Tuesday, January 18, 2011

1st Known Spamming from the "Cloud"

Ehlo All,

This is my 1st confirmed spam (mid 2010) I have ever seen come from the "Cloud". The "winner" of this honor goes to Amazon. Congratulations (sarcasm). According to my latest research Amazon still does not allow PTR (rDNS) records which is typically required/strongly recommend to avoid outbound email being labeled as spam. How do the many mail servers running on Amazon's Cloud handle it? They relay their email from Amazon's environment onto another host (e.g. authsmtp, google "smtp relay service", etc) and then the other service forwards.

Background on me
I see a LOT of spam since my firm handles filtering for most of our clients via our geographically diverse clustered anti-spam/virus/DoS solution. Our clients on an average day get a total of about 300-400k connections a day (spam/real). This provides me a lot of experience/exposure with spam filtering. If you are wondering why we run our own systems it is because it offers more flexibility, significantly lower latency for email messages (aka delay), and faster response than the big guys.

View from my Spam Filtering Solution which Quarantines Suspect Email Like This.

Spam Header Details
Received: from mm-notify-out-209-61.amazon.com (mm-notify-out-209-61.amazon.com [])

by mail.rbkgroup.com with ESMTP id 67cz6639988tcu.19.20100625083501;

Fri, 25 Jun 2010 11:35:01 +0200

Date: Fri, 25 Jun 2010 11:35:01 +0200



From: "Buy.com"

Reply-To: Nobody


Message-ID: <02630844.67618272250016768122.JavaMail.em-build@na-mm-relay.amazon.com>

Subject: Thanks for your order!

X-AMAZON-CLIENT-HOST: digital-docs-dope-5002.iad5.amazon.com

X-ASG-Orig-Subj: Thanks for your order!

Bounces-to: 20100625083501q4b3332ggg949lm9p0629fm7g208en6r@bounces.amazon.com

X-AMAZON-CLIENT-SENDTIME: Fri, 25 Jun 2010 11:35:01 +0200



MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: 7bit


Any questions, let me know.

Saturday, January 15, 2011

DoS of DNS by an Exchange Focused Backup Software (AppAssure Replay)

 Ehlo All,

Imagine to my surprise that my favorite Exchange & Windows backup solution (AppAssure Replay was attempting to cause a denial of service (DoS). This version has a major problem with it's use of DNS lookups within the problem. Within 3 days, one Replay Server had performed over 450,000 queries of the hostname I used for Replay replication. This is almost 100 queries every minute 24 hours a day. That's what the product is doing. This is a serious issue. I've alerted the vendor, so I'm sure a fix will be included in a future release. In the mean-time, see below for the work-around until that happens.

The Issue
Inside AppAssure's Replay for replication, you specify a "Replication Target Host Name". This can be a hostname or IP address. See below for setting within Replay.

 This "Select Replication Target" configuration is per protected server (e.g. your Exchange Server, etc). I normally use a hostname for these types of settings since I'm a big fan of using DNS instead of IPs when possible (saves time when changing IPs & saves brain memory space for Exchange Server things). So, when you add your Replication Target hostname, the Replication target and source perform lookups more often than the snap-shot period (x min/hrs). In reality, Replay should only perform a DNS lookup when a replication needs to occur and NOT almost a 100 per minute.

AppAssure's Replay abusing DNS lookups. View from my Firewall hostname query  logs.

The Workaround Until a Permanent Fix is Released by AppAssure
If you use a hostname within the Replication option, make sure you add the corresponding information inside the hosts file (c:\windows\System32\drivers\etc\hosts - format is IP address space and hostname - use notepad to open the "hosts" file) on the source AND target Replay Replication Server. This avoids the use of an external DNS query and the query is handled by the operating system. So, this speeds up the process of performing a lookup and reduces your hostname's name server load. Otherwise prepare for your DNS to be attacked by your Replay environment.

Sadly, this isn't the first time I have seen a product mis-use DNS, but it's one of the worst in recent memory.