WoW..when it rains it pours and apparently anyone who was out phishing today, got struck by lighting.  A mere two weeks before the Windows Update site forces Windows XP workstations to upgrade to Serivce Pack 1 and on the same day that they released a significant upgrade to Windows 2003 Server, Microsoft has gone on a rampage.

Microsoft Corp. on Thursday filed 117 civil lawsuits against alleged phishers trying to scam Microsoft customers out of personal information such as credit card numbers.

The lawsuits, filed in U.S. District Court for the Western District of Washington, seek to identify large-scale scam operations and recover damages from so-called phishing operations. Phishers typically send out spam e-mail, made to look like official e-mail from a real e-commerce company, asking recipients to click on a link and update their personal information. The link takes consumers to a Web site that mimics the look of the real e-commerce company, but collects personal information for ID thieves to use.

Exchange D2D.com has a short piece that provides the low down on the Exchange Intellignet Mail Filter while also providing a bit of guidance on how the end user can really take advantage of it's capabilities.

Looks like some additional details of IE 7.0 are finding their way to the huddled masses, lbeit in fits and starts.  And are we ever chomping at the bit.

Take a look at Microsoft Watch for some details on standards, secruity and the GUI. Sorry, no pics yet, just images for your mind to conjure up.

The most interesting things that I've heard so far are the RSS aggregator, tabbed browsing, .PNG graphics support, IDN support (this is a big one in light of emerging phishing attacks) and possible integraton between IE 7 and the MS AntiSpyware Beta, which I've heard is very likely getting the boot as far as enterprise support (Group Policy, enterprise threat reporting, etc…) is concerened.

Hmmm…how malicious could it have been to get him only six months?  Also, does anyone know if this was prosecuted under the CANSPAM legislation?

A Louisiana man has been sent to prison for six months for sending a malicious e-mail to Microsoft MSN TV customers.

The e-mails the convicted man sent out contained an attachment that the mails claimed would re-set their TV's display colours when opened.

Instead, the attachment contained script that re-programmed customers' TV boxes to dial 911 instead of a local phone number to access Microsoft's servers

Microsoft has revealed at a security panel at CeBIT that it is preparing to dump passwords in favour of two-factor authentication in forthcoming versions of Windows.

Detlef Eckert, the senior director in charge of Microsoft's Trustworthy Computing initiative, did not specify which form of two-factor authentication would be used in the next edition of the company's operating system, codenamed Longhorn

Acknowledging that in this day and age single factor authentication, in other words PASSWORDS, just aren't enough to secure corporate IT assets, Microsoft has announced much tighter integration of two factor authentication technologies into future versions of the Windows OS.  While they do exist today, two factor auth is more of an add on to the OS than a core component, as a result, it is inherently not as secure as it could be. 

One well known Online Financial Services provider has already begun to head down this route.  Who might you ask?  E*Trade.

For those of you unfamiliar with two factor authentication schemes, they can be summarized as authentication with two pieces of information.  Typically these pieces of information amount to SOMETHING YOU KNOW and SOMETHING YOU HAVE.  There are many examples.  In the case of RSA SecureID the "something you know" is a PIN number and the "something you have" is a key fob with a code that changes every sixty seconds based on an algorithm that the authentication server knows based on the serial number of the fob and the time.  If you lose the device, the PIN is useless and if you lose or forget the PIN, the device is useless.

Other approaches use RFID tags such that if the tag is in proximity to a sensor and the proper PIN is entered, the machine will unlock and when the sensor leaves the area, the machine will lock. Another well known approach to two factor authentication uses biometrics (a thumb/finger print, retina scan, etc…) and a PIN code.  Again, if you lose the bio feature…well, you've got bigger problems then not accessing your computer systems unless of your name is Jack Bauer.

Two factors.  Very secure.

Not that this is the be all end all of spam fighting…WOW…that's a huge understatement, but I think you'll find that periodically updating your Outlook 2000/2003 Junk Mail filters will yield some results.  I would encourage you to download the March 8th update here and install it today.  Think of the Junk Mail filter as one more layer in your defense in depth spam fighting strategy.

For those of you not familiar with the Junk Mail features of Outlook, check out a quick intro here.

This came across the wire the other day and I was surprised that it didn't get picked up sooner.  I even overlooked it in my RSS feed, but it is certainly worth mentioning.  It looks like Microsoft, as promised, is going to reenter the subscription based service arena with their Outlook Live offering.

Known as Microsoft Office Outlook Live, the service includes a subscription version of Outlook 2003 to connect with Hotmail or MSN e-mail accounts. For $59 a year, customers get an e-mail account with 2GB of storage and the ability to send individual messages with up to 20MB of attachments. Customers can also check multiple e-mail accounts, including corporate accounts that are managed through an Exchange server

It appears that the service, among other features, will offer anti-spam and anti-virus tools seemingly at no additional cost.

Reuters UK has a story this morning which indicates that over one third of Internet traffic is now acounted for by legal…and illegal uses of BitTorrent. What the article doesn't discuss is what the other 65% is being used for.  My money is on spam.

