
rackAID Blog

November 20, 2008

Office Closed: November 27th - 28th for Thanksgiving

Our offices will be closed November 27th-28th for the Thanksgiving holiday. Emergency support will not be impacted. Case-based support requests confirmed after noon Nov. 26th will not be processed until the following week. Clients with managed servers or management plans should not be impacted.

November 13, 2008

POP Before SMTP and IP Forwarding

Recently we migrated some servers to a new IP address. About a day after the migration, a client complained that their email was delayed. When we investigated, we found 10,000s of emails jamming up the queue.

The immediate suspects were an open relay, a compromised user password or a web application exploit. After ruling these out, we found the problem, which was obvious in hindsight.

When we migrated the server, we used iptables to forward IPs during DNS propagation. This meant clients would see minimal impact during the migration. Emails would go through, web sites would resolve and people could pop their mail.

When looking at the email queue, we saw that all emails came from the forwarding server. This was rather odd. We had actually tried to relay mail through the forwarding server but it failed.

As it turns out, the problem was with POP before SMTP. Due to the forwarding, the server was seeing the forwarding server's IP, not the client's IP. As a result, each time a user checked mail through the forwarder, the forwarding server's IP would be whitelisted to send email for 10 minutes. Given the large number of email users on the system, I suspect it was open a large portion of the time.

A spam bot found the IP, considered it an open relay and started flooding in the messages.

The lesson -- when using IP forwarding, always consider any services that may cache the referring IP. We've seen this once before with DoS-prevention tools and bandwidth throttling systems. We had never considered the impact on POP before SMTP.

Of course, this is one reason why SMTP AUTH is preferred.
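The failure described above, as an added example that is not code from the original post or from any mail server: a toy model of a POP-before-SMTP relay table, showing how a forwarder that hides the client address turns the 10-minute window into a shared relay grant, and how refusing to whitelist the forwarder's address closes it. All IP addresses are constructed documentation addresses, and the class and function names are hypothetical.

```python
import ipaddress

WINDOW = 600  # seconds; the 10-minute relay window described in the post


class PopBeforeSmtp:
    """Toy relay table: a POP login grants relay rights to the source IP."""

    def __init__(self, never_whitelist=()):
        self.allowed = {}  # source IP -> expiry time (seconds)
        self.never = [ipaddress.ip_network(n) for n in never_whitelist]

    def pop_login(self, src_ip, now):
        """Record a successful POP login as the mail server sees it."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.never):
            return False  # forwarder/NAT address: never grant relay rights
        self.allowed[src_ip] = now + WINDOW
        return True

    def may_relay(self, src_ip, now):
        """True while the source IP holds an unexpired relay grant."""
        return self.allowed.get(src_ip, 0) > now


def seen_source(client_ip, via_forwarder, forwarder_ip):
    """Address the mail server sees; forwarding hides the real client."""
    return forwarder_ip if via_forwarder else client_ip


def simulate(never_whitelist=()):
    forwarder = "192.0.2.10"   # constructed: old IP doing the forwarding
    user = "198.51.100.7"      # constructed: legitimate mail user
    stranger = "203.0.113.50"  # constructed: host that never logged in
    table = PopBeforeSmtp(never_whitelist)
    # The user checks mail through the old IP at t=0.
    table.pop_login(seen_source(user, True, forwarder), now=0)
    # An unrelated host reaches SMTP through the old IP, then directly.
    src = seen_source(stranger, True, forwarder)
    return {
        "stranger_via_forwarder_t60": table.may_relay(src, 60),
        "stranger_via_forwarder_t700": table.may_relay(src, 700),
        "stranger_direct_t60": table.may_relay(stranger, 60),
    }


if __name__ == "__main__":
    print("no guard:  ", simulate())
    print("with guard:", simulate(["192.0.2.10/32"]))
```

With the guard in place, users who still reach the server through the forwarder can no longer relay by POP login alone, which is the case SMTP AUTH covers.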

Turning the Tide Against the Spammers

In recent news, there have been several reports of authorities finally shutting down some spam operations.

In September, Atrivo's upstream providers finally pulled the plug. The ISP had long been suspected of providing safe haven for spammers and for botnet and malware operators. Atrivo was linked to a large botnet that powered the Storm Worm. The masters that controlled the botnet were apparently hosted by Atrivo. Once Atrivo was shut down, the botnet began to die off.

In October, a confidant of Alan Ralsky, a well-known spam operator, agreed to testify against the persistent spammer, who has long been a member of Spamhaus' ROKSO list. Earlier this year, Ralsky was indicted for a "wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing." Judy Devenow, one of Ralsky's crew, pleaded guilty to conspiracy and aiding fraud in a US Federal court. Devenow said she was paid US$150,000 to send e-mail and manage others from January 2004 through September 2005. According to Spamhaus, Devenow faces 33 months to 41 months in prison, but could get less time due to her co-operation with the feds.

This week, McColo was yanked offline as upstream providers severed their ties. According to the Washington Post, the firm was responsible for as much as 75% of email being blasted. As seen in the graph, Spamcop saw a huge drop in the number of reports sent after McColo was pulled offline. Brian Krebs has posted an interesting follow-up on the McColo story that includes a mind map of how involved the ISP was in nefarious internet activities.

Many of these successes have come through the work of security and network professionals. By analyzing traffic patterns, they can begin to reconstruct the sources of these bad players. While I've not seen any decrease yet in our own spam processing, I hope that these efforts will begin to have an impact.


September 24, 2008

rackAID Joins Red Hat Ready Partner Program

rackAID, a leading managed service provider, announced today that they have joined the Red Hat Partner Program as a Red Hat Ready business partner. Through the partnership, rackAID expects to increase their Red Hat Enterprise Linux service offerings and develop business through co-marketing opportunities.


September 17, 2008

Get Ready for PCI Phase III with a Free PCI Scan

One thing a partnership provides is education. ControlScan has notified us that Phase III of the PCI-DSS program is upon us (see the bulletin). If you are running an e-commerce shop or plan to, then you may want to review the upcoming changes in the PCI-DSS program. On October 1st, 2008, Phase III will be in effect. Under Phase III, banks cannot board new level 3 or 4 merchants that cannot attest to PCI compliance. If you need PCI compliance, now would be the time to get started. Best of all, ControlScan is providing a free 14-day trial for rackAID clients.


September 16, 2008

rackAID Joins Jacksonville Chamber of Commerce and IT Council

rackAID, a leading managed service provider, has joined the Jacksonville Chamber of Commerce and the IT Council. rackAID's president, Jeff Huckaby, expects the company's involvement in the IT council will enable rackAID to continue its rapid growth and service expansion.


September 10, 2008

Anti Spam Service - Free Trial During Soft Launch

We get asked about it all of the time. What? Spam. Dictionary attacks, backscatter, and those popular male enhancement messages can really kill your productivity. Fortunately, I think we've found a cost-effective solution.


September 5, 2008

Our Backup Service Rocks! Just ask our clients.

Early this year we announced a server backup solution (server backup press release). This solution is based on R1soft's backup software called CDP. Since launching this service, we have saved many clients a lot of headaches.


August 29, 2008

Office Closed: Labor Day September 1st

Happy Labor Day. Labor Day is an official US holiday that was originally started by a labor union in New York City in an effort to give their hard-working members a day off. Since then, Labor Day has become a celebration to mark the end of the summer. We too will be closed on Labor Day. If we are lucky, we may even get out of here early today.

As our offices will be closed, case-based support, billing and sales will not be available on Monday, September 1st, 2008.

Clients with server management subscriptions will continue to receive services in accordance with their SLA. Low level tickets submitted after 5 PM Friday, August 29, may not be handled until Tuesday, September 2nd.

Case-based support requests received after 2 PM Friday, August 29 may not be completed until Tuesday, September 2.

August 27, 2008

rackAID Announces Strategic Partnership with ControlScan

Offerings Available through ControlScan Provide rackAID Clients with Quality PCI Compliance Solutions.



©2000-2007 rackAID LLC