Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobile and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"

Ratio of broadband vs dial-up

[Recovering Hater]

Once you consider how many americans are supposedly still on dial-up it stands to reason that some portion of the zombie bot-nets will be hosted on corporate americas computers instead of in the home.

Companies can restrict outbound port 25 connects.

[khasim]

Yeah, home users aren't the whole problem.

But why aren't these companies correctly firewalled? Why do they allow machines other than their email servers to make outbound port 25 connections?

Why aren't their logs monitored? Wouldn't this be easy to spot?

Even with the resources of the biggest companies, their people cannot keep their machines clean or even stop them from sending spam. Who knows what else. A spam zombie can just as easily log network traffic, passwords and anything else on their wires.

Re:Companies can restrict outbound port 25 connect

[Sparr0]

Why would you NOT allow outbound port 25? Thats a ridiculous restriction. The office I work at has plenty of people who *GASP* check their personal email from work. When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server. As it should be.

They have usernames/passwords, right?

[khasim]

Port 25 is usually for server to server SMTP transmissions.

If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin setup).

That is why companies should block outgoing port 25 connections from everything except there own mail servers.

Re:

[Anonymous Coward]

Many email clients still default to port 25 for outbound traffic. I'd rather not have port 587 become standard as it will encourage ISPs to block it as well. Having my own mail server is a hassle sometimes, but there are a few people like me who want to connect to their own mail server. This also goes for university campuses, and public wifi spots. Obviously encrypted communication is important in these scenarios and I do run webmail and ssh for backups. I understand the reaction to automatically block

your use case

[Gary W. Longsine]

You don't need outbound access on port 25. Use a non-standard port for your mail server like the rest of the cool kids.

Re:

[aztracker1]

First off.. port 587 etc traffic *CAN* be limited to only authenticated sessions, no end-delivery... also, mail servers shouldn't allow anonymous relay in any case... the only server you as a user should be connecting to outbound should be ones you authenticate to, and the 587 port is meant for this...

If the above restrictions are in place (no end-point delivery on 587, then the virii won't use it.

Re:

[jettawu]

Until it becomes mainstream to do so at which point the viruses you mention would be rewritten to steal the authentication info from clients that save that information (as the mass majority of people do which is what the viruses target) and then use that port 587. It is a good stop-gap solution for a specific network, but IMHO, it's not a great solution for everyone altogether because the virus writers would just rewrite their viruses. I think it's common that people try to solve the symptom (disinfect th

Re:

[8-bitDesigner]

Believe it or not, all those wonderful little smart phones with WindowsCE on them have Pocket Outlook which is incapable of connecting on port 587 for outgoing connections.

Now, this might not be the case with CE 5.0 and onwards, but the versions I've worked with have just baffled me with that one.

Re:

[bl8n8r]

That's all fine and well but when it's the mail (exchange) server that is compromised the egress filtering is pointless.

Re:

[bendodge]

My cable ISP requires all port 25 mail to go through their own SMTP server. It's a pretty effective spambot solution (and it's fast sending, since the server is close). But of course, GMail doesn't user port 25 (I love Google's trendbucking).

Re:

[LilGuy]

I know it's a pain to have an abuse department that has to answer to complainers all across the net when one of your customers is infected with some spam virus, but forcing all port 25 traffic through your own smtp server(s) is pretty sketchy. I'd be willing to bet your cable isp's backbone is on the AT&T network...

Re:

[bendodge]

Em, it appears to be time-warner from the traceroute.

Re:

[Curien]

Well boo hoo for them. If I set network policy, I wouldn't allow people to download foreign e-mail. If the user's just getting e-mail froma POP connection, you lose the ability to check it for viruses, spam, phishing schemes, etc. Basically, you might as well let people plug laptops right into the enterprise LAN (you're NOT doing that, right?). If they want to receive e-mail at work, they should have it sent to their work address (perhaps via auto-forwarding).

Scan every e-mail at the SMTP server. Scan every

That's inbound. I'm talking outbound.

[khasim]

You are correct. All of those paths could lead to a workstation on your network being compromised. And you have great suggestions on how to protect them.

