HIS News and Status Announcements

DS3 out in DC – multiple T1 customers affected

admin — Wed, 11 Nov 2009 01:53:29 +0000

An AT&T DS3 circuit in DC went down at 7:47 PM EST tonight (11/10/2009). We’ve opened a ticket with AT&T.

Customers with more than one HIS T1 are still up since we feed multi-T1 customers on physically diverse circuits to avoid outages when a single T1 goes down. Single T1 customers fed via the down DS3 are currently down.

We’ll post status updates here as we receive them.

Update: the down DS3 was fixed at 10:51 PM EST and all affected T1s are back up.

Facebook Phishing Email

admin — Wed, 28 Oct 2009 14:39:52 +0000

We’ve started seeing email that looks like this:

(This is just a screengrab image – the links above aren’t live).

The message looks real enough (which is the idea) but it did not come from Facebook. The link actually goes to servers in 15 locations in Korea, Japan, Brazil, Hungary, Poland and the Ukraine, where you’ll be asked to enter your Facebook login info and while you’re at it you’ll be exposed to a variety of malware designed to harvest passwords and make you part of this botnet.

Postini should be catching these so you may not see one unless you’ve added ‘facebookmail.com’ to your approved senders list, in which case the messages will come through unfiltered.

Phishing flood continues … be careful …

admin — Mon, 19 Oct 2009 21:30:10 +0000

We’re continuing to see a high volume of ‘phishing’ email, some of which claims to be from ‘your email provider’ and warns of dire consequences if you don’t follow the link in the message and fill out the form to keep your account active. Don’t fall for these – these messages are designed to ‘get’ you in any of the following ways:

By clicking on the link, you confirm that your email address is good, guaranteeing more spam in the future
The site that’s linked to (usually disguised so as to look legitimate) is full of malware designed to infect your PC with viruses that log keystrokes, capture passwords, send spam, and make your PC part of the botnet that’s sending these things.
Some of the messages include a file attachment that supposedly has your ‘new settings’. This is actually an executable file designed to infect your PC.
If you go to the web site you’ll be asked to enter your username and password; if you do that, your username and password will be circulated in the spam world and your account will be compromised.

Why so many are getting through:

These are coming from one or more gigantic botnets and are originating from PCs around the world that have been infected.
- The volume is extremely high, so that even if a small percentage gets through, many people will get the messages.
The messages are originating from many (probably hundreds of thousands) of different IP numbers
The From: address and subject vary
Most of the examples we’ve seen are customized so that the URL that the link in the message points to is unique.
- This lets the bad guys know who got the messages even if all the user does is click on the link.
- This makes each message different so it’s harder for antispam software to pick up the pattern.
It’s taking at least a few hours for either Postini’s filters or ours to adapt and recognize new variations, and during that ‘zero hour’ phase thousands get through.

Whoever’s behind this is technically clever, and it would appear that there’s considerable money behind this as well.

If you get any of these, delete them immediately.

Flood of phishing mail

admin — Wed, 14 Oct 2009 16:37:56 +0000

There has been a flood of phishing email, coming from multiple sources with varying From: addresses, that says:

Dear user of the his.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (xyz@his.com) settings were changed. In order to apply the new set of settings click on the following link:

http://his.com/owa/service_directory/settings.php?email=xyz@his.com&from=his.com&fromname=xyz

Best regards, his.com Technical Support.

These are not from us. The real-looking link in the message actually takes you to a server in the U.K. where you’re asked to enter your login information. When you do that, you’ve been phished, and they know your email account username and password.

Our spam filters (and Postini’s) are usually very good at stopping this sort of thing, but more of these actually got through than usual, so be on the lookout. Our spam filters have automatically adjusted and most of these are being stopped now, but quite a few got through earlier today.

Update: we’re now seeing similar message that has an attached .zip file:

Dear user of the xyz.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox info@xyz.com settings were changed.
In order to apply the new set of settings open zip attached file.

Best regards, xyz Technical Support.

Opening the zip file will infect your computer (especially if you aren’t up to date with your antivirus software (up to date = daily updates).

