Monday, 23 November 2015
The password strength requirements for Hosted Email and Hosted Exchange are changing. On January 6, 2016, the Control Panel and Webmail interfaces will begin enforcing new rules when setting or changing a password.
The password rules will now be consistent for both Hosted Email and Hosted Exchange. The new password strength requirements are:
- Must be at least 8 characters long
- Must contain 3 of the following:
- Uppercase letter
- Lowercase letter
- Special character or space
After January 20th, when attempting to set a password that doesn't match these new requirements, an error response will be triggered from the API. You can - and should - update your code to respect the new requirements now. Please refer to the REST or SOAP documentation for error code specifics.
This change will not force any existing users to change their password, regardless of the strength of that password. For that reason, we recommend periodically changing email passwords.
If you have any additional questions, please contact your support team.
Wednesday, 11 November 2015
Earlier this year we faced a severe DDOS attack against our IP address that caused issues for some users accessing some of our domains. Mail service remained unaffected and webmail was also accessible through an alternate url, if the usual webmail site was unavailable. We apologize for the inconvenience and disruption following this unfortunate incident. We have conducted a complete root cause analysis to find out what when wrong and how we can better deal with future attacks.
DNS ArchitectureOur DNS servers are spread out over 16 IPs, in 4 data centers. Each server is isolated at both network level and physically, equipped with bandwidth capacity, network gear etc.
Client domains using our dnsEvery domain name registered through Thexyz, a free managed dns hosting service is offered. Each domain is split into 4 name servers and the graphic below illustrates this.
Yourdomain.com is registered with us and gets 4 Name servers:
ns1.thexyz.com , ns2.thexyz.com, ns3.thexyz.com and ns4.thexyz.com.
Each name server has 4 dedicated IP addresses and in total, we serve our DNS traffic through 4 data centers, each with 2 physical servers which gives us a capacity of 16 GBps network throughput.
On each of these DNS servers we run a optimized version of PowerDNS with a capacity of 50000 qps. The total theoretical capacity of our DNS cluster is around 400,000 qps.
DDoS Mitigation CapacityAs mentioned before, our DNS servers are hosted at SteadFast and SteadFast\'s network has been battle tested many times before during similar DDOS attacks. Each of the Data centers are equipped with multiple 10Gbps or 40 gbps transit links to the network. The data center also uses Arbor Peakflow for DDOS detection and Arbor TMS for DDOS mitigation. Each of the Arbor TMS systems are capable of mitigating 10+ gbps of attack traffic.
What went wrong?Usually when we see a DNS Server IP address getting attacked and they usually get null routed, it is often only attacking just a few of the 16 IP\'s. This activity is pretty common and we see two or three such incidents every week. We have always maintained our service levels during all such incidents.
At its peak during the recent attack, we received 40+ gbps traffic spread out across all our 16 DNS server IP Addresses. The attack traffic was moving from one IP Address to the other at rapid succession. To prevent instability on the data center, they null routed our IP Addresses. The null route is a rule to drop all traffic destined to our IP address at the data center’s upstream internet service provider.
The problem with our setupIssue 1: Relying solely on data center for DDOS mitigation capabilities.
Issue 2: We are bound to /32 static IP addresses. We are not utilizing our own /24 subnets to host the DNS servers. By using our own /24 subnets, we could have swung the traffic to our third party DDOS mitigation partner, Neustar.
Issue 3: All customer name servers point to the same IP addresses. So when attack happens and causes disruption for all customers using our DNS servers.
To solve these problems, we have planned a new DNS architecture and deployed this for use on our DNS services.
The new DNS architectureOur new managed DNS infrastructure architecture is explained below:
We have moved the current DNS server IP Addresses to our own IP Subnets. This ensures we have the ability to use Neustar for DDOS mitigation when needed. All our data centers are already protected by Neustar. We will also start bucketing customers across different IP addresses so that an attack on a domain in one set, will not disrupt DNS service to customers in other sets.
We will start introducing local DNS services in other geographical regions where we have a data center presence and use Anycast. With Anycast, an attack originating from a particular region will only affect that region, while other regions remain unaffected. The affected region will use Neustar DDOS mitigation to mitigate the attack.
We sincerely regret and apologize for the inconvenience caused. We understand that you rely on us and to that effect, we’ll continue to render our services to the best of our ability to serve your business with utmost reliability.
Friday, 6 November 2015
We have released a new feature in Webmail to enhance privacy for Webmail users. When a user receives an email with links to externally hosted images, those images will not be displayed immediately. Instead, a bar will show up at the top of the email to indicate that images are being blocked. The user can click "Show Images" or "Always show images for this sender" to display the images.
This is important because users may not realize that even if they delete an email without responding, they may still be sending information to third parties. Some messages contain links to images hosted on a separate server from their email. To display one of these images, their email client makes a request to the image server. This request includes their IP address, browser version, and any cookies the image server has set. Taken together, the server can use this information to track their online behavior. This is common practice, but we think users should have a choice about who can collect their information. That's why we've implemented protection against external image tracking in Webmail.
Can I turn this feature on or off?
Yes. By default the feature is turned on but you can turn it off by following these directions:
- In the Settings dialog box, click General Settings.
- On the Email Options tab, clear the Block external images check box.
- Click Save.
The password strength requirements for Hosted Email and Hosted Exchange are changing. On January 6, 2016, the Control Panel and Webmai...
Connect your social accounts for easy login You can now login to Thexyz Forum and your Thexyz Server with Facebook or Twitter account...
We tested a bunch of FTP clients for iOS devices and found these to be the best. Most of them cost between $1 to $5 but we found the small p...
Outlook 2013 Works Like Exchange With Thexyz Mobile Sync With Microsoft Outlook 2013 you can setup Thexyz Premium Webmail to work like an...
In recent months, Touchdown has been purchased by Symantec and the development has been put on hold. It is only iOS devices like an ...
- ▼ November (4)
- ► 2014 (40)
- ► 2013 (41)
- ► 2012 (43)
- ► 2011 (69)
- ► 2010 (52)