But I wasn't originally talking about inbound connections. Blocking the outbound connections would cut off the spam coming from your network.

How those machines got infected in the first place is a whole other series of discussions. And one that we really should have sometime. Preferably involving Linux and Free software at the critical points (allowing for Windows workstations).

Re:

[hedwards]

When I was in college a couple of years ago, we had a couple of computer labs. The one I am going to talk about was a mac based lab completely consisting of old world macs. What they did to limit the amount of damage that a root kit could do and make it harder for large amounts of malware to get on there was this:

In addition to the normal security setup each computer had an additional program on it. The function of the program was to reset the contents of the computer to that of a default image every single

Re:

[bangenge]

That's a good idea except it will only work for computers that do not need to save some sort of state, those such as school labs and the like (where user data is primarily saved in the servers). Enterprise computers are not in that category. For example, setting up email accounts (outlook, thunderbird, etc) would be quite a pain in that regard, unless you use web based email (TWIG, Squirrel, OWA) which will easily eat up storage in no time. User preferences (wallpapers, screensavers, themes, recent docs) wi

Re:

[Curien]

Roaming profiles, FTW.

Re:

[pe1chl]

Maybe you should read up a bit on "roaming profiles", which are usually used in an enterprise environment with a Windows domain.
Those store your user settings on the server and make them available on any client where you log in. So you don't have to setup your email account or wallpaper every time you use another computer, or re-install it.

Re:

[mpe]

That's a good idea except it will only work for computers that do not need to save some sort of state, those such as school labs and the like (where user data is primarily saved in the servers). Enterprise computers are not in that category. For example, setting up email accounts (outlook, thunderbird, etc) would be quite a pain in that regard, unless you use web based email (TWIG, Squirrel, OWA) which will easily eat up storage in no time. User preferences (wallpapers, screensavers, themes, recent docs) wi

Re:

[asninn]

That'll work fine until the CEO demands to know why he can't check his mail anymore or why there suddenly is "a little bit of latency" that wasn't there before. Don't overestimate your power to "set network policy" in the face of upper management.

Re:

[Curien]

The latency wouldn't be when you check e-mail, it would be when e-mail is /delivered/. This is already a high-latency process, so adding a little more is negligible. Plus, users tend not to notice latency at that stage.

Re:

[StarvingSE]

I admit I am not an expert on the subject of web-based e-mail, but checking your yahoo, gmail, comcast webmail, whatever is done through the web, which uses port 80, which most likely won't be blocked by your employer. Port 25 should be restricted to a company owned e-mail server.

If your employer is allowing you to check your home e-mail through a client (outlook, thunderbird) then that is asking for trouble.

Re:Companies can restrict outbound port 25 connect

[db32]

I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay be it part of the firewall or a sun box or something other than allowing the win/exchange boxes from talking directly to the net.

You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, myspace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/myspace/im friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breeches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.

Re:Companies can restrict outbound port 25 connect

[paeanblack]

You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.

As you seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.

You have to be cruel to be kind

[TapeCutter]

"No morale = no security."

Yes, but one of them came first. A company that has LAN problems does not get much done and if it happens regularly you will find your users wandering off on "LAN breaks", managers will attempt to charge the IT dept for down time, ect, frustration levels rise, experienced sysadmins are like rats on a sinking ship, and morale suffers.

Like it or not the GP is correct, IT policy is a matter of coporate "self preservation". LAN policy must be enforced from the top down with the s

Re:

[db32]

IT narrowmindedness? Sure, whatever, I am so sick of users justifying the most insane bullshit on the network and then crying about the IT department being enforcing such harsh restrictions. Go buy your own internet access and expose your home network to whatever you want, not mine. Then on top of this its the IT departments fault when the secretary has installed 18 random mouse cursors and other malware crap and her computer runs like shit. While doing contract work I almost watched a woman get fired o

Network security is primarily a people business.

[McDutchie]

I mostly am the IT department at a 30 employee company, so I have some experience with these issues from a somewhat different (non-Fortune 1000) perspective.