Cloudmark, rebranding it's anti-spam soltion SpamNet to SafetyBar, adds anti-phishing to the list of protections afforded to its users…by its users. For those of you not familiar with Cloudmark, I suggest reading an overview we did a few months ago on their flagship product and its model for stopping spam.

As you can probably tell, I've always been a big fan of this product because no one knows spam better then the people who block it every day…YOU and I…and Cloudmark leverages our collective intelligence to defeat spam with a success rate that exceeds 99%.

The big news here is that users SafetyBar users are protected phishing attacks when they are identified by Cloudmark's million-plus member community of spam-fighting users. At the same time, legitimate marketing e-mails from participating institutions, such as banks and other financial institutions, are scanned, "fingerprinted", and their presence made known to the installed base of SafetyBar clients.

AOL announced today that they will joing the Messaging Anti-Abuse Working Group. Before I go off on a rant and say something I'll wish I said SOONER, lets just hope this new working group can succeed where so many other have failed.

"America Online is committed to improving our customers' messaging experience," Carl Hutzler, director of antispam operations at AOL, said in a statement. "To do so, we must cooperate to find common solutions for eliminating spam and other unwanted communications and security threats."

Ed Foster over at InfoWorld takes a few shots a Da Balmer over his contention that Windows has a better TCO story then Linux. You go Ed!

What interests me most about this particular white paper is that it contains some benchmark results comparing performance of Windows Server 2003 and the .Net development framework versus IBM Websphere running on Red Hat Enterprise Linux. Which brings me to that one little fact I wanted to add. The license agreement for Windows Server 2003 states:

"Benchmark Testing. The 32-bit version of the Software contains the Microsoft .NET Framework. Disclosure of the results of any benchmark test of the .NET Framework component of the Software to any third party without Microsoft's prior written approval is prohibited."

In other words, Microsoft says competitors need their permission to publish results of a study like the one Microsoft commissioned. If IBM, Red Hat, or some other open source advocate wanted to counter Microsoft's claims with a study of their own, Microsoft's license would deny them the right to publish their own set of benchmark results.

Brian Keller rants on a subject near and dear to us all, tele-spam. Poor Brian must have gotten on some mailing list or something because I'm on that DNC Registry and frankly, I never get bothered much these days. That said, I believe that political ads are exempt from the DNCR, but for one reason or another, I haven't really been bothered this election year.

Virtually every phone call I get at home nowadays is a 30-second political ad. I've lost track of how many I've received but I think it's approaching double digits. I for one can't wait until the election is over if for nothing else to stop the barrage of these SPAM-calls. Are there really people out there who are swayed to vote a particular way based on these calls? If so, it's a sad testament to our voting community… I'm even on the Do Not Call registry but I guess it doesn't apply if you have a political message. What's the number for the "Do Not Call Even If You Have a Political Message" registry?

Just came across a post on Mike Creasys MSDN blog point out a counter on AOL's corporate web site which displays, among other things, the number of SPAM messages that they've blocked "today". Not sure if that means the last 24 hours or if it means since 12:00:00am, but either way, as of this post, they've blocked over 439 million spam messages.

That's a lot of SPAM.

The big four ISP's/EMail providers are taking on spam again. This time AOL, Yahoo, Earthlink and Microsoft are going after various proliferators of spam and, for what I believe is the first time attacking SPIM as well.

In the new round of lawsuits, AOL is suing numerous defendants and seeks damages as well as court orders forcing the alleged spam senders to give up their profits and cease their activities. One suit targets spam sent via instant messaging, also known as SPIM, the first such lawsuit, according to AOL.

AOL and EarthLink are aiming at spammers hawking controlled substances, including Vicodin and other prescription drugs. EarthLink's lawsuit also charges numerous unnamed defendants with sending spam advertising mortgages and loans.

Microsoft is charging one named and two unnamed defendants with sending millions of e-mails advertising herbal growth supplements, mortgage services and get-rich-quick schemes. The defendants allegedly spoofed, or faked, the origin of their e-mail messages to show it came from Microsoft, AOL, EarthLink or Yahoo accounts.

Yahoo filed suit against East Coast Exotics Entertainment Group Inc. and Epoth LLC, charging the companies with disguising their identity and sending sexually-explicit messages that were designed to circumvent spam filters.

According to a experts from McAfee, PGP and others speaking at a conference in France, Enterprise IT Security, despite a market inundated with desktop, e-mail and other network security tools, is at an all time low.  They all sight lack of integration amongst security products as the number one reason why these products aren't doing a better job of protecting those who implement them.

Enterprises are more exposed than a year ago.The hackers have won!" said Eli Barkat, managing director of venture capital firm BRM Capital, who has been involved in investing in security firms.

While this may sound a bit alarmist coming from a VC, the reality is that there is a way to go, both in the perception and in the reality, before enterprise networks, and home networks for that matter, are truly secure.