Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Focus Your IT Resources
http://www.ibm.com/e-business/playtowin/n326

VeriSign – The Value of Trust
http://www.verisign.com/cgi-bin/go.cgi?a=n26110107130057000
(below IN FOCUS)


SPONSOR: FOCUS YOUR IT RESOURCES

Learn how better infrastructure management practices can speed the integration of e-business enterprises, while providing assurance of continuous availability, flexibility and scalability. Get the IBM white paper, "Infrastructure Resource Management: A Holistic Approach," at http://www.ibm.com/e-business/playtowin/n326


November 6, 2002—In this issue:

1. IN FOCUS

  • Antispam Honeypots Give Spammers Headaches

2. ANNOUNCEMENTS

  • Attend Our Free Tips & Tricks Web Summit
  • The Storage Solutions You've Been Searching for!

3. SECURITY ROUNDUP

  • News: Wi-Fi Alliance Announces WEP Replacement
  • News: Win2K Passes Security Test

4. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Stop Windows from Caching a .dll File After I Close the Program That Was Accessing It?

5. NEW AND IMPROVED

  • Email and File Encryption Program for Windows
  • Provide Secure Transmission over the Internet
  • Submit Top Product Ideas

6. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: How Can I Remove or Disable the View Menu Item?
  • HowTo Mailing List
  • Featured Thread: Server Losing Permissions in Domain

7. CONTACT US

See this section for a list of ways to contact us.


1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

  • ANTISPAM HONEYPOTS GIVE SPAMMERS HEADACHES

  • Filtering spam is a good idea, but keeping filtering rules up-to-date without eliminating legitimate email traffic takes skill and effort. In addition to using mail filter software, you can fight spam in other ways, such as by using an antispam honeypot.

    As you know, honeypots are traps or decoys that deliberately lure intruders to help prevent unwanted activity against network sources. Honeypots also gather forensic evidence, thereby helping us better understand intruder methodologies. Other Windows & .NET Magazine authors and I have written about various types of honeypots in use today. You can find links to honeypot-related articles at the URLs below:
    http://www.secadministrator.com/articles/index.cfm?articleid=26114
    http://www.secadministrator.com/articles/index.cfm?articleid=25679
    http://www.secadministrator.com/articles/index.cfm?articleid=22911
    http://search.winnetmag.com/query.html?col=secadmin&qt=honeypot

    Last week, Security UPDATE reader Brad Spencer brought antispam honeypots to my attention. Antispam honeypots are services that pose as legitimate mail servers to thwart spammers. Spencer, who runs an antispam honeypot (see the first URL below), described to me what antispam honeypots do, how they operate, and where you can get one or find out how to build one. According to Spencer, the real heroes of this technology are Michael Tokarev, who operated an antispam honeypot in Russia (see the second URL below) and Jack Cleaver, whose program you'll read more about in a moment.
    http://fightrelayspam.homestead.com
    http://www.corpit.ru/cgi-bin/h0n5yp0t

    An antispam honeypot operation first detects potential spammers, then thwarts their efforts to send spam through the mail server. Spammers often use mail systems that allow open mail relaying to deliver spam. An open relay lets anyone use the mail server to deliver email messages to anyone else, which is a spammer's dream. In the past, people offered open relays as a courtesy to Internet users to help facilitate easy email delivery. Now, operating an open relay will eventually land your mail server on a blacklist that might prevent legitimate email from arriving at your system. For more information about blacklists, visit the Mail Abuse Prevention System (MAPS) Web site at the URL below.
    http://west1.mail-abuse.org

    Typically, spammers test a mail server for open relaying by simply sending themselves an email message. If the spammer receives the email message, the mail server obviously allows open relaying. Honeypot operators, however, can use the relay test to thwart spammers. The honeypot catches the relay test email message, returns the test email message, and subsequently blocks all other email messages from that spammer. Spammers continue to use the antispam honeypot for spamming, but the spam is never delivered. Meanwhile, the honeypot operator can notify spammers' ISPs and have their Internet accounts canceled. If honeypot operators detect spammers who use open-proxy servers, they can also notify the proxy server operator to lock down the server to prevent further misuse.