First, you are confounding personal use of the network (e.g. personal email) with major security risks like people installing their own software. If people are even able to install their own software on the computers under your management, I have no idea why you still have a job -- restricted-rights user accounts exist for a reason. From a security per

Re:Network security is primarily a people business

[db32]

Personal mail IS just as much of a security risk as installing software. Let the users do non risky things, thats fine. But personal outside email is a huge damned risk, noone wants to believe it is, and I have actually bust people on this on networks that you can get sent to jail for screwing up. I'm not saying be draconian and horrible to users and not let them do anything, but personal mail is one of those things they had better not be doing. Its just too large of a vector for badness to come in. Do

Re:

[644bd346996]

Somebody smart enough to install an email server on a company workstation, but dumb enough to think that it is okay, is dangerous to the company and should be fired.

Re:

[db32]

Should be quartered and their parts left in the corners of the building as a reminder for everyone else who thinks they should do something like that. Unfortunately the "civilized" world doesn't like that much.

Re:

[jvkjvk]

Exactly. My first thought was - Jeez, He's part of the problem!

Don't check "personal" email, don't surf Slashdot, do nothing except work and do what you're told. Easiest way to have people to come in with a slave mentality. Do just enough to avoid getting beaten down but certainly not enough to actually make a difference.

I wonder how he reconciles his use of company resources to post to Slashdot with his attitude toward lusers. Oh, right, he's probably posting from home... and some lusers are mo

Re:

[db32]

Because I assume you don't understand the problem. Reading webpages at work is generally safe to do providing you have a good proxy and filtering to weed out the darker corners. I frequently read the news and slashdot and other sites during downtime at work. I don't visit popup ridden exploit havens like myspace or do webmail allowing a whole vector of nastiness in and the good proxy filtering stops the others from doing the same. The first thing I do with keys to the kingdom is break them up so noone h

Re:

[Hoi Polloi]

This is the IT environment I work in and I've managed to survive. As long as your internet use is reasonable and you are getting your work done and on time they leave you be.

Re:

[zrq]

.. checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this" ..

I can understand why you would say that. However, what about external visitors to your site ?

A large part of my job involves visiting other university departments and conferences, email (and Jabber IM) contact with my home department is vital for being able to respond to questions and problems raised by the people that I meet. Which is why I'm there in the first place.

Re:

[db32]

Well allowing SSH out is kinda sketchy. I wouldn't allow SSH out except for specific approved machines/reasons. Primarily because you can tunnel all forms of nasty in and out of the network with it and nothing can peek in on the data to see what is going on.

VPN maybe if the host network is setup to allow it, but I think probably the best solution (in terms of reliability at least) is to get bluetooth in on the action. Get a cellphone, pay the extra $10/month or whatever it is for unlimited net usage, a

Re:

[zrq]

As far as you being the owner of the network and allowing guest access to others visiting I think the first thing to do would be to corral the visiting machines off in their own VLAN and have it be treated as an external network by all your stuff. Sure they may be able to use your pipe to the world (again, push em through your firewall/proxy), but at least your stuff will treat them like the potentially dirty foreigners they are

Yep, that protects your internal systems from attack by nasty things on visit

Re:

[kalirion]

You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

Easier said than done. When you consider that even the formidable Los Angeles CTU security defenses were breached by a simple remote-execution browser exploit planted on a web-page, what chances do normal businesses have?

Re:

[danpsmith]

There is plenty of websurfing around that doesn't involve grotesque breeches of security to keep people entertained while they are being productive.

Exactly, for instance, browsing slashdot from your employer. =P

Brought to you by WorldWide Pants ...

[beer_maker]

... grotesque breeches of security ...

breaches == holes or breaks in a wall (of security, perhaps)

breeches == trousers worn by Ben Franklin, or the back ends of a number of modern cannon

I must admit, however, there IS a strange and awesome majesty to your original phrase ...

Re:

[sabernet]

I sincerely hope you were being sarcastic. Lotus? What is this: 1995?

Say what you want about MS(personally, I don't much like em' and Vista is the most horrid thing to happen to the OS world since ME), but Exchange works and works well. And yes, most companies use it. Maybe a couple of holdouts or diehards use Lotus. But Exchange is definitely the dominant platform and is the great majority of MS's piggy bank.

