Symptoms of Microsoft Exchange 2003 Outlook Web Access and martuz.cn JavaScript virus infection
Within the last few days one of our main Exchange 2003 Server Outlook Web Access became painfully slow.   Symptoms were related to main browser window in Internet Explorer displaying just the vertical bar that separates the folders and the message area and getting stuck there for about 30 seconds and then finally loading the rest of the page.   Double clicking and opening a message would pop open the blank message window with a http://your servername…. In the lower left hand status bar of the pop up window and finally after about 30 seconds would load the window.  Same thing would happen composing a new mail message in OWA.   Everything worked normally accept that tasks became slower for users in OWA.

Martuz.cn JavaScript virus infection detection
We are running the latest version of Symantec Norton Endpoint Security which did not report any virus, Trojans, or spywares on the Exchange 2003 server.   Looking further into the situation we noticed that when the browser window for the Outlook Web Access opened the task bar of the browser window would display http://yourservername…. and then would change to http://martuz.cn/vid/…  for a  few seconds and OWA window would finally open.   This indicated some infection.   Our analyses showed that OWA was running an infected java script within the OWA pages that caused the problem to appear.   Apparently Symantec End Point Security on had no clue about this infection and we are still unsure about how server got infected.  Googling and doing the research we have seen reports of PHP exploit or FTP exploit for the cause of the infection of the virus.

Martuz.cn JavaScript virus infection removal
First of all to see if you have the same problem as described here by logging into to the OWA account and watch at message on the bottom left side of the task bar of the browser window after the login which would say “Waiting for http://yourservername/exchange” if at any time it changes to waiting for http://martuz.cn… And then disappears you have the same problem.
Download and install the Microsoft Forefront Client Security trial version and install on the server, we left Symantec End Point Security running at the same time without any problem.   Scan your entire Exchange installation folder only on your server for a quick check.    If you see the message related to Gumblar Trojan then you server is infected.   Infected files will be in \Exchsrvr\exchweb\controls and or D:\Exchsrvr\exchweb\6.5.7651.60 or something similar.   Backup the entire exchweb folder just in case.  Chose the option to remove the virus infected file.   Re-install Exchange 2003 Service Pack which would re-populate the files removed by the anti-virus software.

Summary:
Martuz.cn / Gumblar is a JavaScript exploit that inserts itself into the legitimate OWA files.   There is no definite known cause of how this virus gets installed on the server.   Microsoft Forefront Security client seems to do a good job of detecting and removing the virus.  You need to re-install service pack in order to re-introduce the files removed during the virus removal.

Phishing is a fraudulent act committed by individuals who want to gain access to sensitive personal information for an array of purposes. Contrary to what many believe one of the best ways you can protect yourself from phishing isn’t to install defense programs or increase security measures, but instead to learn how to recognize a phish.

The most common form of phishing requires the use of email. These emails usually appear to originate from a well organized financial establishment and ask for personal information that if placed in the wrong hands automatically puts you at great risk. A “legitimate” phish will most likely ask you at one point and time for your credit card number, social security number, account number or password. Many times phishing effort s seem to come from sites with which you do not even have an account with, giving you all the more evidence which will allow you to discover if indeed the email is a phishing attempt. It isn’t uncommon for a phishing email to instruct you to click on a link which will redirect you to a site where you’re expected to enter personal information. Authentic organizations should and will never ask you to confirm this information via email.

Phishing usually takes place when an individual or group of individuals feel the need to collect sensitive and personal information for a wide variety of purposes including (but not limited to) online purchases, identity theft, misrepresentation and use of financial information.

How to Recognize a Phishing Attack

Since phishing emails are usually sent in mass quantities Internet criminals utilize generic names, for example: “First Phony Bank Customer”. This is done so that they do not have to type every single recipients name into the emails, as this can be very time consuming and hectic. If you don’t see your name anywhere in the email, then treat it with caution and suspicion. A phishing email usually contains a forged link somewhere within its contents instructing you to click on this link so that it may redirect you to a “safe” site so that you can then enter your personal information. One way to safeguard against forged links is to try and locate the “https”, because the “s” stands for secure. If you can’t locate https anywhere within the link, then try not to proceed.