    If enough users take time to operate antispam honeypots and contact ISPs and open-proxy server operators, they'll systematically make spamming more difficult. Spencer believes that eventually spammers will find it so hard to distinguish honeypots from actual open relays that at least some of them might quit such activities altogether.

    Two tools that can help you set up and run an antispam honeypot are a Windows-based version of Sendmail (see the first URL below) specifically configured as a honeypot and Cleaver's Jackpot Mailswerver program (see the second URL below). Jackpot is written in Java and runs on any system that supports the Java platform.
    http://www.sendmail.com
    http://jackpot.uk.net

    Spencer uses a UNIX-based version of Sendmail to operate his antispam honeypot. (I haven't used the Windows version recently but assume that it's still a direct port that works well.) Spencer details his configuration methods for using Sendmail on his related Web page. Spencer also describes what happens when you operate Sendmail as he does and what to do when Sendmail traps a potential spammer's message.

    Jackpot is an SMTP mail server that prevents spam delivery and saves mail traffic information for evidence and research. Jackpot also creates Web-based reports that simplify analysis and tracking. Cleaver writes, "Jackpot saves full details of all spam mail submitted to it as a collection of web-pages. The information is organized into lists, with messages sent from a given host grouped on a page. Jackpot tries to gather some information about the host that sent the spam ... \[it also checks to see\] if the source \[of potential spam\] is a known open-proxy or a \[known spam operation and uses sources such as\] abuse.net to see whether there's a registered \[mail\] abuse address for the host."

    Spencer mentions two additional resources that can help thwart spam: SpamNet and Distributed Checksum Clearinghouse (DCC). According to its Web site, Vipul's Razor, commonly know as SpamNet (see the first URL below), "establishes a distributed and constantly updating catalogue of spam in propagation. Clients use this catalogue to filter out known spam." According to the DCC Web page (see the second URL below), DCC resembles SpamNet in that it's "a system of many clients and more than 90 servers that collects and counts checksums related to several million mail messages per day, \[mostly\] as seen by Internet Service Providers." SMTP servers and mail user agents can use the counts to "detect and reject or filter spam or unsolicited bulk mail."
    http://razor.sourceforge.net/
    http://www.rhyolite.com/antispam/dcc/

    To help prevent spam, explore the resources I've mentioned in this article and consider using them on your networks. Thanks to Brad Spencer for his help in bringing this information to Security UPDATE readers.


    SPONSOR: VERISIGN – THE VALUE OF TRUST

    FREE E-COMMERCE SECURITY GUIDE
    Is your e-business built on a strong, secure foundation? Find out with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." Learn how to authenticate your site to customers, secure your web servers with 128-Bit SSL encryption, and accept secure payments online. Click here:
    http://www.verisign.com/cgi-bin/go.cgi?a=n26110107130057000


    2. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • ATTEND OUR FREE TIPS & TRICKS WEB SUMMIT

  • Join us on December 19th for our Tips & Tricks Web Summit featuring three eye-opening events: Disaster Recovery Tips & Tricks, Intrusion Detection: Win2K Security Log Secrets, and Merging Exchange Systems: Tips for Managing 5 Key Challenges. There is no charge for this event, but space is limited so register today!
    http://www.winnetmag.com/seminars/tipstricks

  • THE STORAGE SOLUTIONS YOU'VE BEEN SEARCHING FOR!

  • Our popular IT Buyers' Directories (ITBDs) are online catalogs of the hottest vendor solutions around. Our latest ITBD highlights the solutions and services that will help you effectively manage your enterprises' storage. Download your copy today!
    http://www.itbuynet.com/pdf/1102-itbd-storage.pdf

    3. SECURITY ROUNDUP

  • NEWS: Wi-Fi Alliance Announces WEP Replacement

  • The Wireless Ethernet Compatibility Alliance (WECA), which certifies IEEE 802.11 wireless networking products with the Wi-Fi (the 802.11b wireless standard) marketing label, announced that it has ratified a new standard for wireless security. Dubbed Wi-Fi Protected Access (WPA), the technology will replace the compromised Wired Equivalent Privacy (WEP) security technology found in most existing Wi-Fi products today.
    http://www.secadministrator.com/articles/index.cfm?articleid=27160

