Security I want around my online banking experience…

UPDATE 3/7/12: So hitting the banks up on Twitter went nowhere, they didn’t even approve my comments. I have a good discussion going on in the “Internet Banking” group on LinkedIn if you want to join. Next step might be a reddit post or possibly emailing some of the bank CSOs directly. Wish me luck.

5/5/12 I reached out to BofA’s CISO Patrick Gorman and was ignored. Don’t see much point in banging my head against the wall anymore.

Online banking and bill pay are two of the conveniences of the information age. I have memories of watching my mom pay the monthly bills late at night: filling out checks, opening and addressing envelopes, putting on stamps, etc. She then of course had to manually balance her checkbook with a calculator. I cringe at the thought of having to spend several hours a month in such a manner; with online banking and bill pay it usually takes me 30 minutes to send out the money with little or no writing or mailing. As with many conveniences, however, it comes with a risk of potential abuse. Individuals certainly aren’t the only ones being victimized. Especially vulnerable are small to medium-sized businesses, which have relatively a lot of money compared to the average Joe Schmo like me, and unfortunately for them they are not covered by the FDIC or the bank’s policy. Here’s a Bloomberg article from August last year that goes into several examples of theft and how the banks don’t always reimburse those companies the way they reimburse you when your credit card is stolen.

So without further ado, here is what I humbly ask from my bank: 3 fairly quick wins that should be implemented as soon as possible. I’ll let you know if I hear anything back from them. I plan on hitting some of the bigger ones up on Twitter and LinkedIn to see if any of that social media mumbo jumbo works for me and my little blog.

Detecting emails spoofing your domain using Outlook Rules…

The concern over targeted emails from sophisticated attackers has only increased after the Aurora attacks, not to mention the latest Google vs. China row and RSA’s compromise. One technique attackers use to make their targeted email look more legitimate is to fake or spoof the email’s From address using the recipient’s own domain, so it is more likely to be opened. The constant message from security about the dangers of email means that opening a spoofed message can cause much alarm for the average user, which of course is usually only evident after the message has been opened. That is quickly followed by the usual questions: why am I getting this email? Joe said he didn’t send it. It says I sent it! It’s not in my sent items, am I infected? Spoofing email addresses has a long history of being allowed by the SMTP protocol, and many companies currently rely on that “feature” to deliver mail legitimately: think surveys, send-this-link-to-a-friend, web page forms, mailing lists, etc. So it’s not as simple as just blocking everything with an internal domain that comes from the Internet, because it’s not all bad. It’s also made more difficult by how SMTP works, where the MAIL FROM (aka SMTP from, RFC 2821, envelope from) is often what is evaluated at the mail gateway/server level, but the user will only see the FROM (aka RFC 2822, message from).
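As an added example (not code from the original post), here is a small Python check of the distinction just described, run at the gateway rather than in Outlook: it compares the RFC 2822 From domain against the envelope sender preserved in Return-Path and the host named in the newest Received header. The domain corp.example, the hostnames and both messages are constructed placeholders.

```python
import re
import email
from email import policy
from email.utils import parseaddr

INTERNAL = "corp.example"  # assumed internal domain (placeholder, not a real company)

# Constructed sample of the spoof described above: the RFC 2822 From claims the
# internal domain, but the RFC 2821 MAIL FROM (kept as Return-Path by the
# gateway) and the host that connected to the gateway are both external.
SPOOFED = """Return-Path: <bounce@bulkmailer.example.net>
Received: from mx1.bulkmailer.example.net ([192.0.2.10]) by gw.corp.example with ESMTP; Tue, 01 Mar 2011 09:00:00 -0500
From: "Joe Smith" <joe.smith@corp.example>
Subject: Please review the attached invoice

Jane, see attached.
"""

# Constructed legitimate internal message for comparison.
INTERNAL_MSG = """Return-Path: <joe.smith@corp.example>
Received: from mail.corp.example ([10.1.1.5]) by gw.corp.example with ESMTP; Tue, 01 Mar 2011 09:05:00 -0500
From: "Joe Smith" <joe.smith@corp.example>
Subject: Lunch?

Noon?
"""

def domain_of(addr):
    """Lower-cased domain part of an address header, '' when absent."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def is_internal_host(host, domain):
    return host == domain or host.endswith("." + domain)

def check_from_spoof(raw, domain=INTERNAL):
    """'suspect' is True when From claims our domain but the envelope sender or
    the connecting host is external, which is the case Outlook alone cannot see."""
    msg = email.message_from_string(raw, policy=policy.default)
    header_from = domain_of(msg["From"])
    envelope_from = domain_of(msg["Return-Path"])
    newest_hop = (msg.get_all("Received") or [""])[0]  # first Received = our gateway
    m = re.search(r"from\s+([^\s(\[]+)", newest_hop)
    host = m.group(1).lower() if m else ""
    claims_ours = header_from == domain
    trusted_path = envelope_from == domain and is_internal_host(host, domain)
    return {"header_from": header_from, "envelope_from": envelope_from,
            "connecting_host": host, "suspect": claims_ours and not trusted_path}
```

An Outlook rule only sees the RFC 2822 headers, so a comparison like this has to run on the gateway, which can then stamp a header for the Outlook rule to match.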

Update to filter IP ranges in SMTP headers…

I have an email address set up that customers can send false-negative SPAM to, should it get through the email gateways. One I received the other day shows just how much allowing country IP blocks to be searched would help anti-spam gateways clean up the relatively few false negatives they let through. I blogged about that below.

The below is a cleaned-up partial header of an email one of my coworkers received; it was a 419 SPAM with a Word attachment delivering the social engineering “payload.” It was sent from what I believe to be a Sun OS webmail server at a large, well-known east coast university (I have notified the whois abuse contact already). The IP from Nigeria (, is what directly connected to the webmail server with the account of a college user and sent the SPAM through an already trusted infrastructure. If the college or I were able to search for Nigerian IPs anywhere in the Received lines this would have been dropped or quarantined.

Received: from ([])  by with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i="4.42,291,1243828800"; d="scan'208";a="44717911"
Received: from (HELO ([])  by with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [] by (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <>
Message-ID: <>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Filter Country IPs in SMTP Received Headers…

My displeasure with the “send me money” scammers has been documented in previous entries, so I won’t bore you with that again, although I did want to talk about an idea I had to fight those losers. Basically I want to write SMTP gateway anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY Received header. I have a feature request in to our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.

My reasoning behind this is to fill in a gap that I see in the current anti-SPAM tactics, which are mainly sender IP reputation and content matching. 419 emails seem to be the best at making it through those traps because the “last hop” before your SMTP server is some bot host here in the US or, most commonly, they are sent directly from a free email service (Yahoo, Gmail, Hotmail, etc.), so sender reputation isn’t all that effective (neither is SPF, SenderID, or DKIM), and since they are very businesslike text, catching the spamminess with content matching is also hard. However, if I were able to look for trouble-country IP ranges in any of the SMTP Received lines, there’s a good chance I could catch many of these sent from or through foreign nations.

Some of the free webmail providers include this line to show the IP address of the computer that sent the message through the browser.

Received: from [] by via HTTP; Sun, 31 May 2009 17:00:44 PDT

Being able to filter on the CIDR ranges ( or in any Received line, not just the last one with sender reputation, would greatly increase the granularity for keyword lists. For example, you can write a 419 keyword policy but you will get MANY false positives if you apply it to all email, whereas I’d like to check it only if the email was sent from or through, for example, Nigeria, China, Romania, Russia, or Poland IP ranges. Pseudo policy below....

If (dictionary-contains ('SPAM_Keywords_BodyorAttachments')) AND
If (header-dictionary-received-contains ('NigerianIPs'))
    Quarantine ('419 from Nigeria');

I’ll update my blog if I’m able to apply this and how effective it is.
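Here is an added Python sketch (not the vendor policy or anything from the original posts) of the Received-line country filter asked for in this post and in the update above it: every IPv4 literal in any Received header is checked against a list given as CIDR or dashed ranges, combined with a keyword dictionary as in the pseudo policy. The ranges, hostnames and the message are constructed from documentation address space, not real Nigerian allocations.

```python
import re
import email
import ipaddress
from email import policy

# Hypothetical country list in both forms the post asks for, plus a small 419 keyword list.
COUNTRY_IPS = ["203.0.113.0/24", "198.51.100.10-198.51.100.20"]
SPAM_KEYWORDS = ["western union", "next of kin", "respond asap"]

# Constructed message modelled on the header above: the webmail hop records the
# browser's address in brackets, one hop behind the trusted university server.
SAMPLE = """Received: from webmail.univ.example ([192.0.2.25]) by gw.city.example with ESMTP; 25 Jun 2009 10:09:32 -0700
Received: from [198.51.100.15] by webmail.univ.example (mshttpd); Thu, 25 Jun 2009 18:09:34 +0100
Subject: Respond ASAP

Dear friend, please send the transfer fee via Western Union today.
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_ranges(specs):
    """Expand CIDR or dashed (a.b.c.d-w.x.y.z) specs into IPv4Network objects."""
    nets = []
    for spec in specs:
        if "-" in spec:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.IPv4Network(spec, strict=False))
    return nets

def received_ips(msg):
    """Every IPv4 literal in ANY Received header, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received") or []:
        for lit in IPV4.findall(hdr):
            try:
                ips.append(ipaddress.IPv4Address(lit))
            except ValueError:
                pass  # 999.1.1.1 fits the pattern but is not an address
    return ips

def evaluate(raw, ranges=COUNTRY_IPS, keywords=SPAM_KEYWORDS):
    """Pseudo policy above: keyword hit AND listed IP in any hop -> quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    nets = parse_ranges(ranges)
    hits = [str(ip) for ip in received_ips(msg) if any(ip in n for n in nets)]
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    kw = [k for k in keywords if k in text]
    return {"action": "quarantine" if hits and kw else "deliver",
            "matched_ips": hits, "keywords": kw}
```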

One Man’s SPAM is…

As the saying goes, is another man’s Ham, or something like that. So I’m migrating the city from product OLD to product NEW, and have been anticipating getting off OLD for some time. However, there’s been a hitch: it seems NEW has a different philosophy on marketing/newsletter/bulk type email. So when we made the final switch over for our test domain (250 users) we started getting complaints and samples of all this HTML type email coming in from Macy’s, eWeek, Hotwire, management seminars, foreclosure auctions, etc. In talking with reps for NEW, their company has always seen that as not officially SPAM. Which I understand; clearly some of the samples were legitimate opt-in emails, however there were more than a few in that grey area: emails that were at best opt-out but more likely the address being bought or used without permission. Now OLD does create many false positives (FPs), but it’s the situation our customers are used to (9 years running OLD), so no matter where the fault lies, it’s our job to continue providing that level of service to our customers. I’d also like to give them the ability to see their own marketing mail and release/delete it as they see fit (End User Quarantines). So if some guy in Iran tries to charge 2 tons of yellow cake from Nukes-R-Us on your credit card, you don’t miss the notification email because it had too much HTML in it.

NEW is coming out with a feature that will allow for the identification of those types of emails so they can be tagged as SPAM. Great, but it’s not available immediately, so I had to come up with a stop gap and wanted to share it here in case anyone googles how to stop HTML-laden emails at the gateway. I created a regex used in a filter that will trip after 5 HTML links to pictures and .asp files in an email; the filter will then add a header so that you can route the message wherever you want, including the bit bucket.

I invite anyone to leave a comment on how to improve the regex, as I’m no guru at writing them. I was thinking it might be more effective (i.e. less expensive) to have only the possible URL characters instead of the lazy .*; anyway, feel free to leave a comment (it’d be my first).


It is working pretty well, with very few FPs on HAM, but obviously not catching everything. I’ve quarantined 1211 emails in 24 hrs to the test domain of 250 users, while seeing < 5 FPs.

UPDATE 10-29-08: In addition to the above filter I also discovered it’s a good idea to look for the header List-UnSubscribe only when List-Subscribe doesn’t exist. This is because legitimate mailing lists (bugtraq, dshield) most often have both, whereas bulk/marketing emails probably only have the first one. So something like this....

If header ('List-UnSubscribe') AND if (NOT header('List-Subscribe'))
    { action }

UPDATE 11-7-08: Those marketers are still peddling their wares, so take this, Opt-out suckers:


That catches dynamic URLs x number or more of times. That can be a lot of FPs, but it kills the bulk email big time.
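As an added example, not the author’s regex or filter, here is a Python version of the bulk-mail checks from this post: a count of HTML links to pictures/.asp files (and separately of dynamic URLs) against a hypothetical threshold, and List-Unsubscribe present without List-Subscribe, with hits tagged by an assumed X-Bulk-Mail header for routing. Both sample messages are constructed.

```python
import re
import email
from email import policy
# Hypothetical threshold; the post's own regex and count are not reproduced here.
LINK_THRESHOLD = 5
URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^\s"'>]+)""", re.I)
MEDIA_RE = re.compile(r"\.(?:gif|jpe?g|png|asp)(?:\?|$)", re.I)

# Constructed marketing message: five image/.asp links, List-Unsubscribe only.
MARKETING = """From: deals@store.example
Subject: Big sale this weekend
List-Unsubscribe: <mailto:leave@store.example>
Content-Type: text/html; charset="us-ascii"

<a href="http://store.example/track.asp?u=123">Sale!</a>
<img src="http://img.store.example/hdr.gif">
<img src="http://img.store.example/shoe.jpg?v=2">
<a href="http://store.example/go.asp?u=123&p=7">Buy now</a>
<img src="http://img.store.example/foot.png">
"""

# Constructed mailing-list message: both List-* headers, no HTML links.
LISTMAIL = """From: bugtraq-admin@list.example
Subject: [BUGTRAQ] Advisory: example
List-Subscribe: <mailto:subscribe@list.example>
List-Unsubscribe: <mailto:unsubscribe@list.example>

Plain-text advisory body.
"""

def classify_bulk(raw, threshold=LINK_THRESHOLD):
    """Collect the reasons a message looks like bulk/marketing mail and, if any,
    add the routing header the post describes (header name assumed here)."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    urls = URL_RE.findall(html)
    media = [u for u in urls if MEDIA_RE.search(u)]   # pictures and .asp files
    dynamic = [u for u in urls if "?" in u]           # dynamic URLs (11-7-08 update)
    reasons = []
    if len(media) >= threshold:
        reasons.append("media_links=%d" % len(media))
    if len(dynamic) >= threshold:
        reasons.append("dynamic_links=%d" % len(dynamic))
    if "List-Unsubscribe" in msg and "List-Subscribe" not in msg:
        reasons.append("list-unsubscribe-only")   # 10-29-08 update
    if reasons:
        msg["X-Bulk-Mail"] = "; ".join(reasons)
    return {"bulk": bool(reasons), "reasons": reasons, "tagged": msg.get("X-Bulk-Mail")}
```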

Email Scammers…

You know it’s hard for me to talk about the 419, stock pump/dump, bank phishers and the rest without using excessive profanity, which isn’t quite appropriate for a blog. So recently a customer of mine forwarded an email through the SMTP gateways I manage that was caught in a custom word filter list. While I tried to determine if I should release the email, it became apparent the scam had already been effective to the tune of 900.00, and the Nigerian loser was trying to get an extra 300 out of the victim. The scam involves posting a house for rent on Craigslist after searching for real houses for rent or sale in the area, so if the mark drives by the address the pics match and there is a for rent or sale sign out front. The response to the initial inquiry about the house is usually about getting called away on business to Nigeria and needing first month’s rent and the security deposit sent through Western Union. I’ve been seeing more and more of these idiots trying whatever they can to steal money from others as if they are entitled to it; because they were born in a 3rd world country, anything they do to “the rich” in America is justified. I really can’t understand the upbringing these people must have had to be able to sleep at night ripping people off. Although I know it’s not true, it’s really hard not to generalize and see the entire country of Nigeria as a bunch of cheats, crooks, and liars when you are exposed to these emails on a daily basis.

Craigslist highlights that anyone asking for payment via Western Union is a scam (link). But unfortunately people are busy and trusting when it sounds like a good deal. All I ask is please be vigilant out there; the Internet is not only the happy, joyous place social networking sites want you to believe it is. It has a dark side, and like many forms of negativity it often comes with a “pretty face” and a good deal. Here’s an example reply from one of these morons (link).

PS. And in case you needed more convincing, here’s an article about a convicted SPAMMER who escaped from a minimum security prison recently and then proceeded to kill himself, his wife, and toddler. Just goes to show the cowards these individuals really are. (link)


The city is currently getting hit with a SPAM run mostly from overseas IPs. This isn’t exactly earth-shattering news, but I blog about it here because of an interesting phrase in the email, “[RBN Networks Antivirus]” (full SPAM here). I recommend you filter for that phrase if you administer an anti-SPAM gateway. The acronym RBN makes most infosec people think of the Russian Business Network, a loosely organized malware purveyor/ISP haven for bad people. They have been known to hawk a fake antivirus product, “XP Antivirus” (great blog & link here), which of course is not a product you want to use. The emails contain that phrase as well as a warning saying RBN Networks Antivirus has removed a virus and you should delete the email. This is interesting because most SPAM emails that I see don’t recommend you delete the email. I started thinking about the reasons they would do such a thing: could it be because once you get the email their task has already been completed (i.e. valid email address harvesting)? Could they be trying to legitimize the AV product for when they SPAM download links to the same people whose email addresses don’t return an SMTP error? There are also links in the word salad to what must be compromised webservers, because the domains seem to have valid sites on them; however, the sub-directory starts with a “.” and is full of random characters, so I’m guessing they (RBN) were able to put some kind of counter on the site to know when a user’s email client tries to resolve that URL, which would also go far to verify if the email address was human-monitored. This is only conjecture as I don’t really have time currently to investigate further. I’m going to submit it to the fine folks at and perhaps they will have some time to see what the latest RBN tactic is trying to do.

No Clicking for You…

Please don’t be that guy, you know, the one who posts fake credit card data to a phishing site because they believe it’s somehow “fighting back.” BAD IDEA folks. I’ve seen this error in common sense, if you will, because of IPS filters that use regexes to catch such SB1386-type data being sent over HTTP rather than HTTPS, a clear sign of either a company that doesn’t deserve your business or phishing. So here are the top 2 reasons why such a thing is bad for the information security weekend warrior.
1. Once you’ve clicked on the Phishing link in email they have won.
You just validated that your email address is monitored by a human; it’s now worth 10x as much to SPAM gangs. Who are they? Click here. Those SPAMmed HTML links often have code behind them that has been dynamically generated to contain the recipient of that particular SPAM embedded in them. So when you click the phisher’s link it’s like saying, SPAM ME please, I read and click on anything!
2. You will most likely get malware sent to you.
OK, so the goal of the people behind this organized crime is to get credentials (username and password); they don’t care how that is done, they don’t even care what credentials they get. It’s cheap to try them at every bank, ecommerce, and webmail site out there. You don’t reuse passwords, do you? So whether you fill out their fake form with all your personal information or they implant a Trojan on your machine and keylog that info a week from now, what’s the difference? As soon as the site comes up, expect to have many invisible iframes pointing your browser to all kinds of obfuscated scripts trying to exploit application vulnerabilities (not just OS stuff anymore, my friends) as well as trying to social engineer you into downloading a much-needed codec or the like.
So the moral of the story is that you’re only tempting fate should you try to clog the bad guys’ database with illegitimate info. In the end you may very well get owned faster than your grandma who just got a popup asking her to “CLICK RUN” to get a free virus scan on her Win98 machine. The real experts (one of whom I don’t claim to be) use completely sandboxed virtual machines with many safeguards for them and the Internet to do this kind of stuff. I suggest anyone who doesn’t reverse engineer malware on a weekly basis leave such things up to them. And luckily for the average e-citizen there are many very intelligent people who do just that. Suggested links below....
PS Don’t expect your shiny new <insert AV vendor> 2008 to protect you 100% either; AV is a necessity for the average user on Windows but isn’t an invincible shield against foolish bravery. (Do a search for Tom Liston, then click the links for “Follow the Bouncing Malware,” very well done albeit a few years old now.)