Your statement would be like saying, "Most computer users I know run BeOS".

Re:

[spacefight]

If you leave Port 25 open as a company, you're basically asking for trouble....

Re:

[DrSkwid]

How to make yourself look totally ignorant about the internet in one easy post.

Re:

[v1]

port 25 is not used to check mail, it's used to send mail. port 110 (POP3) is used to receive email and there is little or no reason for a firewall to block it. Port 25 is what the spammers are interested in because that's SMTP for sending mail.

Both companies I work for get their internet service from a provider that blocks port 25 at the head end. If you want to send mail, you must send using their SMTP server, it is the only IP address exempt from port 25 traffic. If a spambot is dim enough to try to

Re:

[Sparr0]

port 25 is not used to check mail, it's used to send mail. port 110 (POP3) is used to receive email and there is little or no reason for a firewall to block it. Port 25 is what the spammers are interested in because that's SMTP for sending mail.
Maybe you missed the part where I said this:
"When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server."

Now this is minorly annoying as if I read an email on my home account when at work, and I hit reply, I have to ch

Re:

[v1]

Changing your SMTP server like that is exactly what you SHOULDNT do in terms of proper spam solutions. SPF (usually) says you have to send your bob@isp.com emails through smtp.isp.com, not smtp.workplace.com. If workplace.com is blocking outbound port 25, shame on them.

So you have a better, simple idea, that has a prayer of being implemented by anyone? Their policy of not allowing outside SMTPs completely solves the problem of open relays, and that's a powerful feature. It forces all outgoing mail to go t

Re:

[rbanffy]

Believe it or not, blocking ports is a solution most would prefer to dropping their favorite (and the only one they ever knew) OS in favor of something that is not an excellent petri-dish for just about every digital disease known to man and machines.

Re:Companies can restrict outbound port 25 connect

[afidel]

Yep, that's what I came here to say. Outbound port 25 blocking is a standard for any firewall config I do. It helped me out the one time a mail server I admin got incorrectly added to a RBL, I simply told them that my outbound 25 was restricted to the one host and asked them to run a scan on it, once it came back as not being an open relay them removed me immediately. I have never had someone give me a legitimate business reason for not restricting it, and I really can't imagine one. Contractors and consult

Re:Companies can restrict outbound port 25 connect

[aztracker1]

Many viruses that send out spam use the MAPI interface (Outlook & Outlook Express) to use the mail settings on the local machine... So blocking the port doesn't help nearly so much... though why they don't have outbound mail flagged if a user sends more than say 10 emails an hour on average is beyond me...

Re:

[siriuskase]

Security, as is much of IT, is a cost center. It's hard to get authorization for hiring enough employees and equipment to do a proper job and continue to do a proper job unless you have an expensive embarrassing incident. And then, to save face, cover ass (what's the difference), management brings in an expensive outside security consultant to do a little magic and save the day. The underequipped, understaffed fulltimers will be lucky to keep their jobs.

Re:

[Anonymous Coward]

If you're not going to RTFA, you could at least read the summary...

Re:Never attribute to malice...

[TopSpin]

Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?

You're probably right; spammers are among the most aggressive attackers and most of the F1000 have large distributed networks where a (hopefully) small number of systems are going to be vulnerable at any moment. On the other hand, these companies can and do pay for high quality and high capacity pipes. They are also far less suspect as a source of spam, and the ISPs will certainly be reluctant ($$) to take unilateral action to deal with suspect traffic (as some do with their residential customers.)

For all of these reasons F1000 hosts are many times more effective as spam zombies than your average asymmetric DSL host, so I have no problem with people exposing carelessness or neglect among these companies. They have the resources and talent to prevent this sort of abuse. If they're not, a little bad press might help. Earlier today we all learned that some 40+ million credit/debit card accounts got downloaded from commercial IT systems. I wouldn't be surprised to learn that those same companies have a long history of unwittingly contributing bandwidth to spammers.

Re:

[gmuslera]

Im not worried about spam sent by those machines. If you assume that all those machines are not sending spam because their usual user send it on pourpose, then means that all those fortune 1000 companies have maybe a lot of people with sensible information/passwords/access regarding their internal network, with compromised PCs (that have keyloggers, bots picking orders from their master, etc).