  • NEWS: Win2K Passes Security Test

  • Microsoft announced that Windows 2000 has received the highest level of security certification of any commercial OS. The International Organization for Standardization (ISO) awarded Win2K with the Common Criteria (CC) certification.
    http://www.secadministrator.com/articles/index.cfm?articleid=27149

    4. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I stop Windows from caching a .dll file after I close the program that was accessing it?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. Windows caches .dll files to speed disk I/O. However, even after you close the calling program, the .dll file remains cached. To stop Windows from caching .dll files after you've closed the calling program, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer registry subkey.
    3. From the Edit menu, select New, DWORD Value.
    4. Enter the name AlwaysUnloadDLL, then press Enter.
    5. Double-click the new value, set it to 1, then click OK.
    6. Close the registry editor, then reboot the machine for the change to take effect.

    5. NEW AND IMPROVED
    (contributed by Judy Drennen, products@winnetmag.com)

  • EMAIL AND FILE-ENCRYPTION PROGRAM FOR WINDOWS

  • TAN$TAAFL Software released Top Secret Crypto Gold 2.00, an email and file-encryption program for Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. Use Top Secret Crypto Gold to protect your sensitive personal, company, and corporate data as you transmit it across town, across the country, and around the world. Top Secret Crypto Gold will protect all of your email and files transmitted over the Internet. Top Secret Crypto Gold uses the RSA Public Key Encryption System with three powerful conventional encryption algorithms. Top Secret Crypto Gold costs $34.95 for a single-user license and $999.95 for an unlimited license. Contact TAN$TAAFL at mkp@topsecretcrypto.com or the Web site.
    http://www.topsecretcrypto.com

  • PROVIDE SECURE TRANSMISSION OVER THE INTERNET

  • ZyXEL Communications announced Prestige 652, an ADSL modem/router with robust firewall and VPN capabilities. The product requires no additional firewall devices on the network or VPN software on the workstations to act as an ADSL firewall. Because it integrates firewall and VPN capabilities, customers can expect to save money and increase network efficiency. The Prestige 652's IP Security (IPSec) VPN uses data encryption to provide transparent and secure transmission over the Internet and between two or more sites. Prestige 652 costs $499. Contact ZyXEL at 714-632-0882 or visit the Web site.
    http://www.zyxel.com

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

    6. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

    Featured Thread: How Can I Remove or Disable the View Menu Item?
    (Three messages in this thread)

    A user writes that he needs to remove the View, Explorer Bar, Folders option from a Windows XP system in a Windows 2000 domain. If he can't do that, he wants to remove the View option altogether. He says that he's looked through some policies and tried some registry changes, but he can't seem to remove the menu option. Read the responses or lend a hand:
    http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=48770

  • HOWTO MAILING LIST
    http://63.88.172.96/listserv/page_listserv.asp?a0=howto
  • Featured Thread: Server Losing Permissions in Domain
    (Three messages in this thread)

    A user writes that two servers on his network have suddenly lost permission to access the related domain. He says it's almost as if someone has removed them from the domain and added another server of the same name with a different SID, but that's not the case. He can address the problem by removing, deleting the servers from the SAM database, resynching the domain, then adding the servers back to the domain. However, although the issue is simple to fix, he wonders why it occurs. Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?A2=IND0210E&L=HOWTO&P=601

    7. CONTACT US
    Here's how to reach us with your comments and questions:

    • ABOUT IN FOCUS — mark@ntsecurity.net
    • ABOUT THE NEWSLETTER IN GENERAL — vpatterson@winnetmag.com
      (please mention the newsletter name in the subject line)
    • TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
    • PRODUCT NEWS — products@winnetmag.com
    • QUESTIONS ABOUT YOUR Windows & .NET Magazine Security UPDATE SUBSCRIPTION?
      Customer Support — securityupdate@winnetmag.com

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email