Legitimate organizations are very skeptical about asking for sensitive information through emails because it can easily end up in the wrong hands. Therefore if you receive a request for personal information within an email, then it is most likely a phishing attempt. Phishing emails are constructed on the very concept of urgency, meaning that a phish will try to inform you that something is in need of your dire attention. Usually Internet criminals try to instill this urgency by informing you that there has been a breach in your account, unwanted access by a third party, or the need to confirm your personal information.

Conclusion

Fraudulent emails can be found all over the Internet. Cyber criminals will never stop working in order to gain access to your computer, life, and personal information, therefore the information given above should be seen as a way to help protect yourself from the various forms of phishing attacks that many fall a victim of.

What is Spam?

Spam can be generalized and defined as unsolicited emailing that’s usually sent out to several email addresses in bulk. Spam emailers have created their own “gated” community within the Internet; they’ve separated themselves from all politics and rules pertaining to the Internet and have constructed their own methods. This is being produced by all sorts of individuals and organizations in order to reach a wide set of audience, as they use this method to send endless amounts of emails and advertisements that flood your mailboxes on a daily basis.

Effects on Businesses

It isn’t a secret that many businesses heavily rely on the Internet, thus allowing them to grow and expand as time progresses. However if a business’s backbone is the Internet then in return bandwidth is the Internets back bone and support as well. When a message is sent to a network this action takes up bandwidth. Depending on the size of the message and the quantity depends on the amount of bandwidth utilized. A larger than usual message or mass quantities of messages will normally take up a great deal of bandwidth, which consequently will slow down a business’s network and Internet.

There have been studies that suspect spam for accounting as much as 50% of some businesses networks, this means that these businesses are only using about 50% of their resources, thus in return possibly hindering their growth and increasing unnecessary expenditure. It is a mission at times to reduce or even eliminate spam, however obtaining the right spam filter is the solution. Spam filters rely on a set of rules, regulations and if I may say so “politics” in order to catch and filter out the impractical emails. Determining your businesses needs and assessing the budget is one of the first steps in order to gain control of the unwanted emails.

These are the negative effects, there aren’t any known positives in receiving spam except for the sender as they take advantage and overwhelm your mailbox. Protect yourself and your business from spam today and invest in a suitable spam filter. Along with the high rate of unproductive costs, and bandwidth usage there are potential security risks as well. If you were to mistakenly open a spam email containing a virus, Trojan horse, or spyware it could infect your computer and consequently spread throughout your entire network. Assess the risk of affording spam to enter your mailbox, and take part in filtering out unwanted & unsolicited emails.

A DNS Root Name server is a server that answers on behalf of the DNS root Zone, and redirects requirements for a given TLD (Top Level Domain) to that particular TLD’s name servers. The term “root name server” is normally used to describe the thirteen organizations often referred to as the “root server operators”. They implement the root namespace domain for the Internet’s official universal implementation of the Domain Name System. The original thirteen members in alphabetical order are; A - VeriSign Global Registry Services ,B - Information Sciences Institute ,C - Cogent Communications ,D - University of Maryland ,E - NASA Ames Research Center ,F - Internet Systems Consortium, Inc. ,G - U.S. DOD Network Information Center ,H - U.S. Army Research Lab ,I - Autonomica/NORDUnet ,J - VeriSign Global Registry Services ,K - RIPE NCC ,L - ICANN ,M - WIDE Project. Global

Incidentally, the letters A-M represent the 13 numeric IPv4 addresses at which the service is provided. Each operator is tasked with providing consistent DNS service to the Internet from their specific address.

The empty string after the final dot in a domain name is called the root domain, and all other domains like .org, .net, etc are enclosed within the root domain. A computer connected to the Internet resolves a domain name by asking every name server about the element to its left working its way from the right. The root name servers know which servers are responsible for the top-level domains like .com and .org, which have their own servers. These servers then query name servers responsible for particular domain names, which in turn answers queries for IP addresses of sub domains.

The root zone file is at the summit of a hierarchical distributed database called the Domain Name System (DNS). All the Internet applications use this distributed database to translate distinctive domain names like www.onsiteil.com into various identifiers that use the DNS.