Having botnets composed by home users with their hobby pcs is bad enough, now when that botnet have a good numbers o

Re:

[MooUK]

Sending email by porpoise sounds like a fun idea...

Not suprising to me

[rhartness]

Yes, I didn't read the article but I wonder if this is from in-network computers for these major companies or if it included the computers that traveling business men and women tote around. It's been my experience that the laptop users often have more freedom on their mobile computers to download and install any junk they can find. This means that they are more likely to be targets of bots that will setup this type of crap. Also, a couple of the companies that were mentioned were more tech based. I woul

Defense in depth.

[khasim]

Those are the biggest companies that should be able to afford the best security measures.

You know what? With a couple of old boxes and Linux you could setup a smaller company so that this would never happen.

Use Linux as your firewall and restrict any outbound SMTP connections to your email server.

Use Linux and Snort to monitor crap on your network.

Use Linux as your DHCP/DNS server and lock down the IP addresses by the MAC addresses. Yes, this is labour intensive. But it will allow you to keep all your regul

Re:

[csk_1975]

What I don't understand is why you would have outbound filtering at all for any desktop machines. Having any routes from any desktop to anywhere near the Internet is asking for trouble. Default route them to a dead end occupied by a snort box. Proxy all valid Internet traffic via servers specifically setup for this purpose. Allow those servers to have routes to the Internet or better yet to secondary proxies located in your DMZ and filter inbound and outbound connections from those servers. Have an internal

Re:Not suprising to me

[Bonker]

Also, frequent laptop-toting business travelers (almost universally salesmen) also have more limited access to their local IT techs.

For example, I've worked fairly frequently with a poor lady who was a salesman for a remote market. She lived there rather than near my office. Her email account got suspended at least once a week due to the fact that her laptop had syphilis, gonorrhea, warts, crabs, and just about every virus and worm known to man.

Phone walk-throughs just didn't help with this lady and the local ISP (mandated by accounting) blocked any ports that could be used to remotely administer her machine. Finally we had her fed-ex it to us for cleanup, wipe, and reinstall of a fairly-well locked down windows system with our (accountant selected) workstation antivirus app.

This cycle continued four or five times. Her Antivirus app somehow got disabled and her machine became Typhoid Mary. She shipped the Laptop back and we tried to lock it down as securely as possible.

Ultimately, we discovered that an internet cafe she frequented was infected with a particularly nasty spam-bot worm that our particular antivirus app didn't catch (An AnnaK variant, IIRC). We used this as evidence to override the accountant's selected cheapo antivirus with something that worked a little better.

Re:

[flyingfsck]

Yup - I worked at a small company where the viruses always originated from the CEO's laptop.

Re:

[aliensporebomb]

This is exactly what it is in many cases. Where I work as a Sysadmin we have
independent contractors who come and go and utilize our network. The problem
is frequently the children of these users who use the parents work machines to
do homework, surf game sites or even the adults who use it to surf gambling
and adult entertainment sites. It is their equipment but we allow it on our
network. We lock some things down, but it is still the persons personal
property. An unusual situation I admit.

maybe

[mastershake_phd]

Well laws havent stopped spammers or botnets yet, maybe big companies suing them for millions (or billions) in damages will, couldn't hurt.

ExxonMobile

[biocute]

finding stock spam being pumped from ExxonMobile

This is no spam, this is an actual stock push you insensitive clod!

Re:

[edwardpickman]

So you mean all the emails saying Global Warming is a Commie plot by gay Democrats aren't spam they are simply informative emails from ExxonMobile?

Big surprise

[cdrguru]

Could it be that most users can't seem to understand that surfing to porn sites leads to malware being installed? How about clicking on random attachments leads to compromised computers?

Perhaps computers meant to be used as email appliances should really be email appliances rather than general purpose programmable (and repurposeable) computers.

The alternative to this is to figure out a way to make sure that it is impossible for users to ever install anything on their computer that will compromise it. Soun

Re:

[Detritus]

Why not just shoot all the users. We can't have the employees ruining our perfect computer network with work and stuff.

