Happened to pass here after a lot of time and thought “why not?!?”
Is there still room for a personal blog like this one in 2020?
Would I have the time to write anything in here at all?
Perhaps I’ll give it another try…
Oggi vedo arrivare messaggi contenenti presunte fatture di Aruba.it:
From: comunicazioni@staff.aruba.it
Subject: Invio copia bollettinoGentile cliente,
come da lei richiesto in allegato potrà trovare copia del bollettino postale con cui effettuare il pagamento.
Saluti
______________________________Aruba S.p.A.
Servizio Clienti – Aruba.it
Call center: 0575/0505
Fax: 0575/862000
_______________________________
In allegato, un file con nome del tipo 123456789_1234567890.pdf.zip
Guardando l’allegato un po’ più da vicino:
skull@mithrandir:~$ unzip 12345678_1234567890.pdf.zip
Archive: 12345678_1234567890.pdf.zip
inflating: 87654321_0987654321.pdf.pifskull@mithrandir:~$ file 87654321_0987654321.pdf.pif
87654321_0987654321.pdf.pif: MS-DOS executable
Ovviamente, una occhiata agli header conferma che la mail non viene affatto da Aruba:
Return-Path: <xxxxx@hotel.de> Received: from [80.86.156.104] (unknown [80.86.156.104]) by mta1.spin.it (Postfix) with ESMTP id xxxxx for <xxxxx>; Mon, 21 Jul 2014 13:xx:xx +0200 (CEST) Received: from [59.22.31.20] (helo=xxxxx.xxxxx.net) by with esmtpa (Exim 4.69) (envelope-from ) id xxxxx for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100 Received: from [109.26.59.81] (helo=xxxxx.xxxxx.su) by with esmtpa (Exim 4.69) (envelope-from ) id xxxxx for xxxxx; Mon, 21 Jul 2014 12:xx:xx +0100 Date: Mon, 21 Jul 2014 12:xx:xx +0100 From: comunicazioni@staff.aruba.it To: <xxxxx> Subject: Invio copia bollettino
Al momento della ricezione, la lista degli AV che lo riconoscono per quel che è è desolantemente scarna, come di consueto:
All’occhio…
Posted in Spam & dintorni | Leave a Comment »
Months ago I wrote a serie of articles (Italian only) about why relying on an AntiVirus only is far from being an effective approach to network safety nowadays. Today, I stumbled upon this piece, where Brian Dye, Symantec’s senior Vice President for Information Security apparently says «AntiVirus is dead».
To quote Mark Twain, I think the report of AV death is an exaggeration: nobody should -in my opinion- turn their AV off because it’s not effective anymore. It is certainly true, however, that this approach cannot be the only one in place if you plan to combat malware on your network effectively.
In the fourth part of the series above I already suggested using lists of Command & Control IPs to create nullrouting or firewall entries to inhibit network traffic trying to reach “bad resources”. I also said how one of these lists is available from Spamhaus (as that’s the one I’ve been using) and how they provide this list in the form of a BGP feed you can configure directly in your border router(s).
Whatever the list you chose and however you’re feeding it to your router, you’re going to face a problem: how to monitor what is being nullrouted and what the supposedly infected system is trying to do?
Here is what I did and how you can use a normal linux system to dump and log the blocked traffic and hijack the HTTP sessions (that are by far the most interesting ones) to obtain more intel about the infections.
Posted in Spam & dintorni | Tagged BGPf, botnet, Spamhaus | Leave a Comment »
I spent a good part of the last few days trying to debug a very weird problem involving postfix and opendkim, so I thought it was a good idea to write the entire experience down for anybody who might be encountering the same (or a similar) problem. This was probably the weirdest misbehaviour I managed to trigger without involving any real bug…
On a system I control, I installed opendkim for signing only and configured postfix to interact with it: installation was smooth as usual and everything was deployed in an hour or two. The emails sent by the system are partly anonymized and some headers are therefore stripped before the mail goes out. For this reason, DKIM was configured to sign only some of the headers (and not all of them) or the signatures would fail to validate for remote users.
I sent a few test emails to Gmail and everything seemed to be fine: mail signed, signature header as expected, Google verifying the signature correctly and so on. So I told other users of the same server that the feature was enabled and to poke me in case something was wrong. Immediately one user wrote back saying he wasn’t seeing any signature at all in the emails he was sending.
I checked the logs for his email and found this:
Mar 24 12:22:56 myserver opendkim[32082]: 0CA2F2F1: can’t determine message sender; accepting
The presence of a “From” or “Sender” header within the email is mandatory for DKIM, otherwise the mail can’t be signed; this message was saying that the mail had none and was therefore refusing to sign it.
Easy.
Posted in Spam & dintorni | Tagged dkim, opendkim, postfix | 4 Comments »
Skull's blog 