Barracuda update

spam.his.com is doing an excellent job of blocking spam without stopping non-spam – the only false positives we’re seeing involve mail from bulk sources (overstock.com, alert.ema.dc.gov, etc.), where many messages with the same content come in at once, which is characteristic of spam. You may find that you need to whitelist these if they’re winding up in your quarantine.

The system is also learning, as we’ve had time now to train it with feedback about what’s actually spam and not-spam – we update this Bayesian database daily, and this helps fine-tune filtering accuracy.

Two major improvements over Postini:  little, if any, non-spam mail getting quarantined, and much faster reaction to new spam attacks that use new methods to get around filters.  Barracuda updates its filters three times/hour, vs. once every day or two on Postini, and we’ve seen the effect of this in action – it works.

We’ve made a few minor changes – you’ll no longer see mail marked “?SPAM?” in your inbox.  This was mail that Barracuda thought might be spam but wasn’t sure about, so it didn’t quarantine it, but tagged it and passed it through.  In practice, we found that as much non-spam as spam was getting tagged, so this tagging wasn’t helpful and we’ve turned it off. These messages are still passed through, but without the tag.

Zimbra users:  you have another layer of spam/virus/phishing filtering in Zimbra.  Mail that Zimbra thinks is spam will be put in your Junk folder, and this is separate from what spam.his.com does.  Check your Junk folder from time to time, and if any mail is there that isn’t spam, mark it as not-spam (you have to do this via webmail).  Likewise, if any spam gets past spam.his.com and you find it in your inbox, you can mark it as spam.  Zimbra’s spam filter learns from your feedback, and if you mark spam/not-spam for a week or two, its accuracy will improve.  Zimbra’s spam filter works at the individual mailbox level, so you do need to train it so it knows whether you agree with what it’s doing.

If you want, you can forward spam that gets to your inbox to spam@barracuda.com – this will help them recognize new spam tricks and update their filters.

If you have any questions, open a support ticket by clicking “Open a Ticket” at http://info.his.com/support/support.his.com.html.  Check our knowledgebase articles at https://support.his.com/kb/kb/browse/001925


											

Spam filter change: switching from Postini to Barracuda

We provide spam and virus filtering with all email accounts – you really can’t use email without it anymore.

We’ve used Postini for our premium spam filtering since 2001 (twelve years!).  Google bought Postini in 2007, and Postini continued to be excellent until about a year ago when we noticed that things were slipping – there were outages, a lot of mail that wasn’t spam started to get quarantined, things like that.  Then Google decided to discontinue Postini, along with quite a few other services.

We evaluated seven good alternatives, and Barracuda was the clear winner.  The spam/virus filtering is excellent – they push out updates to the filtering rules as often as three times / hour, so they do a great job of catching spam blasts that use new techniques to get around the filters, and most people will find that they have few, if any, ‘false positives’ (non-spam that gets quarantined).   We’ve been testing the Barracuda system and using it for our own email since February, and we think you’ll find it a real improvement.  We’re operating the Barracuda servers in our own cloud, so we have direct control of uptime and reliability.

We’re switching domains over in groups, and should have everybody switched by May 18.  You’ll get email announcing the change before your domain is switched.  The change will be almost completely transparent to you – the only real change you’ll have to make is the link to your spam quarantine, which will be in the announcement email.

mail.his.com mailbox quotas increased

his.com and hers.com mailboxes on mail.his.com have been increased in size to 5 gigabytes.  You can add disk storage if you need it for $1/gb/month.

You can check your storage status by logging on to https://webmail.his.com and hovering your mouse over the bar under your name at the top of the screen.

Tip:  if you use the Zimbra web interface at  https://webmail.his.com, you can restore any messages that you delete for up to 30 days, even if you’ve emptied the trash.  Just right-click on the zimbra.trash icon.  This only works for mail deleted using https://webmail.his.com – if you’re using a regular email client (Thunderbird, Mac Mail, Outlook, etc.), mail that you delete from that program will be gone.

ALERT: major brute-force password-guessing attack on WordPress sites underway

There’s a significant attack by a botnet on WordPress sites, where the bots are trying to guess the passwords of common admin logins.  More info:  http://arstechnica.com/security/2013/04/huge-attack-on-wordpress-sites-could-spawn-never-before-seen-super-botnet/

If you are using WordPress and are using a common username or a common password, change it immediately to something less obvious. Update your WordPress admin password when in doubt. Operators of WordPress sites can take other measures too, including installing security plugins such as this one: http://wordpress.org/extend/plugins/better-wp-security/ and this one: https://wordpress.org/extend/plugins/limit-login-attempts/, which close some of the holes most frequently exploited in these types of attacks.

WordPress creator Matt Mullenweg has released a statement regarding the issue:

Almost 3 years ago we released a version of WordPress (3.0) that allowed you to
pick a custom username on installation, which largely ended people using “admin”
as their default username. Right now there’s a botnet going around all of the
WordPresses it can find trying to login with the “admin” username and a bunch of
common passwords, and it has turned into a news story (especially from companies
that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your
blog, change it, use a strong password … and of course make sure you’re up-to-
date on the latest version of WordPress. Do this and you’ll be ahead of 99% of
sites out there and probably never have a problem. Most other advice isn’t great
— supposedly this botnet has over 90,000 IP addresses, so an IP limiting or
login throttling plugin isn’t going to be great (they could try from a different
IP a second for 24 hours).

HIS advice:  remember that usernames are also passwords, so choosing a username like  ‘admin1492’ rather than ‘admin’  will help make your WordPress site much more secure.  Also, never use a password for your WordPress site or email that you’ve used somewhere else.  Yes, it’s a bother, but you should never use a password on more than one site.  Passwords should be 8 characters or longer and should contain at least one punctuation symbol, a mix of upper and lower case, and a number.
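The point in the statement above about a botnet spread over tens of thousands of addresses can be seen in a site's own access log. This is an added example, not code from HIS or WordPress; it assumes the Apache/nginx combined log format, and the thresholds and sample lines are constructed for illustration. A per-IP counter never trips when every address tries once, while the site-wide rate of login POSTs per minute does.

```python
import re
from collections import Counter
from datetime import datetime

# Combined log format: client IP, two ignored fields, [timestamp], "request line".
LOGIN_POST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[ ?]')

def login_posts(lines):
    """Yield (ip, minute) for every POST to wp-login.php in the log lines."""
    for line in lines:
        m = LOGIN_POST.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts.strftime("%Y-%m-%d %H:%M")

def analyse(lines, per_ip_limit=5, per_minute_limit=30):
    """Compare a per-IP threshold with a site-wide per-minute threshold."""
    per_ip, per_minute = Counter(), Counter()
    for ip, minute in login_posts(lines):
        per_ip[ip] += 1
        per_minute[minute] += 1
    return {
        "distinct_ips": len(per_ip),
        "ips_over_limit": sorted(i for i, n in per_ip.items() if n > per_ip_limit),
        "minutes_over_limit": sorted(m for m, n in per_minute.items()
                                     if n > per_minute_limit),
    }

def constructed_sample():
    """Constructed data: 120 login POSTs in two minutes, one per address
    (documentation IP ranges), plus one ordinary page view."""
    lines = []
    for i in range(120):
        ip = f"203.0.113.{i}" if i < 100 else f"198.51.100.{i - 100}"
        stamp = f"12/Apr/2013:03:{i // 60:02d}:{i % 60:02d} -0400"
        lines.append(f'{ip} - - [{stamp}] "POST /wp-login.php HTTP/1.1" 200 3651')
    lines.append('192.0.2.7 - - [12/Apr/2013:03:00:30 -0400] '
                 '"GET /index.php HTTP/1.1" 200 9120')
    return lines

if __name__ == "__main__":
    print(analyse(constructed_sample()))
```
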

Planned maintenance: dc.his.com, mail.his.com upgrades – Done

In order to expand disk space to accommodate larger user disk allowances, Zimbra servers mail.his.com and dc.his.com will be taken offline briefly this weekend:

  • mail.his.com – starting at 3 AM EDT, Saturday, April 6th – COMPLETED 5:20 AM April 6
  • dc.his.com – starting at 3 AM EDT, Sunday, April 7th – COMPLETED with no downtime.

 

Warning: ‘Webmail Account Warning’ message is bogus.

This bogus email is making the rounds and seems to be slipping past spam filters at the moment.  If you get one of these messages, delete it.  The link in the message takes you to a form that asks you to enter your email address and password.  If you do this, you can count on your account being hijacked by spammers all over the world.  This is an example of a ‘phishing’ email, designed to trick you into giving up your account login credentials. The copies that we’ve seen of this message came from IP numbers in Brazil.

Webmail Account Warning!

This mail is from Webmail Service; we wish to bring to your notice the Condition of your email account.

We have just noticed that you have exceeded your email Database limit of 500 MB quota and your email IP is causing conflict because it is been accessed in different server location. You need to Upgrade and expand your email quota limit before you can continue to use your email.

Update your email quota limit to 4.8 GB, use the below web link:

<link to form on docs.google.com>

Failure to do this will result to email deactivation within 24 hours

Thank you for your understanding.

Copyright 2012 Help Desk Technical Upgrading

Phishing/Malware email

We’re seeing a significant  increase in the number of ‘phishing’ and malware email messages.

Most of these are being stopped by Postini’s spam/virus filters, but some are getting through, and some are getting past our own spam/virus filters that we use to supplement Postini.

These messages are well crafted and look like legitimate email from an entity that you might be doing business with (AT&T, USPS, an airline, FedEx, UPS, your bank).  They tell you that a check has bounced or that you’re being billed for some outrageous amount, or something similar – the idea is to get you to click on the links in the messages.  If you do that, you’ll go to the bad guys’ web sites, where you’ll either be exposed to malware or there will be a login page that’s designed to trick you into entering login information that you use with your bank, airline, etc.

These messages appear to come from legitimate email addresses (which are forged) and have subject lines like:

US Airways online check-in.
Please confirm your US Airways online registration.
Fwd: Wire Transfer Confirmation (FED 5405TG032)
Your USPS postage labels charge.
USPS postage labels receipt.
USPS postage labels invoice.
USPS: DELIVER CONFIRMATION - FAILED 636382
Your USPS shipment postage labels receipt.
Your USPS delivery.
Confirmation of email address change.
Your AT&T wireless bill is ready to view

Before you click on any links in email that you receive, hover your mouse pointer over the link and check to see where the link really points – most browsers will show this at the bottom of the page.   If they point to something that looks bogus, don’t click.

Forward messages like this to spam@postini.com – this will help Postini recognize the tricks that these bad guys are using to get  past their filters.  Once you’ve done that, delete them.