
Reducing SPAM on your Postfix Mail Server with the Help of Public RBL/DNSBL Black Lists

A few months ago, we wrote about using “grey listing” on your mail server to help reduce SPAM. While this concept works great in practice, it does have one major flaw that may affect your users if they use their mail in time-critical environments. Because grey listing initially rejects the mail and waits for the sending mail server to make a second delivery attempt (SPAM servers usually make only one attempt), it eliminates the “instant” delivery of your emails. We all know that email should never be depended on to be delivered instantly, but these days it is very close to instant the majority of the time.

As a result, we want to share some other methods on how to reduce incoming SPAM to your mail server and users while preserving the quick delivery so many users count on each day. After all, we live in a world where expectations in technology are consistently rising.

Using a publicly available black list database, also known as an RBL (Real Time Black Hole List) or DNSBL (DNS Block List), allows your mail server to check whether the sending server is a known SPAM sender. There are many different black lists on the Internet, and we cannot guarantee (nor can they) that they are 100% effective in blocking SPAM, but we would like to share a list of the common ones that we have used and found effective.

What to look for in a DNSBL Database

What you want to look for is a well-maintained project (since it will be making decisions for you in real time) and one that is known not to produce what are called “False Positives.” In all cases, what you want to avoid when implementing an automated system like this is the rejection of legitimate email.

DNSBLs Suggested

The DNSBLs that we have seen to be effective include the following:

  • zen.spamhaus.org
  • xbl.spamhaus.org
  • rbl.spamhaus.org
  • b.barracudacentral.org
  • bl.spamcop.net

DNSBLs to Avoid

  • blackholes.five-ten-sg.com

Five-ten-sg.com is very prone to listing entire subnets (up to /24 in some cases) rather than listing individual /32 IP addresses. As a result, this black list is very prone to false positives, and it is not kept up to date. We have encountered many stale records in this database, sometimes including domains such as Apple’s @me.com and Google’s @gmail.com. Avoid this database at all costs.

Implementation

Once you have researched which database (or combination of databases) you want to use, implementing it in Postfix is as simple as adding one line to your main.cf file for each database you want to include.

Find the following line in your main.cf file:

smtpd_recipient_restrictions =

Add the following to what is already there (continuation lines in main.cf must begin with whitespace):

    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,

Again, you can use as many databases as you like. In the case of spamhaus.org, it’s best to visit their website to see what the criteria are for getting onto each database (some are stricter than others).
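What a reject_rbl_client check does under the hood, as an added example (not code from this blog or from Postfix): the client address is reversed, appended to the DNSBL zone and looked up as an A record, and the answer decides the verdict. The return-code table, the sample answers and the function names are assumptions made for illustration; the sample data is constructed so the script runs offline.

```python
import ipaddress
import socket

# zen.spamhaus.org return codes -> sub-list (assumption: copied from Spamhaus's
# published return-code table; confirm on their site before relying on it).
ZEN_SUBLISTS = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
                10: "PBL", 11: "PBL"}
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

# Constructed sample answers keyed by query name (documentation-range IPs).
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],
}

def dnsbl_query_name(client_ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6), append the zone."""
    ip = ipaddress.ip_address(client_ip)
    labels = str(ip).split(".") if ip.version == 4 else list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A records via the system resolver; [] if the lookup fails or finds nothing."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def sample_resolver(name):
    """Offline stand-in for DNS that serves the constructed answers above."""
    return SAMPLE_ANSWERS.get(name, [])

def check_client(client_ip, zone="zen.spamhaus.org", resolve=system_resolver):
    """Return (verdict, detail); verdict is 'reject', 'accept' or 'error'."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_query_name(client_ip, zone))]
    hits = sorted({ZEN_SUBLISTS.get(a.packed[3], "listed") for a in answers
                   if a in LISTING_NET and 2 <= a.packed[3] <= 11})
    if hits:
        return "reject", ",".join(hits)
    if any(a in ERROR_NET for a in answers):
        # Error answer (for example a query sent through a public resolver):
        # the lookup told us nothing, so it must not count as a listing.
        return "error", "DNSBL returned an error code"
    return "accept", "not listed"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_client(ip, resolve=sample_resolver))
```

Postfix can apply the same return-code filter itself with reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]. Because zen.spamhaus.org is the combined Spamhaus zone, an address listed in PBL or XBL is already answered by the zen lookup.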

Overall, using a DNSBL is effective in helping with reducing the amount of incoming SPAM on the network. It is a database that works in real time, and there are professionals out there who contribute information to these databases daily to help reduce the amount of SPAM on the public internet.


IPv6 Addresses now available on all OpenVZ VPS accounts at OpenVZ.ca

IPv6 addresses are available on the Medium, Large and Extra Large VPS accounts at no additional cost.

There is a one time setup fee of $19.99 to activate IPv6 addresses on the Small VPS package.

For more information on IPv6 click here

We are proud to announce that our IPv6 network is now online. We have connectivity to the following upstream providers as of today:

  • Cogent Communications (AS174)
  • NeTELLIGENT Hosting Services (AS10929)
  • Hurricane Electric (AS6939)

If you are a current customer looking to add IPv6 connectivity to your existing VPS, please open a support ticket.

Note: While these IP addresses do not have a monthly per-unit cost, justifications are still required for larger amounts of IP addresses to be allocated. Please refer to the ARIN policy regarding the exact policy that we follow.


New Order Form

We’ve been getting some feedback lately with regards to simplifying the checkout process.

The result: A new simplified jQuery enabled checkout form that puts all of the information on a single page, and allows you to checkout by “Sliding” a bar to compare different plans.

You will see this new order form starting today.

Thanks for the continued feedback!


SolusVM Migrations Completed

We are happy to report that all of the migrations to the new SolusVM platform and Hardware Nodes have been completed successfully.

At this point, all customers should have received an email for each VPS they have with us with instructions on how to access the new panel. If you have not received an email from us please open a ticket with support.

We hope everyone enjoys the added benefits this control panel brings us.


SolusVM Control Panel Coming by September 2011!

Due to the increasing number of requests we get to migrate to a newer control panel, we have decided to go with SolusVM as the control panel for all of our VPS servers going forward.

What does this mean for existing customers?

Between now and September 2011, you will get an email with instructions on how to login to the new web control panel. The Legacy HyperVM web interface will continue to be active until all VPS accounts are fully migrated to the new system.

Will there be any downtime as a result of this upgrade?

Absolutely NOT! One of the benefits of OpenVZ virtualization technology is the ability to “live migrate” virtual servers. Your VPS will be moved live to the new nodes with the SolusVM software enabled. Nothing will change with your configuration.

When your VPS is fully migrated, you will get an email to confirm.

Why are we migrating?

One of the benefits of this migration is that you will be able to see all of your usage graphs (CPU, Load Average, RAM, Network) from within your ePortal (secure.media-hosts.com).

In addition, these extra features will also give us room to grow in the future:

  • API Access for use with iPhone applications and other 3rd party programs.
  • Simplified web interface that makes much more sense.
  • Ability to add other types of virtualization (KVM, Xen PV & HVM). I know we are OpenVZ.ca but Media-Hosts.com will be offering other virtualization technologies as a result, and it’s much easier for us to manage one system instead of two.
  • SSH console built into the ePortal and Web Portal.
  • Tun/Tap will be user installable with one button.

If you have any questions regarding this new feature/migration please email us directly: support@media-hosts.com


New Juniper Gear has Arrived!

As OpenVZ.ca continues to grow beyond what we initially thought was possible, we have had to plan ahead into our network infrastructure.

We are very proud to announce that we will be migrating all of our services to the Juniper platform due to the reliability and scalability of their platforms, as well as using one OS (JUNOS) for all devices.

Over the next few weeks (step 1) we will be implementing our new EX series switches to replace all of the legacy equipment. While no downtime will be scheduled, all customers will be updated with maintenance windows as they become available.

We hope to cut power consumption, reduce latency and increase bandwidth for everyone.


Godaddy CEO Kills Elephant! Transfer your domains for only $5, Coupon Code Here

As you may already know, Godaddy CEO Bob Parsons was recently filmed shooting an Elephant in Africa. We at OpenVZ.ca and Media-Hosts.com do not support this cowboy-like mentality. As a result of his actions we are offering current Godaddy.com domain customers transfers for .com .net .org and .biz to openvz.ca for only $5.00.

Use Coupon Code GoDaddySucks at checkout for the discounts (Expires April 30 2011).

Click Here to Transfer As Many Domains As you Like

We are also offering free migration services for anyone who would like to switch to our cPanel web hosting plans with an additional 1 year of hosting added on for free (1 year and 2 year terms only). To get this promotion, place your order normally and open a ticket with us attaching your most recent Godaddy Invoice. We will then add 1 year of hosting to your account for free.

You can see the full video of Bob shooting the Elephant here:


Using Email Greylisting to Reduce SPAM

One of the most common problems faced by anyone hosting a mail server in today’s internet world is SPAM, whether it comes from the outside world to your clients or originates from your clients themselves. Every server administrator will need to deal with this at some point. This article clarifies what “Greylisting” means, what it will do and what it won’t do, and hopefully gives you enough information to decide whether or not it’s a good idea for your environment.

In short, Greylisting does two main things. The first is to temporarily reject the first email received from a non-whitelisted sender; the second is to keep a list of possible spam servers, used to choose whether or not to reject the first email.

This does sound a little weird at first, but the methodology behind rejecting the first email comes from a basic principle. SPAM servers generally send a lot of mail OUT. The faster the better (in most cases), as administrators try to shut down these servers through blacklist databases all the time. Since these servers generally process a large amount of outgoing mail from potentially old mailing lists, or manually created ones in some cases, most spammers don’t always know what email accounts actually exist. Going on this principle, the majority of SPAM servers will not try to deliver mail more than once (i.e. if the mail it sent gets rejected, it will not try to resend it). A properly configured mail server will try multiple times before sending the message back undelivered.

As a result, Greylisting takes advantage of this by initially denying the message and waiting for the origin server to re-send it. If it receives a second request for the original message then it will accept and deliver it locally.

The most common configuration we use on our networks utilizes Postfix mail servers with a plugin called PostGrey. Although I won’t get into the configuration of PostGrey here, there are many articles online that can help you out.

Is Greylisting Right for You?

The reason you need to ask yourself this question is that it can provide benefits but at a small cost. Since Greylisting initially rejects the first email message, the immediate implications are that you will not get “instant” delivery of your mail. While most providers will never say that email delivery is instant by nature, it’s generally very fast. Normally within 1 minute of it being sent it should be received at the other end.

So if you are running a mail server that forwards messages to BlackBerrys or various other handheld devices, these mobile users need to know that they will not get their messages “instantly” when they are sent by another user.

Also, mail servers can be configured in different ways. While most don’t wait very long to re-send a message, depending on the configuration the message could take up to 10 minutes to be re-sent. So it may not be a good idea to use this on a support or high-availability help-desk style situation.

The good news: You can exclude certain mail accounts from grey-listing. So you can still install and configure PostGrey on your server and specify which mailboxes to not Greylist.
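The defer-then-accept behaviour and the per-mailbox exemption described above, as an added example (a toy model, not PostGrey's code and not from this blog). Keying on client IP, sender and recipient, the 300-second minimum delay, the expiry time and all addresses are assumptions chosen for illustration; the delivery attempts are constructed.

```python
GREYLIST_REPLY = "450 4.2.0 Greylisted, please retry later"

class Greylist:
    """Toy greylisting policy keyed on (client IP, sender, recipient)."""

    def __init__(self, min_delay=300, max_age=35 * 86400, exempt_recipients=()):
        self.min_delay = min_delay      # seconds a retry must wait (assumed value)
        self.max_age = max_age          # forget entries older than this (assumed)
        self.exempt = {r.lower() for r in exempt_recipients}
        self.first_seen = {}            # triplet -> time of first attempt

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one RCPT TO attempt at time `now` (seconds)."""
        recipient = recipient.lower()
        if recipient in self.exempt:
            return "250 OK (recipient exempt from greylisting)"
        key = (client_ip, sender.lower(), recipient)
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_age:
            self.first_seen[key] = now  # first sighting: remember it and defer
            return GREYLIST_REPLY
        if now - first < self.min_delay:
            return GREYLIST_REPLY       # retried too quickly, keep deferring
        return "250 OK (retry after %d s)" % (now - first)

def replay(policy, attempts):
    """Feed (time, client_ip, sender, recipient) attempts in; return reply codes."""
    return [policy.check(ip, snd, rcpt, t)[:3] for t, ip, snd, rcpt in attempts]

# Constructed delivery attempts: a real MTA that retries, a one-shot spam run,
# and a help-desk mailbox that is exempt so its mail is never delayed.
SAMPLE_ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (5,   "203.0.113.50", "promo@example.net", "bob@example.com"),
    (60,  "192.0.2.10",   "alice@example.org", "bob@example.com"),
    (70,  "192.0.2.10",   "alice@example.org", "support@example.com"),
    (600, "192.0.2.10",   "alice@example.org", "bob@example.com"),
]

if __name__ == "__main__":
    policy = Greylist(exempt_recipients=["support@example.com"])
    print(replay(policy, SAMPLE_ATTEMPTS))
```

The message from the retrying server is accepted only on its third attempt, ten minutes after the first, which is the delivery delay the mailbox owner pays for the filtering.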

Conclusion

Greylisting is very effective if you understand how it works and behaves. When used correctly it will reduce the amount of SPAM destined to your users by a very large factor (it did for us, but your mileage may vary). In turn, this will reduce the amount of work other installed filters (e.g. SpamAssassin) need to do, allowing you to use far fewer resources for processing mail and limiting that processing to real mail in most cases.

 


Comodo Essential SSL Certificate Sale, Save Over 80%

We are having a sale on “Comodo Essential” SSL Certificates this week.

The regular price on the Comodo website is now $139.00 for one year.

You Get

  • Domain validated, 2048 bit Industry Standard SSL Certificate
  • Immediate “No Hassle” SSL certificate issuance 24/7
  • Automated validation – no paperwork
  • FREE site seal
  • Unlimited Re-Issuance Policy
  • Free Registration in IdAuthority
  • Licensed for unlimited physical servers
  • 99.3% Browser Recognition
  • $10,000 relying party warranty

We are offering the same Certificate for only $25.00 per year! Over 80% off!

Use this promo code at checkout: comodo-essential-blog-deal

Click Here to Order


Setup a Tun/Tap OpenVPN Server on OpenVZ in Under 5 Minutes

How can I install a VPN server on my VPS in order to access the internet through it? If you want to skip the background and methodology behind the script, skip to the section called “Installing OpenVPN on OpenVZ.”

One of the prerequisites to run the common PPTP and IPSEC VPN protocols is PPP. Due to the nature of OpenVZ virtualization, it requires its own custom version of the Linux kernel to run. As a result, PPP is not available for us to use.

So, OpenVPN is the simplest way to get a VPN server running on your VPS, since it utilizes the TUN interface /dev/net/tun and creates a tunnel to the client software running on your PC. Then, using simple IPTables rules, you can masquerade or NAT your traffic to your public interface. Sounds complicated? To a degree it can be (depending on your Linux knowledge level).

So we have come up with a script that will allow you to install a “simple” version of OpenVPN server and download the appropriate configuration file (.ovpn & certificate) to import into the OpenVPN client software. This requires no configuration from your side other than running the script and answering some questions in the wizard.

Installing OpenVPN on OpenVZ

The following script will do the following things:

  1. It will check to ensure tun/tap is enabled. If it isn’t you will need to contact your support department and have it enabled before continuing.
  2. It will download and install the RPMForge Repository for CentOS (where OpenVPN packages are located)
  3. It will use YUM and install all the required packages (openvpn openssl openssl-devel)

Once the required packages are installed the script will create a sample easy to use configuration for OpenVPN and put the required files you will need for your Client to connect in /root/openvpn-keys.tgz

It will set OpenVPN to run on boot and create the necessary iptables NAT rules to route your traffic to your primary Public IP address and save it so it will remember when iptables is restarted.

Installation Steps

Download the following script (tested and supported on CentOS 5 32bit) and run as root: OpenVPN Install Script

or

Type the following commands as root:

cd ~
wget http://www.openvz.ca/scripts/install-openvpn.sh
chmod 700 install-openvpn.sh
./install-openvpn.sh

Wizard Instructions:

  • When asked to enter a “Passphrase” do not enter one, leave it blank and just press “enter”
  • When asked for Country Code, Province, City… These do not have to be accurate. Any values will do.
  • When asked if you want to build/sign the generated certificates enter yes (y).
  • It is normal for it to ask you two times for the same information (Since you are generating both client/server keys)

The final step is to download the /root/openvpn-keys.tgz archive, unzip it on your PC and import the .ovpn file in your OpenVPN Client (you can download it here if you haven’t already). This will create a simple button in your client and allow you to quickly establish a VPN connection to your VPS whenever you need it.

Questions? Contact Us or post a comment on this blog so we can clarify anything not mentioned.
