Email Constipation | TechSNAP 46

Email Constipation | TechSNAP 46

We answer the question: What to do when your email server gets blocked, and why it keeps happening.

PLUS: GSM phones are vulnerable to a simple tracking attack, all you need is some open source software and some spare hardware, we’ll share the details! And we introduce the TechSNAP “Hall of Shame”.

All that more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before February 29, 2012 to secure your own .co domain name for the same price as a .com.

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
Deluxe Hosting for the Price of Economy (12+ mo plans)
Code:  hostfeb8
Dates: Feb 1-29

   

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

 

Subscribe via RSS and iTunes:

Show Notes:

GSM Networks allow attacks to determine your location without your knowledge

  • Researchers at the University of Minnesota have found a way that an attacker using open source software could locate your cell phone to within 1 square kilometer
  • The GSM Protocol attempts to mask the identity of individual devices by using temporary IDs, however it is possible to map the phone number to these temporary IDs
  • The attack works by placing repeated PSTN phone calls to the mobile number, but disconnecting before the first ring on the handset (~4 seconds)
  • This causes the cell towers in the area where the networks believe the user to be to broadcast ‘paging’ requests to the target handset’s temporarily or immutable ID
  • By listening in on the radio frequency for this broadcast, the attacker can determine if the target is in range of one of the cell towers near them. A few repeated calls allow the attacker to isolate which temporary ID corresponds to the mobile device they are placing the aborted calls to
  • In a large area services by many towers, an attacker can determine if the target is within approximately 100 square kilometers
  • This attack could be used by oppressive governments to determine if a person is present at a protest or other gathering without relying on support from the telco, to determine is a victim is away from home before attempting a robbery, or even to locate a high profile individual for stalking or assassination
  • Research Paper

Feedback:

Q: (Traci) My webhost has been added to an RBL and now emails sent from my domain and from my website cannot be received by some people, can you explain what an RBL is and why it is blocking my email. (Dreamhost servers blocked by Trend Micro RBL )[http://www.dreamhoststatus.com/2012/02/14/mailservers-on-trend-micro-rbl-working-on-removal-from-list/]

A: An RBL or Real Time Blacklist is a list of IP addresses or domain names that the maintainer of the list feels should be blocked from sending emails. There are many different RBLs which different criteria from inclusion and removal from their lists. Most RBLs operate based on DNS due to its light weight and extremely low latency.

So, when an ISP, say, comcast, receives new email directed to one of its customers, it will check details of that email against a number of RBLs they comcast subscribes to. It checks the sending IP, any links included in the email, etc. If one or more of these RBLs returns a positive result, the email may be flagged as spam, or rejected entirely.

Different RBLs cover different problems, Spamhaus.org has lists that cover spam, Trojaned PCs and Open Proxies, Dynamic IP ranges, Spam Domains (sites that spam links to), and compromised servers. Spamcop.net bases its RBL on emails they intercept at honeypot addresses, and sampling the emails that users pay $30/year to have their email filtered via spamcop.net.

One of the most common ways for a webhost to get added to an RBL is when one or most customers run insecure CGI or PHP scripts that send email. When that happens, and attacker can cause your site to send email, or install a script that sends email. Sending large amounts of spam from the web host’s servers will cause it to be listed in the RBLs until the webhost resolves the issue. Many RBLs are automated, where they will add an IP when it is detected as a source of spam, and remove it once it has stopped sending spam for 24 hours. The other common cause of listing in an RBL is hosting sites that are the target of the spam messages (rather than the source). When a web application such as wordpress is compromised, the attacker may be able to install their own site in a subdirectory, using your hosting to host the link that send out in their spam messages. The target of the spam could be a page directing the user to buy something, a phishing site designed to look like paypal or a bank, or even malware, hosting the executable or javascript that the unsuspecting user will run. This last example is similar to the exploit we saw with cryptome last week, if other websites on the internet were infected and made to load a javascript file from a domain hosted at your host, then anti-virus vendors such as Trend Micro may add your webhost to their block list.

In the past, there have been a number of legal battles against RBLs where senders have tried to prosecute the RBL for blocking their communications, however, in the end, it is up the individuals ISPs to decide which RBLs to use and how to interpret the results returned by the RBL.

Email Blacklist Check – See if your server is blacklisted


War Story:

Another in our continuing series of War Stories submitted by the other other Alan (Irish_Darkshadow)

*
This incident took place in mid-April 1999 about two months into my technical support career with the US Thinkpad desk. Despite my rocky start I had managed to establish a reputation for myself as an agent who liked to tackle the more difficult calls. In addition, I had also managed to avoid having a single customer “escalate” on me. That is where a user demands a superior or someone who knows more about their issue to take over the call. That all changed with a single call.

I arrived to work that day for my 16:30 to 01:30 shift and settled in to take my first call. It was a relatively easy one where the user had picked up their laptop from a servicer and was having boot problems. It turned out to be a simple case of the servicer having left a driver disk in the floppy drive. Top to bottom the call took about 13 minutes including typing up the documention for it in our ticketing system. I sat in Avail on my phone for the next few minutes before my next call arrived.