The root zone file also lists the names and numeric IP addresses of the valued DNS servers for all the top-level domains. Examples of such domains are COM and ORG. In case a given name server does not have information on a specific authoritative server, it transfers the query to a root name server.

Other name servers’ forward queries for which they do not have any information about authoritative servers to root name servers. The root name server then answers with a referral to the authoritative servers for the appropriate Top-Level Domain.

Unless there is a very good reason not to, always install Exchange on hardware supported by Microsoft.  Consult Microsoft’s Windows Server Catalog (formerly the “Hardware Compatibility List,” or HCL) for a complete list of compatible, supported hardware.  In order for a system to be considered supported, it must be listed in the Windows Server Catalog.  Systems containing some supported and some unsuported software are considered unsupported by Microsoft.  In addition to ensuring a smoother installation or upgrade, using supported hardware also means you will receive better technical support from Microsoft or other vendors should the need arise in the future.  Using unsupported hardware can cause problems ranging from intermittent mail outages to total and complete loss of data.

• Exchange Server 2008 requires both 64-bit hardware and 64-bit Windows.  See “Exchange 2007: Frequently Asked Questions” for more information.
• Exchange Server 2003 cannot run on 64-bit Windows.  See “Choosing Exchange Server 2003 Hardware for Reuse with Exchange Server 2007“ for recommendations from Microsoft on choosing the best hardware for Exchange.
• See “Microsoft support policy on hardware not in the Windows Catalog (Windows HCL)” (KB142865) for more information on Microsoft position on unsupported hardware.

2. Misconfigured DNS

Because Exchange relies heavily on both Active Directory and DNS, a simple configuration problem in either one will cause major headaches for your new or upgraded Exchange environment.  Here are a few of the common configuration mistakes when it comes to DNS and your Exchange environment:

• All Windows 2000 Servers must be on Service Pack 3 or Windows Server 2003, including Global Catalogs (GCs).  It is also Microsoft’s recommendation that at least one GC be placed in each site containing an Exchange mail server.
• Verify your Mail Exchanger (MX) records are correct and that no MX record points to the Fully Qualified Domain Name (FQDN) of an Exchange server.  See “How to Verify that MX Records Do Not Point to the FQDN of an Exchange Server.”
• If it exists, remove the root zone under Forwarded Lookup Zones in the DNS management console, as it will prevent Exchange from sending mail (outbound mail).  See “How To Remove the Root Zone (Dot Zone)“ (KB298148) and “‘Host Unknown’ message when sending outbound Internet mail” (KB289045) for information on removing the root (AKA “dot”) zone.
• See “Exchange Server 2003: Verifying DNS Design and Configuration“ for more information on verifying your DNS configuration.

3. Misconfigured Active Directory

Active Directory (AD) plays a crucial role in the configuration, performance, administration, and security of Exchange Server 2003 and Exchange Server 2008.  There are several “gotchas” to watch out for when configuring Active Directory for use with Exchange.

• Be certain that Active Directory Connector (ADC) is installed, and that you are using the version appropriate to your installation or upgrade.  The ADC is responsible for replicating Exchange information to and from AD, and must be upgraded to the version included in Exchange 2003 prior to upgrading Exchange itself.
• Check your domain level(s).  Exchange Server 2003 is supported in 5 AD domain levels which basically break down into 2000/2003 mixed or native and mixed 2000 and 2003 domains.
• See “Overview of operating system and Active Directory requirements for Exchange Server 2003” (KB822179) for a complete list of requirements.

4. Disabled Message Tracking

Message Tracking is one of Exchange’s best features for troubleshooting mail delivery problems.  Microsoft describes Message Tracking as follows: “Message Tracking Center, when it is enabled, logs information about the sender, the mail message, and the message recipients. Specifically, you can review statistics such as the time the message was sent or received, the message size and priority, and the list of message recipients. You can also log the subject line of e-mail messages. The Message Tracking Center searches for messages such as system messages, public folder messages, and e-mail messages.” ¹  Unfortunately, Message Tracking is not enabled by default on Exchange 2000 or Exchange 2003.  If you are running Exchange Server 2007, and the system has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role Message Tracking is enabled by default.

