HOW TO: Barracuda Spam Filtering and Zimbra Domain Aliases

Over the past few years Barracuda has done a good job of improving their spam filtering appliances. We recently started to deploy a Barracuda 400Vx system in front of several Zimbra systems and found that the Barracuda doesn’t work with Zimbra’s Domain Alias function. Worse, the old Barracuda KB article which purports to offer a fix doesn’t work either, and the author of that article no longer works at Barracuda.  Since that KB article was written, Zimbra has updated their LDAP schema and Barracuda have upgraded their firmware, so not surprising really that things have changed enough to break the custom solution from several years ago.

We opened up support tickets with both Barracuda and Zimbra, and after letting both vendors vent a bit with a little finger pointing at each other, we were able to get from Zimbra Support the LDAP detail needed for Barracuda Support to sort out the solution.

 

Zimbra Domain Alias – Huh?
A little background on Zimbra Domain Aliases, because they are kind of unique in the email server space, and one of Zimbra’s more amazing features. Many companies find themselves having to support multiple email domains for all of their users. In Microsoft Exchange, you can add an additional SMTP address on a different domain for a user’s mailbox, but if you have a few thousand employees and several domains, this gets tedious fast (even with PowerShell). Additional domains can come about through mergers and acquisitions as well as domain purchases and new business initiatives; it just happens.

The Zimbra developers thought it would be nice to create email aliases at the domain level, so as you added a new user, that new mailbox (and all existing mailboxes) inherited the domain aliases. Let’s say John Doe’s production mailbox has the email addresses:

John.Doe@example.net
JDoe@example.net
Johnny@example.net
JohnnyD@example.net
Spike@example.net

Now suppose John’s company buys the domain “big-example.com”. In Zimbra, you create “big-example.com” as a Domain Alias for example.net (a few mouse clicks; takes about ten seconds from the command prompt or the Zimbra Admin Console) and Mr. Doe can then get email not only at his existing five email addresses but also at five more email addresses e.g. Johnny@big-example.com.  Zimbra will accept email for all ten email addresses now.

None of the LDAP attributes for Mr. Doe’s mailbox will reflect big-example.com either; it’s all done at the domain level in LDAP — and therein lies the problem with Barracuda…

 

Barracuda’s Default LDAP Search Filter Doesn’t Work With Zimbra Alias Domains
If you’ve never configured one before, adding new users to a Barracuda appliance is easy: you add the domain and point user verification to the appropriate OpenLDAP (Zimbra), Active Directory, Novell Directory etc. server and (in most cases) the Barracuda defaults work out of the box.

So if you have one regular, normal email domain and one Zimbra Alias domain, you’ll add two domains to your Barracuda. The Barracuda default settings work fine with the normal email domain, but you’ll have to do some manual work for the alias domain.

 

Barracuda Settings For Zimbra Alias Domains
After adding the alias domain in the Barracuda Admin Console, click on the Domains tab, and then click “Manage Domain” in the Action column to the right of the listed alias domain.

You are now at the domain management level within the Barracuda, so click on the Users tab, and then LDAP configuration.  Use the following settings:

Exchange Accelerator/LDAP Verification:  Yes
LDAP Server:  The IP address(es) of your Zimbra LDAP server(s).  Use a space for failover, and a comma or semi-colon for load-balancing.
LDAP Port: 389
Unify Email Aliases: No
SSL/TLS Mode: StartTLS
LDAP Server Type: OpenLDAP
Bind DN (Username): uid=zimbra,cn=admins,cn=zimbra
Bind Password:  The LDAP password you got from running “zmlocalconfig -s | grep -i password | grep -i ldap” as the zimbra user account.
Valid Email (for testing):  Some valid email address using the alias domain, e.g. johnny@big-example.com.

 

Now click the “Show Advanced Settings” button to expose the Advanced LDAP Settings:

LDAP Search Base: ${defaultNamingContext}
Blank LDAP Search Base: Yes
LDAP Filter: (|(zimbraMailDeliveryAddress=${recipient_local_part}@example.net)(zimbraMailAlias=${recipient_local_part}@example.net)(zimbraMailAddress=${recipient_local_part}@example.net)(mail=${recipient_email}))
LDAP UID: uid
LDAP Primary Email Attribute: mail

Be sure to replace “example.net” above with the regular domain the alias domain points to on your system!  And please note that the LDAP Filter: variable is all on one line.

 

Press the “Test LDAP” button and hopefully you will see a successful test!
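An offline check of the filter logic above, as an added example that is not part of the original post or of Barracuda's or Zimbra's code: it builds the one-line filter for a given real domain, expands it for a recipient at the alias domain, and evaluates it against a constructed, Zimbra-style directory. The directory entries, the uid values, the address-only comparison filter and the RFC 4515 escaping step are assumptions of this example.

```python
import re

def build_filter_template(real_domain):
    """Return the LDAP Filter from the settings above as one line for real_domain."""
    attrs = ("zimbraMailDeliveryAddress", "zimbraMailAlias", "zimbraMailAddress")
    parts = "".join("(%s=${recipient_local_part}@%s)" % (a, real_domain) for a in attrs)
    return "(|" + parts + "(mail=${recipient_email}))"

# Constructed comparison: a filter that only looks for the full recipient address.
ADDRESS_ONLY = "(mail=${recipient_email})"

def escape_filter_value(value):
    """RFC 4515 escaping of filter metacharacters (this example's own precaution)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, recipient):
    """Substitute the two template variables used in the filter for one recipient."""
    local, _, _ = recipient.rpartition("@")
    values = {
        "recipient_local_part": escape_filter_value(local),
        "recipient_email": escape_filter_value(recipient),
    }
    return re.sub(r"\$\{(\w+)\}", lambda m: values[m.group(1)], template)

def clauses(ldap_filter):
    """Split a flat OR-of-equalities filter into (attribute, value) pairs."""
    def unescape(v):
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return [(a, unescape(v)) for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]

def search(directory, ldap_filter):
    """Return the uid of every entry matching any clause, case-insensitively."""
    wanted = clauses(ldap_filter)
    hits = []
    for entry in directory:
        if any(v.lower() in (x.lower() for x in entry.get(a, [])) for a, v in wanted):
            hits.append(entry["uid"][0])
    return hits

# Constructed directory: John Doe's five example.net addresses from the text above.
# No attribute mentions big-example.com, because the alias lives at the domain level.
JOHN = ["John.Doe@example.net", "JDoe@example.net", "Johnny@example.net",
        "JohnnyD@example.net", "Spike@example.net"]
DIRECTORY = [
    {"uid": ["john.doe"], "zimbraMailDeliveryAddress": JOHN[:1],
     "zimbraMailAlias": JOHN[1:], "mail": JOHN},
    {"uid": ["jane.roe"], "zimbraMailDeliveryAddress": ["jane.roe@example.net"],
     "zimbraMailAlias": [], "mail": ["jane.roe@example.net"]},
]

def verify(recipient, template):
    """Which directory entries would accept this recipient under this filter?"""
    return search(DIRECTORY, expand(template, recipient))

if __name__ == "__main__":
    page_filter = build_filter_template("example.net")
    print(page_filter)
    for rcpt in ("johnny@big-example.com", "nobody@big-example.com"):
        print(rcpt, "address-only:", verify(rcpt, ADDRESS_ONLY),
              "alias-aware:", verify(rcpt, page_filter))
```

Because the real domain is hard-coded into the filter, it belongs only in the LDAP configuration of the alias domain it was built for.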

 

If you need more help, please give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone and do not necessarily reflect those of Reliable Networks, OTT Communications or Otelco Inc. The contents of this site are not intended as advice for any purpose and are subject to change without notice. We make no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.

Why Encryption Matters – Who Is Really Looking At Your Stuff?

First off, this is not a privacy rant; it’s about understanding how folks you might not expect could see your Internet traffic: emails, web browsing, file transfers, etc., and why encryption can help.

In the United States, when you send a letter or package through the Post Office, FedEx, UPS etc. to another address here in the United States, we all know that a number of employees get to see the tracking information for the item: who sent it and who is going to receive it.  We also know that letters and packages which raise suspicion are subject to opening and inspection.

What we don’t expect is if you are sending a bottle of perfume to your Aunt Tilly in Peoria for her birthday, that someone in China, Russia or someplace else will get to open the package and sniff the perfume before sending it on to your Aunt Tilly.  But on the Internet, that happens more often than you might expect. On the Internet, your “package” frequently takes a more circuitous route than you might believe — indeed, a lot of folks like it that way and nation states frequently abuse the system to get a peek at others’ Internet traffic.

 

Here’s How It’s Supposed To Work:

The “glue” that holds the Internet together is BGP (“Border Gateway Protocol”); BGP determines the route data packets take to get from here to there.  Geeks like us often use a tool called “traceroute” to show how data packets go from one router to the next.  A “trace route” looks like a set of driving directions from Google Maps or MapQuest: a list of “turns” onto different “roads” in Internet-speak translates to the “next hop” to a different “router”.

Your Internet Service Provider makes a number of BGP “announcements” (as do Internet backbone and major data center providers) to ensure Internet traffic is routed efficiently and/or at least cost.  One large data center provider we know told us they alone make hundreds of thousands of changes to BGP every day to make sure their customers’ traffic is routed without delay. Think of mashing up Waze with your car’s mapping software to proactively route you around traffic jams and you’ve got the idea.

 

So What’s The Problem?

Alas, the founders of our Internet were a trusting lot, and so there’s not a lot of verification of BGP change requests.  That’s how companies like Dyn/Renesys make money: they plant BGP listeners in data centers across the country and analyze changes to BGP in near real-time.  When they see something wonky, they notify their customers, who are, it seems, mostly ISPs, Internet backbone providers, government agencies, and anybody else who owns a lot of IP addresses and prominent web sites and is concerned where their traffic is being routed.

Many times, the wonkiness is human error: a typo or other unintentional misconfiguration.  Sometimes, the wonkiness is just wrong, as pointed out in a recent blog post where Dyn/Renesys discovered that some intra-Russia traffic was being routed to China Telecom routers in Germany.  The first paragraph of the blog post is for lay and technical readers alike; thereafter the article gets pretty technical.  At the end though are links to well-known thought pieces for better securing Internet routing.

 

What Can I Do?

If the content of your emails, web browsing, file sharing and other things you do on the Internet is not something you mind being known to someone outside of this country, you need do nothing except presume that your Stuff, like Aunt Tilly’s perfume, could be sniffed by anyone inside and outside of this country without your knowledge.

Alternatively, you can take a page from the Book of HIPAA, where healthcare regulations require patient data to be encrypted both “at rest” (i.e. on disk or tape) and “in flight” (i.e. when being rendered over a link to a web browser), and focus on tools to at least get your data encrypted “in flight”.

With email for example, you can choose to use a service provider who can configure your email server to do only encrypted connections to other email servers, or to use an end-to-end encryption service. Just because your email’s web browser does https doesn’t mean the email is encrypted all the way to the intended recipient.

There’s a reasonableness test here: The grocery list my wife sends me to pick up on the way home I wouldn’t mind being read by anyone; indeed, if we all ate more kale… (but I digress!).  Nonetheless, if you are the senior marketing officer for a company in a highly competitive industry sending sensitive emails at a trade show across the hotel wireless, wouldn’t it be nice to know that your competitors at the show sniffing the wireless can’t read your emails?

 

If you’d like to discuss your options, please give us a call at (207) 772-5678 and ask for our Chief Security Officer, Chris Falk.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Fighting Spam: SpamAssassin RDNS_NONE Test Issues

We host tens of thousands of email domains and so we get to see a lot of spam.  Over the past year we have seen spammers really raise the bar on their ability to sneak through a variety of commercial and open-source anti-spam filters, with the result that many email administrators have tightened the screws down on whatever anti-spam tools they have been using.

While this has reduced spam volumes delivered to end users’ Inboxes, we are also starting to see more “false positives” i.e. legitimate email incorrectly identified as spam.

This article is about correcting one such increasingly common “false positive” in SpamAssassin, the RDNS_NONE test.

It used to be that spammers were frequently sloppy about setting up DNS records for the servers they were using to send out spam.  Typically, there was no reverse DNS record (PTR record), so the SpamAssassin test RDNS_NONE was both accurate and effective in identifying spammers’ servers.  We and others would often increase the default RDNS_NONE score in SpamAssassin (the default score today is 0.793 BTW…) enough so that an RDNS_NONE hit alone would be insufficient to flag the email as spam, but, high enough so that if a few other tests hit, the email would be flagged as spam.

Alas, we are now seeing spammers make increasingly effective use of self-service Cloud servers (we suspect paid for with stolen credit cards in some cases) where DNS records management is configured to RFC-compliant standards as a matter of course.  We are also seeing that more and more email administrators have started using additional spam filtering tools which modify the email header in ways that the code underlying the RDNS_NONE test does not know how to handle.

The end result is that the RDNS_NONE test triggers much more frequently now, and on legitimate email.  We recommend first if you have modified a SpamAssassin .cf file to increase the default RDNS_NONE score, that you remove that modification.  If your system is still flagging legitimate email as spam, and it’s the RDNS_NONE test that is putting the legitimate email’s score over the edge, then we recommend setting the score to zero.  This can be done by adding “score RDNS_NONE 0.000” to the appropriate SpamAssassin .cf file.

Tech Talk:

Two common scenarios we have seen where the RDNS_NONE test logic failed:

A user in a coffee shop uses their Mac Mail or Outlook client to send an email through their corporate email server. The RDNS_NONE code is supposed to parse the email header looking for the first “real” email server. Instead, it finds the RFC1918 private IP address of the user’s laptop, sees that there is no reverse DNS for an address like 192.168.0.56 and adds the RDNS_NONE score to the email.

Web services like Basecamp use a 37signals.com server with an RFC1918 private IP address to collect notification emails destined for subscribers. The email is routed correctly through a basecamp.com email server with a public IP address and proper DNS records all around. But, the RDNS_NONE code determines the 37signals.com server is the originating sending server and incorrectly flags the email with the RDNS_NONE score.
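A triage aid for the two scenarios above, as an added example that is not SpamAssassin's own logic and not code from the original post: it walks a message's Received headers and reports whether the missing reverse DNS belongs to the relay that connected to your server or only to an internal RFC1918 hop further back. The sample messages and host names are constructed; it assumes the topmost Received header was written by your own MX and that a failed reverse lookup is recorded as "unknown", as Postfix does.

```python
import email
import ipaddress
import re

# The three RFC1918 private ranges, listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "from HELO (RDNS [IP])" as written by Postfix-style MTAs.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)")

# Constructed sample: laptop on a coffee-shop LAN submitting through its corporate server.
COFFEE_SHOP = (
    "Received: from mail.corp.example (mail.corp.example [203.0.113.25])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id AAA111;\n"
    "\tMon, 06 Jan 2025 10:00:02 -0500 (EST)\n"
    "Received: from johns-macbook.local (unknown [192.168.0.56])\n"
    "\tby mail.corp.example (Postfix) with ESMTPSA id BBB222;\n"
    "\tMon, 06 Jan 2025 10:00:01 -0500 (EST)\n"
    "From: john.doe@corp.example\n"
    "To: bob@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample: the connecting relay itself has no PTR record.
NO_PTR = (
    "Received: from bulk.sender.example (unknown [198.51.100.77])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP id CCC333;\n"
    "\tMon, 06 Jan 2025 11:00:00 -0500 (EST)\n"
    "From: offers@sender.example\n"
    "To: bob@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def received_hops(raw):
    """Return one dict per parsable Received header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # header in a format this sketch does not parse
        helo, rdns, ip = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        hops.append({"helo": helo, "rdns": rdns, "ip": ip,
                     "rfc1918": any(addr in net for net in RFC1918)})
    return hops

def triage(raw):
    """Classify where the reverse-DNS gap sits in the relay chain."""
    hops = received_hops(raw)
    if not hops:
        return "no_received_headers"
    boundary = hops[0]  # the relay that handed the message to our MX
    if boundary["rdns"] == "unknown" and not boundary["rfc1918"]:
        return "connecting_relay_has_no_rdns"
    if any(h["rfc1918"] and h["rdns"] == "unknown" for h in hops[1:]):
        return "only_internal_hop_lacks_rdns"
    return "no_rdns_gap"

if __name__ == "__main__":
    for name, raw in (("coffee shop", COFFEE_SHOP), ("no PTR", NO_PTR)):
        print(name, "->", triage(raw))
        for hop in received_hops(raw):
            print("   ", hop)
```

A result of only_internal_hop_lacks_rdns on a message that hit RDNS_NONE matches the false-positive pattern described above; connecting_relay_has_no_rdns is the case the test was meant to catch.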

We contribute to the Zimbra SpamAssassin Customizations wiki page. Many of the configuration tweaks there are non-Zimbra specific, so if you are looking for additional ways to improve SpamAssassin, I recommend a visit.

And if you are finding yourself just way too preoccupied dealing with spam, give us a call at (207) 772-5678 and we can walk you through some options.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


BayRing Communications Was Down (Sunday) – Now Up (Sunday) – Down Again (Monday) – Now Back Up (Monday)

At about 4:30pm Eastern today (Sunday), we noticed an issue with BayRing Communications, the New Hampshire-based phone company where our NH data center infrastructure is domiciled.

BayRing have told us the issue is due to a street power outage impacting all of the former Pease Air Force base.

As of this initial writing (5:20pm Sunday) BayRing is working to restore power to their core Internet routers.

For our Zimbra hosting farm clients, we maintain a secondary MX server in Denver, Colorado, unaffected by this outage, so no legitimate inbound email will be lost during this (nor any other) outage.

You can always check our network status page for realtime updates: http://status.reliablenetworks.com

UPDATE: 5:39pm Sunday – Service has been restored.  As soon as we have a documented RFO, we will post it.

UPDATE: 8:32pm Sunday – BayRing has posted an update on their web site. We have been told by phone that Internet traffic from and to our data center at 77 Aviation drive is normally routed through another BayRing building at 11 Manchester, also at Pease.  It was the 11 Manchester facility which experienced the power event.  77 Aviation traffic has been rerouted. Again, as soon as we have a documented RFO, we will post it.

UPDATE: 11:50am Monday – BayRing has had another power event starting around 10:45am.  Currently one of the two power feeds to one of our racks is dark. From the logs it appears power from both of our BayRing power feeds (fed by separate BayRing UPSs) was lost, but only briefly on one of the feeds.  Several of our cloud server hosts rebooted; several did not.  SAN storage did not lose power.  Since we do not have clarity from BayRing that the second power feed will not go down, we are for the moment keeping I/O-sensitive servers shut down to preserve data integrity.  Servers whose applications tolerate what the backup vendors call “crash consistent” backups as safe are being brought back online.

UPDATE: 2:05pm Monday – This morning’s power interruption was caused by failover from generator power back to the UPSs.  All but one of our racks now has full redundant power restored; that one rack has only one active power feed and BayRing are locating the break in power for us.  As we have a fully redundant networking stack and all of our servers/SANs have redundant power supplies, we are fully operational and most client servers are back online.  Many servers required disk checks on reboot.  We have been told by BayRing they will produce an RFO tomorrow.

UPDATE: 8:30pm Monday – Full power has been restored to all of our racks and all systems are fully back on line.  BayRing have reiterated they expect to issue an RFO on Tuesday and we will distribute that to clients directly as soon as we receive it.  Thank you all for your patience as BayRing and we worked to recover from this power event.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


 

 

Reliable Networks Joins Citrix Verified IaaS Providers Program

We were pleased as punch recently when Citrix called and asked if we wouldn’t allow ourselves to be verified as a Citrix Ready IaaS Cloud for XenDesktop provider.

By way of background, we have been hosting Private and Hybrid Cloud servers backed by Citrix XenServer for several years now. Our own Zimbra Hosting platform is on the same highly redundant and resilient infrastructure as our clients’ Cloud servers. Earlier this year we invested six figures in our new Citrix CloudPlatform environment; we and our clients have been more than happy with the results. (And to be clear, we don’t do Public Cloud.)

One challenge in the Cloud Hosting space is that there are few barriers to entry, so if you are considering using a commercial cloud provider for your Private/Hybrid Cloud deployment, how can you differentiate the newbies and dilettantes from the folks following best practices? How do you know your data will be secure?

Sure, we have a SOC 2 Type 2 audit covering Security, Availability and Confidentiality, but good or bad, anyone with a checkbook can buy CloudPlatform (or VMware for that matter).

To be part of this Citrix Verified IaaS Program however, a provider has to document that their workflow processes are in conformance with Citrix’s reference architectures and best practices. And oh-by-the-way, Citrix comes on site too for an in-person and quite intimate poke-about.

Our on-site Citrix visit is scheduled for early next month, but Citrix felt comfortable with our submissions to date to include us alongside companies like Verio/NTT Communications in the announcement post.

If you’d like to find out how we can help you better manage technology risk via our Managed Cloud offerings, give us a call at (207) 772-5678. And if you’d like to read Citrix’s Press Release, you can click here.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Rackspace Emulates Reliable Networks’ Approach To Cloud Servers

Yes, the title is a little presumptuous I confess, but with Rackspace announcing they have left the pure IaaS market to provide only Managed Cloud servers, we at Reliable Networks are feeling a little bit full of ourselves right now. (Don’t worry, we’ll get over ourselves in a few minutes, I promise…)

You see, we have always liked Rackspace for their “fanatical” approach because we are much the same in that client service is paramount.  We do think we are way more proactive than Rackspace; one client affectionately calls us “The constructive thorn in our sides.” because we don’t let them be too expedient too often.  But we respect Rackspace for their client-centric view on things and imagine we have common ancestors a few generations back.

But unlike Rackspace, we never got into the pure IaaS market.  Having done tech M&A for a number of years, it looked to me like that was one that would commoditize fast.  Plus, all of our clients value not only our highly resilient, redundant and performant infrastructure, but our expertise – offered only inseparably from our Cloud Server and other Hosted compute offerings like Zimbra.  We essentially function as our clients’ part-time, on-demand CIO/CTO/Senior IT staff, collaborating with both C-level executives and client IT staff with a view towards better managing technology risk and spend.

Earlier this year Rackspace hired Morgan Stanley to explore “strategic options” so we knew all was not well.  It’s still early days but kudos to Rackspace for swapping out a CEO and keeping their stock even today selling at more than 2.7x sales (it had been near 4.5x a year or so ago as I recall).

The pundits as per usual are claiming the entire Cloud market is commoditizing, and unless one becomes the biggest all will be lost. On a related note, Forbes magazine is recommending companies should no longer build new data centers but instead rely on data centers from Cloud providers. We agree with Forbes but look to a Cloud market with different levels of value-added services.

In other words, we think the Cloud market is showing signs of maturity onset, just like the car business.  Toyota and GM fought to be the largest in the world and look at what that brought them.  Meanwhile, those car companies who elected not to be all things to all people, and who compete on value-add, not price, are doing quite well thank you.

At the end of the day, it’s not the price of the hardware that matters, but what you can do with it and how much technology risk you can mitigate cost-effectively.  And that takes people. Really smart people.  And Managed Services.  So that’s why we have never offered pure IaaS and why we find it interesting (and yes, somewhat satisfying) that Rackspace is seemingly abandoning the commodity scale market for the smaller, but higher value-add Managed and Professional Services market we’ve stayed in since day one.

OK, time’s up.  We are over ourselves now…

If you’d like to find out how we can help you better manage technology risk via our Managed Cloud offerings, give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


 

What Is The Best Protection Against Malware?

What Can We Learn From Race Cars?

In the racing business, there is an old saying that “To finish first, one must first finish!”  Trying to go as fast as you can, all the time, is in fact, not the best way to finish a race in first place.  More often than not, all it does is get you in the middle of a wreck.  (I used to be the Chief Driving Instructor at a Rally School, so I have some experience with this…)

Indeed, the more experienced and talented the driver, the more often their coach will advise them to slow down, to give them time to better plan their next move.  In other words, if you can drive at 99.9% one hundred percent of the time, you’ll be both safe and fast.  And when something does go awry and you need to drive at 110% for a bit, you’ll have the margin and composure to do so.

 

Drive Encryption Malware Strikes Again

You may have seen a recent Ars Technica article in which a senior Symantec executive admits that anti-virus software catches less than half of all malware (here’s the full URL: http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/).  Not surprisingly, not a month goes by that we don’t hear about some poor end user clicking on a link in an email and inadvertently launching some drive encryption malware requiring their workstation to be rebuilt from scratch.  (It gets worse when the drives encrypted are the company network drives, and whole servers have to be rebuilt and restored…)

So how can we apply how to go fast in racing to malware protection?

It’s simple: Slow Down!  Slow down how fast you skim through email. Take a breath before you click on a link.  Know where your mouse cursor is, in what application before you hit the Enter key.  Don’t be the cause of a malware wreck!

 

The Most Effective Anti-Malware Tool?  Training!

In our experience, end-user training is the most effective malware detection tool.  With the benefit of hindsight, most malware delivered via email links does look suspicious, but only after you take that extra split-second to look at it.  Often there is a typo, a graphic that doesn’t look quite right or some other attribute that appears out of place in an email purportedly from the Post Office telling you about a failed package delivery attempt.

Sure, at Reliable Networks we are fussy about security and do things like block executable attachments and have multiple vendors’ products scanning our email stream (inbound and outbound BTW…) but these URL links delivering malware are quite clever, insidious, and frankly, the bad guys are way ahead of the good guys who sell anti-virus/anti-malware detection solutions.

But at the end of the day, we recommend our users slow down — just a little — and take advantage of our uniquely human ability to sense when things are not quite right.

Now, we are of course not suggesting you abandon the usual protections. Indeed, we like a multi-vendor approach because when new exploits are discovered, different vendors release updates at different times, and just a few minutes can make a difference.  So even though it costs more, it’s fairly cheap “insurance”.

And if you’d like to schedule some end-user training with us, we’d be happy to oblige.  Just give us a call at (207) 772-5678.

 

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Are We Up For You?

One of the things we pride ourselves on is comprehensive internal monitoring of our entire infrastructure and cloud environment. Whenever we benchmark ourselves against other cloud providers we consistently find that our monitoring is much more extensive than others.

Is it Good For You Too?
But just because our stuff is up and running doesn’t always mean it is up for you. The Internet can be incredibly flakey, so for the past few years we’ve been using an external monitoring service (from Pingdom if you are curious) to make sure that our public facing Private Cloud applications and network hardware are globally responsive. We do have clients with offices overseas who connect to our Zimbra email system for example, so we want to make sure the Internet is carrying their traffic appropriately.

How To Find Out…
Recently, Pingdom improved their Public Status Pages reports for clients like us, so today we added a menu item to our web site called “Cloud Status”. This links directly to Pingdom’s reporting engine. You can go there directly too; the URL is:

http://status.reliablenetworks.com

How To Interpret “Downtime”
Pingdom is harsh on reporting; they have multiple monitoring servers all over the world looking at their customers’ stuff, and all it takes is one monitoring system perceiving an issue (which can often be nothing more than temporary bad routing on the Internet) to flag a service or hardware.

That suits us just fine because we are less interested in showing to the world nothing but pretty green “Service is Up” globes than we are in making sure all of our clients across the globe are having a good experience on our Cloud — even if a bad experience has nothing to do with us or our upstream providers.

We really like transparency and hope that whether you are a current or prospective client, you find our new status page from Pingdom useful.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Spam, Spam, Spam, Spam… (Lovely Spam, Wonderful Spam!)

Monty Python references notwithstanding, in the past few weeks we have seen an extraordinary increase in the amount of spam hitting our and our clients’ mail servers — and it’s been anything but Lovely.

A quick check of the Postfix mailing list and a few others confirmed our suspicion that we are not alone in our suffering. The root cause seems to be legitimately configured, not (necessarily) compromised, cloud servers on Amazon and other self-service public cloud providers. The servers we have tracked stay up for just long enough for them to get noticed by all the anti-spam blacklist engines, and then they are taken down and new ones pop up to take their place.

After reviewing literally hundreds of email headers looking for clues, over the past week we rolled out some significant tweaks to our spam filtering methodology on our Zimbra hosting farm. So far over the past few days, we’ve seen the amount of spam emails which get through go back down to the usual few per day, without any increase in “false positives” (i.e. legitimate email incorrectly identified as spam).

We’ve documented our updated techniques on Zimbra’s SpamAssassin Customization wiki (propeller heads only for this one I’m afraid…)

If you’d like help improving your system’s anti-spam configurations with Zimbra or Exchange, give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications


Just Say “NO!” To Windows XP

Earlier this month Microsoft finally ended support for Windows XP (unless you are, say, the British government and are paying Microsoft more than a million quid to get another year of support…)

The trade press reports that many companies, despite years of prodding, have taken an ostrich approach to migrating away from XP to Windows 7 or Windows 8, and are still running Windows XP systems with an Internet connection.

“We have good firewalls in place!” and “We run up-to-date anti-virus and endpoint protection on every Windows XP machine.” are just some of the comments we have heard companies use to justify to themselves that the risk of running an unsupported operating system has been mitigated.

No longer.

Last week the trade press reported that a new exploit in Internet Explorer had been found and is being exploited. Microsoft as of this writing has yet to release a fix, but has made clear that Windows XP will not get the fix.

For the moment, the public consensus seems to be to stop using Internet Explorer entirely (tough when some apps are hard-coded for Internet Explorer…) until a Microsoft patch is released.

But if you are still running Windows XP, this is just one more reminder that XP will not be getting any more security fixes, and that it really is time now, if you haven’t done so already, to just say “NO!” to Windows XP.

Need help planning this migration? Give us a call at (207) 772-5678.

Take care,
L. Mark Stone
General Manager, Managed and Private/Hybrid Cloud Services
Reliable Networks
A Division of OTT Communications