Once I managed to get the initial greeting script out I was slammed with a guy screaming down the line about wanting to speak to a manager. I was resigned at this point to losing my “no escalation” record but I still needed to follow procedure and determine what grievance had the user so irate before putting a team lead or manager on the line with him. It took me a few mins to calm him down enough and to vent sufficiently for me to start gathering some information. It turned out that he had returned his laptop to IBM on three separate occasions in the first nine weeks he had owned it for various compatibility issues with 3rd party devices he had purchased. I could see his point of view perfectly in wanting an escalation and I placed him on hold to go look for someone in authority to help the guy out.

My team leader (TL) at the time was easily located and once I had explained the situation he decided to delegate the matter to his assistant team leader (ATL). I took her to my desk where she started speaking with the user and I strolled back to my TL to get some ribbing for my first customer escalation. Normally when a TL or ATL takes over a call it results in the user being placated in some manner or else the customer gets transferred to Customer Relations to be dealt with appropriately. Either way, once an agent handed off a call like that they simply waited for a resolution before taking the next call. No such luck this time. The ATL walked up to where I was standing and started to explain the situation to the TL and how the user had returned the machine three times with no faults found but he still could not get his 3rd party devices to work. Nothing too new there but then she dropped the bombshell that she had promised the user that I would troubleshoot the hardware issues for him immediately! This was unheard of, the customer had four devices that I had no familiarity with and this ATL had just thrown me under the frickin’ bus. I looked at the TL for some sanity to be brought to the situation but he had to acknowledge that the ATL had committed a course of action to the customer and I was going to have to pay for her generosity. Back to my desk I went whilst cursing the ATL, her lineage and any future offspring…..but in a harmless way :-D

Once I was back on the call with the user I started to gather some details on exactly what I was dealing with. The user had a Thinkpad 560 which is termed a “single spindle” machine in that it only had a hard drive within the chassis and no floppy or optical devices. The external floppy drive was attachable via an IBM proprietary connector and the machine was a Pentium 120 with 32mb RAM, a 2.1 Gb HDD and an IrDA 1.0 header.

Now that I had some idea of the core hardware I ventured into the realm of 3rd party peripherals that the user was struggling with. He had a backpack cdrom (parallel port optical drive), a PCMCIA modem, a PCMCIA network card and a HP printer that he wanted to connect to via Infrared. I knew I was screwed at that point but figured I couldn’t really make the problem worse since none of the hardware operational anyway.

I began working with the backpack cdrom which was attached to the printer port. Windows 95 v2.1 was not detecting any new hardware once the drive was switched on. I tried the usual places like device manager for clues but all I could determine was that the parallel port appeared to be operational. I put the cdrom to the side and started working on the two PCMCIA cards. Despite the user having the proprietary CardMagic software installed that acted as a crutch to Windows 95 plug & play (*pray) neither card was detected and a pattern was beginning to emerge. The IR printer suffered from the same lack of detection and so I asked the user if he had any other device that we could attach to the laptop just to see if Windows was detecting anything at all. He connected up the external floppy drive and instantly it was detected and accessible in Windows Explorer. SHIT!!! My instincts were telling me that the OS was corrupted in some way and a reload was imminent and I hated having to do that to any user.

I sent an IM to the Team Leader to let him know that I was going to have to do a reload and he told me to stay on the call with the customer until the reload was complete and then resume working on the 3rd party hardware. As I was preparing the user for the reload I had a sudden realisation of how bad the situation really was. A single spindle machine comes with a specific reload solution where a user starts up Windows for the first time and they get prompted to insert floppy disks onto which the reload disk images will be “burned”. At first the customer didn’t recall any such prompt and I began to get a sinking feeling that I would need to have this laptop shipped to IBM for the 4th time just for a reload and then once it was returned to him, I would need to pick up with troubleshooting the 3rd party hardware. The user had a Eureka moment and told me that he believed that he had a shoe box with the floppy disks that had been in his office closet since the day he made them. He managed to locate the shoe box and the 37 floppy disks inside. 26 of those were the base OS and 11 were for the application layer.

I reckoned that the reload was going to take about two hours to complete which presented me with another challenge due to the team leader telling me to stay on the phone through to completion. One of the rules was that there should not be any dead silences during a tech support call so I was going to have to find a way to get this guy talking for the two hours in between me asking him about what was on the screen and how many disks he had left to go through. This was gonna be fun!