See: “How to enable message tracking in Exchange 2000 Server and in Exchange Server 2003“ (KB246856) for more information.

5. Misconfigured Anti-Virus Software

It should go without saying that any Windows mail server should have a properly configured and up-to-date anti-virus solution.  One has only to look at the abundance of viruses to be convinced the effort of maintaining anti-virus software is well worth the time, effort, and expense.  Misconfigured anti-virus software, however, especially on such highly-visible and highly-used systems as mail servers, can affect problems from minor performance issues to major catastrophic failures.  Properly configuring the parameters of your anti-virus software can be an art as much as a science.  On the one hand, if your anti-virus configuration is too inclusive, or too stringent, it may cause a severe performance penalty on the system.  If, on the other hand, the configuration excludes too many processes, services, directories or files, or its policies are too lax, it may be vulnerable to attack.  In many cases, this second case is the worse possible scenario a system can be in, simply because an anti-virus solution is installed and configured, therefore it is assumed that the sysem is safeguarded against such attacks.

• See: “Exchange [Server 2000] and antivirus software” (KB328841), “Overview of Exchange Server 2003 and antivirus software“ (KB823166) or “Exchange 2007: Managing Anti-Spam and Antivirus Features “ for more information.

A denial of service (DoS) attack is an attempt to deny a user from accessing the available computer resources and services. It can be targeted towards a single system or a group of systems. In the event that a great number of systems are attacked, it’s called a distributed denial-of-service attack (DDoS).

Whereas the motives and means of carrying out the attacks are varied, the primary goal is to deny legitimate users from accessing information, resources and services.

A denial of service attack is typically carried out by an individual or group of individuals who deliberately prevent a computer system from functioning properly using various means. They usually target Internet Sites or services being hosted on reputable web servers. Common sites and services prone to attack are banks; DNS root name servers and online payment gateways.

Perpetrators of DoS attacks use various means and methods to carry out their acts. There are typically two means of attack, the wired and wireless means. Wired means of attacks are usually carried out on wired networks whereas the wireless means of attack is carried on wireless networks.

The methods of attack range from attacks on electronic mail to attacks on routing devices and the web.

There are generally five basic types of attacks:

• Interference with the physical network connections
• Using up a commuters resources, like disk space and band width.
• Disrupting system configuration
• Disrupting and obstructing communication channels between users of a system.
• Interfering with state information

A denial of service attack (DoS) or DDos can manifest itself in various ways. One of the most common signs is slow network performance usually caused by “flooding” the network. You can notice this in the time taken to open a file or access a website. A website might also become unavailable or difficult to access. You email might abruptly start receiving huge amounts of spam. However, the above signs might as well be due to other reasons not associated with a denial of service (DoS) attack. A network problem might be a result of faulty hardware or system/software upgrade by the system administrators.

If you think that you are experiencing a denial of service (DoS) attack, seek technical advice or assistance. In any case, report the incident to your system administrator or ISP provider.

RBL is an abbreviation for “Real-time Black List”. An RBL is a list of ‘known’ SMTP servers notorious for sending SPAM. The List is regularly updated with new potentially harmful entities. These entities might be a list of domain names, IP addresses and viruses that are known to cause or associated with potentially harmful activities. When the user receives a message, the email server can look at the IP address of the originating SMTP server, and search for it in a black list. If the IP address is found in the black list, traffic from that particular IP address it’s automatically blocked.

In the past, blacklist solutions come in the form of software. Traditionally, there existed only two major forms of software that used Real Time Black Lists: antivirus and anti-spyware software. However, new advanced blacklist solutions which use heuristics like the DNSBL (DNS Black List) have come up.

There are many advantages associated with using Real Black Lists; one major advantage of RBLs is that they don’t entail any major work from the user. You don’t need to have specialty training. Other advantages include; automatic update of the blacklist, total security against known threats, no need for definition file updates. It also acts as an extra layer of protection because it does not rely entirely on definition files.

