We recently enabled a process that notifies our customers when they have domains that are not properly rejecting unknown users (catch-all alias enabled or domain simply misconfigured).  Please note that although the notice says that you have 24 hours to fix the issue, we will not begin disabling domains for this issue until June 2, 2010.  This will allow people time to get the issue corrected.

Please work with our support team if you have any questions or issues as to why you are receiving these notifications.

This morning at approximately 7am central time, our MF2 gateway began to experience issues. Although the gateway was up and responding to network requests, it was not responding to SMTP requests. After investigating the issue it appears that the gateway was hit with an extremely heavy dictionary attack, essentially to the point of a denial of service, sent to a domain that was misconfigured and was not rejecting unknown users.

This caused our gateway to accept all mail received for that domain and queue it up in an attempt to deliver it to the destination server. Due to the large volume of mail, it caused the gateway’s processor load to spike, causing the gateway to shut down SMTP services to protect itself.

Once we determined what the issue was, it took us some time to go through the outgoing queue and remove the offending messages from the queue manually to reduce the amount of work the gateway had to do so that processor levels could be reduced enough to enable SMTP again.

SMTP services were re-enabled at approximately 8:30am central time and all mail should be flowing normally. No mail will have been lost during this outage, though some mail may be delayed past the point where services were restored due to the retry settings on the sender’s mail server.

We apologize for this outage and will be discussing internally ways to prevent something like this from happening again. The most likely outcome of this will be that we will fully activate the automated catch-all checking and disabling, which is designed to disable domains that accept mail for all users like this. We’ve put off doing so several times in the past due to customers expressing concern about it, but I believe it’s time to go ahead and implement this for the sake of all of our users.

All customers with service on MF2 will be receiving a 5% service credit due to this outage.

This is just a reminder to check the Catch-all Report under the Tools menu in the Account Manager to see if you have any domains that have catch-alls enabled.  Purity Networks does not support domains with catch-alls enabled.

We have not been running the automatic disable process that will disable these domains for some time, but we will be starting to run this process again on 10/10/2009.  If you have not taken care of the issue before then, any domains that have catch-alls enabled will be disabled and mail will no longer be accepted for them.

For more information on catch-alls and why we don’t allow them, see this knowledgebase article and this knowledgebase article. For Exchange users, please see this knowledgebase article on how to properly configure Exchange to reject invalid users at the SMTP transaction level.

We’re temporarily re-enabling the domains that have catch-alls or are not properly rejecting unknown users during the SMTP transaction to give our customers some time to get the issue fixed.  Please remember that you can log into the Account Manager and go to the Tools tab to see the catch-all report so you know which domains you need to fix.

We will be re-running the disable process this weekend, so get these fixed before the end of the week. We will be running the disable process at 11:59pm central US time on Saturday, February 28th.

For more information on catch-alls and why we don’t allow them, see this knowledgebase article and this knowledgebase article. For Exchange users, please see this knowledgebase article on how to properly configure Exchange to reject invalid users at the SMTP transaction level.

If you have a ServerProtect account, you may not be aware that you have access to a “Catch-all Report” that will list domains that have a “catch-all” set up on them — that is, they accept mail for ALL addresses at that domain.

You can access this report by logging into the Account Manager and going to the Tools tab.  We ask that you remove the catch-all from any domains that show up in the report, as we do not support domains with catch-alls enabled.  At some point in the future we will begin automatically disabling mail services for domains that have catch-alls enabled until that situation is addressed.  We will, of course, notify you with a post here before we put such practice into place. For more information on why we don’t support catch-alls, see this knowledgebase article.

As always, if you have any questions, please contact us.