 821, section 4.1.1
RFC 2821, section 4.5.3.2

Addressing the challenge of responsible Internet resource distribution in the Asia Pacific region.

More @apnic.net

Note just as an example: (Domino ND8)
*.ru
*.ro
*.in
*.br
*.cn
*.jp
*.il
[58.0.0.*]
[59.0.0.*]
[60.0.0.*]
[61.0.0.*]
[112.0.0.*]
[113.0.0.*]
[114.0.0.*]
[115.0.0.*]
[116.0.0.*]
[117.0.0.*]
[118.0.0*]
[119.0.0.*]
[120.0.0.*]
[121.0.0.*]
[122.0.0.*]
[123.0.0.*]
[124.0.0.*]
[125.0.0.*]
[126.0.0.*]
[169.208.0.*]
[202.0.0.*]
[203.0.0.*]
[210.0.0.*]
[211.0.0.*]
[218.0.0.*]
[219.0.0.*]
[220.0.0.*]
[221.0.0.*]
[222.0.0.*]

Badkey uses zen.spamhaus.org and country block based on APNIC

John Willemse — Tue, 17 Jun 2008 21:37:10 +0200

After using zen.spamhaus.org see here the report for:
06/01/2008 - 06/15/2008

The Badkey Team

blocked using 88.blacklist.zap

John Willemse — Tue, 17 Jun 2008 20:23:49 +0200

Frontbridge’s 88.blacklist.zap,

blacklist.zap is a private blacklisting service. The sender's IP has been blocked for one reason or another, usually for sending spam.
That doesn't mean you sent it, only that the address you are using is part of an address block that's been blacklisted.
Frontbridge is a mail exchange service is used by the receiver's company.

Frontbridge is a messaging and email service acquired by Microsoft in 2005.

http://www.microsoft.com/presspass/press/2005/jul05/07-20FrontBridgePR.mspx
and is now http://www.microsoft.com/exchange/services/default.mspx

EDIT - contact your ISP and let them know about the block. It usually takes a couple of days to resolve that kind of stuff. Until then, use an alternate email service.

*** If you have received an error message regarding 88.blacklist.zap, they are quick to help with delisting issues-- you should send an email to the email address below and include the IP address: "Frontbridge Delisting Requests"

Steps you can take to ensure that your IP address is not blacklisted
Getting spam complaints from your subscribers is the main reason for getting blacklisted. Here are some things to you can do to prevent getting these complaints.

1. Double opt-in – Having your subscriber’s double opt-in is not only a Streamsend policy, but is the best way to ensure the right people receiving your email blasts. By having your subscribers confirm their subscription to your email blast you prevent any addresses from fraudulently being added to your lists.

2. Control frequency of emails – If you haven’t sent to your list in a several months, some subscribers may forget that they had signed up, and complain. You will want to keep in contact with them so they recognize your messages when they arrive in their inbox.

3. Ensure You Have Valid Emails – ISP’s monitor how many soft and hard bounces occur during an email blast. Make sure that you have a clean list to start. This generally shouldn’t be a problem, but some clients have a double-optin list, but haven’t sent messages for a long time. In these cases you may wish to send slowly over time for your first couple of email blasts so that our system can clean your list without ISPs getting blacklisted.

4. Don’t use subject lines that can appear to be spam – With spam being as big of a problem as it is these days, people sometimes assume a message is spam without getting past the subject line. You will want to be sure to avoid terms that sound as though they could be used for spam (ex. Don’t miss this free opportunity! / Great deals on new products!)

5. Make sure your from name and address are familiar – If there is any confusion as to where your message is coming from, your subscribers would be much less inclined to report you as a spammer if they could contact you directly.

6. Ensure opt-out URL is CLEARLY visible – Even if a subscriber has double-opted in to your mailing list, they may eventually decide they’d like to unsubscribe. If you don’t give them the option to do so, their next step may very well be likely to report your message as spam.

The Badkey Team

Badkey Back On-Line

John Willemse — Wed, 11 Jun 2008 23:45:58 +0200

.. wow so nice a new Provider and a 'new' ADSL modem. It was a bad modem. Now we are running on a temp replacement.

Our thanks for the temp replacement, Discovery Networking. Have a look at their website at:
http://www.discoverynetworking.nl

The Badkey Team

Microsoft AntiSpyware

John Willemse — Fri, 30 May 2008 22:34:57 +0200

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected and minimizes interruptions and helps you stay productive. Now with 2 free support incidents for Windows XP and Windows Server 2003.

Windows Defender detects and removes known spyware from your computer, which helps make your Internet browsing safer.
The software uses automatic definition updates provided by Microsoft analysts to help detect and remove new threats as the threats are identified.

Improvements in Windows Defender:
Enhanced performance through a new scanning engine.
Streamlined, simplified user interface and alerts.
Improved control over programs on your computer using enhanced Software Explorer.
Multiple language support with globalization and localization features.
Protection technologies for all users, whether or not they have administrator rights on the computer.
Support for assistive technology for individuals who have physical or cognitive difficulties, impairments, and disabilities.
Support for Microsoft Windows XP Professional x64 Edition.
Automatic cleaning according to your settings during regularly scheduled scans.

Benefits of Windows Defender:
Helps detect and remove spyware
Spyware detection. Quickly and easily finds spyware and other unwanted programs that can slow down your computer, display annoying pop-up ads, change Internet settings, or use your private information without your consent.
Straightforward operation and thorough removal technology. Eliminates detected spyware easily at your direction. If you inadvertently remove programs that you actually want, it's easy to get them back.
Scheduled scanning and removal. Runs these processes when it's convenient for you, whether it's on-demand or on a schedule that you set.

Improves Internet browsing safety:
Helps stop spyware before it infiltrates your computer. Offers a continuous safeguard designed to target all the ways that spyware can infiltrate your computer.
Works without distracting you. Runs in the background and automatically handles spyware based on preferences that you set. You can use your computer with minimal interruption.

Helps stop the latest threats:
Expertise you can rely on. A dedicated team of Microsoft researchers continuously searches the Internet to discover new spyware and develop methods to counteract it.
Stops new threats quickly. A voluntary, worldwide network of Windows Defender users helps Microsoft determine which suspicious programs to classify as spyware. Participants help discover new threats quickly and notify Microsoft analysts, so that everyone is better protected. Anyone who uses Windows Defender can join this network and help report potential spyware to Microsoft.
Automatically stays up to date. To help protect your computer from the latest threats, you can choose to have updates that counteract new spyware automatically downloaded to your computer.

Windows Defender detects and removes known spyware from your computer, which helps make your Internet browsing safer.
The software uses automatic definition updates provided by Microsoft analysts to help detect and remove new threats as the threats are identified.

Windows Defender
Microsoft Security Intelligence Report
How to install and set up Windows Defender

The Badkey Team