See Why Postini Marked Your Message as SPAM

Ever wondered why Postini blocked your email? Luckily Postini provides their “Postini Message Analysis” tool to assist in tracking down pesky false positives.

Here’s how to run your message through their analysis tool:

Step One

Login to Google Postini’s web interface at https://login.postini.com/ and release your quarantined message.

Step Two

Open your message in your favorite email client. View your message headers and copy everything from the top down to (and including) the line starting with “X-pstn-addresses:”.

Step Three

Visit the Postini Message Analysis Tool page and paste in the content copied in Step Two. Press “Analyze Message”.

Step Four

Review your results and see why the message was counted as SPAM.

Another helpful page is Google’s description for what each custom header tag (added by Postini) represents. See this page for more information.
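As an added example (not part of the original post), here is the header-copying of Step Two done from the command line against a saved raw message: the function prints everything from the top of the file down to and including the “X-pstn-addresses:” line and nothing after it, so the message body never gets pasted into the analysis tool. The sample message, its addresses and header values are constructed for the demonstration and are not real Postini output.

```shell
#!/bin/bash
# Added example (not from the original post): extract the header block that
# the Postini Message Analysis tool asks for, i.e. everything from the top of a
# saved raw message (.eml) down to and including the "X-pstn-addresses:" line.
# Header names are matched case-insensitively because mail clients vary in casing.

# Usage: postini_headers <path-to-raw-message>
# Prints the header lines; returns 1 if no X-pstn-addresses header was found.
postini_headers() {
    awk '
        { print }
        tolower($0) ~ /^x-pstn-addresses:/ { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Number of lines the tool will receive for a given message (handy sanity check).
count_postini_headers() {
    postini_headers "$1" | wc -l | tr -d ' '
}

# Constructed sample message (hypothetical addresses and values).
SAMPLE_MSG="$(mktemp)"
cat > "$SAMPLE_MSG" <<'EOF'
Received: from mail.example.test (mail.example.test [192.0.2.10])
From: sender@example.test
To: recipient@example.test
Subject: Quarterly report
Message-ID: <constructed-0001@example.test>
X-pstn-addresses: from <sender@example.test> [db-null]
Date: Mon, 01 Jan 2001 00:00:00 +0000

Body text that must not be pasted into the analysis tool.
EOF

# Prints the six header lines and stops at X-pstn-addresses.
postini_headers "$SAMPLE_MSG"
```

Paste the printed lines into the analysis page exactly as they are; if the function returns a non-zero status the message was not stamped by Postini at all, which is itself useful to know.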

The RioRey DDoS Solution

 

Product Overview

The RioRey solution is a DDoS protection device not widely used or heard of … yet. First of all let me assure you that I am in no way associated with the RioRey company and my focus is to give an honest and unbiased opinion of their product offerings.

 

The RioRey device is a rack-mountable unit with one copper management port and two copper or fiber (multimode SX/LC or singlemode LX/LC) ports. Their products are tiered by the volume of packets per second they are able to mitigate under a real DDoS attack, ranging from 150K packets per second (PPS) up to their newest eight-rack-unit 16M PPS model. The model I have had the most experience with is their entry-level 150K PPS model, and it is the model discussed in the remainder of this article.

 

Installation

Using the device is a breeze. Installation is as simple as placing it in line at the closest “edge” of your connection; for most companies and hosting providers this is the handoff from their bandwidth provider (e.g. Cogent, AT&T). The device can be purchased (at no additional cost) with the ability to fail to bypass: if the device has a hardware failure it acts as a straight-through cable and continues to pass traffic. In testing, a simulated failure did not even trip external monitoring.

 

Usage

The device comes with a very primitive web interface used for setting up low-level functions such as syslog reporting and IP addressing of the management interface; it ships with a pre-configured IP address so the web console can be reached for first installation. The device also comes with management software called “rView”, which lets you view the status of the device, run reports, get real-time insight into current attacks and customize how the device behaves under attack. The device can also send SNMP traps, log to syslog and email when an attack is detected.

 

Real World Experience

I’ve personally and (un)fortunately had this device work for me. This device was blocking a 1.3GBit/sec UDP flood and was currently only linked at 100mbit. All sites/devices/services behind the RioRey were still responsive. The sites did notice a small uptick in response time but no dropped packets or requests. The device performed as advertised and their patented Micro Behavioral Analysis (MBA) algorithms performed beautifully. Within 60 seconds the attack was mitigated and “polluted” traffic was removed. The graph on the right illustrates how fast the traffic was blocked. Notice how the blue line grows and then almost instantly disappears. This blue line is the “after filtering” traffic (the traffic passed to the LAN interface). The attack traffic was almost instantly mitigated, all without human intervention.

 

Summary

This device is a very valuable tool. It’s kind of like a fire extinguisher: when you need it you really need it; when you don’t, you never really know or care that it’s there. Was it worth the investment? It’s hard to gauge these things after an attack is mitigated. Without the device, it would be much harder to identify the attacker and the victim during an attack, and simply analyzing the traffic to find the source(s) would cause more downtime.

I believe the device is well worth it. Its entry-level pricing is second to none (when compared to other solutions) and it allows a level of protection that most never thought possible for the price. To obtain more information and pricing please visit the RioRey site.

If you have any questions about the device and would like to contact me for more information please post a comment or email Adam [at] Admo.net for more information!

How to Calculate IOPS (I/O’s per Second)

 

Workload               IOPS (I/O’s per Second,      Data Transfer Rate   Minimum Number of Disk Drives
                       or iostat "tps")             (MB/sec)             to Support Workload
Random I/O (10k RPM)   125                          0.5                  n = (%R + f(%W))(tps)/125
Random I/O (15k RPM)   150                          0.5+                 n = (%R + f(%W))(tps)/150
Sequential I/O         2000                         50                   n = (MB/sec)/50

Where:
%R = the percentage of disk I/O’s that are reads.
%W = the percentage of disk I/O’s that are writes.
f = 1 for ordinary disks, 2 for mirrored disks, 4 for RAID 5 disks.
Assumes data is distributed evenly across all disk drives.

 

Using the above formula, here’s the minimum number of disks required to support a random I/O workload of 1000 IOPS, 80% read, 20% write, on 10K RPM disk drives.

 

Ordinary disks:  (0.8 + 1*0.2)(1000 IOPS)/(125 IOPS/disk) = 8
Mirrored disks:  (0.8 + 2*0.2)(1000 IOPS)/(125 IOPS/disk) = 9.6, rounded up to 10
Raid 5 disks:    (0.8 + 4*0.2)(1000 IOPS)/(125 IOPS/disk) = 12.8, rounded up to 13
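The formula carried through as a small shell helper, added here and not part of the original article: it takes the read/write mix, the RAID write factor f from the table and the per-disk IOPS, and rounds the result up because a fraction of a spindle cannot be bought, which is how 9.6 and 12.8 above become 10 and 13. The wrapper names (random_io_disks, sequential_disks) and the spindle-speed labels are my own; the per-disk figures (125, 150, 50 MB/sec) are the table’s.

```shell
#!/bin/bash
# Added example (not from the original article): the table's formula
#   n = (%R + f(%W))(tps) / IOPS_per_disk
# for any read/write mix, RAID write factor and spindle speed, rounded up.

# Usage: disks_needed <read_fraction> <write_fraction> <f> <tps> <iops_per_disk>
#   f = 1 ordinary, 2 mirrored, 4 RAID 5 (write penalties from the table)
disks_needed() {
    awk -v r="$1" -v w="$2" -v f="$3" -v tps="$4" -v per="$5" 'BEGIN {
        n = (r + f * w) * tps / per
        # ceiling with a small tolerance so 8.0000000001 stays 8, not 9
        printf "%d\n", (n - int(n) < 1e-9) ? int(n) : int(n) + 1
    }'
}

# Wrapper using the table's per-disk IOPS for 10k and 15k RPM drives.
# Usage: random_io_disks <10k|15k> <ordinary|mirrored|raid5> <read_fraction> <tps>
random_io_disks() {
    local per f w
    case "$1" in
        10k) per=125 ;;
        15k) per=150 ;;
        *) echo "unknown spindle speed: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ordinary) f=1 ;;
        mirrored) f=2 ;;
        raid5)    f=4 ;;
        *) echo "unknown layout: $2" >&2; return 1 ;;
    esac
    # the write fraction is whatever is not a read
    w=$(awk -v r="$3" 'BEGIN { print 1 - r }')
    disks_needed "$3" "$w" "$f" "$4" "$per"
}

# Sequential row of the table: n = (MB/sec)/50, rounded up.
# Usage: sequential_disks <MB_per_sec>
sequential_disks() {
    awk -v mb="$1" 'BEGIN {
        n = mb / 50
        printf "%d\n", (n - int(n) < 1e-9) ? int(n) : int(n) + 1
    }'
}

# The article's worked case: 1000 IOPS, 80% read, 20% write, 10k RPM
for layout in ordinary mirrored raid5; do
    echo "$layout: $(random_io_disks 10k "$layout" 0.8 1000) disks"
done
```

Because the write penalty multiplies only the write fraction, a write-heavy workload on RAID 5 needs many more spindles than the same IOPS of reads, which is the point the three lines above make.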

Full Article Here

BASH: Find Orphaned Users and Orphaned Groups

Sometimes, for auditing purposes, it can be useful to look for users and groups which are “orphaned” or have no users/groups associated with them.

Finding Orphaned Users

Use this script to find orphaned users:

    #!/bin/bash
    # Accounts that legitimately have no group of the same name
    USEREXCLUSIONS=( sync shutdown halt operator )

    # Walk every account name in /etc/passwd (first colon-separated field)
    for i in $(awk -F: '{print $1}' /etc/passwd); do
        # Look for a group with exactly this name (anchored so "adm" does not match "badm")
        if ! grep -q "^${i}:" /etc/group; then
            orphaned=1
            for look in "${USEREXCLUSIONS[@]}"; do
                if [ "$i" = "$look" ]; then
                    orphaned=0
                    break
                fi
            done
            if [ "$orphaned" -eq 1 ]; then
                echo "$i is orphaned!"
            fi
        fi
    done

 

Finding Orphaned Groups

Use this script to find orphaned groups:

    #!/bin/bash
    # System groups that legitimately have no user of the same name
    GROUPEXCLUSIONS=( sys tty disk mem kmem wheel dip lock users floppy utmp slocate )

    # Walk every group name in /etc/group (first colon-separated field)
    for i in $(awk -F: '{print $1}' /etc/group); do
        # Look for a user with exactly this name (anchored so "tty" does not match "getty")
        if ! grep -q "^${i}:" /etc/passwd; then
            orphaned=1
            for look in "${GROUPEXCLUSIONS[@]}"; do
                if [ "$i" = "$look" ]; then
                    orphaned=0
                    break
                fi
            done
            if [ "$orphaned" -eq 1 ]; then
                echo "$i is orphaned!"
            fi
        fi
    done
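The two scripts above pair users and groups by name. As an added example (not part of the original post), the following complementary audit pairs them by ID, which is what the system actually uses: it reports users whose primary GID has no entry in the group file, and groups whose GID is nobody’s primary group and which list no members. Both functions take explicit file paths so they can be run against copies of passwd and group pulled from another host; the function names and the sample accounts below are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original post): orphan detection by numeric ID
# rather than by matching names between /etc/passwd and /etc/group.

# Usage: users_with_missing_primary_group <passwd-file> <group-file>
# Prints "user (gid N)" for every account whose primary GID is not defined.
users_with_missing_primary_group() {
    awk -F: '
        NR == FNR { gid_exists[$3] = 1; next }             # first file: group, collect GIDs
        !($4 in gid_exists) { print $1 " (gid " $4 ")" }   # second file: passwd, field 4 is primary GID
    ' "$2" "$1"
}

# Usage: groups_without_users <passwd-file> <group-file>
# Prints "group (gid N)" for every group that is nobody's primary group
# and has an empty member list.
groups_without_users() {
    awk -F: '
        NR == FNR { primary[$4] = 1; next }                       # first file: passwd, collect primary GIDs
        !($3 in primary) && $4 == "" { print $1 " (gid " $3 ")" } # second file: group
    ' "$1" "$2"
}

# Constructed sample files (hypothetical accounts, not taken from any real host)
SAMPLE_PASSWD="$(mktemp)"
SAMPLE_GROUP="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:5000:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:backup service:/var/lib/backup:/sbin/nologin
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
alice:x:1001:
olddev:x:1500:alice
legacy:x:1600:
svc-backup:x:1003:
EOF

# bob's primary group 5000 is undefined; legacy is nobody's primary group and has no members.
# olddev is also nobody's primary group but still has a member, so it is not reported.
users_with_missing_primary_group "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
groups_without_users "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

A user whose primary GID does not exist is worth a closer look than a mere naming mismatch: files that account creates will carry a GID that no group owns, which tends to surface later as confusing permission behaviour.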

Jing Project: Simple “MindShare”

It’s not common for me to find a tool that’s really useful these days. Especially with the advent of spyware, software has just become too cumbersome for something free to spark my interest. Sure, I’ve used many a screen capture utility but nothing has really stuck out. Co-workers always ask for explanations on how to do things and it can be nice to write up a handy document for repeatable tasks but it’s never really as easy as it should be; until now.

 

So, What is it?

The application I spoke about was Jing. This application is a spin-off free product of Camtasia (TechSmith) and allows you to capture screenshots and allows you to easily upload them to a specified FTP server for sharing. I really enjoy this concept because it closes the gap between screen capture and presentation. Previously I would have to capture what I was thinking and then open the FTP program, then upload it, then copy and paste the URL… then send it to the person in need. With Jing I just capture, and press one button. The Image/Video (yes, VIDEO) is now on my clipboard and ready for presentation.

 

What Can It Do?

Jing can capture images and video (up to 5 minutes) and automagically FTP them to your server. Other transport mechanisms are available, such as Screencast.com, Flickr and simply saving to a file on local storage. The interface is very straightforward and easy to use. On the right you can see how the FTP configuration page looks.

 

Check out Jing today and see how easy sharing your mind can be!