Tag Archives: Message Filter

Malware Attacks Targeting Hugo Chavez’s Death

Rumors of Venezuelan President Hugo Chavez’s death were rampant on the news and Internet over the past month, and last Tuesday, the Venezuelan Vice President confirmed that Chavez died after a two year battle with cancer. Chavez’s death has…

Phishers Target Myanmar with Wut Hmone Shwe Yee

Contributor: Avdhoot Patil
Phishers have already made their mark in Southeast Asia by targeting Indonesians. For the past couple of years, celebrities have been their key interest in the region. Aura Kasih and Ahmad Dhani are good examples. In March 20…

Upcoming Twitter Chat on Targeted Email Attacks

Join hashtag #MailSec and learn more about the dangers of targetted email attacks and how to prevent them.
Takedowns of large botnet rings in recent years have caused spam numbers to plummet. However, the drop in spam doesn’t make spammers any le…

Symantec Email Submission Client (SESC) 1.0: NOW AVAILABLE

 

Hi!
 
My last post back in October 2011 introduced the beta program for a new application for our messaging security customers.
I’m delighted to announce that we achieved our Generally Available (GA) milestone yesterday on March 19th meaning that the Symantec Email Submission Client is now available for all of our customers to download and install.  This is my first “1.0” product release so I’m particularly excited to see this product ship 🙂
 
Did I mention that this is provided at no extra charge?  Yup, free.
 
We had some excellent beta participants in this cycle, ranging from large enterprise customers to small businesses and we got some fantastic real world feedback which helped us ship an even better product than we originally scoped.
 
So, what is SESC?
 
The Symantec Email Submission Client (SESC) enables messaging administrators to streamline their process and procedures around one of the highest help desk call generators – missed spam.
 
Without blocking ALL email, no mail security vendor can claim to have a 100% catch rate.  Despite having an externally verified and market leading catch rate, Symantec understands that customers want to be able to report missed spam to us so that we are able to prevent the same spam attack hitting them again.
 
The SESC has been designed with the end user in mind, with the goal of making it SIMPLE TO SUBMIT.
 
Awesome! How does it work?
 
SESC integrates with Microsoft Exchange Server 2007 and 2010, utilising the flexible Exchange Web Services (EWS) platform to provide native support for all rich Exchange clients including Outlook, Outlook:Mac, OWA and Exchange enabled mobile devices.
By integrating directly with the backend of the messaging system, customers can avoid the costly admin overhead associated with deploying a plug-in or client to endpoint devices.
Because of the way EWS works, we are able to recommend that SESC is installed to a non-Exchange server so that there is no additionaly CPU burden placed on your mission critical infrastructure.  You can run SESC on any Windows 2008 R2 server, both physical or virtual (VMware ESX/ESXi or MS Hyper-V) are supported too.
 
What about the user experience?
 
Like I said, we want this to be as simple as possible and actually aimed to make it easier than deleting an item from your Exchange client.
To submit missed spam (aka false negatives) to Symantec, end-users simply move the offending message to an special folder in their mailbox.
This folder name is fully configurable by Administrators, who also have absolute control over which users are enabled for submissions.  Using their existing Active Directory infrastructure, Administrators can use pre-existing or new Groups or OU’s as well a providing a custom LDAP query to opt-in the users.
 
There are two working modes for SESC, Moderated Submissions and Direct Submissions.
With Direct Submission mode, every message moved to the submission folder by an end-user is submitted to Symantec.
With Moderated Mode, Administrators can delegate an approval process to one or more users.  In this mode, the end-user moves the message to the submission folder as normal.  This message is then made available to the ‘approval’ user who can decide whether the message should be submitted to Symantec or not.
This is particularly useful where data privacy may be a concern.
 
With SESC, customers no longer have to use the existing and rather convoluted method of submission; which involves supplying the entire missed spam message as an RFC822 attachment to ANOTHER email and sending it to the correct email address at Symantec.
 
The Symantec Email Submission Client is available today for the following products:
  • Symantec Messaging Gateway
  • Symantec Mail Security for Exchange
Simply sign into http://fileconnect.symantec.com and download the installer.
Note: Symantec Protection Suite Enterprise Edition customers will be able to download SESC from Fileconnnect from April 2012.
 
There are some really fantastic extensions to our submissions process coming in the next release of Symantec Messaging Gateway which not only extend the functionality of SESC but also help to improve your protection even more.  What’s more, the beta for Symantec Messaging Gateway 10 is due to kick off in May 2012 – if you are interested in participating please get in touch either in the comments below or you can email me ian_mcshane@symantec.com.
 
I’m excited to get more feedback as we start to think about the next releases of SESC so please do download, install it, check it out and let me know what you think either in the comments or directly by email.
 
Cheers!
 
Ian McShane
Senior Product Manager | Messaging & Web Security
Endpoint & Mobility | Symantec

Announcing the Symantec Email Submission Client Beta

One of the great things about working in the Messaging & Web Security BU is the amount of cool new technology and functionality we work on.  Some times, this is behind the scenes on our backend systems and other times this is new functionality for existing products.

