An AT&T DS3 circuit in DC went down at 7:47 PM EST tonight (11/10/2009). We’ve opened a ticket with AT&T.
Customers with more than one HIS T1 are still up since we feed multi-T1 customers on physically diverse circuits to avoid outages when a single T1 goes down. Single T1 customers fed via the down DS3 are currently down.
We’ll post status updates here as we receive them.
Update: the down DS3 was fixed at 10:51 PM EST and all affected T1s are back up.
We’ve started seeing email that looks like this:
(This is just a screengrab image – the links above aren’t live).
The message looks real enough (which is the idea) but it did not come from Facebook. The link actually goes to servers in 15 locations in Korea, Japan, Brazil, Hungary, Poland and the Ukraine, where you’ll be asked to enter your Facebook login info and while you’re at it you’ll be exposed to a variety of malware designed to harvest passwords and make you part of this botnet.
Postini should be catching these so you may not see one unless you’ve added ‘facebookmail.com’ to your approved senders list, in which case the messages will come through unfiltered.
We’re continuing to see a high volume of ‘phishing’ email, some of which claims to be from ‘your email provider’ and warns of dire consequences if you don’t follow the link in the message and fill out the form to keep your account active. Don’t fall for these – these messages are designed to ‘get’ you in any of the following ways:
.
Why so many are getting through:
.
Whoever’s behind this is technically clever, and it would appear that there’s considerable money behind this as well.
If you get any of these, delete them immediately.
There has been a flood of phishing email, coming from multiple sources with varying From: addresses, that says:
Dear user of the his.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (xyz@his.com) settings were changed. In order to apply the new set of settings click on the following link:
http://his.com/owa/service_directory/settings.php?email=xyz@his.com&from=his.com&fromname=xyz
Best regards, his.com Technical Support.
These are not from us. The real-looking link in the message actually takes you to a server in the U.K. where you’re asked to enter your login information. When you do that, you’ve been phished, and they know your email account username and password.
Our spam filters (and Postini’s) are usually very good at stopping this sort of thing, but more of these actually got through than usual, so be on the lookout. Our spam filters have automatically adjusted and most of these are being stopped now, but quite a few got through earlier today.
Update: we’re now seeing similar message that has an attached .zip file:
Dear user of the xyz.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox info@xyz.com settings were changed.
In order to apply the new set of settings open zip attached file.
Best regards, xyz Technical Support.
Opening the zip file will infect your computer (especially if you aren’t up to date with your antivirus software (up to date = daily updates).
Backbone issues briefly impaired service at our Sterling, VA facility at 4:30 AM EDT (high latency for 17 minutes) and again at 8:59 AM EDT today (full outage for several minutes). The carrier reports that the problem was the result of maintenance that went awry and that the problem has been fully resolved.
We’ve heard from quite a few of our email customers who get their internet connectivity from Verizon that they’ve started having problems sending (not receiving) email.
What’s happening: as an anti-spam measure, Verizon has started to block the SMTP port (port 25) for residential customers. There’s a Verizon writeup on this here. This is a good thing for the net because it blocks outgoing mail from virus-infected PCs (Wikipedia article here).
The workaround is simple: go into your email software setup and change the outgoing server setting from port 25 to port 587. Port 587 works with all of our servers and will let you send mail even if Verizon (or Comcast, Cox, Roadrunner etc.) blocks port 25.
If you’re using Wordpress and aren’t at the latest version (2.8.4), it’s time to upgrade. There have been many cases lately of Wordpress blogs getting hacked by spammers who have been able to exploit vulnerabilities in older versions of Wordpress to inject malware into mysql databases, causing no end of time-consuming annoyance for the owners of the blogs. Some pretty famous bloggers have been hit by this.
For more information, see: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ You can use http://ismyblogworking.com to test your Wordpress blog and get the version number.
If you’re reasonably up to date, there’s a link on your admin control panel that lets you upgrade automatically using your FTP login info – it’s pretty painless.
Wordpress is an excellent package and we encourage its use, but as with any piece of software, you can’t just install it and forget about it – you must keep it up to date. The best way to find out about updates is to watch http://www.wordpress.org.
An AT&T DS3 (circuit that feeds 20-some T1s) is down in DC, causing some of our customer T1s to be down. Customers who have multiple T1s are up because we spread multiple T1s over different circuits, but single-T1 customers who are fed by this DS3 have been down since 7:34 AM.
We’ve contacted all affected customers by phone and will post updates here. AT&T sees the problem and is working to resolve it.
10:45 AM update: AT&T reports that this is part of a much larger outage. No estimate on resolution time yet.
10:55 AM Update: the problem was resolved at 10:51 AM and all customer T1s are back up.
We’ve started to see reports of mail to HIS users that looks like this:
Dear user of his.com,
Your email account has been used to send a huge amount of unsolicited email during the recent week.
Probably, your computer had been compromised and now contains a hidden proxy server.
We recommend that you follow the instruction in the attached file in order to keep your computer safe.
Virtually yours,
The his.com team.
These messages are not from us – they’re trojans designed to trick you into opening the attached file, which, if you do, will infect your PC with whatever virus they’re trying to propagate, which will then turn your PC into a spam-sending ‘bot’ …
Messages like this should be blocked by our anti-spam/virus servers, but some do get through every now and then and you might see one. If you do, delete it.
We’ve had to replace a hard drive on mail.his.com and the RAID array is rebuilding. While this is happening disk operations will be much slower than usual. This won’t affect most users, but we’ve found that webmail logins can be quite slow while this is going on.
If you’re accessing https://webmail.his.com or https://mail.his.com you may find that your logins take an unusually long time if you have a large mailbox.