For the two hours of the reload, as the customer went through his 37 disks, I managed to lure him into topics like his job and prior computer experience and pretty much anything else I could come up with to keep things flowing. I was trying to hit on a topic that would allow for lots of conversation with minimal input from my side. It turned out that he was a Judge in NYC who handled criminal cases. The only common ground there is that I could explain to him that I loved My Cousin Vinny which I figured would not go down very well. Eventually he mentioned that his son was at soccer practice and he needed to arrange someone else to pick him up while we reloaded the laptop. That was my angle, I started talking to the guy about every possible soccer item that came to mind and the rest of the reload flew by without incident. I got him to go into the BIOS and I set up the the parallel port and PCMCIA slots before dealing with Windows.

Once the operating system was back on there and up and running I got him to attach the backpack cdrom and I heard the detection sound over the phone. That meant I had at least found one issue and corrected it. Device manager showed the cdrom with an exclamation mark and it looked to me like this thing needed to be installed from a DOS perspective before it would work in Windows. He had a driver disk for the cdrom which I was able to get running in DOS mode so that it added the driver to the config.sys file and called it from the autoexec.bat file. A quick reboot later and the cdrom was usable from within Windows 95. Problem #2 solved. Time for the PCMCIA fun and games.

I decided to go with setting up the modem first as it would be easiest to test. Upon insertion the card was instantly detected and I was able to talk him through configuring it in the CardMagic application. He hooked it up to his fax line and was able to connect to his ISP at a staggering, no, blistering 28.8kbps! Either way, problem #3 solved.

The network card was up next and once more upon insertion it was detected and was able to find a driver on the backpack cdrom drive. There was no network near the user that I could test with but I was able to talk him through some ping tests and winipcfg.exe tests that implied the TCP/IP stack was operational and the bindings to the card were good. So we agreed to call that problem #4 solved. I felt that I was in the home stretch now and when I looked at the clock I realised that the call was coming up on three and a half hours already. Now it was time to get the printer operational.

The printer was able to print a self test page from the buttons on it and so it appeared to be working from a hardware perspective. I got the user to test it using the parallel port by removing the backpack cdrom and that was also successful. The problem came when trying to get the IR link to the printer to work. No matter what configuration I tried I just could not get a connection between the IrDA header on the laptop and that on the HP printer. The customer refused to believe that it was the printer and was adamant that the IrDA header on the Thinkpad was at fault. I was completely stuck for a way to prove otherwise. At some point during that desperation to come up with a troubleshooting idea after nearly four hours of work I hit upon an idea that made sense…at least to me. I asked the user to confirm what COM port the IrDA was configured as and then I had him connect to that COM port via the Hyperterminal application. My next request was a weird one, I asked him to get a remote from a TV or a VCR for me. He rummaged around for a while and then found one for some small TV he had in his office that was barely used. I asked him to point it at the IrDA header on the laptop and keep pressing random buttons on it while watching the hyperterminal window. He said that gibberish symbols came up in the window whenever he pressed a button on the remote. EUREKA! I had solved problem #5 by proving that the issue was with the IR port on the printer and not the one on the laptop. He agreed with my conclusion and he asked me if I would set up the printer on the parallel port so that he could just hook up a cable if he needed to. As we were going through the steps of hooking up the backpack to install the driver he told me that he got a blue and then a black screen. The text said “registry not found”. Apparently he had decided to pull out the PCMCIA cards while the LPT printer driver was installing and it had thrashed Windows.

My first attempt at a solution was a reboot into safe mode but that failed with the same error and I was only able to get the system to reboot into DOS mode. From there I backed up the existing registry files and restored the user.da0 and system.dao clean registry files. When he booted back into Windows, we were back where things started….no hardware was detected once attached. EPIC USER FAIL!!!
With just over four hours on the timer, the whole procedure had to be done all over again. I asked the user if I could put him on hold and he agreed. Firstly I dealt with my bladder and then I went to the TL and told him what was happening and the sadistic bastard told me to go back with the user and see it through to completion. Fucker.

I got back onto the call and we started going through the whole process all over again from the ground up with one caveat – don’t do anything with the computer unless I authorised it. During the two hour reload portion of the call I got him to give me his AOL email address and I sent him a copy of a tool from the Microsoft site called E.R.U. (emergency recovery utility). This time around once we had managed to get all of the hardware and software to where it needed to be and we had done enough tests to convince us both that everything was operational. At that point I ran the ERU application and made him store that recovery set in his shoe box of floppy disks. We exchanged pleasanties and parted ways. I checked the timer and 8 hrs 38 minutes had passed.

On an average day I would deal with twenty to twenty five calls in a single shift. On this day I managed a grand total of two calls with 1 pee break and no food as I hadn’t taken any of my breaks. However, I was able to leave the office two hours earlier than expected. That didn’t really help with my complete burnout after that long of a call but at least I had a new record for the longest tech support call in the history of the call center and that record still stands today as far as I know.

Try to get a 8hr plus support call in a current day call center. Aside from the focus on 7 minutes per call I doubt you will find the will and dedication to send a customer away satisfied with the experience.

And I never even got a medal but if I ever get into nefarious matters in NYC, I will be calling in a favour from a certain Judge I know there.


Round Up:

Question? Comments? Contact us here!