Saturday, May 10, 2008

winzipices.cn - check your site

A bunch of sites are infected with malware according to this article:

https://webmail.intermedia.net/services/go.php?url=http%3A%2F%2Fwww.networkworld.com%2Fnews%2F2008%2F050708-web-attack-worm-infecting-hapless.html%3Fnlhtsec%3Drn_050908%26nladname%3D050908securityal

You can see sites that are infected by simply searching on "winzipices.cn" in Google but do NOT go to those web sites or your computer will be affected as described in the article.

You can see if your own site is infected by typing into Google: "site:[yourdomain.com] winzipices.cn".

Google in the past has put warnings on infected sites - hopefully they will do so with all of these soon.

Sunday, May 04, 2008

How to Eliminate A Lot More Spam

Here's how you can eliminate a large percentage of the spam you are still getting:

#1. Get Postini - I got the $12/yr security service that allows the following configurations.

#2. In your inbound server configuration in Postini, if you mainly communicate only within the US, block out entire blocks of IPs in other countries that you do not need and where a lot of spam originates, such as the following (you may want to block more or less depending on your communication patterns):

41.0.0.0-41.255.255.255
77.0.0.0-89.255.255.255
189.0.0.0-202.255.255.255
58.0.0.0-62.255.255.255
192.0.0.0-192.255.255.255
125.0.0.0-125.255.255.255

#3. If there's a particular person you do need to communicate with in these countries add them to your white list so they don't get blocked by the above.

#4. When you set up Postini you will change your MX records and then you will realize there's a lot of spam getting inserted directly into your mail server that is not even using your MX records. All this spam can be prevented by changing the firewall rules for your mail server to only accept mail from Postini IP addresses.

#5. You may want to only accept messages from mail hosts that support TLS, because any legitimate mail provider will support it. Hacked mail servers that some admin set up out of the box without configuring them properly to prevent relaying might not have TLS running. TLS will also secure your messages in transit, which is its real purpose. If someone claims they cannot send to you because their mail server does not support TLS, tell them to get a new mail provider.

#6. If any other spam squeaks through, look at the mail header to get the ORIGINATING IP address and block it out at Postini and you won't get mail from that possibly hacked email provider any longer.
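Steps #4 and #6 both come down to working out which IP actually handed a message to your infrastructure. The following is an added example (not code from this post or from Postini): it walks the Received headers newest-first, stays within hops stamped by hosts you trust (your own mail server and the filtering relay; the names used here are assumed placeholders), returns the first IP outside that boundary, and checks it against the ranges listed in step #2. Everything below the trusted boundary was written by the sender's side and can be forged, which is why the walk stops there. The sample message and all hostnames and IPs in it are constructed.

```python
import email
import ipaddress
import re

# Country-level ranges the post suggests blocking, copied as written in step #2.
BLOCK_RANGES = [
    ("41.0.0.0", "41.255.255.255"), ("77.0.0.0", "89.255.255.255"),
    ("189.0.0.0", "202.255.255.255"), ("58.0.0.0", "62.255.255.255"),
    ("192.0.0.0", "192.255.255.255"), ("125.0.0.0", "125.255.255.255"),
]

# Assumed placeholder names: your own MX host and the filtering provider's relay.
TRUSTED_HOSTS = {"mail.example.com", "filter.example.net"}

# Constructed sample: the bottom Received line is a forged hop the sender added.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [203.0.113.10]) by mail.example.com with ESMTP; Sat, 10 May 2008 09:00:00 -0700
Received: from mta.example.net (unknown [41.10.20.30]) by filter.example.net with SMTP; Sat, 10 May 2008 08:59:58 -0700
Received: from localhost (forged.internal [10.0.0.5]) by mta.example.net with SMTP; Sat, 10 May 2008 08:59:50 -0700
From: someone@example.org
Subject: constructed sample

Body.
"""

# "from <host> (... [<ip>]) ... by <host>" as written by most MTAs.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def in_block_ranges(ip):
    """True if ip falls inside any of the ranges from step #2."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in BLOCK_RANGES)


def originating_ip(raw_message, trusted_hosts):
    """Return the IP of the first hop outside trusted_hosts, or None.

    Received headers are prepended by each relay, so the first one is the
    newest hop. We only believe headers stamped ('by') by a trusted host and
    stop at the first 'from' host that is not ours: that is the sender's
    connecting IP, the one step #6 says to block.
    """
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_RE.search(hdr)
        if not m or m["by"] not in trusted_hosts:
            return None  # chain left trusted infrastructure without a clean handoff
        if m["from"] not in trusted_hosts:
            return m["ip"]
    return None


if __name__ == "__main__":
    ip = originating_ip(SAMPLE, TRUSTED_HOSTS)
    print(ip, "blocked by step #2 ranges:", in_block_ranges(ip))
```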