Spamhaus RBL issues with Google Public DNS

Today I noticed a very busy Exchange server. Looking more closely the logs showed up that lots of spammy messages were being allowed in and not rejected despite the fact that Spamhaus RBL was set up.

The Exchange server (or rather the network the server is on) was set to use Google DNS (8.8.8.8 and 8.8.4.4) for all queries to provide a little bit more protection to the clients. The reason for doing this is that Google DNS seems to block some sites that are harbouring malicious software etc - every little bit of protection helps :-)

After some research I found that the issue lay with the Google DNS setup. Spamhaus does not seem to allow queries made via Google DNS. As soon as I changed the servers back to the “ISP default” the RBL lookups started working again. Exchange server now back to sleep…
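The practical check that follows is an added example, not code from the original post: a small DNSBL lookup helper that separates a real Spamhaus listing from the 127.255.255.x error answers Spamhaus returns when a query arrives via a public/open resolver such as 8.8.8.8. The return codes are the ones Spamhaus documents for its ZEN zone; the address 192.0.2.1 is a documentation address used as constructed sample input, and the resolver used is whatever the operating system is configured with (which is exactly the setting that caused the problem above).

```python
"""Added example (not from the original post): DNSBL lookup helper that keeps
Spamhaus "query refused" error codes distinct from genuine listings."""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Listing return codes documented by Spamhaus for the ZEN zone.
LISTING_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised senders)",
    "127.0.0.4": "XBL (exploited host, CBL data)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP-maintained policy block)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy block)",
}

# Error codes documented by Spamhaus: the query was refused or malformed,
# so the answer says nothing about the address being looked up.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver (e.g. 8.8.8.8) refused",
    "127.255.255.255": "excessive number of queries, refused",
}


def dnsbl_query_name(ip, zone=ZONE):
    """Build the reversed-octet DNSBL query name for an IPv4 address.
    192.0.2.1 -> 1.2.0.192.zen.spamhaus.org.  Raises ValueError on bad input."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and garbage
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Turn the A records returned for a DNSBL query into a verdict.

    answers: list of dotted-quad strings; an empty list means NXDOMAIN,
    i.e. the address is not listed.  Returns a dict with 'status' in
    {'clean', 'listed', 'error'} and a list of human-readable 'reasons'."""
    if not answers:
        return {"status": "clean", "reasons": []}
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        # An error answer must never be read as "not listed": the filter would
        # then silently wave everything through, which is what the post saw.
        return {"status": "error", "reasons": errors}
    reasons = [LISTING_CODES.get(a, "unknown return code " + a) for a in answers]
    return {"status": "listed", "reasons": reasons}


def lookup(ip, zone=ZONE):
    """Query the DNSBL through whatever resolver the OS is configured to use.

    With the system pointed at 8.8.8.8 the answer is 127.255.255.254, which
    classify() reports as status 'error' rather than as a listing."""
    name = dnsbl_query_name(ip, zone)
    try:
        _, _, addresses = socket.gethostbyname_ex(name)
    except socket.gaierror:
        # The stdlib resolver does not separate NXDOMAIN from a resolver
        # failure; a production filter should use a DNS library that exposes
        # the rcode so that failures are not mistaken for "clean".
        addresses = []
    return classify(addresses)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address (TEST-NET-1): constructed sample input.
    print(lookup("192.0.2.1"))
```

Running `lookup()` on a mail gateway that has been switched to Google DNS reports `error` with the "public/open resolver" reason, which is the signal to log and alert on; a filter that only tests for "any 127.x answer" or "no answer" cannot tell this apart from a clean result.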

Battling SageLine 50 network performance issues

I have seen another client with issues with SageLine 50 in a multi-user environment. Sage of course will blame “the environment” and tell you that you need PC/network/server upgrades.

The truth of the matter is that the database behind SageLine 50 was never designed for multi-user network access. SageLine 50 operates on a flat file database system. Sage 50 should really be on SQL by now – this way the client would request the data, SQL would query and find it and return it to the client without pulling lots of data across your network. But it’s doubtful that Sage 50 will move to SQL – the opportunity to upsell to the next version makes more money for them.


Best tips for Sage 50 network multi-user usage

Here’s what we found in our tests and some tips for optimisation in an environment using Sage 50:

1. Exclude all Sage data and program files from antivirus scanning.

2. Store the Sage data share on a machine that does not have someone sitting at it. It’s better for all machines to access the data in the same way (i.e. network access, as opposed to a mixture of network access and direct disk access from the console).

3. Ensure all Sage clients are accessing the share via a mapped drive and not a UNC path.

4. Ensure you are using gigabit Ethernet (recommended but a bit hit and miss – see below).

5. If you are using Windows Vista or 7, disable the network autotune feature.


Sage and the Gigabit Ethernet myth

Gigabit Ethernet is a bit hit and miss though – the Sage 50 program does not use the available bandwidth. To test this we had 2 machines – A & B.

We tested the bandwidth available by copying a large file from machine A to machine B across the gigabit network (the file was actually Win XP SP3) using Windows Explorer and UNC paths. Looking at the Task Manager Network monitor we could see the utilisation was a healthy 15% (well, healthy for two desktop machines on gigabit!).

Then using Task Manager Network monitor again we observed the bandwidth in use in Sage 50 with the data stored on machine A and the Sage 50 client on machine B. Even when Sage 50 appeared to lock up or act really slowly, the bandwidth in use never rose above 4%. So Sage just doesn’t use the bandwidth available. Much of the reason for this will be down to the TCP/IP window / MTU and the fact that some of the data files are small (lots of small files take longer to copy than a single large one).

So although it’s possible to improve user experience a bit, it will never be that great. It’s a shame really.

Outlook 2007 slow to launch – outcmd.dat

Last week I saw an annoying problem with an Outlook 2007 client connected to POP accounts. Outlook would take around 60 seconds to open and take equally as long opening the first item you clicked on. In Task Manager you would also see the Outlook Lifeboat (OffLB.exe) rearing its head.

I tried all the usual stuff of disabling add-ons, swapping PST files, excluding PST from A/V scanning etc. but the problem remained. However Outlook would run fine in Safe mode.

Using the excellent SysInternals Process Monitor I monitored what was being accessed during Outlook launch and tracked down the problem – it was the outcmd.dat file which had grown to over 15Mb and must have contained errors. Deleting this file and re-launching Outlook instantly fixed the error.

I was surprised that I’d never seen this issue in the last 10 years.

win32/olmarik.AJL Master Boot Record Infection

Recently I’ve seen another infection of the win32/olmarik.AJL master boot record virus on a Windows 7 machine which was running the latest version of Norton 360.

The symptoms were all there – the machine could not get to the Windows Update website, occasional browsing redirects, random blue screens. The virus hides itself from the O.S. and interferes with network traffic.

Running an Eset Rescue CD scan found many infections which it cleaned, but the Eset Rescue CD sometimes cannot remove MBR viruses. For this I used Kaspersky’s excellent TDSSKiller, which can run in Normal or Safe mode and quickly identifies and removes these.

Lots of scare-ware

I have seen a lot of scareware around in the last few weeks which most antivirus software (including all the big names) don’t always pick up. You know the type of thing – a changed wallpaper with the message “Your computer is at risk and has lots of viruses – click here to fix otherwise your car will break down and your children will be sold”. Or similar!

Unless it’s particularly nasty, it just seems to add an executable file to the start up which then stops you from running some of your programs and antivirus. Restarting the machine in Safe Mode enables the deletion of the file.

As a side note, some of the scareware has such bad grammar and spelling…

Exchange 2010 SMTP and Cisco ASA ESMTP inspections

I’ve been observing problems on an Exchange 2010 server receiving email via SMTP. Certain hosts (especially Google Mail servers) would not complete connection to SMTP and the sending messages would eventually fail and be returned to sender.

The problem turned out to be the Cisco firewall between the Exchange server and outside world. The Cisco box was inspecting incoming SMTP traffic and obfuscating/re-writing the server banner.

Removing the Inspect ESMTP rule cleared the problem and mail flowed fully again.
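As an added check (example code, not from the original post): Cisco ASA/PIX ESMTP inspection rewrites the server greeting with asterisks, so the quickest way to confirm that a firewall is interfering with your own MX is to read the 220 line from outside and look for that pattern. The 80% asterisk threshold is my own heuristic, and `mx.example.com` is a placeholder host name; the sample banners are constructed.

```python
"""Added example (not from the original post): detect asterisk-masking of an
SMTP greeting, the symptom of an ESMTP inspection device rewriting the banner."""
import re
import socket

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def inspect_banner(banner):
    """Classify one SMTP greeting line.

    Returns (status, detail) with status one of:
      'ok'      - a normal 220 greeting with readable text
      'masked'  - 220 followed (almost) only by asterisks, the signature of an
                  inspection device rewriting the banner
      'invalid' - not a 220 greeting at all"""
    line = banner.rstrip("\r\n")
    m = REPLY_RE.match(line)
    if not m:
        return ("invalid", "not an SMTP reply line: %r" % line)
    code, _sep, text = m.groups()
    if code != "220":
        return ("invalid", "expected 220 greeting, got %s" % code)
    body = text.strip()
    stars = body.count("*")
    # Heuristic (assumption): a real banner never consists mostly of '*'.
    if body and stars >= 0.8 * len(body):
        return ("masked", "%d of %d banner characters are asterisks" % (stars, len(body)))
    return ("ok", body)


def fetch_banner(host, port=25, timeout=5.0):
    """Connect to an SMTP listener you operate and return its full greeting,
    following '220-' continuation lines until the final '220 ' line."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("utf-8", "replace")
            lines.append(line)
            if not line.startswith("220-"):
                break
        sock.sendall(b"QUIT\r\n")
    return "".join(lines)


def check_server(host, port=25):
    """Fetch the greeting and classify its final line."""
    banner = fetch_banner(host, port)
    last = banner.splitlines()[-1] if banner else ""
    return inspect_banner(last)


if __name__ == "__main__":
    # Constructed sample banners: a normal Exchange-style greeting and the
    # asterisk-filled shape produced by 'inspect esmtp' banner masking.
    print(inspect_banner("220 mx.example.com Microsoft ESMTP MAIL Service ready\r\n"))
    print(inspect_banner("220 **************************\r\n"))
    # check_server("mx.example.com")  # placeholder host; run against your own MX
```

Run `check_server()` against your own MX from a host outside the firewall; a `masked` verdict is strong evidence that an inspection rule is rewriting traffic on the way in, and a `ok` result after removing the rule confirms the fix.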

Cisco 877 ATM DSL stability issues

I’ve experienced some problems getting a Cisco 877 with integrated Alcatel ATM port to work solidly on UK ADSL. The ADSL firmware provided with the 877 was version 3.0.014. I read somewhere that stability greatly improves by upgrading to version 3.0.33.

So I upgraded and found that I still kept getting dropouts even with the newer firmware.

In the end I fixed the stability issue by keeping the newer firmware version and additionally telling the ATM interface to operate in ITU-DMT mode (dsl operating-mode itu-dmt).

Previously the ATM interface had been set to run in auto mode.

DNS poisoned router

Today I saw a Netgear DG834GT gateway poisoned with bad DNS servers (213.109.66.237 & 213.109.65.28). Even though the router had a strong password set, an infected machine within the network had found a way to change these settings. Because of this the user was getting lots of popups and diverted to different sites whilst browsing.

This is something I hadn’t seen before (well not on a strong password-protected box at least). There must be vulnerabilities with the firmware of the Netgear despite it already running the latest firmware (v1.03.23).

I hope we don’t see more of this type of attack.