Wednesday, June 21, 2017

Ham v Spam: what's the difference?


This post was submitted by Barracuda Support Technician Frank Dreamer.

One of the most common calls I answer from Network Administrators is: “Why are we getting so much spam?” When I look at the examples they provide, many times I see that the email message is actually ham, not spam.

The following is a brief article to help you to identify the difference between Spam and Ham and what to do about them.

So, what is Spam?

Wikipedia describes Spam as “the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.”

The key word here is unsolicited. This means that you did not ask for messages from this source. So if you didn’t ask for the mail, it must be spam, right? That is true; however, quite often people don’t realize that they are signing up for mailings when they download free software, sign up for a new service, or even update existing software. The best way to deal with spam is to forward the message to the system administrator.

In 2003 the CAN-SPAM Act became law. This act defines the rules that advertisers and bulk mailers must follow. In order to legally send bulk mail and advertisements, they are required to adhere to the following guidelines:
  1. The header of the commercial email (indicating the sending source, destination and routing information) doesn't contain materially false or materially misleading information;
  2. The subject line doesn't contain deceptive information;
  3. The email provides "clear and conspicuous" identification that it is an advertisement or solicitation;
  4. The email includes some type of return email address, which can be used to indicate that the recipient no longer wishes to receive spam email from the sender (i.e. to "opt-out");
  5. The email contains "clear and conspicuous" notice of the opportunity to opt-out of receiving future emails from the sender;
  6. The email has not been sent within 10 days after the sender received notice that the recipient no longer wishes to receive email from the sender (i.e. has "opted-out");
  7. The email contains a valid, physical postal address for the sender. (Cornell University Law School)

So what is Ham?

According to Wiktionary Ham is “E-mail that is generally desired and isn't considered spam.”

Desired? You may be saying to yourself, “I do not desire this mail, how is this ham and why am I getting it?” The answer is that you requested it.

There are two ways you could have signed up for this email.
  • Directly: while downloading free software such as a browser or a game, or signing up for a new online service, you were required to agree to their Terms of Service (TOS) by checking a box. Below or above the TOS were other check boxes. One said “Yes! I would like to receive information and offers from you and your partners.” If you checked this box, then legally you asked for this email.
  • Indirectly: this is the same scenario as signing up directly, except that the box for the information and offers is pre-checked, leaving it to you to uncheck the box if you do not want to be on their mailing lists.
Either way, once you are on a bulk mail list they can legally send you the offers (and rarely any information worth anything) as long as they follow the RFC regulations.

The good news is that if they follow the RFC rules, then it is easy to stop these emails. All you have to do is “click to unsubscribe” and the mail stops. That is, if they follow the rules.

Malicious spammers in particular take advantage of this: they put the same unsubscribe footer at the bottom of their emails, but point the unsubscribe link at malicious downloads, tracking cookies, and the like.

How am I supposed to know the difference? Here are a few simple things to look for:
  • Check who the email is from. An email address has two parts:
    • The username: the part before the “@” sign
    • The domain: the part after the “@” sign
  • Mouse over the “unsubscribe” link or button:
    • If the end of the link's address (something.com, .org, .net, .gov, etc.) is the same as the From domain name, it is a good bet that this is legitimate ham and it is OK to click to unsubscribe.
    • If the end of the address does not match the From domain, Don’t Click It! This may still be badly formatted legitimate mail, but why take a chance? Instead, forward the mail to postmaster@ (your domain); they will know what to do with it.
  • Another option, especially if the mailer comes from a legitimate retailer or similar, is to contact them directly and let them know you will not shop with them as long as they use such tactics to advertise.
    • Most retailers do not knowingly employ spam as a means of advertising, yet quite often we receive spam from them. The reason is that retailers hire marketing firms that may subcontract to other firms, some of which, for economic reasons, hire less scrupulous bulk mailing firms. Letting a retailer know of this allows them to review whom they do business with.

A hacker's greatest tools are the oldest tricks in a book written before time. Those tricks still work today.
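As an added example (not part of Frank's post), here is a Python script that performs the From-domain versus unsubscribe-link check described above on a raw message. The two sample messages and the example-shop.com and example.net names are constructed, and the "end of the address" comparison uses the last two labels of the host name as an approximation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mailings). Both claim to come from the
# same shop; only the host behind the unsubscribe link differs.
LEGIT_HAM = """From: "Shop Offers" <offers@example-shop.com>
To: you@example.org
Subject: Weekly deals
Content-Type: text/html

<p>Deals inside.</p>
<a href="https://news.example-shop.com/unsub?id=123">unsubscribe</a>
"""

SUSPICIOUS = """From: "Shop Offers" <offers@example-shop.com>
To: you@example.org
Subject: Weekly deals
Content-Type: text/html

<p>Deals inside.</p>
<a href="http://tracker.example.net/u/9f2">Click to unsubscribe</a>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Approximate 'end of the address': the last two labels of a host name.
    Production code should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg) -> str:
    """Domain part (after the '@') of the From header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def unsubscribe_links(msg):
    """hrefs of anchors whose visible text mentions 'unsubscribe'."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return [href for href, text in ANCHOR_RE.findall(body)
            if "unsubscribe" in text.lower()]


def classify(raw: str) -> str:
    """Apply the post's rule: the unsubscribe host must match the From domain."""
    msg = message_from_string(raw)
    sender = registrable_domain(from_domain(msg))
    links = unsubscribe_links(msg)
    if not links:
        return "no-unsubscribe-link"
    for href in links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target != sender:
            return "mismatch: do not click, forward to postmaster"
    return "match: legitimate ham, safe to unsubscribe"
```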

Thursday, May 25, 2017

What is VM sprawl ?

VM sprawl is defined as a waste of resources (compute: CPU cycles and RAM) as well as storage capacity due to a lack of oversight and control over VM resource provisioning. Because of its uncontrolled nature, VM sprawl degrades your environment’s performance at best, and can lead to more serious complications (including downtime) in constrained environments.

VM Sprawl and its consequences

Lack of management and control over the environment causes VMs to be created in an uncontrolled way. This concerns not only the total number of VMs in a given environment, but also how resources are allocated to these VMs. You could have a large environment with minimal sprawl, and a smaller environment with considerable sprawl.

Here are some of the factors that cause VM sprawl:
  • Oversized VMs: VMs which were allocated more resources than they really need. Consequences:
    • Waste of compute and/or storage resources
    • Over-allocation of RAM will cause ballooning and swapping to disk if the environment comes under memory pressure, which results in performance degradation
    • Over-allocation of virtual CPU will cause high co-stop: the more vCPUs a VM has, the longer it must wait for CPU cycles to be available on all the required physical cores at the same moment, because the more vCPUs a VM has, the less likely it is that all those cores are free at the same time
    • The more RAM and vCPU a VM has, the higher the RAM overhead required by the hypervisor
  • Idle VMs: VMs that are up and running, not necessarily oversized, but unused and showing no activity. Consequences:
    • Waste of compute and/or storage resources, plus RAM overhead at the hypervisor level
    • Resources wasted by idle VMs may impact CPU scheduling and RAM allocation while the environment is under contention
  • Powered-off VMs and orphaned VMDKs eat up storage space

How to Manage VM sprawl

Controlling and containing VM sprawl relies on process and operational aspects. The former covers how one prevents VM sprawl from happening, while the latter covers how to tackle sprawl that happens regardless of controls set up at the process level.

Process

On the process side, IT should define standards and implement policies:

  • Role-based access control that defines roles and permissions for who can do what. This will greatly help reduce the creation of rogue VMs and snapshots.
  • Define VM categories and acceptable maximums: while not all VMs can fit in one box, standardizing on several VM categories (application, database, etc.) will help filter out bizarre or oversized requests. Advanced companies with self-service portals may want to restrict or categorize which VMs can be created by which users or business units.
  • Challenge any oversized VM request and demand justification for potentially oversized VMs.
  • Allocate resources based on real utilization. You can propose a policy under which a VM's resources are monitored for 90 days, after which IT can adjust the allocation if the VM is undersized or oversized.
  • Implement policies on snapshot lifetime and track snapshot creation requests if possible.

In certain environments where VMs and their allocated resources are chargeable, you should contact your customers to let them know that a VM needs to be resized or has already been resized (based on your policies and rules of engagement) to ensure they are not billed incorrectly. It is worthwhile to formalize your procedures for how VM sprawl management activities will be carried out, and to agree with stakeholders on pre-defined downtime windows that will allow you to seamlessly carry out any right-sizing activities.
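As an added example (not the post's own code or any vendor tool), here is a Python right-sizing pass that applies the sprawl factors listed above (oversized, idle, powered-off VMs and orphaned VMDKs) together with the 90-day observation policy to a constructed inventory. The utilization thresholds, the 25% headroom rule, the VM names and the datastore listing are assumptions for illustration.

```python
import math
from dataclasses import dataclass

# Assumed policy values (not from the post): adjust to your own standards.
WINDOW_DAYS = 90        # observation period before IT may resize (post's policy)
OVERSIZED_UTIL = 0.5    # peak use below 50% of allocation => oversized
IDLE_CPU = 0.02         # peak CPU below 2% over the window => idle

@dataclass
class VM:
    name: str
    vcpus: int
    ram_gb: int
    powered_on: bool
    days_observed: int
    peak_cpu: float      # peak CPU utilisation over the window, 0..1
    peak_ram: float      # peak RAM utilisation over the window, 0..1
    vmdks: tuple         # disk files this VM references

def recommend(allocated: int, peak_util: float) -> int:
    """Size to the observed peak plus 25% headroom, never below one unit."""
    return max(1, math.ceil(round(allocated * peak_util * 1.25, 6)))

def classify(vm: VM) -> list:
    """Findings for one VM, following the sprawl factors in the post."""
    if not vm.powered_on:
        return ["powered-off: reclaim or archive its disks"]
    if vm.days_observed < WINDOW_DAYS:
        return ["insufficient data: keep observing"]
    findings = []
    if vm.peak_cpu < IDLE_CPU:
        findings.append("idle: no activity in window")
    if vm.peak_cpu < OVERSIZED_UTIL and vm.vcpus > 1:
        findings.append(f"oversized vCPU: {vm.vcpus} -> {recommend(vm.vcpus, vm.peak_cpu)}")
    if vm.peak_ram < OVERSIZED_UTIL and vm.ram_gb > 1:
        findings.append(f"oversized RAM: {vm.ram_gb} GB -> {recommend(vm.ram_gb, vm.peak_ram)} GB")
    return findings or ["ok"]

def orphaned_vmdks(datastore_files, vms) -> list:
    """Disk files on the datastore that no VM in the inventory references."""
    referenced = {f for vm in vms for f in vm.vmdks}
    return sorted(f for f in datastore_files
                  if f.endswith(".vmdk") and f not in referenced)

# Constructed inventory and datastore listing (hypothetical names).
INVENTORY = [
    VM("web01", 8, 32, True, 120, 0.20, 0.30, ("web01.vmdk",)),
    VM("batch07", 2, 4, True, 95, 0.01, 0.60, ("batch07.vmdk",)),
    VM("new01", 4, 8, True, 20, 0.70, 0.80, ("new01.vmdk",)),
    VM("old-db", 4, 16, False, 400, 0.0, 0.0, ("old-db.vmdk",)),
]
DATASTORE = ["web01.vmdk", "batch07.vmdk", "new01.vmdk", "old-db.vmdk",
             "legacy-app.vmdk", "legacy-app.vmx.bak"]

def sprawl_report(vms=INVENTORY, datastore=DATASTORE) -> dict:
    """Per-VM findings plus the list of disks nobody owns."""
    report = {vm.name: classify(vm) for vm in vms}
    report["orphaned-vmdks"] = orphaned_vmdks(datastore, vms)
    return report
```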

Operational

Even with the controls above, sprawl can still happen, for a variety of reasons. For example, a batch of VMs provisioned for one project may have passed through the process controls, yet sit idle for months eating up resources because the project was delayed or cancelled and no one informed the IT team.

In VMware environments where storage is thin provisioned at the array level, and where Storage DRS is enabled on datastore clusters, it’s also important to monitor storage consumption at the array level. While capacity will appear to be freed up at the datastore level after a VM is moved or deleted, it will not be released on the array, and this can lead to out-of-storage conditions. Manually triggering the VAAI UNMAP primitive will be required, ideally outside of business hours, to reclaim the unallocated space. It’s thus important to have, as part of your operational procedures, a capacity reclamation process that is triggered regularly.

Using virtual infrastructure management tools with built-in resource analysis and reclamation capabilities, such as Solarwinds Virtualization Manager, is a must. By leveraging such software, these tedious analysis and reconciliation tasks no longer have to be done by hand, and dashboards present IT teams with immediately actionable results.

Conclusion

Even with all the good will in the world, VM sprawl will happen. Although you may have the best policies in place, your environment is dynamic, and in the rush of IT operations you just can’t keep an eye on everything. And this is coming from a guy whose team successfully recovered 22 TB of space previously occupied by orphaned VMDKs earlier this year.


Tuesday, April 18, 2017

Why am I getting "undeliverable" email about emails I didn't send?


Summary
  • Spammers often use a real address as the "from" address when they send out mail.
  • They may send to millions of addresses, and any bounced messages then get sent to you (these bounced emails you get are called backscatter).
  • While it is annoying, it does not mean your account has been hacked.
  • For details about how to block backscatter, visit the Answers article on backscatter.



Details
Spammers often use a real address from their list as the "from" address when they send out mail. The “from” address looks like a "real" address (because it is), and if the recipient recognizes that address, he or she is more likely to read the spam. Another perk for the spammer is that using random addresses as the "from" address keeps people from just blocking all mail from the spammer's real address (because they never see it), and it cuts down on the hate mail that the spammer receives.

When a spammer sends a message to millions of addresses, hundreds of the addresses will not work because they no longer exist or the mailbox is full. So, hundreds of "Non Delivery Reports" (NDRs or "bounces") will be sent to whoever’s address was used on the spam messages’ "from" line. These bounces are called "backscatter".

Getting backscatter doesn’t mean that your account has been hacked. When sending email, you can actually set any "from" address. For example, when you send mail from your home machine you say that it’s "from" you@yourdomain.com, but the mail didn’t originate from your email provider’s servers. So, the spammer can send mail from anywhere in the world and say that it’s "from" your email address.

Unfortunately, spammers tend to send out a few million messages "from" one address, and then go on to another "from" address. So, people often receive a few hundred of these bounce messages all at once, and then everything goes back to normal until next time. Once a spammer gets your email address, it’s impossible to prevent your email address from being used in this way.

For details about how to block backscatter, visit the Answers article on backscatter.
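As an added example (not from the original post), here is a Python classifier for incoming NDRs that tells genuine bounces of mail you really sent from backscatter caused by a forged "from" address. It assumes your outbound MTA records the Message-IDs it sends (the set below is constructed), that yourdomain.com is your own domain, and that the NDR returns the original message in a message/rfc822 part, as most bounces do; the sample NDRs are constructed.

```python
from email import message_from_string

OUR_DOMAIN = "yourdomain.com"  # assumed local domain (placeholder)

# Constructed: Message-IDs your outbound MTA really sent, e.g. pulled from its log.
SENT_MESSAGE_IDS = {"<20170418.1001@yourdomain.com>"}


def make_ndr(original_message_id: str) -> str:
    """Build a constructed NDR that hands back the 'original' message in a
    message/rfc822 part, the way most mail servers format bounces."""
    return f"""From: MAILER-DAEMON@mail.example.net
To: you@yourdomain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient mailbox does not exist.
--b1
Content-Type: message/rfc822

From: you@yourdomain.com
To: nobody@example.net
Message-ID: {original_message_id}
Subject: test

body
--b1--
"""


BACKSCATTER_NDR = make_ndr("<zx9q.random@spammer.example>")  # forged "from" you
GENUINE_NDR = make_ndr("<20170418.1001@yourdomain.com>")    # mail you really sent


def returned_message_id(ndr) -> str:
    """Message-ID of the original that the NDR returns, or '' if none."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()[0]
            return inner.get("Message-ID", "").strip()
    return ""


def classify_ndr(raw: str) -> str:
    """Genuine bounce if we logged the returned Message-ID; otherwise backscatter."""
    mid = returned_message_id(message_from_string(raw))
    if not mid:
        return "unknown: NDR carries no original headers"
    # Cheap tell: our MTA stamps Message-IDs with our domain. Headers can be
    # forged, so the log lookup below is the authoritative check.
    if not mid.endswith("@" + OUR_DOMAIN + ">"):
        return "backscatter: Message-ID not ours"
    if mid in SENT_MESSAGE_IDS:
        return "genuine-bounce"
    return "backscatter: our domain but never sent"
```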

Thursday, April 6, 2017

Understanding Dark Data

Understanding Dark Data: what is dark data? What should a company do with so much data of no apparent utility? Discover the keys to dark data with Ahmed Banfa.

Thursday, November 3, 2016

A Taste for Holiday Spam

http://www.tech-ii.com/taste-holiday-spam/
“’Twas the night before Christmas and” … well, it really lasts from November through January, that is. What lasts for months on end, you ask? Well, SPAM, that pesky e-mail promising you free stuff or telling you that your package has been set up for delivery. Spam is not just something to worry about during the holiday months, but it tends to come in very high volumes during the holiday season.


As retailers around the world ramp up for the holiday shopping season, holiday-themed spam and phishing messages will be heading for inboxes everywhere. While we can update our filters and pay close attention to what is hitting our borders, not everyone has as good protection on their personal accounts as they do at work, so give your coworkers an early festive present by warning them of the common threats that hit this time of year.


Malware
Whether in the form of festive greeting cards, holiday screensavers, or applications for your Facebook page, festive-themed malware comes straight from the Grinch and tries to take advantage of people’s holiday spirit. Making sure that antivirus software is up to date is critical, and treating any software or app with a healthy bit of skepticism is a way to play it safe.


Scams
Whether the hot gift this year will be tablets, smart phones, or coffee makers, one thing is for certain: supply will not meet demand. Scammers will exploit this by sending emails offering unbelievable deals, or claiming to have in stock what everyone else has sold out of. If it’s too good to be true, it probably isn’t. Remind others to only shop with reputable vendors, and to check out special offers by going to the website directly instead of clicking links in emails they weren’t expecting.


Online Coupon Offers
Phishing attacks may offer incredible savings in exchange for personal information. Before filling out any form to get a discount code, make sure you are dealing with a real vendor. Again, going to the vendor’s site by typing the URL in by hand is safer than clicking links in emails, and calling a brick-and-mortar store to verify that a coupon offer is legitimate can save time and disappointment.


Fake Transactions
People should be very careful about email confirmations for purchases they did not make. Scammers can easily mock up an order confirmation for a high-priced purchase, and they are counting on the victim clicking the link to cancel the order rather than confirming whether it is legitimate. Whether that delivers malware or tries to harvest personal information and login credentials, it’s a way to exploit someone’s fear of fraudulent transactions.


Pleas for Help
This is also the time of year when phishing expeditions pull out the really mean-spirited methods. These can be pleas for help from strangers with incredibly sympathetic stories, or from relatives allegedly stranded and needing money, who can email but strangely cannot call for help. We all need to be aware of these scams, and be wary of any request for help that we cannot confirm as legitimate.

Take a moment or two today to warn others of these scams. It’s a gift that keeps on giving, and helps make sure no spammer named Scrooge spoils their holiday.

Friday, March 25, 2016

Ransomware: The What? The Where? And The How?


Ransomware and its variants are on the rise, but there is hope of limiting the impact of this threat on your company and its assets. In this article we will discuss what ransomware is and what it does; where the infection comes from and where it goes after it is deployed; and finally, how you can prevent this type of threat from taking a large toll on your company’s production time.

The What?

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. The most common of these are crypto variants that travel through a system and encrypt its files, rendering them unusable. The encryption used makes it improbable that anyone can break it without paying the ransom. No one is safe from this infection. Although “Crypto” is predominantly seen on Windows systems, recently it has been showing up on other operating systems as well. Since it can encrypt any file that the system has access to, this includes files on network shares. Once attacked, it will sync up and modify all the files across the system and prevent anyone from accessing them.

The Where?

The majority of ransomware appears to be deployed through malicious email messages with attachments containing the virus. These messages look legitimate, and once opened on the system, will wreak havoc in a matter of seconds. Ransomware can also be deployed through drive-by downloads, which happen when a victim visits a compromised website that exploits unpatched software on the system. The least common method is deployment through a USB drive that contains the ransomware and infects the system when it is plugged in.

The How?

  • The number one way to be prepared for this type of attack is to have backups of all critical systems and data, and to have those backups tested and verified on a regular basis. Once ransomware attacks, the only method of saving the systems and the data is a full system restore. There is no way to decrypt the affected files, and no software will reverse it. The only recourse is to restore from backups.

  • The next way to be prepared is a bit more obvious. Have anti-malware software deployed on all your systems, and make sure it is up to date and actively scanning, using behavioral analysis or some other form of heuristic scanning.

  • Thirdly, ensure that all your systems are up to date on security patches, and that you have a way to report on systems that fall behind, with a method of patching on demand.

  • Look at incorporating spam blocking or scanning on your network to reduce the likelihood of these exploits reaching your users. All employees should be educated and told to be diligent in analyzing the messages they receive. They should only open emails they are expecting and only when they know the sender. Beware of attached files in emails!