Posts tagged ‘DNS’
Backscatter
One of our users is a victim of backscatter and has been reporting the bounces to the abuse mailbox at work.
Backscatter is the unsolicited mail that occurs when a spammer sends out email as you and poorly configured email servers return all manner of notices to you. It’s funny to watch the Barracuda spam firewall spamming the employee with the message Undeliverable: **Message you sent blocked by our bulk email filter** and an RFC rejection. Along with that are the usual ‘out of office’ and non-deliverable reports.
I figured there really isn’t much we can do. I decided that maybe it’s time to adjust the SPF record and change it from a ~all to a -all setting. Surprise, surprise, I found that there was not an SPF record for the domain in question. I’m not sure if I dropped the ball on that or if our external DNS provider did something crazy again. At any rate, that is getting fixed, but given how few people check the SPF record, I don’t think it will be a lot of help.
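As an added illustration of the ~all versus -all change from the Backscatter post (this is example code, not the blog’s own), the evaluator below walks an SPF record for a forged sender address. The TXT records, domains and the 203.0.113.5 spoofer address are all constructed, and a dictionary stands in for the DNS lookup so it runs offline.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups so this runs offline.
# example.com publishes its relay range plus an include and ends in "-all";
# softfail.example is the "~all" form the post started from.
SPF_TXT = {
    "example.com":        "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "softfail.example":   "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, lookup=SPF_TXT.get, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for mail claiming to come from `domain` but sent from `sender_ip`."""
    if depth > 10:                     # RFC 7208 limits include recursion
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                  # the post's case: no record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":              # the catch-all decides the spoofed case
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":        # an include only matches on "pass"
            if check_spf(arg, sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"         # a, mx, exists, ptr not modelled here
    return "neutral"                   # no "all" term: treated as neutral

if __name__ == "__main__":
    spoofer = "203.0.113.5"            # constructed address outside both ranges
    for dom in ("example.com", "softfail.example", "nospf.example"):
        print(f"{dom:20} from {spoofer}: {check_spf(dom, spoofer)}")
```

A receiver that enforces SPF rejects a "fail" during the SMTP transaction, so no bounce is ever generated for the forged sender; "softfail" is usually just a scoring input, which is why moving from ~all to -all matters for backscatter.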
DNS Security
The Symantec Security Response weblog has a good entry today on DNS security. It’s worth reading. The problem I see is that it’s short on solutions. Sure, it’s a nice observation that SSL will warn you, but what else can you do?
I appreciate that they didn’t go with the “use OpenDNS” kneejerk response that I see a lot. Depending on your ISP, the OpenDNS servers may be more secure. But if you’re a large company, you want your ISP to be certified and accredited. It may be easier to force your ISP to obtain that (you’re paying them a lot of money, after all). As the article states, the DNS response is still vulnerable to spoofing.
There were a couple of points not covered by the article.
1. What if you get infected and the infection changes your DNS server settings? Will you catch that?
2. DNSSEC, if it were ever implemented, would provide some protection. I would have been interested in the author’s take on that.
OpenDNS Porn Blocking
I learned something new from Brian Krebs’s Security Fix at WashingtonPost.com. In today’s entry he writes that OpenDNS has added a voluntary feature to block porn.
OpenDNS is a free DNS service that purports to be faster and more reliable than the ISP DNS you are probably using by default. They also add in some anti-phishing and anti-typo features to protect their users. They make money by hijacking the result if you type in a non-existent webpage such as www.asdfasfdasdfasfasdfasfd.com.
Anyway, if you register your IP address with OpenDNS, you can sign up to have those DNS requests checked by their St Bernard implementation.
I set it up this afternoon. It was easy to add their DNS servers into my Linksys Router (sveasoft talisman firmware), but I didn’t see a way to set up DDNS updating without putting a DDNS updater on my desktop. I would have preferred to do that on the router.
This is a good free setup to stop unintentional access. If you’ve got people trying to get around it, you’re better off having a filtered ISP or running a proxy server that is physically protected (along with the cable modem) to prevent bypassing.
Shoes Dropping May 8th
The Microsoft Security Response Center writes today that the DNS server patch is on target for May 8th.
“support for the legacy WSUSSCAN.CAB expired in March 2007, you need to ensure that your detection and deployment tools now support the new WSUSSCN2.CAB file. There will be no support for the security update for this issue in the old WSUSSCAN.CAB architecture.
If you use MBSA 2.0 in offline-scan mode, you will need to use MBSA 2.0.1. If you use the SMS 2003 Inventory Tool for Microsoft Updates (ITMU), you need to ensure you’re using version 3 of that tool.
Next, a reminder that as part of our standard Microsoft Support Lifecycle, support for Windows Server 2003 expired on April 10, 2007 with the April monthly bulletin release. Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 are the currently supported versions.”
While I think the ITMU requirement came up last month, I suspect a lot of people will be caught flat-footed by the Windows 2003 RTM expiration.
Microsoft DNS Exploits
SANS is reporting that successful attacks were seen on April 4th against Windows DNS servers at two U.S. universities.
We’ve disabled remote management of DNS. It would be a bad thing™ if our domain controllers were compromised. Don’t forget to check for other places you might use Microsoft DNS. Some systems up on our DMZ are running Microsoft DNS. Fortunately those are all firewalled correctly.
http://support.microsoft.com/kb/935964
8:50 and already a rough morning
I got a call this morning while driving into work that the domain we receive the most mail on is not getting email. Naturally, since I recently requested some changes in the way we receive mail, that was blamed first.
It turns out they were right, in a way. I had requested that we update DNS so we no longer have a wildcard MX record. With a wildcard MX record, you could address mail to anyserver.example.com (obviously not our real domain) and it would be delivered to our MTA. Since this causes us to process a lot of unnecessary email, I thought we should remove that.
We use split DNS and run our external DNS through our ISP. When AT&T/SBC performed the update, instead of removing the wildcard MX record, they removed example.com.
So we’re getting no email addressed to @example.com. The negative response cache TTL is 2 hours. So even after we get SBC to fix the record, we may not get email for a while.
At least this is a reminder that people should be using our new domain name instead of the old example.com.
If we had been monitoring our external MX records, we would have seen them go away and possibly gotten it fixed before most people’s cached responses expired.
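Here is an added example (not the blog’s code) of the external MX monitoring the post wishes had been in place: it checks that the apex still answers with the expected MX set, flags an NXDOMAIN (the failure mode described above) along with the 2-hour negative-cache exposure, and probes a made-up label to confirm the wildcard MX is really gone. The answer tables, the mx1/mx2 hosts and the zz-probe label are constructed stand-ins for live DNS queries.

```python
# Constructed answer tables standing in for live DNS queries, keyed by name:
# (rcode, [(priority, exchange), ...]). "before" is the old zone with the
# wildcard MX, "after" is what the ISP actually did (example.com gone),
# "intended" is the change that was asked for.
MX_SET = [(10, "mx1.example.com"), (20, "mx2.example.com")]
SNAPSHOTS = {
    "before":   {"example.com": ("NOERROR", MX_SET),
                 "zz-probe.example.com": ("NOERROR", MX_SET)},  # wildcard answers
    "after":    {},                                               # NXDOMAIN for everything
    "intended": {"example.com": ("NOERROR", MX_SET)},
}
EXPECTED_MX = set(MX_SET)
NEGATIVE_TTL = 7200   # the 2-hour negative-cache TTL mentioned in the post

def check_mx(domain, expected, answers, probe_label="zz-probe"):
    """Return a list of findings for the external MX records of `domain`.
    `answers` maps a name to (rcode, records); missing names are NXDOMAIN."""
    findings = []
    rcode, records = answers.get(domain, ("NXDOMAIN", []))
    if rcode == "NXDOMAIN":
        findings.append(f"{domain}: NXDOMAIN, resolvers may cache the miss "
                        f"for up to {NEGATIVE_TTL}s")
    elif set(records) != expected:
        findings.append(f"{domain}: MX set changed, "
                        f"missing={sorted(expected - set(records))} "
                        f"unexpected={sorted(set(records) - expected)}")
    # A label that was never created must not get an MX answer; if it does,
    # the wildcard MX is still live and anyserver.example.com is still accepted.
    probe = f"{probe_label}.{domain}"
    prcode, precords = answers.get(probe, ("NXDOMAIN", []))
    if prcode == "NOERROR" and precords:
        findings.append(f"{probe}: wildcard MX still active -> {precords}")
    return findings

if __name__ == "__main__":
    for name, snap in SNAPSHOTS.items():
        print(name, check_mx("example.com", EXPECTED_MX, snap) or ["ok"])
```

To use it for real, replace the answer table with queries from outside your own network (for example dnspython’s dns.resolver.resolve, catching dns.resolver.NXDOMAIN) and run it on a schedule shorter than the negative-cache TTL.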
The DNS and The Stationery
We got a call from the Director this week. It seems the new stationery had been ordered using the domain only. For example, example.com was used instead of www.example.com. (I am using example.com in place of my company domain name, obviously.)
Currently example.com resolves to the firewall in the external DNS. I had just commented last week that we might want to change that. Most sites on the Internet, including this one, allow you to just type the domain name and you’re taken to the website. But I didn’t really want to fight any non-essential battles so I let it go.
So it became an issue when the communications department created new stationery without checking if the name they were using actually worked. It’s not such a big deal externally. The DNS guy said it’s not kosher to have two A records. But after I pointed out that every other domain on the Internet (including one we owned) did it this way, he grudgingly agreed. That’s when we hit the next hurdle. You see, the Active Directory domain is example.com. Internally, if you do an nslookup on the A records for example.com, you get a list of the domain controller IP addresses. We haven’t found a way around that problem yet.
At least I can laugh that such a common mistake continues to happen.
Holy Cow, Sunbelt Doesn’t Pile on MS
It’s posts like this that keep Sunbelt in the list of blogs I read regularly. In the post they explain why a recent security writer’s claim that “IE7 is still the spyware writer’s dream” is actually hype.
The vulnerability is that if the bad guy has write access to your computer, he can get a DLL run by IE7 because it does not require FQDNs to load a DLL. While this might make it tougher to clean your computer, the bad guy must already have infected your computer to have write access. This is not like the WMF exploit or all the bad ActiveX controls that were in previous IE versions.
Six Apart Forums WMF exploit
This is a follow-on post on the exploitation of the Invision forum used by Six Apart for its free Movable Type support.
The code that is serving up the WMF exploits is in an IFRAME using an obfuscated URL. Using a URL deobfuscator over at IPTools.com, I found that the iframe is calling http://traffnew1.biz/dl/adv670.php (danger, Will Robinson, danger), which I believe is hosted in Russia. Their DNS server is on the same IP block.
If you are running Internet Explorer when you go to that website you get exploited.
Spoofing IE6 on XP SP2, I get an obfuscated script. Not sure how to untangle that.
Gamedaily.com was hit by this bad guy on May 8th. They were also running Invision, so this has been going on for a while.
ShmooCon: Network Black Ops
Dan Kaminsky received fame a few months ago by querying DNS cache results to see how many DNS servers worldwide had cached the resolution of the FQDN used to check in by machines with the Sony rootkit. He talked about that as well as IP fragmentation attacks, DNS poisoning, and the trouble you get into when scanning all the DNS servers on the Internet.