This time, however, I’m really excited to announce the beta program of a brand new application:

Symantec Email Submissions Client

This application allows you to automate the submission of missed spam (aka false negatives) to Symantec, directly from your end user mailboxes.

Symantec Email Submission Client takes advantage of the Exchange Web Services framework built into Microsoft Exchange Server to provide a submissions solution that:

  • Does NOT require any installation to you endpoint devices.
  • Does NOT require any updates to be managed/pushed to your endpoint devices. 
  • Does NOT require any complex end user training.
  • Does NOT require any additional licensing from Symantec.  

 

Deploying the Symantec Email Submission Client allows you to:

  • Provide your end users with a consistent answer to the question “What do I do with this spam message?”
  • Reduce helpdesk calls by providing a simple process for your end users to follow.
  • Increase antispam effectiveness and block even more threats from entering your environment.
  • Take full advantage of our antispam technology today and in future Messaging Security product updates. 

 

In order to participate in this beta program, you must be running Microsoft Exchange Server 2010 or 2007 SP1 (or above).

To receive more information and to register for this beta program, use the following link:

http://symbeta.symantec.com/callout/?callid=6DFF3025F2654CE0AB37629981C7988E

 

When the final release ships, the Symantec Email Submission Client will be provided to all customers using a Symantec mail security product as part of your existing product entitlement.  This includes customers using:

  • Symantec Messaging Gateway (formerly known as Symantec Brightmail Gateway)
  • Symantec Mail Security for Microsoft Exchange
  • Symantec Protection Suite

 

This beta program supports our commitment to product quality and customer satisfaction, enabling customers to download pre-release versions of our products and to provide feedback directly to members of the Symantec product team.

Symantec Web Gateway 5.0 – Forward Thinking Protection against Advanced Threats

I am pleased to announce that Symantec Web Gateway 5.0 is now available!  Nearly half of our production deployments have already upgraded to the new version and the software is now available to all customers. 
This release brings not only a s…

???????????????

      No Comments on ???????????????

2 日ほど前から、シマンテックは悪質な脅威の拡散を狙った電子メール攻撃の急増を確認しています。確認されたサンプルはすべて、UPS または Post Express から送られてくる、配送に関する正規の注意メッセージや通知を偽装しています。メッセージの本文では、荷物を受け取るためには詳しい情報や処理が必要であるとして、ZIP 形式で圧縮された実行可能ファイルを開くように求めます。

このスパム攻撃で確認されたヘッダーの例を以下に示します。

差出人: “United Parcel Service” <info***3@ups.com>
差出人: “UPS Customer Services(UPS カスタマーサービス)”<***@secureserver.net>
差出人: “United Parcel Service” <***@dhl.com>
差出人: “Neil Molina” United Parcel Service <[詳細は削除済み]@[詳細は削除済み]>
差出人: “Kimberley Miner” United Parcel Service <[詳細は削除済み]@[詳細は削除済み]>

件名: United Parcel Service notification 40983(UPS 通知 40983)
件名: Delivery Status(配送状況)
件名: UPS: Your Package(UPS: 荷物)
件名: United Parcel Service notification(UPS 通知)
件名: United Postal Service Tracking Nr.(UPS 追跡番号)

差出人: “Post Express Support(Post Express サポート)” <postmail-int[詳細は削除済み]@[詳細は削除済み]>
差出人: “Post Express Information(Post Express 情報)” <postmail-usa. [詳細は削除済み]@[詳細は削除済み]>
差出人: “Post Express Report(Post Express レポート)” <postmail-usa. [詳細は削除済み]@[詳細は削除済み]>
差出人: “Post Express Office(Post Express オフィス)” <postmail-usa. [詳細は削除済み]@[詳細は削除済み]>
差出人: “Post Express Information(Post Express 情報)” <postmail-usa. [詳細は削除済み]@[詳細は削除済み]>

件名: Post Express Office. Package is available for pickup. NR03909(Post Express オフィス: 集荷準備中 NR03909)
件名: Post Express Office. Delivery refuse. NR4245855(Post Express オフィス: 配送拒否 NR4245855)
件名: Post Express Office. Track your parcel. NR06678(Post Express オフィス: 荷物追跡 NR06678)
件名: Post Express Office. Error in the delivery address. NR4061172(Post Express オフィス: 送付先住所の間違い NR4061172)
件名: Post Express Office. Get the parcel NR31215(Post Express オフィス: 荷物 NR31215 をお受け取りください)

受け取ったユーザーが圧縮ファイルを開いて実行すると、以下の脅威がインストールされます。

UPS tracking number.exeTrojan.FakeAV として検出)
UPS notify.exeBackdoor.Cycbot として検出)
Post_Express_Label.exeTrojan.Sasfis として検出)

以下に、スパムの例を 2 つ示します。


 

シマンテックがこの攻撃を詳しく解析したところ、悪質な電子メールは世界各地から送信されており、それが急増したのは Rustock の活動停止後にスパマーがボットネットを再構築しているためであると判明しました。

上述したようなメールを受信した場合に、不審な添付ファイルを開いたりダウンロードしたりしないという基本的な習慣を守るようにしてください。また、コンピュータやネットワークへの侵入を防ぐために、すべてのセキュリティパッチをインストールし、ウイルス対策定義を常に最新状態に保つことをお勧めします。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

???????????????????