However, there are some drawbacks associated with using Real Time Black Lists. Your network is left under the control of a third party vendor and constantly updating the list might consume a good chunk of the available bandwidth. A large email from a good source might be mistakenly deleted or blocked. The scanning of all incoming and outgoing IP traffic might slow down the system. Works stations and networks might be vulnerable to day-zero attacks.

White list

A white list is a list of accepted e-mail addresses or domain names/IP addresses that the user deems are acceptable to receive email from and should not be deleted. The most popular list is the e-mail white list. E-mail white lists contain a list of of e-mail addresses or domain names from which e-mail blocking software will allow traffic to be received. The white list is an option for those who don’t like using Real Time Black Lists.

There are many advantages associated with using a white list.The system performs faster because there is no constant scanning of outgoing or incoming traffic. You don’t need to install unlicensed software. No executable programs like spyware or Trojan horses will ever get installed on your system. There is also no need for virus or spyware definition updates; therefore, systems are constantly protected from day-zero virus attacks.

One drawback of using a white list is that you might miss an important message from a credible source that you have not included in the white list.

The contents of emails that spammers have been sending within the past few years have been evolving with incredible craftiness. These emails seem to surpass simple-minded spam filters that we blatantly continuously install. We read spam, curse spam, and have come to hate spam, but what if there was an existing spam filter that evolved along with the endlessly developing spam, leaving it one step ahead every time?

What is the origin of Bayesian Spam Filters?

There was a man that lived from 1702 to 1761 who’s name was Thomas Bayes, an English Presbyterian minister and mathematician. After he died the Royal Society published one of his most important findings in 1763 as the Philosophical Transactions. His findings simply stated that if a deadly disease existed such as Cluvitis (non-existent) and the symptoms were fever, runny nose, toothache, and more, just because you manage to get a runny nose that doesn’t mean you have Cluvitis. However, if you were to acquire another series of symptoms at equal intervals such as a fever, then this would greatly increase the chances that you might have Cluvitis.

Bayes Law tries to outline the exact probability that you may test positive for Cluvitis. Now if you were to embrace the same concept and fast forward a couple hundred years later into the future (precisely to 2002) you’ll find yourself basking in Paul Graham’s proven theory that applies this same strategy and concept to Spam Filters, thus the Bayesian Spam Filter was conjured up.

Graham developed a concept that showed how Bayes Law could be applied to actually find and categorize legitimate emails. Since one of the major factors of the Bayesian Spam Filter is that it evolves as the spam itself becomes more advanced, the more spam messages as well as legitimate emails that the filter receives the higher the changes are of calculating and finding illegitimate emails multiply. Simply said, the more emails it receives, the more accurate it becomes.

At first you’ll have to mildly train the filter in order for it to effectively decipher what legitimate and illegitimate email is. After the first couple emails that this process was widely applied to, the Bayesian Spamming Filter will take care of the rest. The reason Bayesian email filters work is because these filters aren’t dependant in any way on invariable change. It doesn’t depend on the spelling or grammar, it’s main focus is on the things that are being said within the email!

For example, if the word shopping extensively appeared within non-spam emails, the obvious chances are that it isn’t a spammed email. This is all thanks to the Bayesian Spam Filters ability to automatically adapt when need to be. Now we’re going to enter into how your Bayesian Spam Filter can come to disappoint you. The only bad thing about this spam filter is that well simply said it’s not indestructible (as most of our childhood dreams seemed to have been at one point and time), yes it has an incredible ability to evolve and adapt as time passes, however a spammer can still make it past well-trained Bayesian filters if they’re able to wittingly (and annoyingly) mask their emails to perfectly look like regular emails.

Although, since spammers aren’t accustomed to sending out perfect emails, there is still a slight chance that an email won’t get passed the great Bayesian guard.

Dealing Effectively with Spam

Any business that believes spam is merely an annoyance in the office is sadly mistaking. A 2007 report by Nucleus Research shows that spam costs organizations in the United States $712 per employee every year. According to Nucleus, that adds up to an estimated $70 billion annually in lost productivity. The amount of time employees spend going through their inbox trying to distinguish junk mail from messages that require a response is invaluable time that could be spent handling more important tasks. Not only that, the flood of email that seems to grow larger has the power to tax the corporate network by gobbling up disk storage, bandwidth and other precious resources. Trying to manage all the extra emails and find a solution to the problem could also have a tremendous impact, particularly on a small business.

