Monday, March 29, 2010

too many blacklists on SBS 2008 lead to Earthlink delivery problems

I had this problem for several weeks, and I'm documenting it in case anyone else is unlucky enough to be in this situation and needs to find the solution. I was seeing that Earthlink and Mindspring were not able to send to my domain. The senders would get delivery-delay emails and eventually delivery failures on all emails to my domain. With a couple of exceptions, everyone else had no problem sending to my domain. So 99% of all email was coming through, but these couple were problematic.

It turns out that I had configured too many real-time block list (RBL) providers. When the remote server was connecting to my server, the process of checking the sending server against all 5 RBLs would take some time. In this case, the Earthlink servers wouldn't wait long enough for my server to finish checking, and the Earthlink servers would drop the connection. The solution was to just have one block list provider. In this case I used zen.spamhaus.org.
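To make the timing problem concrete, here is an added Python example (my own, not code from the post or from Exchange) that models what the receiving server does while the sender waits on the open SMTP connection: it builds the reversed-octet DNSBL query name for each configured zone, looks them up one after another, and stops once the cumulative delay passes a budget. Only zen.spamhaus.org is a real list; the other four zone names, the sender address 192.0.2.10, and the delays in the offline stand-in resolver are constructed for the demonstration.

```python
import socket
import time
from typing import Callable, Dict, List, Optional

# zen.spamhaus.org is the single provider the post settles on. The other four
# zone names are constructed placeholders standing in for "five providers";
# they are not real block lists.
FIVE_PROVIDERS = [
    "zen.spamhaus.org",
    "rbl-two.invalid",
    "rbl-three.invalid",
    "rbl-four.invalid",
    "rbl-five.invalid",
]


def dnsbl_query_name(sender_ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the list's zone.
    192.0.2.10 checked against zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org."""
    octets = sender_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {sender_ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Live resolver. A DNSBL answers a listed IP with an A record in 127.0.0.0/8
    (the low byte encodes the reason) and NXDOMAIN for an unlisted one."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(sender_ip: str, zones: List[str],
                 resolver: Callable[[str], Optional[str]] = resolve_a,
                 budget_seconds: float = 10.0) -> Dict[str, object]:
    """Query the zones one after another, as the mail server does while the
    sending server waits, and record how long each lookup took. Once the
    cumulative time passes budget_seconds, stop: a sender that has already
    dropped the connection will not wait for the remaining answers."""
    report: Dict[str, object] = {
        "listed_in": [], "seconds_per_zone": {}, "total_seconds": 0.0,
        "over_budget": False, "not_checked": [],
    }
    started = time.monotonic()
    for index, zone in enumerate(zones):
        t0 = time.monotonic()
        answer = resolver(dnsbl_query_name(sender_ip, zone))
        report["seconds_per_zone"][zone] = time.monotonic() - t0
        if answer is not None and answer.startswith("127."):
            report["listed_in"].append(zone)
        report["total_seconds"] = time.monotonic() - started
        if report["total_seconds"] > budget_seconds:
            report["over_budget"] = True
            report["not_checked"] = zones[index + 1:]
            break
    return report


def slow_resolver(delay_seconds: float) -> Callable[[str], Optional[str]]:
    """Offline stand-in for DNS (constructed): every lookup takes delay_seconds,
    and only the constructed sender 192.0.2.10 is 'listed', by zen.spamhaus.org."""
    def resolve(name: str) -> Optional[str]:
        time.sleep(delay_seconds)
        return "127.0.0.2" if name == "10.2.0.192.zen.spamhaus.org" else None
    return resolve


if __name__ == "__main__":
    # 0.6 s per lookup (a slow or unreachable RBL) against five providers
    # overruns a 2 s budget; the same sender against one provider does not.
    for zones in (FIVE_PROVIDERS, FIVE_PROVIDERS[:1]):
        report = check_sender("192.0.2.10", zones, slow_resolver(0.6), budget_seconds=2.0)
        print(f"{len(zones)} provider(s): {report['total_seconds']:.1f}s, "
              f"over budget={report['over_budget']}, not checked={report['not_checked']}")
```

On the Exchange side the list of configured providers is what Get-IPBlockListProvider in the Exchange Management Shell prints; trimming that list to one entry is the fix the post describes, and the per-zone timings above are what you would compare against the remote server's patience.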

So that was it. Just a note for future reference.

Tuesday, March 16, 2010

checking autodiscover SRV records using nslookup

There are a couple of ways to add autodiscover, which is required by Exchange 2007 (and presumably Exchange 2010) for full functionality (more coming on this concept).

One method is to add an SRV record. Because nothing is easy, not all DNS editors allow you to create SRV records. Sometimes, you can add them yourself. Sometimes, you have to write to support. Sometimes, it can't be done. But when it is done, here is how to check on it:

In a DOS prompt, type "nslookup"
Then "set type=srv"
Then the record you want - such as "_autodiscover._tcp.exampledomain.com"

Here's what a properly configured autodiscover looks like:
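As an added example (mine, not the post's), here is a Python script that parses the answer nslookup prints for the query above and grades it: the record must exist for _autodiscover._tcp.<domain>, and Outlook builds https://<target>:<port>/autodiscover/autodiscover.xml from it, so port 443 and a real target host are what a properly configured record looks like. Both sample outputs are constructed for the post's placeholder exampledomain.com; the Windows layout is assumed to match what nslookup prints after "set type=srv", and the BIND-style single-line form is handled as well so the same check runs from a Linux or macOS workstation.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SrvRecord:
    name: str      # the queried name, e.g. _autodiscover._tcp.exampledomain.com
    priority: int
    weight: int
    port: int
    target: str    # "svr hostname" in nslookup's wording


# Constructed sample answer in the layout Windows nslookup uses for an SRV
# record after "set type=srv" (assumption: real spacing may differ slightly).
SAMPLE_WINDOWS_OUTPUT = """\
Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
_autodiscover._tcp.exampledomain.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = mail.exampledomain.com
"""

# The same record as the BIND-style nslookup on Linux/macOS prints it (constructed).
SAMPLE_UNIX_OUTPUT = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
_autodiscover._tcp.exampledomain.com    service = 0 0 443 mail.exampledomain.com.
"""

_WIN_HEADER = re.compile(r"^(\S+)\s+SRV service location:\s*$")
_WIN_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
_UNIX_LINE = re.compile(r"^(\S+)\s+service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_nslookup_srv(text: str) -> List[SrvRecord]:
    """Extract SRV records from either nslookup output style."""
    records: List[SrvRecord] = []
    pending: Optional[dict] = None
    for line in text.splitlines():
        m = _UNIX_LINE.match(line)
        if m:
            name, prio, weight, port, target = m.groups()
            records.append(SrvRecord(name.rstrip("."), int(prio), int(weight),
                                     int(port), target.rstrip(".")))
            continue
        m = _WIN_HEADER.match(line)
        if m:
            pending = {"name": m.group(1).rstrip(".")}
            continue
        m = _WIN_FIELD.match(line) if pending is not None else None
        if m:
            key, value = m.groups()
            pending["target" if key == "svr hostname" else key] = value
            if len(pending) == 5:  # name plus the four fields
                records.append(SrvRecord(pending["name"], int(pending["priority"]),
                                         int(pending["weight"]), int(pending["port"]),
                                         pending["target"].rstrip(".")))
                pending = None
    return records


def autodiscover_problems(domain: str, records: List[SrvRecord]) -> List[str]:
    """Return what is wrong with the SRV answer for Outlook's Autodiscover lookup;
    an empty list means the record has the expected shape."""
    expected = f"_autodiscover._tcp.{domain}".lower()
    matches = [r for r in records if r.name.lower() == expected]
    if not matches:
        return [f"no SRV record returned for {expected}"]
    problems: List[str] = []
    for r in matches:
        if r.port != 443:
            problems.append(f"port is {r.port}: Outlook will try https://{r.target}:{r.port}"
                            f"/autodiscover/autodiscover.xml, and 443 is the expected port")
        if not r.target or r.target == ".":
            problems.append("empty target: the record must name the host serving Autodiscover")
    return problems


def query_autodiscover_srv(domain: str) -> List[str]:
    """Live check: run the same nslookup query the post describes and grade the answer."""
    name = f"_autodiscover._tcp.{domain}"
    out = subprocess.run(["nslookup", "-type=srv", name], capture_output=True, text=True).stdout
    return autodiscover_problems(domain, parse_nslookup_srv(out))


if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS_OUTPUT, SAMPLE_UNIX_OUTPUT):
        recs = parse_nslookup_srv(sample)
        print(recs, autodiscover_problems("exampledomain.com", recs) or "looks good")
```

One thing the script cannot check offline is that the target host presents an SSL certificate whose name matches it; that is the other half of "properly configured", and a mismatch there shows up in Outlook as a certificate warning rather than in nslookup.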

Wednesday, March 10, 2010

the anatomy of a fakealert infection

Over the last year, a new type of virus (malware) has become prevalent. The weird part is that antivirus vendors are way behind on detecting these new viruses. It seems new generations of these viruses change just enough to evade detection. This post will show you what it typically looks like when you are infected with one of these viruses, called fakealert viruses.

It starts by visiting an infected site. These don't necessarily need to be inappropriate sites. You can visit an infected site from a regular innocuous Google search.

You start by getting a pop-up like this:

For some viruses, hitting OK might infect you - or it might be hitting any of the buttons in the pages that follow. What you're seeing here is a web site pop-up with words on it. It could just as easily be telling you the plot of last night's CSI: Miami. A web page can display anything as you will soon see. In this case, it just happens to be misleading text. The virus can't just infect you - it needs a little help from you in order to run a script.

If you hit OK, you often get something like the screen below. Again, it looks like something your computer is telling you, but it's just a web page. It could be a spoiler for Dancing with the Stars, but it's just an image and text that someone chose to put on there. Nothing is really scanning.

If you try to close the browser, it won't let you. No matter what you try, you get something like this:

And then it will often try to run/download a file to further infect you.

Another example of what you might see:

-----

So what is the answer? You've found your way to a web page that you can tell is trying to infect you, but it's hard or impossible to close your browser (the example here is Firefox, but Internet Explorer is vulnerable as well).

The answer is to close your browser with Windows Task Manager before you can be infected. Hit Control-Alt-Delete and then start the Task Manager. Find your browser on the Applications tab (either Internet Explorer or Firefox) and hit End Task. This will close your browser without the annoyances and get rid of the potential infection before you are infected (presuming you didn't interact with the virus/malware in the web page).

So that's pretty much it. That's what you should be looking for and the best way to avoid infection if you come across these types of viruses/malware. If you find yourself infected, you can use the tools listed here to disinfect your computer.

UPDATE - Symantec talks about fakealert viruses here:
http://www.symantec.com/norton/theme.jsp?themeid=mislead

Still no improvement on the handling of these types of malware. Very lame.

Tuesday, March 9, 2010

malware removal tools

The fakealert malware viruses are everywhere. I've managed to get rid of most of them with just two tools:

rkill - to terminate the running processes
Malwarebytes - to remove the infections

For just about every fakealert virus, I put rkill.com and mbam.exe (links above) on a flash drive and then run rkill.com on the infected computer. Then I run Malwarebytes full scan and then remove whatever it suggests.

---

The other day, I came across a machine with different symptoms - just in time debugging kept coming up over and over again. I fixed it with combofix, but here's also another suggested tool that I didn't have to use:

Combofix
Dr. Web CureIt

So far, I've fixed every infection I've found using some combination of these tools. I wonder when the antivirus vendors will ever get a hold on this. It's been over a year that these types of viruses have been in the wild.

Saturday, March 6, 2010

laptop reliability survey

I came across this laptop reliability survey, and I thought I'd keep track of it as it's pretty interesting - first time I've seen it. It came from here:

http://www.engadget.com/2009/11/17/laptop-reliability-survey-asus-and-toshiba-win-hp-fails/

In case the link disappears, here's the important graph:

Tuesday, March 2, 2010

pdf995 requires Program Compatibility Assistant on Windows 7

I had a Windows 7 computer where I had installed PDF995, but found that it didn't show up in the list of printers. Then I found this - which said that you need to make sure the Program Compatibility Assistant service is started. In this case, the PCA was set to manual - but it was not started. I started it - uninstalled PDF995 and reinstalled it and voila - it worked. Weird.

Monday, March 1, 2010

installing Filemaker on Windows 2008 SBS (or Standard)

I had quite an ordeal installing Filemaker Server on Windows 2008 SBS. I won't bore the people who don't care about my troubleshooting and just provide the relevant details:
  • Filemaker 10 is necessary on Windows 2008. Filemaker 9 is not supported (I tried and failed).
  • If installing on 64 bit Windows (SBS or otherwise), install the 64 bit version of Apple Bonjour first (Bonjour is required and the FMS install tries to install the 32 bit version). Credit for that advice belongs here.
  • You need to open ports 5003, 16000, and 16001 on the server for the clients to interact properly with the server.
  • Filemaker Server 10 can use any level of Filemaker Pro on the desktop end: 8, 9, or 10 (and presumably 7).
  • Web publishing should not be used on your SBS box. SBS isn't supported by Filemaker (though it works), but even if you use it, the web publishing stuff will conflict with some of the IIS stuff that SBS uses.
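After opening the three ports, the check worth running is a TCP connect from a client machine to each of them, because "filtered" (no answer at all) and "closed" (answered, but nothing listening) point at different problems: the first is the firewall, the second is the FileMaker service not running. Here is an added Python port checker (mine, not FileMaker's or the post's) that makes that distinction; the loopback listener and the free-port helper are constructed so it can be exercised without a real FileMaker Server, and the server hostname fms.example.com is a placeholder.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple

# Ports the post says must be open on the server for FileMaker Server 10.
FILEMAKER_SERVER_PORTS = (5003, 16000, 16001)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the client's point of view."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"      # no SYN/ACK and no RST: a firewall is most likely dropping it
    except ConnectionRefusedError:
        return "closed"        # the host answered with RST: reachable, but nothing listening
    except OSError as exc:
        return f"error: {exc}"
    finally:
        sock.close()


def check_ports(host: str, ports: Iterable[int] = FILEMAKER_SERVER_PORTS,
                timeout: float = 2.0) -> Dict[int, str]:
    """Probe every port and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_loopback_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a listening service: bind 127.0.0.1 on a free
    port and accept-and-drop connections in a background thread until closed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, server.getsockname()[1]


def free_loopback_port() -> int:
    """Find a port with nothing listening on it (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against loopback; for a real check replace the
    # host with the server name, e.g. check_ports("fms.example.com").
    listener, open_port = start_loopback_listener()
    closed_port = free_loopback_port()
    for port, state in check_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} -> {state}")
    listener.close()
```

Run it from a workstation on the client side of the firewall, not on the server itself, since a local connect never crosses the firewall rules you are trying to verify.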