Friday, March 24, 2017

SecureMecca Closing

Due to circumstances beyond Henry Hertz Hobbit's control, SecureMecca will be closing ASAP.

I have had battles over the years with the hackers in Odessa (the Black Sea port).  Now that Donald Trump is POTUS and these hackers did things to help him win (it is them, not the Russian government), I received a threatening email message from sematext.com claiming that I was causing it so that nobody could go to sematext.com or their blog.  Since I was only blocking sa-receiver.sematext.com (an alias to an Amazon AWS host), how could their users be unable to go to either their website or their blog?  I tested it and the claim was untrue, at least for going to sematext.com directly.  I have concluded that the attack is motivated by politics.  This is especially likely to be the case since nobody has said a thing to me for years.

So effective soon, SecureMecca will be closed, especially since over 85% of the people in the FSA (it used to be the USA) hate Muslims.  At least Muslims aren't Satanic.  Members of ISIS, however, are not in harmony with the Qur'an on multiple points.

For a limited amount of time I will continue to provide updates to the PAC filter and the blocking hosts file to HostsFile.org.  I don't know what the owner of that domain plans but I don't plan on supporting what I have much beyond 2017 in this hostile political climate.

Best Wishes.

Henry Hertz Hobbit

Saturday, May 21, 2016

Thunderbird

I have heard that Mozilla is deciding to scrap Thunderbird.  I hope this is not true because I have standardized on it.  Why?  Because once you pick a POP / IMAP email client you don't want to change it.  Here is why.  I have mine configured for multiple email accounts which are separate from each other.  When I encounter messages I want to save I move them into the Local Folders area.  Ergo, if Thunderbird vanishes, there goes my history and it is back to thrashing around finding and taming a new email program that will inevitably be worse than Thunderbird.  Why did I select Thunderbird besides these book-keeping and history reasons?

I want a POP / IMAP email client program that won't render HTML.  Remember that I am coming at this from a security standpoint.  Rendering HTML is a great way to make yourself more vulnerable to phishing.  So I don't want HTML rendering except maybe as a toggle, on a temporary basis.  There are times that I am sick or distracted, and everybody makes mistakes.  So if the Thunderbird team changes this aspect of rendering HTML, at least make it configurable via some easily found method to turn it on or off via about:config.  I can understand turning it on temporarily for a particular message, but in general it is nice to see white space.  For the vast majority of my email messages, all white means there is nothing for me to click on, and invariably it is something bad.

I can already hear somebody saying to me, "Thunderbird has about:config?  Where do you type it?"  Well, you don't.  For me on Linux you go to Edit (Preferences may be some place else on Windows or Macintosh), then select Preferences.  Set that window's tab to General.  Then click on the Config Editor button.  Here is a picture of what that will look like:





I just got a tip from my colleague in France, whom I know by the nom de plume of Airelle, that this is a good thing to use for taming the Locky and other ransomware I get so much of in my email box.  Locky and similar ransomware arrive as a zipped JavaScript attachment in email right now and for the foreseeable future.  They normally use zip, but sometimes they use rar, and I even have one where they used gzip to compress the file.  Anyway, once you have clicked on Config Editor you will have to click affirmatively on the "I'll be careful, I promise" query.  It is always there for me because I don't go in there all that much and want to be warned that I am inside where I can maybe harm myself.  Okay, so far we are okay.  Now start typing "javascript" in the Search box.  Find this item:

javascript.enabled

Position the pointer over the Value, which is probably set to true, right click on it and select Toggle.  That should change it to false.  Does it help?  I hope so, but I still sometimes see a scripting message when saving Locky zip files.  So it may not help, but it doesn't hurt.  If somebody wants to tell us how to do this with other email client programs I would be grateful.  This is especially true if you give it for Outlook.  It is probably the number one email client program used for POP and IMAP email.

I have also used about:config to change these two settings for Thunderbird, because I am always typing "attach", "attached" and other words derived from "attach" with no intention of using an attachment:

mail.compose.attach_reminder
mail.compose.attach_reminder_aggressive

I changed both of them via Toggle from true to false.  Now, if somebody could tell me that there is some way I could use about:config to make it show me the full From address, I would appreciate it.  That is about the only thing I would change on Thunderbird.  I did see that they had this one:

mail.phishing.detection.ipaddresses

I don't know what it does, but all of my Locky malware is sent from special purpose send-only SMTP servers dropped onto hacked Windows machines.  I can tell because of the X-Originating-IP line in the header that qmail thoughtfully provides.  The IP address given there never matches the A record for the MX hosts of the purported sending domain.  But what I am trying to prevent there is somebody or some bot sending you email that says just "YourBuddy", where your buddy is really at "YourBuddy@TheRealDeal.org" but the message you have is supposedly from "YourBuddy@FlyByNight.org" and actually comes from a hacked machine some place else.

I guess it could be worse.  At least one Microsoft Exchange SMTP server ignored the originating IP address and instead looked up the MX record for the purported sending domain (mine doesn't use my domain name in the MX record that handles its email), which was mine, and then looked up the IP address and substituted it.  How do I know?  There is no such user as dfad452xz at my domain and thus no way of sending email from them.  But my email is configured to accept email to any valid sounding user name, so I have a dandy mini honey-net whether I want it or not due to how my IMSP / IWSP configured it.  That is after taking almost two years to educate email admins not to bounce Locky type messages to the purported From domain.  I wonder what Microsoft Exchange will do on those domains I encountered that didn't even have MX records because they were parked?
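The header check described above, as an added example that is not part of the original post: it pulls the From domain and X-Originating-IP out of a message and compares the IP against the A records of that domain's MX hosts. The DNS data is a constructed stand-in table (a real run would resolve MX and A records), and a mismatch is a signal rather than proof, since many domains send outbound mail from hosts other than their MX.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS lookups so the example runs offline.
# Real use would resolve MX and A records with a DNS library instead.
MX_RECORDS = {
    "therealdeal.org": ["mx1.therealdeal.org", "mx2.therealdeal.org"],
    "flybynight.org": [],   # parked domain: no MX record at all
}
A_RECORDS = {
    "mx1.therealdeal.org": ["192.0.2.10"],
    "mx2.therealdeal.org": ["192.0.2.11"],
}

# qmail style header: "X-Originating-IP: [203.0.113.77]"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# RFC 1918 space only.  (ipaddress.is_private also flags the documentation
# ranges used in the samples, so an explicit list is used instead.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def mx_addresses(domain, mx=MX_RECORDS, a=A_RECORDS):
    """Set of IPv4 addresses of the domain's MX hosts (empty when it has none)."""
    found = set()
    for host in mx.get(domain.lower(), []):
        found.update(a.get(host.lower(), []))
    return found


def sender_domain(msg):
    """Domain of the purported From address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify(raw_message, mx=MX_RECORDS, a=A_RECORDS):
    """Compare X-Originating-IP against the MX hosts of the From domain.

    Returns one of:
      'match'     origin IP is one of the From domain's MX host addresses
      'mismatch'  public origin IP that is not an MX host address (the Locky pattern)
      'no-mx'     From domain has no MX records (e.g. a parked domain)
      'private'   origin IP is RFC 1918 space, nothing to compare against
      'unknown'   header missing or unparsable
    """
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    m = IPV4_RE.search(msg.get("X-Originating-IP", ""))
    if not domain or not m:
        return "unknown"
    try:
        ip = ipaddress.ip_address(m.group(0))
    except ValueError:
        return "unknown"
    if any(ip in net for net in RFC1918):
        return "private"
    expected = mx_addresses(domain, mx, a)
    if not expected:
        return "no-mx"
    return "match" if str(ip) in expected else "mismatch"


# Constructed messages: one relayed by the domain's own MX host, one from a
# random public address with the same From line, one from a parked domain.
LEGIT = ("From: YourBuddy <YourBuddy@TheRealDeal.org>\n"
         "X-Originating-IP: [192.0.2.10]\n"
         "Subject: hello\n\nsee you Friday\n")
FORGED = ("From: YourBuddy <YourBuddy@TheRealDeal.org>\n"
          "X-Originating-IP: [203.0.113.77]\n"
          "Subject: invoice\n\nplease open the attached zip\n")
PARKED = ("From: YourBuddy <YourBuddy@FlyByNight.org>\n"
          "X-Originating-IP: [203.0.113.77]\n"
          "Subject: invoice\n\nplease open the attached zip\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("FORGED", FORGED), ("PARKED", PARKED)):
        print(f"{name}: {classify(raw)}")
```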

So, Mozilla, please keep Thunderbird going.  I shudder to even think of using any other email client program.

Thank You!



Sunday, March 30, 2014

Setting up email

Where The Spam Comes From

  Recently I read a piece from ESET (makers of NOD32).  They claimed that there were 10,000 hacked Linux machines sending out spam and malware.  I asked myself: could this be the hackers I originally dubbed PeskySpammer and renamed PerniciousMalware, who put 500+ spam per day into one of my email boxes plus occasional malware?  No, it cannot be, because you can see for yourself that the majority of the IPv4 addresses used are in DSL and cable IP blocks.  You don't believe me?  Here you go:

Public PeskySpammer folder
Originating IPs
Left 0 Pad Filled Originating IPs

  Just look them up in whois.  I stopped keeping records of these about six months ago.  But if you ever wanted proof of what was sending the spam and malware, all you had to do was seize the machines at the sending IP addresses.  On the machines, which would be running Microsoft Windows, you would find specially crafted SMTP engines that only send email.  How do they get around where it was sent from?  They pretend it was sent from some place else.  That is how I first got them.  They were pretending to send from fictitious users at my domain.  It took me over a year to get email admins to learn NOT to boomerang messages to me.  Evidently thinking has gone out of style.  Whether the hackers realized that Yahoo and other domains have email set up wrong from a practical point of view (but probably correctly per the old RFC) is unknown.  It does argue that things need to change, and immediately.  There will be more on that in a moment.

Are The Linux Machines Hacked?

  Probably.  But which would you want to send spam from?  A tiny number of Linux boxes (10,000 is tiny), whose IP addresses you can easily map out and take out of the loop with blocks at major IMSPs (Internet Mail Service Providers)?  Or a huge flotilla of Windows boxes, where the machines sending spam come and go regularly in such a way that a preventive measure based on the originating IP address is almost useless?  The infected Windows machine route wins hands down.  But let's probe the weaknesses of Linux.  The very first one for me is actually not security.  Because of that stupid X Windows DB I am almost always staring at 640x480 at install time.  Gone are the days of hacking the X config file and being on with my business.  But I work from Linux and it is a compromise.  Maybe OpenBSD would be a better choice.
   Linux systems have so much software that is hacked into place, and the software changes so furiously, that it is almost impossible to eradicate problems.  This is especially true for the servers.  But my two machines, named GandalfTW and Sauron, aren't servers, and they eye each other suspiciously.  They will allow a hello and are-you-there (ICMP ping) and that is about it.  I don't even let one do print server duty and instead rely on the JetDirect card in the old HP printer to handle things.  Getting that configured took a lot of work.  Yes, it has an old parallel printer interface.  But with this much complexity I have this nagging feeling I have too many holes in my systems.  Blowing down the protection of IPv4 with IPv6 (no NAT, no firewall) doesn't help.  But I do have two routers in place.
   But then I hear that there is an SSL bug in Macintosh, iPhone, and iPad.  I can remember Apple taking over six months to fix a simple problem several years back.  Did they really fix the iPhone in 2-7 days and Macintosh in less than two weeks?  Unbelievable.  Then the boom was lowered.  Many versions of Linux also had an SSL security flaw.  At least some Linux distros do make use of OpenPGP signing so you can decide whether the downloads are trusted or not.  But is my kernel the real deal, or did the NSA hack a SHA1 certificate and give me a modified kernel?  I am paranoid.  Am I paranoid enough or too paranoid?
   But the coup de grâce was when kernel.org was hacked while they sat there saying how super secure SHA1 was.  Pshaw.  I have malware with SHA1, and I know others do too, where they hacked the SHA1.  Still, it is more likely that the certs were stolen, as in this case:


But it is not Stuxnet!  The cert passed muster until the keys were revoked.  What am I saying?  There are ways around encryption.  But coming from SSL and hitting serious security stuff gives one the idea that SHA1 is powerful.  Not one serious AV company depends on SHA1.  They shifted to SHA-256 years ago.  My OpenPGP keys have SHA-256 as the preferred digest algorithm:

Cipher:  TwoFish, Camellia256, Camellia192, Camellia128, BlowFish, Cast5, 3DES.
Digest: SHA256, SHA512, SHA1, SHA384

I used to have 4096-bit RSA key pairs and SHA512.  It was fine with dual core and quad core machines.  It was a little too much for older single core machines.  But I get 3DES whether I want it or not.  I don't want it.  Note that both BlowFish and Cast5 precede it, and iPhone and Android systems can handle those.  SHA384 is non-standard, so I have no choice but to bump SHA1 up in pecking priority.

But if a Linux system is truly hacked they can steal your keys, unless you put in a symlink to a flash drive where your keys really are and the hacker always hits it with your flash drive removed.  The key logger gets the pass-phrase.  But I doubt most Linux people ever police their shell startup files.  I do look at my shell startup files, which have been altered considerably by me, FREQUENTLY!  I told you I was paranoid.  But what do you expect of somebody that has now handled well over 12,000 Windows malware samples?

So is it too much to ask that Linux people shift from SHA1 to SHA256?  I don't think so.  The fewer services you run, the less vulnerable you are.  That is the way it has been forever.

Lest Windows People Snort

  Windows did not wait for IBM to add owner, group, and other permissions to the file system, which are also used for processes.  Back then it was called HPFS and it became NTFS.  But here is what would have happened if they had waited:


It isn't just limited to the file system.  Look at voodoo.txt.  If Target, Neiman Marcus, and others had used Linux instead of Windows in their POS terminals, memory scraping would not have worked.  Try it!  The SourceBuffer is invariably outside your process's memory space.  The result?  A segmentation violation.  No memory scraping here.  Where did all of those Siemens Nixdorf POS terminals go?  Why did they replace them with Windows?


How To Setup Email

   On to the main reason for this blog entry.  Because of the way that Yahoo (and other IMSPs) set up email, I have over 500 spam per day in my mini honey-net.  I don't mind the malware except for those two days I got 500+ malware instead of spam each day.  But really, email should be set up like this as the first step in reducing spam:

1. Besides your own email account and any other email accounts you have created, there are only three extra email accounts (listed next).  Anything sent to any user other than the ones enumerated should be tossed.  Bye, bye mini honey-net!

2. The three extra users are abuse, postmaster, and webmaster.  It may seem nicer to keep email for those out of the master user's account in case somebody hacks that account, but what if your own computer (as opposed to Yahoo's or another IWSP / IMSP's) is the one that is compromised?

3. The number of domains for places like Yahoo is huge.  I would set it up with some sort of self-balancing binary tree for fast lookup.  For example, if you had a domain named qwerty.com with just a master user named keyboard, here is what the users and email box (only one, keyboard@qwerty.com) would look like (email name, then email box):

email name    email box
keyboard      keyboard@qwerty.com
abuse         keyboard@qwerty.com
postmaster    keyboard@qwerty.com
hostmaster    keyboard@qwerty.com

Only the emails for those four users at qwerty.com would be accepted, and all of the messages for them would be put in the user keyboard@qwerty.com's email box.  Any emails sent to any other user at qwerty.com would be dropped like a hot scalding potato.  That means they would just be discarded.

Once that is done, all of my other comments apply.  But if Yahoo set it up this way I would get less than 2% of what I get now.  Their email servers would get a break.  The people that aren't involved in the spam and malware storm would finally see the odd behavior of their email vanish.  No?  Then look at my other points.  I am pretty sure qmail can do it.  It has the richest set of filter options of any SMTP server.
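The accept-list policy of steps 1 to 3, as an added example that is not part of the original post and not qmail's own configuration: hosted domains are kept in a sorted list searched with bisect (Python's standard library has no self-balancing tree, and a sorted list gives the same logarithmic lookup), the role accounts are aliased to the master mailbox, and every other recipient is discarded. The role-account names follow the qwerty.com table above; the sample recipients are constructed.

```python
import bisect

# Role accounts every hosted domain accepts; they all land in the master user's
# mailbox.  Taken from the qwerty.com table (add "webmaster" if you follow the
# other list given in the post).
ROLE_ACCOUNTS = ("abuse", "postmaster", "hostmaster")


class RecipientTable:
    """Per-domain accept lists, with domains kept sorted for bisect lookup."""

    def __init__(self):
        self._domains = []   # sorted, lower-cased domain names
        self._users = []     # parallel list: {localpart: delivery mailbox}

    def _find(self, domain):
        """Index of domain in the sorted list, or None if we do not host it."""
        i = bisect.bisect_left(self._domains, domain)
        if i < len(self._domains) and self._domains[i] == domain:
            return i
        return None

    def add_domain(self, domain, master, users=(), roles=ROLE_ACCOUNTS):
        """Register a domain: the master user, extra users and the role aliases."""
        domain = domain.lower()
        master_box = f"{master.lower()}@{domain}"
        table = {master.lower(): master_box}
        for user in users:                        # real users get their own box
            table[user.lower()] = f"{user.lower()}@{domain}"
        for role in roles:                        # role aliases go to the master box
            table.setdefault(role.lower(), master_box)
        i = self._find(domain)
        if i is None:
            i = bisect.bisect_left(self._domains, domain)
            self._domains.insert(i, domain)       # keeps the list sorted
            self._users.insert(i, table)
        else:
            self._users[i].update(table)

    def route(self, rcpt):
        """Mailbox to deliver rcpt to, or None meaning 'discard silently'."""
        local, at, domain = rcpt.rpartition("@")
        if not at:
            return None                           # not even an address
        i = self._find(domain.lower())
        if i is None:
            return None                           # not a domain we host
        return self._users[i].get(local.lower())  # unknown local part -> None

    def triage(self, rcpts):
        """Split a batch of RCPT TO addresses into deliveries and a discard count."""
        deliver = {}
        dropped = 0
        for rcpt in rcpts:
            box = self.route(rcpt)
            if box is None:
                dropped += 1
            else:
                deliver.setdefault(box, []).append(rcpt)
        return deliver, dropped


# Constructed sample: one hosted domain with a single master user, plus the kind
# of made-up local parts a mini honey-net receives all day.
TABLE = RecipientTable()
TABLE.add_domain("qwerty.com", "keyboard")
SAMPLE_RCPTS = [
    "keyboard@qwerty.com", "Abuse@QWERTY.com", "postmaster@qwerty.com",
    "hostmaster@qwerty.com", "dfad452xz@qwerty.com", "sales@qwerty.com",
    "keyboard@otherdomain.example", "not-an-address",
]

if __name__ == "__main__":
    deliveries, dropped = TABLE.triage(SAMPLE_RCPTS)
    for box, rcpts in deliveries.items():
        print(box, "<-", ", ".join(rcpts))
    print("discarded:", dropped)
```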

Wednesday, August 15, 2012

APK-Hosts-File-Installer

There is another Hosts File Installer program, created by Alexander P. Kowalski.  You can download the latest version here:



This zip file is in the 2012_06_01 folder.  If you want the older version or to look around you need to go to the top level APK folder.  It is here:



Brief instructions for how it works are at Start64.com.  As you can imagine it is made to work with Windows 7 64-bit and the instructions are tailored around that OS version.  Here are the brief instructions:



As you can imagine, you will need some sort of hosts file to use the program with.  Here are some of them, with some information that will reduce the load on the servers where possible.  If there is no need to update, why update?  I will give a brief explanation of each.




These are perhaps the most complete files on the Internet.  Since they are so large, please check the update.txt file (second link) first.  They are 7-zipped, so you will need something that supports the 7-zip format to use them.  They are just too large to download as whole files without some sort of compression.  7-Zip is far and away the best compression algorithm.  In addition, it cannot be made to expand forever, it cannot be peered into on Windows, and you throw the UID:GID of the files away on Unix / Linux.



This list is fairly similar to MVPHosts (later on), but it does have French specific hosts added to it and very few comments.  It is hosted at sysctl.org.



These are mine.  There is no difference between the files at HostsFile.org and SecureMecca.com.  I use the UnixUtils utilities with my own shell scripts to do the updating.  The scripts are used with zipped folders in both the zip and 7-Zip formats.  Rather than linking to all of them I will just give the link to UnixUtils, the script that I use, and finally the downloads folders.

Unix Utils Folder
Unix Utils - zipped with instructions
AutoHosts shell script
SecureMecca.com Downloads folder

If you compare the current size of 857 K for the uncompressed hosts.txt file with 178 K (AutoHosts.unx.7z), 341 K (AutoHosts.unx.zip), 180 K (AutoHosts.msw.7z), and 346 K (AutoHosts.msw.zip), you can see that in addition to having all of the constituent files and the OpenPGP signatures of the add.Risk and hosts files, you still save a lot of network bandwidth.  If you just look at the date on the hosts.html file or the hdate.txt file you will save even more when nothing has changed.  They change almost every week.  My script pulls down the hdate.txt file first, and if it has not changed nothing is done.  I used to round robin between HostsFile.org and SecureMecca.com.  But the HostsFile.org owner (the domain is not mine but the files are) mentioned he wanted to take it down.  You cannot see the files in the Downloads folder, and there are NO 7-zip files, only zip files, on HostsFile.org.  IIS is what is doing that.  SecureMecca.com is on a modified Unix type system.


Hosts-File.net (hpHosts)

Actually, this is distributed across several hosts.  Because they may fail due to either a DDoS (hosts-file.net had a three day DDoS in the second week of August 2012) or one or more of the servers being down, I made it try one server after another until it gets the zip file.  I am sorry, but the files in the hpHosts folders are in LF format only since they were made to work only on Linux.  Windows users need to use Notepad++, PSPad, or Vim to look at the files to get some sort of idea what you could do with VBS.

hosts-file.net wget files (7-Zip)
hosts-file wget files (zip format)
ckdupe program (Windows)

The ckdupe program will check for duplicates in a hosts file or just spit out all of the host names.  I mentioned that the hosts-file.net author, who is an MVP, has had a DDoS.  He also receives lots of bounced spam where they forge the headers on a PC and have it send out mail pretending to be from hosts-file.net.  A spammer is doing the same thing with securemecca.com.  I call the bounces lemons and have been making the host names (lemons) into lemonade (read: they go into my hosts file).
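What ckdupe does, reimplemented as an added example (this is not the ckdupe program itself, whose source is not on the page): parse a hosts file, list every host name, report duplicates with their line numbers, and write a de-duplicated copy with the line endings of your choice, since the hpHosts files are LF-only. The hosts excerpt embedded below is constructed, not taken from any real list.

```python
from collections import OrderedDict

# Constructed hosts-file excerpt: mixed LF/CRLF endings, comments, a localhost
# line, several names on one line and two duplicates (one differing only in case).
SAMPLE_HOSTS = (
    "# Constructed sample, not a real blocking list\n"
    "127.0.0.1 localhost\r\n"
    "0.0.0.0 ads.example.net\n"
    "0.0.0.0 tracker.example.org   # trailing comment\r\n"
    "0.0.0.0 cdn.example.com stat.example.com\n"
    "0.0.0.0 ADS.example.net\n"
    "0.0.0.0 tracker.example.org\n"
    "\n"
)

# Names that belong in every hosts file and are not "blocked" entries.
LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})


def parse_hosts(text):
    """Yield (line_number, target_ip, hostname) for each name in a hosts file.

    str.splitlines() accepts LF, CRLF and bare CR, so files written on either
    Linux or Windows parse the same way.  Comments start at '#'.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment-only or malformed line
            continue
        ip, names = fields[0], fields[1:]
        for name in names:           # several names may share one line
            yield lineno, ip, name.lower()


def hostnames(text):
    """Every host name in file order, duplicates included (ckdupe's 'spit out' mode)."""
    return [name for _, _, name in parse_hosts(text)]


def find_duplicates(text):
    """{hostname: [line numbers]} for names listed more than once."""
    seen = {}
    for lineno, _, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        seen.setdefault(name, []).append(lineno)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}


def dedupe(text, target="0.0.0.0", crlf=False, header="# de-duplicated"):
    """Return a cleaned hosts file: one name per line, first occurrence kept,
    every blocked name pointed at `target`, local names left on their own IP.
    crlf=True writes CRLF endings for Windows editors such as Notepad."""
    kept = OrderedDict()
    for _, ip, name in parse_hosts(text):
        if name not in kept:
            kept[name] = ip if name in LOCAL_NAMES else target
    eol = "\r\n" if crlf else "\n"
    lines = [header] + [f"{ip} {name}" for name, ip in kept.items()]
    return eol.join(lines) + eol


if __name__ == "__main__":
    print("names:", len(hostnames(SAMPLE_HOSTS)))
    for name, lines in find_duplicates(SAMPLE_HOSTS).items():
        print(f"duplicate {name} on lines {lines}")
    print(dedupe(SAMPLE_HOSTS, crlf=True), end="")
```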


MalwareDomainList hosts file

This is malware specific for Windows.  Since there are so few of them I have most of these hosts in both the Linux and Windows file versions.  They come and go so fast that if you wait much over two weeks they will be out of date.


MVPHosts

This is probably one of the oldest hosts files out there.  I don't know why it is so small, but it is what it is.  It is the only hosts file I usually see in HJT logs all over the Internet.  That could be because it doesn't block enough, or because it is about the only hosts file used.  I have concluded it is the latter.


SomeoneWhoCares.org hosts

An oldie but a goodie.  He does update it.


This is by no means all of them.  I gave you some to choose from just to get you going.  I will say that despite the hosts file at HostsFile.org / SecureMecca.com being much larger than MVPHosts, and blocking more, it also depends heavily on the PAC filter for the bulk of the protection.  A PAC filter, like AdBlockPlus for Firefox and AdBlock for Chrome, has the capacity to wipe out huge swaths of hosts but at the same time can reach in and snip out an offending JavaScript while leaving the rest of the host alone.  Nonetheless, the spammers are pumping up the size of my hosts file considerably at HostsFile.org / SecureMecca.com.  I will write more about spam and my conclusions on the only way to bring it down in the next blog entry.  Good luck using the APK hosts file installer!

Monday, April 5, 2010

Deactivate PAC filter



Deactivating the PAC filter

Somebody wrote to me implying that they were going to have to format their hard disk drive to get rid of the PAC filter.  Don't panic!  A caveat is in order here.  All of these instructions are for Microsoft Windows.  If someone has the PAC filter or other stuff on Linux or Macintosh, contact me personally at this email address: hhhobbit gnat securemecca.com.  I will give instructions for how to remove the PAC filter.  These instructions for deactivating the PAC filter will work for the Internet Explorer, Chrome, and Safari browsers on Microsoft Windows.

1. Click on Start

2. Select Control Panel.  The default is out in the open.  If you have changed the way you view what is hanging off the Start menu to be something other than the default, then it is your responsibility to find the Control Panel.  You can also do some of this from Internet Explorer instead: if you are going that route, select Internet Options and skip to step 4.

3. Double click on the Internet Options. You can now close the Control Panel window.

4. Select the Connections tab at the top.

5. Click on the LAN Settings button

6. Find the section that has the file://C:/etc/proxy_en.txt string or the file://C:/etc/proxy_fr.txt string.  If you have the older version of the filter it may be just file://C:/etc.proxy.txt.  (2012-02-11 Addendum: Due to the Chrome browser bug of reading every file in the folder, the files you should be using are now file://C:/etc/OneFile/proxy_en.txt and file://C:/etc/OneFile/proxy_fr.txt respectively.  It does not matter, because other than the string being different the instructions are the same.)  It should be in the Automatic Configuration section, but it may be different depending on what IE version you are using.  You were warned not to use the PAC filter if the Proxy Server box was checked.  In any case, find the section that has this string and uncheck it so it is no longer using the PAC filter.

Congratulations. You have now just deactivated the PAC filter for everything that uses Microsoft's Internet Settings. It will no longer function in IE, Outlook, Chrome, Safari, RealPlayer, Opera, or anything else that uses Internet Settings.  Okay, now let's handle the Firefox browser.

Firefox PAC Deactivation

Firefox does not use the Internet Settings.  Here are the steps you should take to deactivate the PAC filter in Firefox.

1. Click on Tools on the menu bar (for some it will be Edit).

2. Click on Options (under Edit it is Preferences).

3. Click on Advanced at the top of the Options / Preferences panel.

4. Click on the Settings button.

5. You will see the "Automatic proxy configuration URL:" radio button selected. Select the "No proxy" radio button. On older versions of Firefox it may be called "Direct."

Congratulations again.  The PAC filter has been deactivated in Firefox.  If you are sure you want to remove it all, including the hosts file and the Homer pseudo web server, read on.

But don't panic! Just deactivate the PAC filter and go from there. Remember, once the PAC filter has been turned off in Internet Settings and Firefox it is effectively not even there any more!


Remove Blocking Hosts File

1. Go to this URL in your browser:


Not knowing what your browser is in advance, it is hard to give specific instructions for how to save the file named "OrgHosts.txt" to your Desktop.  I can say that you will have something like "Save Page As ...".  Usually it will be under the File menu.  If you want to fast track it, on save, change the ".txt" extension to ".bat" instead.  That means if you did it right, the file on the Desktop would show up as "OrgHosts.bat" if you have Windows set to show extensions.  It goes without saying that I strongly encourage you to change the default of not showing extensions to showing the extensions of a file as a security enhancement.  There are too many exploits where the people have something like Questionable.jpg.exe, and you may double click on it thinking it is an image file when it is really the install file for a Trojan.

2. If you didn't save the file as "OrgHosts.bat" but "OrgHosts.txt" instead, right click on the file (left click if you reversed the mouse buttons), and change the file name to "OrgHosts.bat" (change the ".txt" to be a ".bat").

3. Double click on the OrgHosts.bat file.  When it finishes you should see the message "DONE".  On the line below it you will probably see the final message "Press enter to exit."  That is part of the pause statement.

4. Tap the enter key.  If you want to study the script file, change the ".bat" extension back to a ".txt" extension and view it in your default ".txt" editor by just double clicking on the file.  If you don't want to study it to learn something, just right click on the file and delete it.

Congratulations.  The blocking hosts file is now gone.  I must say that I finally commented out the host named ad.doubleclick.net in the hosts file, because it is the one host used by the few web sites that are left that demand you not block ad pushers in order to use their web site.  My take on that is that I don't go to them if they insist it be allowed.  I block it for myself.  But blocking ads is number four on my priority list.  The DoubleClick service does much more than just deliver ads.  It also tracks you.

At this point NOTHING is being blocked.  You could stop here if you want to.  If you do not want Homer running look at the next step and if you want it all gone then see the Mopping Up step.


Removing Homer

WARNING!  Do not remove Homer which is a pseudo web server if you have either the blocking hosts file or PAC filter blocking enabled.  Homer is used to answer the redirected requests by replacing images with a 1x1 clear GIF image, and almost everything with a do nothing response.

1. Go to this URL in your browser:


See the instructions for how you download the OrgHosts.bat script file (first in Remove Blocking Hosts File) and do the same thing here.

2. Rename the "NoHomer.txt" file to be named "NoHomer.bat".  See the instructions on how to do that in number two of the Remove Blocking Hosts File.

3. Double click on the NoHomer.bat file.  At the end you should see three long sentences ending in "Press Enter to Exit."

4. Right click on the NoHomer.bat file and select delete.


Mopping Up

At this point you should really have no adverse effects from having had the filters at all.  However, there are some registry entries that are left and some files you may want to delete.  So let's do them so you have reversed everything you can to a reasonable degree.  First let's clean up the registry, even though what is left should cause no adverse effects.  But be sure you do this only after you have deactivated the PAC filter for every user on the computer and removed the blocking hosts file.

1. Go to this URL in your browser:


Save the "AllIEUsersUndo.txt" file just like you did for OrgHosts.txt and NoHomer.txt files with one significant exception. You want to change the extension from ".txt" to ".reg" so that you have a file named "AllIEUsersUndo.reg" on your Desktop.

2. Double click on the AllIEUsersUndo.reg file.  Some of the entries here were what made it possible to use the PAC filter.  Once they are gone even if you try to reactivate the Internet Settings, it will no longer work.  You would have to download the install package and double click on the AllIEUsers.reg file again to be able to turn the PAC filtering back on in Internet Settings and have it do something.

3. If you are the only user on the system that was set up to use the PAC filter in Internet Settings then you are all done with the registry removals.  If other users are also using it you will need to back up and repeat the deactivation of the PAC filter for each of them.  Once that is done you go to this URL in your browser:


You can save the file to their Desktop, or alternatively save it to the All Users Desktop, being careful to rename the "EachIEUserUndo.txt" file to "EachIEUserUndo.reg".  You double click on it for each user just like you did for all of the other files.

At this point you may ask why I didn't do this to deactivate the PAC filter in the Internet Settings in the first place.  There are two reasons.  First, that setting is actually a pair of entries in two separate registry hives.  I can easily delete the one in the HKEY_CURRENT_USER hive, but that does nothing unless you also delete the one in the HKEY_USERS hive, and that one is difficult to impossible for me to delete with a simple script.  The second reason is to make sure it really got done.  It is best to have the human do that to make sure it really got done.

4. You will probably want to delete the files even though they take up no space.  I stored the files in these two folders:

%SystemDrive%\etc\
%SystemDrive%\Homer\

Usually that is:

C:\etc
C:\Homer

I would like to just use deltree, but you have to install deltree before you can use it.  So you will have to delete these manually if you want to get rid of them.  They take up almost no space and, like I said, they are no longer being used.  You have all the time in the world to delete them.  The pressure is officially off.

Happy Trails To You:
I hope you have a happy, safe, filter-less browsing experience and that your machine doesn't get infected.