News & Updates

Software Updates.

Wednesday, 29th December, 2004 - 06:01

PHP has been upgraded to 4.3.10. cPanel has also been updated to the latest release. With the exception of a brief pause while Apache was restarted, the updates were completed without incident.

Business as Usual.

Saturday, 25th December, 2004 - 07:20

Just a quick update to let everyone know that things have been running quite smoothly lately. Over the course of the month we have been taking quite a bit of action in a continuing effort to improve service and also to prevent server slowdowns as a result of overzealous web bots, comment spam that can kill a Movable Type website (along with all other hosted sites on that server), and just spam flooding in general.

Happy Holidays.

Denial of Service Attack Today

Wednesday, 15th December, 2004 - 19:28

We just halted a denial of service attack against an MT website by way of comment spam. Because it was a distributed attack, the class C has been blocked in the firewall. Load average is returning to normal.

Remember to Authenticate.

Friday, 10th December, 2004 - 19:19

Our SMTP server, which is used to send email, must be authenticated with before it will accept email for relaying. While previously you may have been able to send email by logging in via POP3 first to check your email, now you must specifically authenticate. All email clients will allow for this and it is a simple change. If you are unable to send email through your hosting account, and your ISP or firewall does not block outgoing traffic on port 25, make sure authentication is enabled.

Dictionary Attack Prevention

Wednesday, 8th December, 2004 - 20:53

A dictionary attack is when a spammer randomly ‘invents’ the local part (the username before the @ in an email address) in an effort to force junk mail into a user’s catch-all account. By setting your default/catch-all address in cPanel to :fail: these messages will not be delivered to you and the sender’s host will notify the user that the address does not exist. The downside to doing this is that there are instances where having the ability for a user to ‘invent’ an email address ‘on the fly’ without setting up an email account or forward beforehand would be beneficial.

We have configured the email server to recognize and identify this type of spamming behavior. If four consecutive email messages sent by the same IP address are not addressed to actual users, that sending IP address will be flagged as being a source of dictionary attacks. Once flagged, the IP address will be placed on a temporary ban list and no further email will be accepted from that IP address during the temporary ban period.

This new identification and prohibition of hosts launching dictionary attacks will in effect decrease spam for those not using the :fail: option, because email is still filtered based on an IP address’s history of sending spam via dictionary attack to other hosts on the system. This will still allow for ‘on the fly’ created addresses for those wishing to have such addresses forwarded to their catch-all or any other existing email account.

Why the ban period is temporary: We recognize that mistakes can be made when addressing email. We do not want to permanently ban anyone for using the wrong email address to contact a user. We also recognize that the majority of these spam sources are dialup account users whose IP address will be rotated off to another user. It is also important to note that the blocking applies only to receipt of email; IP addresses are not banned from accessing any other service (web, ftp, etc).
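The rule described above (four consecutive messages to non-existent users from one IP, then a temporary ban that affects mail only) can be sketched as follows. This is an added example, not the mail server's actual configuration; the class and function names, the sample addresses and the one-hour `BAN_SECONDS` are assumptions, since the ban length is not stated here.

```python
from dataclasses import dataclass, field

THRESHOLD = 4        # consecutive unknown recipients before an IP is flagged
BAN_SECONDS = 3600   # assumed value; the announcement only says "temporary"

@dataclass
class DictionaryAttackFilter:
    known: set                                        # addresses of actual users
    misses: dict = field(default_factory=dict)        # ip -> consecutive misses
    banned_until: dict = field(default_factory=dict)  # ip -> ban expiry (epoch s)

    def check(self, now, ip, rcpt):
        """Return 'banned', 'unknown' or 'accept' for one delivery attempt."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return "banned"          # nothing is accepted during the ban
            del self.banned_until[ip]    # ban lapsed: the IP starts clean
        if rcpt.lower() in self.known:
            self.misses.pop(ip, None)    # a real recipient breaks the streak
            return "accept"
        count = self.misses.get(ip, 0) + 1
        if count >= THRESHOLD:
            self.misses.pop(ip, None)
            self.banned_until[ip] = now + BAN_SECONDS
        else:
            self.misses[ip] = count
        return "unknown"

# Constructed sample traffic: (epoch seconds, sending IP, recipient)
EVENTS = [
    (0, "192.0.2.10", "alice@example.test"),     # legitimate sender
    (5, "192.0.2.10", "alcie@example.test"),     # honest typo: one miss
    (9, "192.0.2.10", "alice@example.test"),     # streak resets
    (10, "198.51.100.7", "aaron@example.test"),  # invented local parts...
    (11, "198.51.100.7", "abby@example.test"),
    (12, "198.51.100.7", "adam@example.test"),
    (13, "198.51.100.7", "admin1@example.test"), # fourth miss: IP flagged
    (14, "198.51.100.7", "alice@example.test"),  # refused even though valid
    (13 + BAN_SECONDS, "198.51.100.7", "alice@example.test"),  # ban expired
]

def replay(events, known):
    f = DictionaryAttackFilter(known={a.lower() for a in known})
    return [f.check(t, ip, rcpt) for t, ip, rcpt in events]

if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, replay(EVENTS, {"alice@example.test"})):
        print(ev, verdict)
```

The sender who mistypes one address is never flagged, while the guessing host loses mail delivery only until the ban expires.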