Re:

[Lord Flipper]

We can't have the employees ruining our perfect computer network with work and stuff.

Ha ha ha, where are the mods on this one?

It sounds just like the engineers' attitude towards the 'musicians' in the music biz; Musicians were these psychos who kept screwing around with the 'source' signal. :=)

Re:Big surprise

[Frogbert]

This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

Food for thought.

Re:

[glwtta]

In my experience, they are fairly forthcoming in reporting malware infestations (usually "computer runs slow" is what they come to me with), and then lying through their teeth about what they've been doing to get there.

Actually, here's the complementary thought

[Moraelin]

This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

Food for thought.

Actually, here's another thought for you: how many got pwned by other means, but are affraid that some "lusers are idiots" type will blame it on porn? I've only skimmed through the thread and I already see two blanket generalizations to the effect that, respectively, (A) infections come from porn surfing, and (B) the user is lying through his teeth if he's saying otherwise.

The fact is, there are so many ways to get pwned today, it's not even funny. Email attachments, trojan programs packed as some cutesy screen server or utility you can download, phishing-like schemes where you're sent to a page chock-full of IE exploits, warez sites (tend to be worse than porn as infection risk goes), spyware serving ads with exploits in them, or rarely a genuine site or ad provider getting pwned and helping spread exploits (don't assume that _only_ spam zombies can possibly ever get installed when security is breached), etc.

Yes, you can say that they should have known better, but it's still not porn. And it sometimes comes with the endorsement, real or faked by a trojan who took over a friend's address book, of someone they know. E.g., every company has a wiseguy or two setting up some jokes mailing list and forwarding there anything he receives, indiscriminately, including links to other sites. And by indiscriminately, I mean here one even managed to forward a couple of business emails to that list.

Then there are malicious insider jobs. There are cases of sheer idiocy on the part of some techie or programmer or PHB. (You can occasionally read advice even on /. to the effect of leaving a backdoor to some client's machine so you can remotely debug it, for example. Or insecure stuff left in programs just on the assumption that noone will know it's there.) Etc.

Re:Actually, here's the complementary thought

[lukas84]

The problem is, that the whole story is two sided.

It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (i mostly work for our customers, and do our internal IT as a side job).

People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.

IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.

The consequences are that Users and IT People don't trust each other. And this is bad, very bad.

IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and i think it helps with both morale and problem resolution.

We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are a better than properly securing this (e.G. buying 802.1x switches and segmenting clients into VLANs according to their identification).

Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that i can sit around and read dilbert all day long".

No objections

[Moraelin]

No objections there. In fact, I wish I could mod you up, but then I've posted in this thread already. Very refreshing to see a sane attitude, in any case.

Re:

[lukas84]

It depends. I work in a Small Business, and for Small Businesses. With a maximum of 50 people in a company, you know everyone. Things might be different in a big company, when you're no longer "Joe Smith from the IT Dept." but instead "Employee #0815".

I never had issues with file sharing programs.

I did have a bandwidth hogging issue though, with Zattoo [zattoo.com] (a legal P2P TV application). During major sport events, our internet broke down. I sent an email that zattoo shouldn't be used by multiple people at once, a

Re:

[flyingfsck]

I can click on anything using any of my computers and I don't get infected with crapware. This is how it should be. You cannot blame the users for the idiotic security flaws of rotten computer systems.

Make them pay!

[Tijaska]

If corporates host boxes that pump out spam, sue them! Their firewalls shouldn't allow emails to flow out of their networks except from one of their approved mail gateways, which should require user authentication before accepting mail, and which should apply reasonable limits like 300 emails sent per source IP address per day, except for the corporate's own spam machine (a.k.a. marketing). Corporates should be held accountable for choosing cheesy software that allows viruses to take over their boxes, and

Re:

[Net_fiend]

Seems to me if they had SPF and turned off relaying non of this should have happened. But again that assumes all the mail is going thru their system and not some temp tiny mail server that was dropped in by a trojan/worm etc. Those (I believe) create their own server which in essence would bypass any sort of mail server they have setup. But still it is going thru a router somewhere...so they should have packet shaping setup or some other routing protocol that slows that particular connection if its utili

Re:

[Achromatic1978]

I'm sorry, who the fuck died and made you arbiter of what was a "reasonable limit" of email that I should be allowed to send?