      No Comments on ???????????????????

シマンテックセキュリティレスポンスは最近、一見して無害そうなプログラムがさまざまな URL でホストされていることを確認しました。このプログラムファイルが異例だったのは、多くのシマンテックユーザーが同じファイルを解析のために送信してきたという事実です。

このプログラムの基本的な動作は、職業適性アンケートに回答させたうえで、次のいずれかの URL にユーザーをリダイレクトするというものです。

hxxp://groupinc-upland.biz/registration/1
hxxp://artby-group.biz/registration/1
hxxp://artby-gorup.net/registration/1
hxxp://callisto-ltdco.net/registration/1
hxxp://kresko-group.biz/registration/1
hxxp://kresko-group.net/registration/1
hxxp://targetmarket-groupllc.net /registration/1
hxxp://neoline-llc.net/registration/1
hxxp://neoline-groupco.cc/registration/1

適性テストのダウンロードと回答を行わずに、これらのページをただ閲覧することはできません。

このプログラムは、登録ページにアクセスするための一意の URL を生成します。

このプログラムで気になる点は、入力を求められる情報の仔細さです。

100 ドルの特典と引き換えに、オンラインバンキングの口座情報として URL、ログイン名、パスワードまで要求されます。

最後のステップでは、入力したアドレスに電子メールが送信され、契約に合意したうえで身分証明か公共料金請求書のスキャンコピーをアップロードするように求められます。

契約書には、この仕事の目的が次のように記載されています。

「The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to effect payments to the Company’s partners by Western Union or MoneyGram money transfer system within one (1) day(契約者は、当社の顧客からの支払いを個人の銀行口座で受け取り、現金を引き出したうえで、Western Union または MoneyGram の送金システムを利用して 1 日以内に当社のパートナーへの支払いを実効させる責任を負うものとする)」

また報酬についても触れられています。

「The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to 2300 USD per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD.(契約者は、30 日間の試用期間を条件として当社と契約する。試用期間中、当社は 1 カ月当たり 2,300 米ドルの基本給と、支払い処理操作 1 件ごとに 8% の手数料を契約者に対して支払うものとする。試用期間の終了後には、3,000 米ドルを上限として基本給の見直しと昇給を行うことに当社は合意する。)」

そして、オンラインバンキングの口座情報を入力すると特典の 100 ドルが手に入るということを思い出してください。

いわゆるマネーミュールは、取引の分け前を手に入れ、残りの現金を第三者の口座に送金します。このような行為は不正であり、これまでにも多くの例で、法的に責任を問われる結果になっています。

http://www.theregister.co.uk/2010/09/30/zeus_money_mules_charged/

http://www.wired.com/beyond_the_beyond/2010/10/the-zeus-money-mules-the-federal-complaints/

この詐欺行為が行われている間、重要な情報はすべて HTTPS ではなく HTTP で送信されているので、銀行口座情報は平文で送信されている点にも注意が必要です。

一般的に、ユーザー自身が意図して取引を開始した場合を除いて、個人情報(パスワードや銀行口座などの情報)は誰とも、またどんなサイトでも共有すべきではありません。個人情報の入力が必要なページにアクセスする場合でも、URL に HTTPS が含まれているかどうかを調べて、サイトが暗号化を利用していることを確認してください。また、ブラウザに鍵マークが表示されていれば、SSL が使われていることがわかります。

シマンテックでは、このアンケートアプリケーションを Fakesurvey として検出します。

http://jp.norton.com/security_response/writeup.jsp?docid=2011-032307-1016-99&tabid=2

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Mail & Web Security – 2011 Projects

      No Comments on Mail & Web Security – 2011 Projects

I can’t believe we’re already one month in to the new year!  It has been a busy January for the Mail & Web Security business at Symantec, as we plan for a full slate of product releases in the coming months.  We have releases planned for all three of our Brightmail products, our web gateway solution, and our groupware products planned in 2011. We also have follow-on releases planned for our exciting new Next Generation Network Protection platform for service providers.

The threat landscape continues to evolve in dynamic and unexpected ways.  We saw a remarkable drop in spam levels right after Christmas when some major botnets stopped sending out spam for a few weeks.  The botnets did not go away, however, and we’ve seen spam bounce back in recent weeks.  Check out www.symantec.com/brightmail/iqservices to see a clear illustration of this drop and recover, as well as a number of recent blog postings on threats.  Don’t forget our monthly State of Spam & Phishing Report, which is posted to www.symantec.com/spam. And don’t forget our more general blog on the threat landscape from the Symantec Security Response team, posted here on Connect at https://www-secure.symantec.com/connect/symantec-blogs/sr.

Stay tuned for some exciting announcements about our portfolio in the coming months.  If there any questions you would like us to tackle on this blog, please drop us a note in the comments below – we look forward to continuing the dialogue!

On behalf of the entire mail and web security product team at Symantec, I wanted to wish you all a very Happy New Year – we may be a bit late for the traditional New Year holiday, but we are just in time for the Chinese New Year – gong hay fat choy!