Devilish Spam

Is there no end to the fees we are getting charged daily? Banks, airlines and now spammers are getting in on the act.

Check the spam image below and you can see there is a $250 “devilry fee” being charged.

This I think is totally ridiculous; usually the “devilry fee” is included by other spammers. Maybe they will offer a “Spam Prime” option in the future???

Anyways, I had a laugh and wanted to share this with you all.

-Robin Bains

NotPetya Ransomware Attack Update and Info Links

Hi Everyone,

The NotPetya malware is still making the rounds. We haven’t had any reports of infections from our customers to date, but don’t let your guard down.

BarricadeMX and DefenderMX Lite have been doing a great job of filtering out the malware. Keep your guard up: the malware could morph at any time (as it always does), so best to remind your users not to open any links or attachments.

Researchers are now saying that NotPetya was set loose not to make money but to cause destruction. Researchers are also warning that the NotPetya authors have no way to send you decryption keys, so check your backups twice!

https://www.helpnetsecurity.com/2017/06/29/notNotPetya-decrypt-fail/

I’m adding some links below as they dive much deeper into how NotPetya works and the current state it’s in.

Here is a great one by Malwarebytes with a detailed analysis of how NotPetya works:

https://blog.malwarebytes.com/cybercrime/2017/06/petya-esque-ransomware-is-spreading-across-the-world/

As always, check out here on our website for updates or subscribe to our Twitter, Facebook, Google+ and LinkedIn sites. Check the top of our site for direct links.

WannaCrypt 2.0 and Beyond

Hi Everyone,

We are happy to report that no FSL customers have reported back to us that they had or have been infected by the WannaCry virus. Credit goes to all the IT teams, network admins and everyone out there for protecting their end users and data and staying vigilant during this outbreak. But this is no time to relax: apparently the 2nd wave of WannaCrypt (without the kill-switch) is out and still infecting, and the cryptocurrency miner Adylkuzz is spreading.

There is enough information out there on this outbreak, so I won’t dive into the inner workings of WannaCrypt, but we want to put out a reminder that the next ransomware/worm/malware is already being masterminded and readied to deploy, so best to check and double-check your defenses.

Keep in mind that no single solution is the silver-bullet. Layers of security will give you more depth and protection but nothing will guarantee 100% protection.

Here is our Top 10 list of items you should check:

  1. Backup..Backup & Backup. You’re only as safe as your last good backup. You can do everything right and still get infected. At that point you’ll only have your backups to rely on, and that would be the worst time to find out your backups weren’t running, are corrupted or are unusable. Make sure your backups are protected so that ransomware or a virus can’t wipe them out.
  2. Is your operating system patched and on the latest version? Sometimes you can’t control when patches will be released (ahem..Microsoft), but do the best you can to make sure you’re up to date.
  3. End User Training – Make sure your users know how to respond properly to a suspicious email. Do they forward it to IT or delete it? Do they know not to click on any links? The human factor should be constantly addressed, as we tend to get lax and that’s when things go wrong.
  4. Desktop AV should be installed and updated. Most AV suites have anti-malware features. Enable them and let your users know what to do when an alert does pop up.
  5. Increase your email security – Have you implemented SPF? Is your configuration up to date, and can you make settings changes to enhance security? Email is one of the ways malware can enter, so make sure you’re covered properly.
  6. Enable HTTP scanning using HAVP or Squid.
  7. Disable Macros and ActiveX in the Microsoft Office Suite.
  8. Solutions like AppLocker and Microsoft EMET (free) can help secure the desktop even further.
  9. Use network segmentation to prevent ransomware from spreading. If users don’t need access to certain networks, consider removing access to prevent further infection.
  10. Implement an Intrusion Detection/Prevention System. Properly configured, such a solution can detect and alert you to possible threats.
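To make item 5 concrete, here is an added example (not FSL’s code) of what an SPF check actually does: it walks the sending domain’s `v=spf1` record and decides whether the connecting IP is authorised. The DNS table, domains and addresses are constructed for the demo (RFC 5737/3849 test ranges); a real check would resolve the TXT, A and MX records over DNS.

```python
"""Minimal SPF evaluator (RFC 7208 subset) run against constructed DNS data.

Added example, not FSL's code. The DNS table below is constructed for the
demo; a real check would resolve TXT, A and MX records over DNS. It handles
the mechanisms most policies use: ip4, ip6, a, mx, include and all.
"""
import ipaddress

# Constructed zone data for hypothetical domains, keyed by record type.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
        "soft.example": "v=spf1 a ~all",
        "open.example": "v=spf1 +all",
    },
    "A": {"soft.example": ["203.0.113.5"], "mx1.example.com": ["203.0.113.25"]},
    "MX": {"example.com": ["mx1.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_match(ip, names):
    """A and MX mechanisms: does any address of the named hosts equal the sender IP?"""
    return any(ipaddress.ip_address(a) == ip for n in names for a in DNS["A"].get(n, []))


def check_spf(domain, sender_ip, depth=0):
    """Return (result, matched_term); result is pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                                   # RFC 7208 caps DNS-querying terms at 10
        return "permerror", "too many include levels"
    record = DNS["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none", ""                            # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                                   # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = _hosts_match(ip, [arg or domain])
        elif mech == "mx":
            matched = _hosts_match(ip, DNS["MX"].get(arg or domain, []))
        elif mech == "include":
            sub, _ = check_spf(arg, sender_ip, depth + 1)
            if sub in ("none", "permerror"):         # a broken include is a permanent error
                return "permerror", term
            matched = sub == "pass"                  # include matches only on a pass
        else:
            return "permerror", term                 # redirect=, exists: etc. are not handled here
        if matched:
            return QUALIFIERS[qual], qual + term
    return "neutral", ""                             # nothing matched and no explicit all
```

A softfail (`~all`) is the setting most domains start with; it tells receivers to accept but suspect the mail, so a filter should add score on softfail and reject (or quarantine) only on a hard fail. Note also that the result is only as good as the record: `open.example` above passes everything, which is the configuration mistake to look for when reviewing your own domain.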

Here is a more comprehensive list put together by Helpnet Security.

We’ve implemented several methods for you to get alerts, updates and articles.

Make sure you are on our mailing list. If you haven’t received alerts or notices in the past, check with us and we’ll add you or use the link below to sign up right now. If there is someone else at your organization that would benefit from our alerts, forward this email to them and have them sign up.  Click here to sign up.

Connect with us via Social Media. We post on Facebook, Twitter, LinkedIn & Google+.

As always, contact us at support (@) fsl.com if you have any questions or concerns.

Thank you,

Fort Systems Ltd.

www.fsl.com

MS Office Zero Day – Another Exploit

There has been a new Zero-Day MS Office exploit in the wild.  All users are vulnerable, including fully patched Windows 10 computers.

The exploit does not even require macros to be enabled, making this much more serious than before. The vulnerability is in Object Linking and Embedding (OLE).

An RTF file contains an embedded OLE2link object which tells Word to contact a remote server and download an executable .HTA file, which in turn downloads additional payloads, restarts Word and shows a decoy document.
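As an added example (not FSL’s code, and not taken from any published analysis of this exploit), here is how a mail gateway can flag RTF attachments of the kind described above: in RTF an embedded object lives in a `{\object ...}` group and its bytes are hex-encoded under `\objdata`, so the scanner hex-decodes each `\objdata` blob and looks for the `OLE2Link` class name, then pulls out any UTF-16 link target it finds. The `\objupdate` heuristic (an object set to refresh when the document opens) and the sample document are assumptions constructed for the demo; the URL points at a TEST-NET address and is not a real payload.

```python
"""Flag RTF documents that embed an OLE2Link object (added example, not FSL's code)."""
import re

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# Runs of printable UTF-16LE characters; link monikers store their target this way.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_objdata(rtf):
    """Return the hex-decoded payload of every \\objdata control word in the file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]      # tolerate a dangling nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def embedded_urls(blob):
    """Pull http(s) targets out of UTF-16LE strings inside an object blob."""
    urls = []
    for m in UTF16_RUN_RE.finditer(blob):
        s = m.group(0).decode("utf-16-le")
        idx = s.lower().find("http")
        if idx >= 0:
            urls.append(s[idx:])
    return urls


def scan_rtf(rtf):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for i, blob in enumerate(extract_objdata(rtf)):
        if b"OLE2Link" in blob:                      # OLE1 header names the object class
            findings.append(f"objdata[{i}]: OLE2Link object")
            for url in embedded_urls(blob):
                findings.append(f"objdata[{i}]: link target {url}")
    if findings and b"\\objupdate" in rtf:
        # Heuristic (assumption): an auto-updating link fetches its target on open.
        findings.append("\\objupdate present: object refreshes when the document opens")
    return findings


# Constructed sample, not a real document: an OLE1 header naming the OLE2Link
# class, zero filler, then a UTF-16LE moniker pointing at a TEST-NET address.
SAMPLE_OBJDATA = (
    bytes.fromhex("010500000200000008000000") + b"OLE2Link" + b"\x00" * 8
    + b"\x00" * 16 + "http://203.0.113.7/doc.hta".encode("utf-16-le") + b"\x00\x00"
)
SAMPLE_RTF = (
    rb"{\rtf1{\object\objautlink\objupdate\objw100\objh100"
    rb"{\*\objclass Word.Document.8}{\*\objdata "
    + SAMPLE_OBJDATA.hex().encode("ascii")
    + rb"}}}"
)

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

Treat a hit as a reason to quarantine rather than as proof of malice: legitimate documents can carry linked objects too, but an RTF arriving by mail with an OLE2Link that points at an external URL is rare enough to hold for review. Real samples also pad the hex with line breaks and may nest the object inside other groups, which is why the regex tolerates whitespace inside the hex run.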

We are hoping a patch will be issued quickly to mitigate this attack-vector.

Here is some more information:

http://www.theregister.co.uk/2017/04/09/microsoft_word_ole_bug/

https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/

Please remind your users to be extra careful when opening or running attachments.

Fort Systems Ltd.

ClamAV Updates Error

March 3rd, 2017 3PM EST

An update has been issued by ClamAV which can corrupt the AV Database.

We have a work around that needs to be put in place as soon as possible to prevent mail delivery issues.

This affects all customers using BarricadeMX, BarricadeMX PLUS and DefenderMX Lite.

Cleanfeed Customers are NOT affected as those systems have already been patched.

If you are on Platinum support and we have access to your system, we have already applied the update for you.  If you are unsure, just contact us at support@fsl.com

BarricadeMX and BarricadeMX PLUS

Directions:

  • Log in as user root.
  • Enter the command “cd /var/clamav”
  • Then issue the command “vi local.ign”
  • Copy the following 3 lines EXACTLY into the editor and save the file, making sure no extra spaces or characters are added, as this will cause an error and clamd will not start properly.

Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5913589-1
Doc.Macro.GenericHeuristic-5931846-1

  • Enter the command “service clamd restart”. Clamd will restart without any errors.
  • Enter the command “service MailScanner reload”

DefenderMX Lite

Directions:

  • Log in as user root.
  • Issue the command “cd /var/lib/clamav”
  • Then issue the command “vi local.ign”
  • Copy the following 3 lines EXACTLY into the editor and save the file, making sure no extra spaces or characters are added, as this will cause an error and clamd will not start properly.

Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5913589-1
Doc.Macro.GenericHeuristic-5931846-1

  • Issue the command “service clamd@haraka restart”. Clamd will restart without any errors.
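For anyone scripting the change above across several servers, here is an added example (not FSL’s code) that writes `local.ign` the way the directions require: every entry is validated as a bare signature name, stray whitespace, CR line endings and a UTF-8 BOM are stripped, duplicates are dropped, and the file is replaced atomically so clamd never reads a half-written file. The directory is a parameter because the page gives /var/clamav for BarricadeMX and /var/lib/clamav for DefenderMX Lite; the name pattern is an assumption broad enough for names like those listed. Restart clamd afterwards exactly as the directions say.

```python
"""Merge signature names into ClamAV's local.ign safely (added example, not FSL's code)."""
import os
import re
import tempfile

# Assumed shape of a ClamAV signature name: printable, no whitespace.
SIG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]*$")

# The three entries from the directions above.
ENTRIES = [
    "Doc.Macro.GenericHeuristic-5901772-0",
    "Doc.Macro.GenericHeuristic-5913589-1",
    "Doc.Macro.GenericHeuristic-5931846-1",
]


def clean_entries(lines):
    """Strip BOM/CR/whitespace, drop blanks, comments and duplicates, reject bad names."""
    out = []
    for raw in lines:
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith("#"):
            continue
        if not SIG_NAME_RE.match(line):
            raise ValueError(f"invalid local.ign entry: {raw!r}")
        if line not in out:
            out.append(line)
    return out


def write_local_ign(path, new_entries):
    """Merge new_entries into the file at path; returns the final entry list."""
    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read().splitlines()
    final = clean_entries(existing + list(new_entries))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".local.ign.")
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as f:
        f.write("\n".join(final) + "\n")     # one LF per entry, nothing else
    os.chmod(tmp, 0o644)                     # mkstemp creates 0600; clamd must be able to read it
    os.replace(tmp, path)                    # atomic swap on the same filesystem
    return final


def demo():
    """Run the merge twice in a scratch directory; returns (entries, file bytes)."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "local.ign")
    write_local_ign(path, ENTRIES)
    # Second run: a duplicate with a trailing space must not produce a new line.
    final = write_local_ign(path, ["Doc.Macro.GenericHeuristic-5901772-0 "])
    with open(path, "rb") as f:
        data = f.read()
    return final, data


if __name__ == "__main__":
    # Example for BarricadeMX; use /var/lib/clamav/local.ign on DefenderMX Lite.
    print(write_local_ign("/var/clamav/local.ign", ENTRIES))
```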

If you are still experiencing any issues, please contact us immediately through your support channel.

Best regards,
Fort Antispam
www.fortantispam.com

Updates to DNS Real-Time Lists

January 26, 2017

Re: Updates to our Real-time DNS lists

Hi Everyone,

We constantly review the effectiveness of the real-time DNS lists that we use, and as part of that process we are very pleased to announce that we’re now offering the excellent Invaluement lists to everyone that already pays for DNS feeds from us, free until the end of 2017.

BarricadeMX PLUS Clients

You can add these lists by adding the following to your ‘DNS Blacklists or DNS BL’ settings in Setup -> BarricadeMX or in the BarricadeMX configuration:

invsip.ip.fslupdate.com
invsip24.ip.fslupdate.com

And add the following under ‘URI Blacklists or URI BL’:

invuri.uri.fslupdate.com

IMPORTANT: Remember to add a semicolon between entries.

The Invaluement lists work extremely well in our testing and complement the Spamhaus feeds we already offer.

Additionally – for those that also subscribe to the Spamhaus domain blacklists, you can now get the new Spamhaus ZRD list (Zero-reputation Domains) as a free addition. We helped Spamhaus test this new list and it’s very effective at stopping ‘fresh’ domains that are created and used immediately on the same day, and then discarded.

To use the Spamhaus ZRD, add the following under ‘Domain Blacklists or Domain BL’:

fci2ohsclqcp5w24r3jeg4wsma.zrd.dq.spamhaus.net

(due to the nature of this list, you have to query Spamhaus directly using their data feed query service instead of via our mirrors).
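For readers who want to see what the settings above actually cause the filter to do, here is an added example (not FSL’s or BarricadeMX’s code). It splits the semicolon-separated setting into zones, builds the DNSBL query name (reversed address labels under the zone; nibble-reversed for IPv6) and the URIBL query name (the domain under the zone), and interprets the answer. The resolver table and the listed addresses and domains are constructed so it runs offline; the zone names are the ones given in this post, and the return code 127.0.0.2 is a placeholder.

```python
"""Build and evaluate DNSBL / URIBL queries from a BarricadeMX-style setting
string (added example, not FSL's code). FAKE_DNS stands in for real lookups."""
import ipaddress


def parse_zone_list(setting):
    """Split the semicolon-separated value the UI expects into clean zone names."""
    return [z.strip().rstrip(".") for z in setting.split(";") if z.strip()]


def dnsbl_qname(ip, zone):
    """IP lists: reversed address labels + zone (IPv6 uses one nibble per label)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def uribl_qname(domain, zone):
    """Domain/URI lists: the domain itself, lowercased, under the zone."""
    return domain.lower().rstrip(".") + "." + zone


# Constructed answers (a real resolver returns NXDOMAIN for names not listed).
FAKE_DNS = {
    "1.113.0.203.invsip.ip.fslupdate.com": "127.0.0.2",
    "1.113.0.203.invsip24.ip.fslupdate.com": "127.0.0.2",
    "spam-sender.example.invuri.uri.fslupdate.com": "127.0.0.2",
}

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers in 127.255.255.0/24 signal an error (bad query, open resolver,
# over quota), not a listing; treating them as hits would block all mail.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def is_listed(answer):
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return a in LISTED_NET and a not in ERROR_NET


def check_ip(ip, setting, resolver=FAKE_DNS):
    """Query every configured IP list; returns {zone: listed?}."""
    return {z: is_listed(resolver.get(dnsbl_qname(ip, z))) for z in parse_zone_list(setting)}


def check_domain(domain, setting, resolver=FAKE_DNS):
    """Query every configured URI/domain list; returns {zone: listed?}."""
    return {z: is_listed(resolver.get(uribl_qname(domain, z))) for z in parse_zone_list(setting)}


if __name__ == "__main__":
    print(check_ip("203.0.113.1", "invsip.ip.fslupdate.com;invsip24.ip.fslupdate.com"))
    print(check_domain("Spam-Sender.example", "invuri.uri.fslupdate.com"))
```

The error-code check matters for the Spamhaus ZRD entry in particular: because that zone is queried directly against Spamhaus rather than via our mirrors, a misconfigured resolver or exhausted quota comes back as a 127.255.255.x answer, and a filter that does not distinguish it from a listing will start rejecting everything.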

Here are screenshots of a sample BarricadeMX PLUS configuration:

Platinum Support clients can optionally have us update their settings. Email support@fsl.com to start the process.

DefenderMX Clients

All DefenderMX clients with an RBL subscription will have these settings updated automatically. No manual update is required.

Cleanfeed Hosted Clients

No update from your end is required. These new lists are now active.

As always, if you have any questions or concerns, please email us at support@fsl.com.

Fort Systems Ltd.
www.fortantispam.com

FSL Support Access IP Changing

Between October 25 and November 4th we will be moving our Washington, DC office. One of the consequences of this move will be that we will be losing the dedicated IP address for dc1.fsl.com [74.93.209.150], the server that we use to login and support DefenderMX and BarricadeMX servers at your site.

Several months ago we sent out information on the server that will be replacing dc1.fsl.com and asked that you allow us to access your FSL server(s) from gw.fsl.com [69.63.143.54]. This server is located in a secure data center in Baltimore, MD.

To provide your systems with timely support before we move, we now ask that you allow non-root access for our support username, fsl, from gw.fsl.com [69.63.143.54] and our new backup login server, repo2.fslupdate.com [69.63.142.92], through any firewalls, routers and firewall software.

After November 3 2016, you can remove our access from dc1.fsl.com [74.93.209.150].

We would prefer to log in as user fsl using SSH keys and gain root access, when needed, by using sudo. If you are not familiar with sudo, please refer to this link.

We will be happy to set up the user and sudo for you if we have access to your DefenderMX and BarricadeMX servers; just send a request to support@fsl.com and include the contact information for the person(s) who will be coordinating the changes that need to be made to your systems.

For those of you who want to configure the systems yourselves, the necessary steps to give us secure access are:

Read More »

ClamAV Updates Required

September 9, 2016 9:00AM EDT

Dear Clients,

An update has been issued to prevent any ClamAV failures.  We urge you to update your systems as soon as possible to prevent any service disruptions.

All updates are in the repository and available now.

Only clients using BarricadeMX and BarricadeMX PLUS are affected. DefenderMX customers are not affected.

If you are on Platinum support and we have access to your system, we will apply the update for you.  If you are unsure, just contact us.

Directions:

Read More »

Block of JAVA / JAR File Types

We have noticed a new type of malware that is currently being quarantined as High Scoring Spam. To be more pro-active and block these types of files outright, we STRONGLY recommend you take the following actions.

DefenderMX Lite Users

Add the following extensions on the Configuration >> Attachments Page

1. Add *.jar to the Filename Rules:
2. Add *.jar to the Archive Filename Rules:

Click here to see a screenshot sample page.

For all Platinum Support customers, please email support@fsl.com and we can make arrangements to enable.

BarricadeMX PLUS Users

  1. Navigate to Setup >> MailScanner >> Attachments
  2. Add \.jar$ to Deny Filenames
  3. Add \.jar$ to Archives: Deny Filenames
  4. Add application\/java-archive to Deny File MIME Types
     ** NOTE: the entry contains both a backslash and a forward slash (\/); enter it exactly as shown **
  5. Add application\/java-archive to Archives: Deny File MIME Types
     ** NOTE: the entry contains both a backslash and a forward slash (\/); enter it exactly as shown **
  6. At the bottom of the screen click the “Update” button
  7. Click “Commit Changes”
  8. Click “Apply Changes”

  Click here to see a screenshot sample page.

For all Platinum Support customers, please email support@fsl.com and we can make arrangements to enable.

BarricadeMX Users

Contact support@fsl.com to schedule the installation of your update to DefenderMX Lite.

Cleanfeed Users

We have already enabled these changes on our servers. No action on your part is required.
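To show what the four attachment rules above do once applied, here is an added example (not FSL’s or MailScanner’s code) that runs the same four checks over a message: filename rules, archive filename rules, MIME-type rules and archive MIME-type rules. The test message is constructed and carries a direct .jar plus a .zip that wraps a .jar; the patterns are plain Python regexes, so the `\/` escaping the UI needs is not required here.

```python
"""Apply MailScanner-style attachment deny rules to a message
(added example, not FSL's or MailScanner's code)."""
import email
import io
import mimetypes
import re
import zipfile
from email.message import EmailMessage

# The four settings from the directions above, as regexes.
DENY_FILENAMES = [r"\.jar$"]
DENY_ARCHIVE_FILENAMES = [r"\.jar$"]
DENY_MIME_TYPES = [r"application/java-archive"]
DENY_ARCHIVE_MIME_TYPES = [r"application/java-archive"]


def _matches(value, patterns):
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def archive_members(data):
    """Yield (member_name, guessed_mime) for each file in a zip-based archive
    (.zip, .jar, .docx ...); anything that is not a zip yields nothing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith("/"):
                    continue
                yield name, mimetypes.guess_type(name)[0] or "application/octet-stream"
    except zipfile.BadZipFile:
        return


def scan_message(raw):
    """Return the list of (rule, name) hits; an empty list means the mail passes."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                                   # bodies and containers have no filename
        ctype = part.get_content_type()
        if _matches(name, DENY_FILENAMES):
            hits.append(("filename", name))
        if _matches(ctype, DENY_MIME_TYPES):
            hits.append(("mime", name))
        payload = part.get_payload(decode=True) or b""
        for member, mtype in archive_members(payload):  # one level deep, like the UI rules
            if _matches(member, DENY_ARCHIVE_FILENAMES):
                hits.append(("archive-filename", f"{name}:{member}"))
            if _matches(mtype, DENY_ARCHIVE_MIME_TYPES):
                hits.append(("archive-mime", f"{name}:{member}"))
    return hits


def build_sample():
    """Constructed message: text body, a direct .jar, and a .zip wrapping a .jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:            # a jar is just a zip with a manifest
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    jar = inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "see attached")
        zf.writestr("tool.jar", jar)
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please run the attached.")
    msg.add_attachment(jar, maintype="application", subtype="java-archive", filename="invoice.jar")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="update.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(hit)
```

Two things the run shows that the UI settings do not: a .jar renamed to .zip still trips the archive filename rule through its inner member, and the filename rule alone would miss a .jar that arrives inside a .zip, which is why the directions add the archive rules as well. The example only opens one level of archive; a zip inside a zip would need the member loop to recurse.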

Best regards,
FortAntispam