Stopped using URIBL_RHS_DOB as of today

Posted at 8:50:59 PM in Other (7)

Email traffic was having a hard time getting through today because the list above was blocking legitimate sites, such as me.com, icloud.com, microsoft.com and many, many others, claiming they were all Day Old Bread sites. Day Old Bread (DOB) is a list which is supposed to indicate which domains just became active. Supposedly, they scan registrars for domains that either moved IP addresses or just showed up on the domain list. This is because many spammers like to move their domains around so that services that block IP addresses will not block their new location. Phishing expeditions usually only live at one place for about a week and then are taken down.

Using this list is beneficial when it works, but like other blacklisting services, it will run into problems that cause a high rate of false positives (emails tagged as spam when they aren't). I will probably start using the list again, but for now, until it gets fixed (they claim they have fixed it, but many disagree), it is only causing problems with the emails.

Written by Leonard Rogers on Monday, October 6, 2014 | Comments (0)

dccifd and copfilter error

Posted at 9:10:09 PM in Other (7)

I have been a big fan of the copfilter addon for IPCOP for some time. I'm currently using copfilter Version 2.0.91beta4 in IPCOP v2.0.6. I've been told not to upgrade to the newest version of IPCOP as it will not work with copfilter. So I wait.

One of the recent issues has been a constant warning:

 warn: dcc: dccifd -> check skipped: dcc: failed to connect to a socket /var/log/copfilter/default/opt/dcc/dccifd: Connection refused

I could not find anything to iron out this issue under copfilter, so I went directly to the dcc commentary, since the implementation in copfilter connects dcc with spamassassin. The file at that location is not a regular file or a directory and is zero bytes. The permissions on the file are srw-rw-rw, owned by copfilter. That part is fine. After searching around from that directory's location, I found a test program in the bin directory called dccif-test, which also said that the socket was not open: connection refused. I finally found what I was looking for on this site, which took some careful reading: "That socket is created by starting dccifd as a daemon." Though it doesn't state how to do that, I decided to look for the executable file by that name, which I found under the directory libexec. I executed the file without parameters (I thought a parameter would be needed to run it as a daemon, but apparently not). I checked the process stack, ps aux | grep dcc, and found dccifd running. After that the test on the socket worked fine.

I was able to start spamd with the socket running. I don't know why dccifd stopped running. It had been out for weeks. I was seeing unwanted spam where there should be, but now I know to check whether dccifd is running at all and, if not, to start it. This resolved the dcc checks for me.
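The diagnostic above (socket file present with srw-rw-rw permissions, yet every connection refused) is the general signature of a UNIX-domain socket whose daemon has exited: the filesystem entry outlives the listener. The following added example, which is not copfilter's or dcc's own code, reproduces that state in a temporary directory so you can see what dccif-test was reporting and tell it apart from a missing socket or a regular file sitting at the socket's path. The socket path and the states are constructed for the demo; the real path on the page is the one under /var/log/copfilter.

```python
import errno
import os
import socket
import stat
import tempfile


def probe_unix_socket(path):
    """Classify a UNIX-domain socket path the way the dccif-test run above did.

    Returns one of:
      "missing"      - nothing at that path (the daemon never created it)
      "not-a-socket" - a regular file or directory sits where the socket should be
      "refused"      - socket file exists, but no process is listening on it
      "listening"    - a daemon accepted the connection
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(2.0)
    try:
        client.connect(path)
        return "listening"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        raise
    finally:
        client.close()


def demo():
    """Walk one path through each state (constructed temp dir, not the real copfilter path)."""
    workdir = tempfile.mkdtemp(prefix="dccifd-demo-")
    path = os.path.join(workdir, "dccifd")
    results = {}
    results["before"] = probe_unix_socket(path)          # nothing created yet
    with open(path, "w"):                                # wrong kind of object at the path
        pass
    results["regular_file"] = probe_unix_socket(path)
    os.unlink(path)
    daemon = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    daemon.bind(path)                                    # what "starting dccifd as a daemon" does
    daemon.listen(1)
    results["daemon_up"] = probe_unix_socket(path)
    daemon.close()                                       # daemon exits; the socket file stays behind
    results["daemon_down"] = probe_unix_socket(path)     # same file, same permissions, refused
    os.unlink(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:>13}: {verdict}")
```

The "daemon_down" case is the one the copfilter warning corresponds to: ls shows a socket with sane ownership and mode, so permissions are not the problem, and the only fix is to get the listener (dccifd) running again.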

Written by Leonard Rogers on Tuesday, March 25, 2014 | Comments (0)

What is a Brute Force password attack

Posted at 3:19:58 AM in Other (7)

I'm writing this because of the frequent occurrences I find in my work where users still create easy-to-guess passwords. The reason such a password works for so long is that no one cared to crack most of those accounts before, but we are seeing more and more email accounts hacked and the user's address list stolen. Anyone's email account is a valuable asset to these hackers because they can deliver targeted emails from a sender to the friends he keeps on his address list. There's no more guesswork, and the hackers are not simply scraping web sites for email addresses anymore. What's even more concerning is that most of those people on the address list will have created white lists to allow the sender's email to reach them.

So how do the hackers do it? Brute Force password attacks are simply computer programs or scripts that guess passwords, starting with the easiest to guess. The scripts are smart: they know if a system is designed to lock accounts after a certain number of failed attempts, but a lot of small domains often don't have counters like this working, so the Brute Force attack can continue for as long as they want. Frequently, they don't have to try for very long, because the passwords people use are easy to guess. Generally, the guessing starts with passwords like password, 1234, 12345 and password123; then they move to using passwords taken from the email address: for jerry@cox.net they will try passwords like jerry, jerry1, jerry2 and keep counting.

The other interesting thing is that people really like to have ONE password for everything. The problem is... once a hacker finds a password, that password goes in a database and they use it on other accounts before they start randomly guessing. But random guessing isn't as effective as sequentially running through every word in the dictionary, then obfuscating those words, then concatenating two common words together. For example: the owner of The Doughnut Shop has an account at cox.net. His address doesn't look like it's any part of his business, but his password is thedoughnut5678? That's not an actual account, but you get the idea.

I've seen these attacks on my servers, where they come from different IP addresses (computers on the internet) but attack the same account. It makes it difficult to block them based on the computer they are using. I've seen the different guesses where they try over and over again and then stop for a long while. I've even seen that they have tried to find email accounts by guessing in the same manner, hoping they will find a hole. And they do find the holes, obviously...

So, Brute Force doesn't mean anything other than constantly banging at the door until they manage to get it open, and as long as your accounts are connected to the internet, they can bang away for as long as they want, because it isn't a person doing it, it's an organization. They share information and write programs that do all the boring work, and then send little viruses that allow them to access other computers, which allow them to remain pretty much anonymous.

So, what do we do about it?

I use this site to create passwords that are random, long and completely unguessable, leaving the hackers to go completely random. And I use a little black book, something I never wanted to do, but I can't remember one of the passwords generated by this site, much less all the different ones. For those who are more techy, you might try looking into 2-Step Verification for those sites that allow it. See Google's implementation for example.
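Besides stronger passwords, the server side can notice the pattern described above: many failures against one account arriving from many different IP addresses, which per-IP blocking alone will not stop, plus a single source walking across several accounts looking for one that exists. The following added example (my own illustration, not the post's code or any mail server's feature) runs that detection over a few constructed failed-login log lines in an assumed "auth failed user=... ip=..." format; the addresses are documentation ranges and the usernames are made up.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The line format is an
# assumption for this example; adapt FAIL_RE to your own mail server's auth log.
SAMPLE_LOG = """\
2013-08-26T01:00:01 auth failed user=jerry@cox.net ip=203.0.113.5
2013-08-26T01:00:03 auth failed user=jerry@cox.net ip=198.51.100.17
2013-08-26T01:00:04 auth failed user=jerry@cox.net ip=192.0.2.44
2013-08-26T01:00:09 auth failed user=jerry@cox.net ip=203.0.113.5
2013-08-26T01:00:12 auth failed user=jerry@cox.net ip=198.51.100.200
2013-08-26T01:01:30 auth failed user=susan@cox.net ip=203.0.113.77
2013-08-26T01:01:31 auth failed user=susan@cox.net ip=203.0.113.77
2013-08-26T01:02:00 auth ok user=susan@cox.net ip=203.0.113.77
2013-08-26T01:05:00 auth failed user=nosuchuser@cox.net ip=192.0.2.44
"""

FAIL_RE = re.compile(r"auth failed user=(?P<user>\S+) ip=(?P<ip>\S+)")


def summarize_failures(lines):
    """Return {user: {"attempts": n, "ips": set of source IPs}} for failed logins only."""
    per_user = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = per_user[m.group("user")]
        entry["attempts"] += 1
        entry["ips"].add(m.group("ip"))
    return dict(per_user)


def flag_distributed_guessing(summary, min_attempts=4, min_ips=3):
    """Accounts hammered from many distinct sources: the case per-IP blocking misses.

    Thresholds are illustrative; tune them to your own traffic. The right response is
    per-account (lockout, step-up verification, notify the owner), not per-address.
    """
    return sorted(
        user for user, e in summary.items()
        if e["attempts"] >= min_attempts and len(e["ips"]) >= min_ips
    )


def flag_noisy_sources(summary, min_accounts=2):
    """Source IPs failing against several different accounts (account guessing)."""
    accounts_by_ip = defaultdict(set)
    for user, e in summary.items():
        for ip in e["ips"]:
            accounts_by_ip[ip].add(user)
    return sorted(ip for ip, users in accounts_by_ip.items() if len(users) >= min_accounts)


if __name__ == "__main__":
    s = summarize_failures(SAMPLE_LOG.splitlines())
    for user, e in s.items():
        print(f"{user}: {e['attempts']} failures from {len(e['ips'])} address(es)")
    print("distributed guessing against:", flag_distributed_guessing(s))
    print("sources probing several accounts:", flag_noisy_sources(s))
```

In the sample, susan's two failures from one address followed by a success look like an ordinary typo and are not flagged, while jerry's account is hit from four different addresses and one of those addresses is also probing for accounts that do not exist. Counting per account as well as per source is what turns the "different IPs, same account" pattern from invisible into actionable.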

Written by Leonard Rogers on Monday, August 26, 2013 | Comments (0)

Software Informer

Posted at 9:31:07 AM in Other (7)

A plague of Software Informer apps, which can be found on Software Informer's web site, seem to be appearing on PCs throughout my support realm. No one knows how these "odd" apps got installed on their PCs. (Note: Software Informer appears to be an adware site. Meaning, they offer to track user input about software. However, the site is loaded with ads, some of which lead the visitor to believe that some links may give them more info, but it is an ad which will generate revenue for the owners.)

The first app I found on a client's computer was mrvlusgtracking. This site indicates that it might be tied into yahoo chat somehow. My client didn't install it, so I'm removing it. But I also found two more applications, one of which my client did install.

Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/20080 1.1.1.0). According to my client it is a game she downloaded. I looked this one up and ended up on the Software Informer web site again. Not a good sign, given the other items that the user didn't install. (Actually, it's a great sign for the owners of that web site. They show up pretty high in the Google search for these odd programs. These kinds of free apps tend to install software that people didn't intend to have installed.)

And one my client didn't install:

Windows Driver Package - Digital Check Corporation (TSUSB2) USB (04/02/2010 1.10.0000).

Now the problem with this last one is that my client does have digital check deposit hardware and software installed from Bank of America. Not sure what the relation is, but it's coming off the PC.

Written by Leonard Rogers on Wednesday, June 15, 2011 | Comments (0)

Undoing a botched cut and paste operation Ctrl-C, Ctrl-V

Posted at 4:22:40 PM in Other (7)

Everyone probably already knows this, but I just discovered it. I frequently highlight my material and copy it into the Windows clipboard when I go to save my work. To do this, I press Ctrl-A to highlight everything, then Ctrl-C to copy. That way, if I lose the material when the save doesn't work, I can just paste it back in with Ctrl-V. If the program won't open again, I can paste my work into almost any other application and save it in that software.

Doing this over and over often means that there is something in the buffer already, and, as I sometimes do, I will press the wrong key. That will destroy the contents of the highlighted area, and since I didn't get a chance to copy it, it's lost. Gone forever. Or so I thought.

I have long known that Ctrl-Z is the shortcut in most programs that means Undo. However, if it's not on the menu, I assumed it wasn't available. Chrome doesn't even have a menu bar, which compounds the problem. Right-clicking usually opens a dropdown menu for options in the area where you right-clicked. It also didn't have the Undo option.

Well, I just lost my data a few minutes ago by accidentally pressing Ctrl-V after I had highlighted the area, and lost all my changes, and in their place put data from a previous cutting. That was frustrating, and I was ready to close the window when I decided to try Ctrl-Z anyway. And guess what???

It worked!

Written by Leonard Rogers on Thursday, February 24, 2011 | Comments (3)

slapbackguitar.com forums down :(

Posted at 2:04:51 PM in Other (7)

Getting an "Unable to load the 'ThemeStrings.english-utf8' language file." error message when I try to access the forums on slapbackguitar.com. This is the stable forums package being offered by the same guy that wrote bp blog. Not a secure feeling. I can't tell if it's a hack or an error in design.

Hope it's back up soon.

Written by Leonard Rogers on Thursday, February 10, 2011 | Comments (0)

Print Server Properties

Posted at 1:32:17 PM in Other (7)

In Microsoft Windows 7, the Print Server Properties option doesn't show up on the options bar until you've selected a printer. To access that option, you have to be in Devices and Printers, then highlight any printer and the additional options will appear.

Written by Leonard Rogers on Saturday, January 29, 2011 | Comments (0)