Service impairment at Sterling, VA facility – resolved

admin — Thu, 01 Oct 2009 14:08:32 +0000

Backbone issues briefly impaired service at our Sterling, VA facility at 4:30 AM EDT (high latency for 17 minutes) and again at 8:59 AM EDT today (full outage for several minutes). The carrier reports that the problem was the result of maintenance that went awry and that the problem has been fully resolved.

Verizon blocking port 25 (SMTP / Outbound Mail) – what to do

admin — Tue, 22 Sep 2009 19:27:47 +0000

We’ve heard from quite a few of our email customers who get their internet connectivity from Verizon that they’ve started having problems sending (not receiving) email.

What’s happening: as an anti-spam measure, Verizon has started to block the SMTP port (port 25) for residential customers. There’s a Verizon writeup on this here. This is a good thing for the net because it blocks outgoing mail from virus-infected PCs (Wikipedia article here).

The workaround is simple: go into your email software setup and change the outgoing server setting from port 25 to port 587. Port 587 works with all of our servers and will let you send mail even if Verizon (or Comcast, Cox, Roadrunner etc.) blocks port 25.

Old Wordpress versions under attack

admin — Mon, 07 Sep 2009 03:39:11 +0000

If you’re using Wordpress and aren’t at the latest version (2.8.4), it’s time to upgrade. There have been many cases lately of Wordpress blogs getting hacked by spammers who have been able to exploit vulnerabilities in older versions of Wordpress to inject malware into mysql databases, causing no end of time-consuming annoyance for the owners of the blogs. Some pretty famous bloggers have been hit by this.

For more information, see: http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/ You can use http://ismyblogworking.com to test your Wordpress blog and get the version number.

If you’re reasonably up to date, there’s a link on your admin control panel that lets you upgrade automatically using your FTP login info – it’s pretty painless.

Wordpress is an excellent package and we encourage its use, but as with any piece of software, you can’t just install it and forget about it – you must keep it up to date. The best way to find out about updates is to watch http://www.wordpress.org.

DS3 out in DC – some customer T1s down – resolved

admin — Fri, 04 Sep 2009 13:07:50 +0000

An AT&T DS3 (circuit that feeds 20-some T1s) is down in DC, causing some of our customer T1s to be down. Customers who have multiple T1s are up because we spread multiple T1s over different circuits, but single-T1 customers who are fed by this DS3 have been down since 7:34 AM.

We’ve contacted all affected customers by phone and will post updates here. AT&T sees the problem and is working to resolve it.

10:45 AM update: AT&T reports that this is part of a much larger outage. No estimate on resolution time yet.

10:55 AM Update: the problem was resolved at 10:51 AM and all customer T1s are back up.

Trojan email warning

admin — Thu, 20 Aug 2009 19:55:23 +0000

We’ve started to see reports of mail to HIS users that looks like this:

Dear user of his.com,

Your email account has been used to send a huge amount of unsolicited email during the recent week.
Probably, your computer had been compromised and now contains a hidden proxy server.

We recommend that you follow the instruction in the attached file in order to keep your computer safe.

Virtually yours,
The his.com team.

These messages are not from us – they’re trojans designed to trick you into opening the attached file, which, if you do, will infect your PC with whatever virus they’re trying to propagate, which will then turn your PC into a spam-sending ‘bot’ …

Messages like this should be blocked by our anti-spam/virus servers, but some do get through every now and then and you might see one. If you do, delete it.

mail.his.com webmail slow – resolved

admin — Wed, 05 Aug 2009 21:36:03 +0000

We’ve had to replace a hard drive on mail.his.com and the RAID array is rebuilding. While this is happening disk operations will be much slower than usual. This won’t affect most users, but we’ve found that webmail logins can be quite slow while this is going on.

If you’re accessing https://webmail.his.com or https://mail.his.com you may find that your logins take an unusually long time if you have a large mailbox.

Update: the RAID rebuild completed at 11:34 PM Wednesday and access times are normal again on mail.his.com.