Andrew Will-Holmberg

Posts by Andrew Will-Holmberg

What’s the deal with DNSChanger Malware?

The FBI will be shutting down the temporary DNS servers that they set up to support Internet users that were compromised with DNSChanger malware. Anyone still using those DNS servers will be unable to resolve host names, which will effectively render them unable to do pretty much anything online until they clean up their infected system.

On November 8th 2011, the FBI, in conjunction with NASA-OIG and Estonian police, arrested several criminals operating under the company name “Rove Digital”. Rove Digital had been distributing DNS-changing viruses (TDSS, Alureon, TidServ and TDL4). They then routed victims through their own DNS servers in order to direct traffic to junk ads. They infected around 4 million users, and made a reported $14 million before getting shut down.

With such a large number of compromised users relying on Rove Digital’s DNS servers for their Net access, the FBI decided to temporarily leave the DNS servers up and running to give people time to clean up their infected systems. Because people have been slow about cleaning up their computers, the FBI extended their original March deadline to Monday, July 9th.

If you would like to verify that your computer is clean, you can go to for a list of safe sites that you can use to check. Should you find that you have a compromised computer, they have good resources available to help you clean up your system.


Passwords. It seems like most people, when asked, will tell you that it’s important to use strong passwords. However, in my work experience, all too often I see people using fairly weak ones. When asked why, the answer I usually get is that it’s too hard to remember long random passwords. I get this. A password doesn’t do you much good if you can’t remember it.

A popular techie web comic, xkcd, made a good one about this:


Undeliverable mail

One of the most common email related support calls I get is someone wondering why they’re receiving “Undeliverable Mail Returned to Sender” notifications when sending out email to a particular email address. These “bounce back” messages will tell you why the email couldn’t be delivered, but oftentimes the language used isn’t immediately understandable by someone who isn’t an IT professional, or “into computer stuff”. I thought I’d go over some of the more common undeliverable errors, and explain what they mean. I made a test email address for this purpose, and then sent several emails to it that were intended to be bounced for various reasons. Here’s the first bounce back message:

This is the mail system at host

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
<>: permission denied. Command output: maildrop: maildir
    over quota.
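As an added example (not part of the original post), here is a small Python script that pulls the recipient and the reason out of a bounce message like the one above and maps it to a plain-English explanation. The sample bounce, the host name and the recipient address are constructed placeholders, and only the “over quota” wording comes from the post; the other two reason patterns are common mailer phrasing added here as an assumption.

```python
import re

# Constructed sample bounce, modelled on the "maildir over quota" message
# above. Host name and recipient are placeholders, not the original ones.
SAMPLE_BOUNCE = """This is the mail system at host mail.example.invalid.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

<recipient@example.invalid>: permission denied. Command output: maildrop: maildir
    over quota.
"""

# Plain-language explanations for reasons commonly seen in bounce text.
# Only "over quota" appears in the post; the others are assumptions.
REASONS = [
    (re.compile(r"over quota", re.I),
     "The recipient's mailbox is full; they need to delete mail before they can receive more."),
    (re.compile(r"user unknown|no such user|does not exist", re.I),
     "The address does not exist on the receiving server; check the spelling."),
    (re.compile(r"blocked|blacklist|spam", re.I),
     "The receiving server refused the message as spam or as coming from a listed source."),
]

# A status line looks like "<address>: reason text"; reason text may
# continue on following indented lines, as in the sample.
STATUS_LINE = re.compile(r"^<([^>]*)>:\s*(.*)$")


def parse_bounce(text):
    """Return a list of (recipient, raw_reason, explanation) tuples."""
    results = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = STATUS_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        recipient, reason = m.group(1), m.group(2)
        j = i + 1
        while j < len(lines) and lines[j].startswith((" ", "\t")):
            reason += " " + lines[j].strip()   # join continuation lines
            j += 1
        explanation = "Unrecognised reason; read the raw text."
        for pattern, msg in REASONS:
            if pattern.search(reason):
                explanation = msg
                break
        results.append((recipient, reason.strip(), explanation))
        i = j
    return results


if __name__ == "__main__":
    for rcpt, reason, why in parse_bounce(SAMPLE_BOUNCE):
        print(f"{rcpt}: {why}")
        print(f"   raw reason: {reason}")
```

The parser keeps the raw reason alongside the explanation, because when a reason does not match any known pattern the raw text is still the most useful thing to forward to whoever runs the receiving server.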


Why was my email flagged as spam?

“Why was my email flagged as spam?” This is a very common question, and while it looks like a simple one on the surface, it’s actually not as easy to answer as you might think. Common misconceptions are:

1) If I’ve sent and received email from my friend for years, it shouldn’t get flagged as spam.

2) If I have their email address in my address book, their email won’t get flagged as spam.

3) If I avoid using certain words, my email won’t get flagged as spam.

None of these things are true. To understand why this is a tricky question to answer, it’s helpful to know a bit about what ISPs are doing to filter spam. Most ISPs have their own “custom blend” of what they do to filter spam, but it more or less boils down to using a combination of one or more of the following: blacklists, greylisting, enforcing RFCs, and more traditional content filters.

Blacklists can be based on all kinds of things. They can be lists of IP addresses that have been reported as sources of spam, lists of mail servers that have been found to be capable of being used as open mail relays, lists of URLs that have been “spamvertised”, or any number of other things. Not all blacklists are the same. Some are very aggressive in what they list, and some are very conservative. The aggressive lists might block a lot of spam, but they are also more likely to have “false positives”, meaning they blocked something that the recipient really did want to receive. The conservative lists, on the other hand, might not have many false positives, but they’re likely to let more spam through.
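The IP-address kind of blacklist is usually queried over DNS: the sender’s IPv4 octets are reversed, the list’s zone is appended, and an answer inside 127.0.0.0/8 means “listed”. The following Python is an added example, not code from the original post or from any real blacklist operator; the zone names and the lookup table standing in for DNS are constructed. It also shows one way to act on the aggressive-versus-conservative trade-off described above: a conservative list is trusted to reject on its own, while an aggressive list only adds to a score.

```python
import ipaddress

# Constructed stand-in for DNS. A real DNSBL answers a listed address with
# an A record in 127.0.0.0/8 and NXDOMAIN (here: None) for an unlisted one.
# The zone names are placeholders, not real blacklists.
FAKE_DNS = {
    "4.3.2.1.conservative.bl.example": "127.0.0.2",
    "4.3.2.1.aggressive.bl.example": "127.0.0.2",
    "8.7.6.5.aggressive.bl.example": "127.0.0.2",
}

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def fake_resolve(name):
    """Return the A record for name, or None when the name does not exist."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip, zone):
    """Build the lookup name: 1.2.3.4 under zone.example -> 4.3.2.1.zone.example."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# How far each list is trusted (assumed policy). A conservative list with
# few false positives may reject outright; an aggressive list only adds
# points, so it needs corroboration from other checks before mail is refused.
POLICY = {
    "conservative.bl.example": ("reject", 0),
    "aggressive.bl.example": ("score", 3),
}


def check_sender_ip(ip, resolve=fake_resolve):
    """Return (action, score, hits): action is 'reject' or 'accept', score is
    the spam points contributed, hits are the zones that listed the IP."""
    score = 0
    hits = []
    for zone, (mode, weight) in POLICY.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only an answer inside 127.0.0.0/8 counts as a listing.
        if answer is None or ipaddress.IPv4Address(answer) not in LISTED_RANGE:
            continue
        hits.append(zone)
        if mode == "reject":
            return "reject", score, hits
        score += weight
    return "accept", score, hits


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, check_sender_ip(ip))
```

To run this against real lists, pass a `resolve` function that wraps `socket.gethostbyname` and returns `None` on `socket.gaierror`; the reversal and policy logic stay the same. Because the lists change minute to minute, a lookup done later may not reproduce the answer the server saw at delivery time, which is part of why “why was this flagged?” is hard to answer after the fact.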

Greylisting is when a receiving mail server issues a temporary error, causing the sending mail server to re-queue the email and send it once more. Being able to re-queue an email is something that any RFC compliant mail server ought to be able to do. Greylisting can drastically reduce spam sent through “spam zombies”: home computers compromised by viruses that send spam out directly from the PC instead of through a mail server capable of re-queuing email.
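Here is the greylisting behaviour just described, written out in Python as an added example (not code from the original post or from any particular mail server). It tracks the usual (client IP, sender, recipient) triplet, answers the first attempt with a 450 temporary error, and accepts a retry once a minimum delay has passed. The simulation at the end contrasts a compliant MTA that re-queues with a zombie that sends once and gives up; the addresses and the five-minute delay are constructed values.

```python
import time


class Greylister:
    """First delivery attempt for an unseen (client IP, sender, recipient)
    triplet gets a temporary 4xx reply; a retry after at least min_delay
    seconds is accepted, and the triplet is then remembered so later mail
    for the same pairing passes immediately."""

    def __init__(self, min_delay=300, clock=time.time):
        self.min_delay = min_delay
        self.clock = clock          # injectable so the demo can fake time
        self.first_seen = {}        # triplet -> time of first attempt
        self.passed = set()         # triplets that completed a proper retry

    def decide(self, client_ip, sender, recipient):
        """Return the SMTP reply the server would give for this attempt."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        if triplet in self.passed:
            return "250 OK"
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now
            return "450 4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            # Retrying too quickly is still deferred; a well-behaved MTA backs off.
            return "450 4.7.1 Greylisted, please try again later"
        self.passed.add(triplet)
        return "250 OK"


def simulate():
    """Constructed scenario: an RFC-compliant MTA that re-queues versus a
    spam zombie that fires once and never retries. Addresses are made up."""
    fake_now = [1_000_000.0]
    g = Greylister(min_delay=300, clock=lambda: fake_now[0])
    mta = ("192.0.2.10", "friend@example.org", "me@example.net")
    zombie = ("198.51.100.7", "offer@example.com", "me@example.net")

    mta_first = g.decide(*mta)        # deferred
    zombie_only = g.decide(*zombie)   # deferred; the zombie never comes back
    fake_now[0] += 60
    mta_too_soon = g.decide(*mta)     # one minute later: still deferred
    fake_now[0] += 900
    mta_retry = g.decide(*mta)        # 16 minutes after first try: accepted
    mta_next_mail = g.decide(*mta)    # same triplet again: accepted at once
    return {
        "mta_first": mta_first,
        "mta_too_soon": mta_too_soon,
        "mta_retry": mta_retry,
        "mta_next_mail": mta_next_mail,
        "zombie_only": zombie_only,
        "zombie_ever_accepted": zombie in g.passed,
    }


if __name__ == "__main__":
    for name, reply in simulate().items():
        print(f"{name:22} {reply}")
```

The cost of this technique is visible in the simulation too: the legitimate sender’s first message is delayed by the retry interval, which is why production greylisters keep the passed-triplet set for weeks and often skip the check for senders that have already proven they retry.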

RFCs are, in a nutshell, the basic minimum standards for anything Internet related. Enforcing RFC compliance for mail can cut down on mail sent out from compromised PCs/servers, and cut down on spam sent out from “sketchy” mail servers.

And lastly, content filters are the more traditional form of analyzing the content of an email to determine the “spamminess” of the email. Each spam filter system has its own “custom blend” of techniques to identify spam. Some of these criteria include: spammy words/spelling (\/1agra), format of an email (lots of CAPITAL/BOLD/etc lettering), lists of “spamvertised” websites, known spammer addresses, etc. Some filters use a feedback system that allows end users to submit examples of spam to train the filter.
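As an added example (not code from the original post or from any real filter), the Python below scores a message on the four criteria just listed: obfuscated spammy words such as “\/1agra”, shouting in capitals, spamvertised domains and known spammer addresses. The word list, domain list, sender list, point values and sample messages are all constructed. Note that nothing in the scoring looks at whether the sender is in the recipient’s address book or has written before, which is why misconceptions 1 and 2 above do not hold.

```python
import re

# Constructed lists; real filters maintain much larger, constantly changing ones.
SPAMVERTISED_DOMAINS = {"cheap-pills.example"}
KNOWN_SPAMMERS = {"deals@bulk-sender.example"}
SPAMMY_WORDS = ("viagra", "cialis", "free money")   # tuple: stable order

# Undo common letter substitutions so "\/1agra" scores like "viagra".
SUBSTITUTIONS = [
    ("\\/", "v"), ("|/", "v"), ("1", "i"), ("!", "i"),
    ("0", "o"), ("$", "s"), ("@", "a"), ("3", "e"),
]
THRESHOLD = 5.0   # assumed cut-off; real systems tune this per site


def normalise(text):
    """Lower-case and de-obfuscate text before word matching."""
    t = text.lower()
    for old, new in SUBSTITUTIONS:
        t = t.replace(old, new)
    return t


def score_message(sender, subject, body):
    """Return (score, reasons) for one message."""
    score = 0.0
    reasons = []
    if sender.lower() in KNOWN_SPAMMERS:
        score += 5
        reasons.append("known spammer address")
    text = normalise(subject + " " + body)
    for word in SPAMMY_WORDS:
        if word in text:
            score += 2
            reasons.append(f"spammy word: {word}")
    for host in re.findall(r"https?://([\w.-]+)", (subject + " " + body).lower()):
        if host in SPAMVERTISED_DOMAINS:
            score += 3
            reasons.append(f"spamvertised domain: {host}")
    letters = [c for c in subject + body if c.isalpha()]
    if len(letters) >= 20:
        caps_ratio = sum(c.isupper() for c in letters) / len(letters)
        if caps_ratio > 0.5:
            score += 2
            reasons.append("mostly capital letters")
    return score, reasons


def is_spam(sender, subject, body):
    return score_message(sender, subject, body)[0] >= THRESHOLD


# Constructed sample messages.
SPAM = ("deals@bulk-sender.example", "AMAZING OFFER",
        r"Buy \/1agra today at http://cheap-pills.example/ before it is gone")
HAM = ("friend@example.org", "Lunch tomorrow?",
       "Want to grab lunch at noon? Same place as last time.")

if __name__ == "__main__":
    for msg in (SPAM, HAM):
        score, reasons = score_message(*msg)
        print(f"{msg[0]}: score={score} spam={score >= THRESHOLD} {reasons}")
```

Even this toy shows why the question in the title is hard: a single message can cross the threshold on several small contributions, and changing any one of the lists afterwards changes the answer, so the exact reason is only knowable from the filter’s log at the moment of delivery.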

Because blacklists and content filters are dynamic in nature, it can be very difficult to determine what it was at that exact moment that caused a particular email to be tagged as spam.
