Using strong passwords

Over the past few months we’ve seen an enormous jump in the number of password-guessing attacks on our mail servers.  The attackers are spammers who are trying to get access to legitimate accounts so they can send spam.

We have software in place that identifies and blocks these attacks, but if a password is too easy to guess the attacker can guess it before the ‘this is an attack’ threshold is reached. When this happens, the victim gets a flood of bounce messages for email they never sent, and when we detect the hijacking we have to lock the account and coordinate with the victim to set a new password, an inconvenience for everybody.

There’s a somewhat geeky but appropriate cartoon that describes a technique for generating passwords that are hard to guess but easy for you to remember at http://xkcd.com/936/.
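As an added illustration (not part of the original notice), here is a small Python script that builds a passphrase the way the cartoon suggests, from words chosen at random with a cryptographic generator, and estimates how long an attacker would need to try every combination. The 16-word list and the 1,000 guesses per second rate are assumptions for the demonstration; a real wordlist has thousands of entries.

```python
import math
import secrets

# Constructed wordlist for demonstration only. A real list (for example one
# with 2048 or 7776 words) gives about 11 or 12.9 bits per word; this tiny
# list gives only 4 bits per word and is far too small for real passphrases.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orange", "harbor",
                "silent", "meadow", "copper", "lantern", "velvet", "thunder",
                "marble", "pepper", "canyon", "willow"]


def passphrase(wordlist, n_words=4, sep=" "):
    """Join n_words picked uniformly at random from wordlist.

    secrets.choice uses the OS CSPRNG, so the result is not predictable the
    way random.choice (seeded from the clock) would be.
    """
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy in bits of choosing n_words independently from list_size words."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every passphrase at the given guess rate."""
    return (2 ** bits) / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker rate: 1000 guesses/second against a remote service.
    rate = 1000
    for words in (2048, 7776):
        bits = entropy_bits(words, 4)
        years = seconds_to_exhaust(bits, rate) / (365.25 * 86400)
        print(f"4 words from {words}: {bits:.1f} bits, ~{years:,.0f} years at {rate}/s")
    print("sample passphrase (toy list):", passphrase(SAMPLE_WORDS))
```

Four words from a 2048-word list give about 44 bits, which at 1,000 guesses per second takes several hundred years to exhaust, while a short word with a digit and symbol substituted is covered by a few days of guessing.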

If your account is on mail.his.com or one of our other Zimbra servers, you can change your password by logging on to webmail and clicking the ‘Preferences’ tab.

Bogus “Delivery Status Notification”

There is a trojan making the rounds that masquerades as a Delivery Status Notification. It contains the line:

Note: Forwarded message is attached.

The attachment is an HTML file that carries various JavaScript browser exploits/trojans.

Postini is aware of the situation, and Postini Spam Engineering continues to monitor for new variants and will release additional filters as necessary.

If you get one of these messages, do not click on this attachment, or it will infect your computer.

If you did click on one of those, do the following:

  • update your virus definitions
  • run a complete computer scan and make sure all trojans that may have been downloaded are removed or quarantined
  • change your password(s), using strong and secure ones. Email us at support@his.com if you need a password reset.

Bogus emails from his.com

Some HIS customers reported getting emails pretending to be from his.com and containing a bogus alert message.

From: “his.com support” <admin@his.com>
Subject: his.com account notification
or
Subject: Returned mail: see transcript for details
From: domains@megginson.com

We are blocking them in our spam filters. However, if you received one of these, do not click on any link or attachment, or your computer will get infected.

———————————

Here is the text of the bogus messages we’ve seen lately:

From: “his.com support” <admin@his.com>

Subject: his.com account notification
Dear Customer,
This e-mail was send to notify you that we have temporanly prevented access to your account.
We have reasons to beleive that your account may have been accessed by someone else.
Please run attached file and Follow instructions

———————————

Subject: Returned mail: see transcript for details
From: domains@megginson.com

Dear user of his.com,

Your e-mail account was used to send a large amount of unsolicited commercial e-mail during the last week.
Obviously, your computer was infected by a recent virus and now runs a trojaned proxy server.

Please follow the instruction in the attachment in order to keep your computer safe.

Have a nice day,
The his.com support team.

———————————

Verizon blocking port 25

We’ve received a number of reports from Verizon DSL customers that they’ve suddenly lost the ability to send mail. Verizon started blocking port 25 (the SMTP port, used to send email) for DSL and FIOS customers in some areas in 2009, and evidently they’ve now made this system-wide. There’s a Verizon writeup at:

http://www22.verizon.com/ResidentialHelp/HighSpeed/General+Support/Top+Questions/QuestionsOne/124274.htm

The solution is to change the settings in your email software to use port 587 instead of port 25 for SMTP. If you continue to have problems and can’t send mail, open a support ticket at http://info.his.com/support/support.his.com.html or, if you’re using a Verizon DSL or FIOS connection, call Verizon.

Verizon is doing this to help stop the flood of spam coming from virus-infected customer PCs.  A number of other residential internet providers (Cox, Roadrunner, Comcast, BellSouth, Earthlink, NetZero) are doing this as well.

Facebook Phishing Email

We’ve started seeing email that looks like this:

Image of Facebook Phishing Email

(This is just a screengrab image – the links above aren’t live).

The message looks real enough (which is the idea) but it did not come from Facebook. The link actually goes to servers in 15 locations in Korea, Japan, Brazil, Hungary, Poland and the Ukraine, where you’ll be asked to enter your Facebook login info and, while you’re at it, you’ll be exposed to a variety of malware designed to harvest passwords and make your computer part of a botnet.

Postini should be catching these, so you may not see one unless you’ve added ‘facebookmail.com’ to your approved senders list, in which case the messages will come through unfiltered.