Re:

[flyingfsck]

Yup - with a helluvalot of effort, even Windoze can be made secure. Here is the manual:
http://www.microsoft.com/downloads/details.aspx?Fa milyID=d39d0028-7093-495c-80da-2b5b29a54bd8&Displa yLang=en [microsoft.com]

If you do it right once, then ghost it, you can make as many secure PCs as you need.

Admins who don't secure corporate PCs are just lazy, stupid or both...

Little problem..

[cheros]

Admins who don't secure corporate PCs are just lazy, stupid or both...

You're assuming two things here which aren't always true in corporate life:

1. Admins have control over all the machines on their network. That's a good theory, but even in the story above you'll find the problem to be unauthorised connections. In well managed setups that won't happen often, but it only takes one idiot to make a mess. Worse, sometimes you have an embedded system that is overlooked. Photocopiers, phone

I guess

[iminplaya]

As long as it wasn't the computer controlling the inanimate carbon rod, we should all be okay, right?

These same guys INVENTED spam..

[burnitdown]

In the old days, they used to mail it to you. Yeah, on paper. And then you had to throw it out, and 800 billion tons of it are rotting in a landfill somewhere. The Fortune 1000 contains some of the people least concerned about the environment, or your spam-free virgin mailbox.

Reminds me of when I first started my current job,

[BurningFeetMan]

The PC hadn't been turned on in about 6 months. Apparently the dude who I was replacing was into Russian brides and err, certain types of ethnic pr0n, and had got the sack for various dodgy reasons 6 months prior to my instalment. Anywho, in the 6 months that this computer was un-manned, my company installed Norton across all other PC's.

My 2nd day was interesting, when I first turned on the computer. EVERYONE who had the Norton running detected all sorts of network worms and virusiis's (:P) the second I'd booted into Win XP. I thought,
"Oh crap, here we go. Time to clean up this mess..."
and began a search for *.jpg. Kapow, tonnes of hairy pr0n, selected all and shift deleted.

Next, it was time to install the company antivirus software, which was Norton. The next couple of days were spent trying to free my infected system of all sorts of goodies. I started by enabling the Norton Mail Monitor, and oh my, how funny!

"Scanning out going mail, Scanning out go-Scanning out going mai-Scaning out g-Scan"

The WHOLE screen filled up with Norton "scanning out going mail" boxes, like, 100's of them. This was my first job outside of the IT industry, and a big WELCOME TO THE REAL WORLD for me. So yes, what's the point of my story? Well, Russian brides are hairy. OH, and not all companies have IT departments, let alone competent IT staff who can source and cease zombie machines from operating.

Re:Reminds me of when I first started my current j

[David Off]

Why didn't anyone pick up his PC was spewing viri etc when he was still using it? I don't understand why they didn't just ghost his machine like most companies do? After all there can't have been much worth saving if the m/c hadn't been turned on in weeks. I also think this "surfing dodgy sites" == "malware" is a bit overplayed. First of all a good proxy could block a lot of this stuff, such as executing certain types of Javascript and secondly unless someone is installing stuff by clicking on pop-ups or wh

Re:

[powerlord]

Well ... the GP did mention that they in the previous 6 weeks they had installed anti-virus software company wide, so perhaps they knew they had a problem, but couldn't track it down since his computer was off (and they might not have had an on-site tech support department, according to his email).

I bet most companies under 30 employees don't have a dedicated IT person, just someone who's job got made to include IT (if even that).

9 times out of 10, they either get consultants to cover the stuff they can't

Re:Reminds me of when I first started my current j

[jimicus]

Wouldn't it have been quicker (not to mention more secure) just to rebuild the box?

At least that way there's no niggling question lurking in the back of your mind "Have we got everything? Or is there still some random trojan on there?"