Things are grim, and while it looks as if spam is here to stay, there are a few ways you can minimize the affect it has on your business.

Spam Filtering

The epidemic of spam has led to the emergence of many anti-spam products. Aside from the outright spam filters, several mail clients come included with spam filtering capabilities, allowing you to designate certain words that are to be flagged and filtered away from your inbox. For example, emails bearing common spam phrases such as “click here” can be immediately sent to a quarantine folder, giving you the opportunity to check out the message to make the determination for yourself.

RBLs

Short for Real-time Blackhole Lists or Blacklists, RBLs are another method of preventing spam from reaching the company inbox. Unlike software products that use a number of filtering techniques, RBLs stop unsolicited mail at the server. An RBL contains a list of IP addresses that are known or suspected of distributing spam. These determinations are typically made by catching the senders in spam traps. This is a great way to minimize all those bothersome emails as some services have efficiency ratings of 90% of more. Two of the most popular RBL providers are BrightMail and SpamCop.

Good Practices in the Office

While blacklists and filtering programs help at cutting down on the amount of spam affecting your business, the internet habits of your employees may play the biggest factor. It is vital that all staff members understand that spam messages should never be replied to. Doing so will only let the sender know that your email address is valid, prompting them to send even more messages and possibly share the address with others in the spam community.

Employees should also be instructed to never use the company email account in any message boards or social networking sites on the web. Spammers are very advanced theses days and utilize special programs to scan popular hangouts for email recipients. If you must participate in such group settings, be sure to use your personal email account to keep the spammers away from the business inbox.

Conclusion

Even the U.S. government understands that spam is a huge problem as legislation has been passed with new laws in the works. Until we find a way to put a lid on this mess for good, the best advice is to make use of quality software and services combined with good ole common sense

In order to be effective at distinguishing spam from legitimate emails, a spam filter needs to rely on various methods. Some of today’s most popular programs utilize blacklists and whitelists to filter out junk mail. As you’ve probably guessed, these counterparts are the exact opposite of one another. Senders listed on the blacklist are denied access to a particular email address while those on the whitelists are allowed. When combined with techniques such as Bayesian filtering and pattern matching, these lists better assure that a much lower volume of spam reaches your inbox.

Types of Blacklists

Whitelists are pretty dry and cut, but blacklists come in many different forms. Below are details one some of the most common types of blacklists:

IP Blockers: IP blacklists or blackhole lists, are huge repositories of IP addresses known for distributing spam. The organizations who manage these repositories use a variety of mechanisms to find out who is sending spam. These techniques range from human reporting to setting up decoy email accounts. Many spam filters are configured to examine incoming email and trace its origin. If it comes from an IP address of a known spammer, it is flagged accordingly and moved to a quarantine folder. IP addresses can be blocked by email server, local machine or an entire country.

DNS Blacklists: DNS (Domain Name System) blacklists contain lists of IP addresses that act as the source of spam messages. By using this list, the spam filter can deny access to individual domains or websites. DNS blacklists are usually established and managed by anti-spam organizations.

Email Blacklists: Also known as spam blacklists, email blacklists contain information on email addresses and mail servers used by spammers. Using this type of list gives a spam filter the ability to deny access at the server and automatically discard unsolicited mail. Unfortunately, it could also deny legitimate messages as well.

Factors to Consider

Although using a spam filter equipped with blacklist and whitelist functionality will definitely help at keeping spam out, take note that such a system isn’t always accurate. In order to block a higher amount of unwanted email, spam filters must receive frequent updates as spammers grow more sophisticated by the day. Some create new email addresses to deliver spam from and others concoct new keywords that allow them to slip through the filter. The good thing is that blackslists are continuously updated by various Internet Service Providers and organizations. When your spam filter is regularly updated, the blacklist has a better chance of keeping out spam while the whitelist does a better job at reducing false positives and allowing genuine email to reach you.