MailMarshal
Cloud based MailMarshal

In the last few days many people have asked us about MailMarshal As A Service (MaaS). This is our attempt to answer those questions.
VBMania
A number of customers have sent us copies of an email McAfee sent out alerting to a spam they call VBMania.
“McAfee has received confirmation that some customers have received large volumes of s
Evolution of the species

Way back in the olden days of January 1999 WebSecure teamed up with a small New Zealand software firm called Designer Technologies to launch a new type of product into the Australian market. It would check and filter your email and was called MailMarshal. The tech heads amongst us might get a good laugh out of the fact the ruleset was just an INI file.
Back then people weren’t being facetious when they said “yeah, but what’s it for?”, they honestly couldn’t figure out why anyone would filter their own email. Some people were even sure they’d be buying into this email fad anyway. By the end of 2001 MailMarshal, and products like it, had become a fact of life for Corporate Australia.
What changed everything was the computer virus.
What we didn’t know in 1999 was that the Happy99 and Melissa viruses weren’t just one-off aberrations. They were, rather, the writing on the wall. In May 2000 the ILOVEYOU worm exploded on the internet like Mr Creosote in a tissue factory. By the end of 2001 we’d seen Anna Kournikova, Sircam, Code Red, Nimda and Klez. This brief eighteen month period rocketed companies like Norton and McAfee to the revenue moon and erased any doubt as to whether companies needed products like MailMarshal. Into 2004 we saw such things as MyDoom, Netsky, Witty, Sasser, Vundo and BiFrost.
All ancient history now buried in just a few Wikipedia pages. Memories to be laughed at after one too many beers.
But they are memories and it’s interesting how things have changed. Viruses listed as ‘notable’ for 2008 were Mocmex, Torpig and Conficker. I hardly remember a customer who had real problems with either Mocmex or Torpig; only Conficker stands out in the memory. 2009 gets even more obscure, with something called the Daprosy worm – I’ve never heard of it.
Where did all the viruses go?
As a half answer I read this article today in the New Scientist where Dell warns that some of its server motherboards might have been delivered to customers with a hardware trojan installed on them. And this isn’t an isolated instance. As examples, IBM gave away USB keys at Auscert with viruses on them and Google’s Android App store has had a problem with malware apps being posted on a semi-regular basis. These are well equipped large companies who you’d think would know better.
What’s changed here is that customers don’t often ring WebSecure anymore asking how to stop an avalanche of viruses through their email pipe. They tell me stories of home users sending them in via the VPN; of USB sticks being plugged in at work and at home with all sorts of rubbish on them. They tell me their virus scanner picked up a virus on a video camera when they plugged it in.
So the little sods haven’t gone away, they’ve just moved.
It’s on the notebook wandering around the planet with your CEO. It’s on the computer your son’s friend brought over for a games night last Saturday. It’s on the USB giveaways at trade shows, the camera memory cards people are using and it’s being downloaded for free through the App store.
Like a real virus that we stomped on with antibiotics, it’s back.
It’s evolved.
And it’s quietly building up a host of back doors into your network.
I don’t know what happens next. But if there is a second coming of the virus I know it won’t be quite as easy to stomp on a second time and it will be bloody annoying.
MailMarshal 6.8.3.9471 Released
Now is a good time to upgrade to 6.8, with the patched version released on June 3rd.
The previous database upgrade issue is put to bed and it seems a good stable version. If you check out the release notes from 6.7 to 6.8 you’ll find a large bug fix listing.
If you’re running 6.4 and 6.5 - you know who you are - then this is the version for you.
64-bit MailMarshal

With MailMarshal v6.8 came 64-bit Operating System support.
One caution, however, if you are planning an upgrade program: not ALL the add-ons are 64-bit as yet.
Many customers use the Norman AV plug-in, but the current version being used is the 32-bit version. Norman do have a 64-bit scanner, and it has been out for a long time, but the DLL integration from the MailMarshal side is not complete. It is being worked on right now but we don’t have a ship date.
Please take this into consideration in your planning.
Carlton
Sophos for Marshal
It seems this scanner is still causing us some problems with “not enough memory” errors in some circumstances. This has been an ongoing issue for years now, but I thought it had been mostly dealt with.
If you use this scanner, listen up.
This error usually occurs when the scanner does updates whilst processing is live and continuing. Systems that have high load have always seen more problems than lightly used ones.
If you are running the Sophos scanner for either MailMarshal or WebMarshal it is HIGHLY recommended that you don’t use the client SAVI component but rather install the Marshal version, Sophos for Marshal, which uses MSSAVI.DLL. This DLL is coded by Marshal especially to deal with this behavior. Even if you use the normal Sophos client, you can patch that with the Marshal DLL.
You can download this through the download page at the link above.
Although the Marshal version can, in limited circumstances, generate not enough memory errors, the vast bulk of the problem is fixed by using the Marshal coded plug-in. If you upgrade to v6.8 this will be fixed as part of the upgrade.
Remember - there are no perfect virus scanners and the scanner that never has problems does not exist in the real world.
Carlton
Norman in Marshal

Firstly, don’t use Norman End Point Security Suite off the main download page of the Norman site. Go through our download page and get the correct scanner version; the End Point suite can cause you a world of pain on a Marshal box. These instructions are only good for a 32-bit host operating system. By that I mean you can be on a 64-bit VM box, but the Marshal client you’re installing the Norman on has to be 32-bit.
Install the scanner and reboot if it asks. Once you see an “N” logo in the bottom right hand of your task bar, right click on it and select Configuration Editor.
Make your settings the same as the ones in this picture by deselecting On Access Scanner and Internet Protection. Once this is done the scanner can be added to MailMarshal (or WebMarshal) and anti virus rules enabled.
If you ever need to reinstall Norman do it in this order:
1. Find the folder Norman / nvc / bin and run the uninstaller in that folder, “delnvc5.exe”. This is better than Add/Remove Programs.
2. Reboot.
3. Delete the remaining Norman folder. You can only delete this after the reboot or the folder will claim to be in use.
4. Run your installer again; remember you’ll need your install key. Without it you won’t be able to do an Internet Update.
5. Reboot (sometimes).
6. Run an Internet Update by right clicking the “N” and selecting it from the list. Without a pattern file the virus scanner can’t initialize properly.
7. Configure as per the picture above.
Carlton
Executable Attachments

For those who are unaware, we’ve been watching a growing wave of phishing-style executables coming through email. Almost all are obscured in some way and do not come as an obvious EXE attachment. They’re either zip files, url files or the like.
Examples include:
A contract prepared for you…
A DHL parcel delivery docket…
A Facebook password reset…
An account application form…
A permit form of some sort…
We therefore suggest you are very careful with anything that executes at the moment. Virus scanners are catching some, but the attachments morph so quickly that the scanners are also missing the first waves. So don’t ignore them!
Carlton
EDIT 7th May – Now they’re claiming to be iTunes voucher receipts, just click here…
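A filtering check for the kind of obscured attachment described above, written as an added Python example (it is not MailMarshal's own logic or part of the original post). The extension lists, size and depth limits and the sample file names are assumptions chosen for illustration.

```python
import io
import zipfile

# Assumed policy lists for this example; tune them to your own rule set.
RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk", "url"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "jpg", "txt"}
MAX_MEMBER = 20 * 1024 * 1024   # do not unpack members larger than this
MAX_DEPTH = 3                   # how many levels of nested archives to open

def inspect_attachment(name, data, depth=0):
    """Return (path, reason) findings for an attachment and any zip members."""
    findings = []
    parts = name.rsplit("/", 1)[-1].lower().rstrip(". ").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        decoy = len(parts) > 2 and parts[-2] in DECOY_EXT
        findings.append((name, f".{ext} file" + (" behind a decoy extension" if decoy else "")))
    elif data[:2] == b"MZ":
        findings.append((name, "Windows executable header under a harmless name"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deeply to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                findings.append((path, "encrypted member, cannot be scanned"))
            elif info.file_size > MAX_MEMBER:
                findings.append((path, "member too large to unpack safely"))
            else:
                findings += inspect_attachment(path, zf.read(info), depth + 1)
    return findings

def build_sample():
    """Constructed, harmless archive: the 'executables' are a 2-byte header plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_docket.pdf.exe", b"MZ" + b"\0" * 64)
        zf.writestr("Password reset.url", b"[InternetShortcut]\nURL=http://example.invalid/\n")
        zf.writestr("permit_form.jpg", b"MZ" + b"\0" * 64)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()

if __name__ == "__main__":
    for path, reason in inspect_attachment("contract.zip", build_sample()):
        print(f"{path}: {reason}")
```

Because the check looks at names and headers rather than signatures, it still flags a first-wave sample that the virus scanner has no pattern for yet.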
MailMarshal v6.8 Released

Windows Server 2008 R2 and Windows 7 are supported by this version. Not a huge number of features here, but over 50 bug fixes - and that’s just the ones listed in the release notes.
They have dumped SQL 2000 support in this version - be warned.
This is only a service pack style upgrade for v6.4.5 or better. If your version is older - call us first.
We’ll post the upgrade package some time today, but without the SQL.
Enjoy
Carlton
SPF Checking

Traditionally, we’ve used SPF as a MailMarshal receiver rule set to log only. The anti social urge to blow off senders who don’t have SPF records has, so far, stayed well controlled.
Recently though, numbers of customers have been either playing with blocking and/or putting up records. And it’s caused us a few minor problems. Sadly, half the issues have been crap SPF records. Sorry for yelling.
Graeme Slogrove, at M86 Security, posted this useful link to test your SPF records are correct:
http://www.kitterman.com/spf/validate.html
Use it before you go live.
Carlton
P.S. I know the picture doesn’t have anything to do with it, but it made me smile.
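An offline pre-flight check for the record mistakes mentioned above, as an added Python example (not part of the original post and not the logic of the linked validator). It lints the TXT strings you intend to publish against common RFC 7208 errors; the sample records use documentation addresses and domains, and it counts only the lookups in the top-level record, not those inside included records.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z][\w.-]*)(?:([:=/])(.*))?")

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty = clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    if len(spf) > 1:
        return ["more than one v=spf1 record (receivers return permerror)"]
    problems, lookups, terminal = [], 0, False
    terms = spf[0].split()[1:]
    for i, term in enumerate(terms):
        m = TERM_RE.fullmatch(term)
        if not m:
            problems.append(f"unparseable term '{term}'")
            continue
        qual, name, sep, arg = m.groups()
        name = name.lower()
        if sep == "=":                      # modifier such as redirect= or exp=
            terminal |= name == "redirect"
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism '{term}'")
            continue
        lookups += name in LOOKUP_TERMS
        if name in {"ip4", "ip6", "include", "exists"} and not arg:
            problems.append(f"'{name}' needs an argument, e.g. {name}:value")
        elif name in {"ip4", "ip6"}:
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"bad address in '{term}'")
        if name == "all":
            terminal = True
            if i != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
            if qual in {"", "+"}:
                problems.append("'+all' authorises every sender on the internet")
    if not terminal:
        problems.append("no 'all' or redirect=, unlisted senders get neutral")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10 (permerror)")
    return problems

# Constructed sample records using documentation-only addresses and domains.
GOOD = ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.net -all"]
BAD = ["v=spf1 ip4 192.0.2.1 +all mx"]
```

Calling `lint_spf(BAD)` reports the space typed in place of the colon after `ip4`, the permissive `+all`, and the `mx` that sits after it and is never reached.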