Re:

[BurningFeetMan]

Of course it would have, but second day on the job, I didn't know what was what... not to mention literally "no" IT deptarment insite. It turned out that that computer in particular stored about 6 years worth of very very VERY important data, so lucky I didn't format the thing, etc. >_
There are still thousands of companies out there in manufacturing and mining industries that have been doing what they've been doing for the past 50-100 years. For such workplaces, a lot of them wing it when it comes to I

(contractor at one of its power generator plants)

[colfer]

D'oh!

Good bye erection dysfunction

[RealityNews]

The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks.

So I will finally be able to get viagra from reliable Internet sources? God bless you, capitalism!

Corrupt [corrupt.org]

Re:

[zionian117]

Sure, why not? Not just viagra................... isn't someone going to stop all this?

Maybe it's time

[dreamchaser]

Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

Re:

[enharmonix]

Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

That would be awful. When somebody gets shot with a stolen gun, you don't go after the person the gun was stolen from; you go after the person who actually did the shooting. Same thing - you need to go after the people causing the infections.

The infection rate in my company's machines is about 1/3rd the national average, but it's still as many as 50 infections a year. How much was that fine? Because I don't know that we could afford it. And of the infections I handle, most of them are by kiddiez r

Re:

[radtea]

Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine.

Sure, because look at how well putative penalties for other crimes have worked at reducing the crime rate.

For example North Dakota has one of the lowest homicide rates in the U.S., and no death penalty, ever. Texas has amongst the highest homicide rates, and the death penalty not only exists, it is fairly routinely applied.

Anyone who was se

Re:

[tweek]

I'm not judging the concept of punative penalties but let me make a point if I might:

North Dakota:
Population Ranked 48th
- Total (2000) 642,200
- Density 9.30/sq mi
3.592/km (47th)

Texas:
Population Ranked 2nd
- Total (2000) 20,851,820
- Density 79.6/sq mi
30.75/km (28th)

You've got 32x the population and almost 9x the population density. Now math is not my strong point but I'm guessing Texas has more stupid assholes per square mile that North Dakota every wi

Re:

[WeeBit]

Maybe it's time for individuals and corporations to be held libel for what their computers spew.

It wont work, they will deny, act ignorant, or blame it on Technology for not making it more secure.

Is the corporation centralized?

[br00tus]

It is easy for me to see this for a number of reasons.

1 - Is the entire corporation's IT department centralized? HP is a F1000 company - is HP and Compaq's computer networks fully merged? Or for Citigroup, is the old Citicorp network fully merged with the Travelers network? Or were Travelers Salomon Brothers and Smith Barney networks merged before that? And so forth. Wal-Mart's corporate network is probably standardized, but a lot of companies are the resut of many mergers over the years. Or some companies are just of a type where different divisions are very different so there is no or not much centralized corporate IT.

2 - Does the corporation have a global network? Global multi-national corporations have computers all over the world, and it can be hard to have a standard network in New York, Tokyo and London (etc.) New York and Tokyo may be solid, but London may be open to problems etc.

Re:

[Vulva R. Thompson, P]

Interesting point. I used a unique email address for years with VMWare without a single piece of spam. After EMC bought them a few years ago, within a couple months it was getting hit with 2-3 pieces a day. Never gave it much thought beyond filtering it.

Which brings up the point, pure speculation but it would seem that valid lists are becoming more valuable. The public's general awareness to not leave their address lying around has probably hurt the scrapers to some degree. Along with the rise of sneak

When I grow up

[Coraon]

Can I be hacker for a fortunie 500 company? Thank of the glamor (none) the babes (less then none) the sexy parties (ok mabye a few of those if your room mate is cool)

Interesting....

[aliensporebomb]

It's an interesting topic because with todays work environment potentially being
in many different locations (I'm literally in a different office every day of the
work week) and people being allowed to have their own equipment on the network
with only Symantec corporate edition between them and the network it's a strange
experiment. The vast majority of infections I see coming onto our network is
from people surfing....unsavory sites....from home in their off hours.

But I wonder if this particular revelation wil

Mod title -1 Troll

[rubmytummy]

or something. TFAs are about security failures at large companies, not (as the title implies) companies voluntarily originating malicious e-mail.