Cluster-synchronised rate limiting

The next Halon release will feature an improved rate limit implementation. As before, it provides a high-performance, roughly O(log N + log M), and easy-to-use rate limiting. However, it is now managed by a new (privilege-separated) process called rated, making it possible to build inter-flow rate controls. It also provides a light-weight cluster synchronisation over UDP, effectively making all cluster nodes able to collaborate.

Our customers use our rate limiting for all kinds of tasks, such as preventing users and websites from sending too many suspicious messages per day. You can read more on our wiki’s rate limit page. One additional benefit of the centralised architecture, is that one can view and manipulate mail flows’ rate limits from the hsh; Halon scripting language shell, which is accessible using SSH or from the scripting page.

As you can see in the image, the rate limit page now shows both local hits (that is has accumulated itself) as well as the total number of hits, as synchronised by its peers.

Halon 3.1 with restructured web interface

We’re just about to release a new version (codename “lucky”), based on the latest FreeBSD version (9.2) as we track new FreeBSD versions as closely as possible. Our users will get benefits directly out of the amazing work of the FreeBSD team;

  • Improved performance in many areas, increasing the throughput of the system
  • Support for KVM’s VirtIO, allowing for more efficient network and disk accesses
  • Numerous updates in drivers, services, external projects, etc

In addition to that, we’ve improved the web interface even more, making it more convenient for customers with large clusters and traffic volumes. For example, the rate control page now has thresholds, and persistent search filters. Another new feature allows you to create interval statistics (for example “daily”) using the the rate() function instead of stat(), with a script such as

rate("daily-stat", "delivered", 10000000, 3600*24)

and use that when creating pie chart such as


Finally, the web interface’s menu is simplified, and if you’re running a cluster, your default page will be a cluster overview.
The logic behind the new menu, is to avoid having two “Activity” menus. Instead, both clustered and non-clustered versions of those pages (reporting, mail tracking, logging and rate control) are accessed from the same menu. The “node selector” in the upper right corner is used to switch between specific nodes, or the cluster as a whole. All configuration (which is mainly clustered, except for network settings and node overrides) has its own place in the menu, indicated with the dark blue color. Configuration management such as revision management and plain-text editing is placed in the bottom of the Configuration menu.

We hope you will enjoy this new release, and appreciate all feedback we can get!

Halon at CapTech Expo Oct 24th

You’ll find us in our booth (no 38) where you’ll not only be able to speak to our team members, but also get the opportunity to win our new HSR-603. Check-out our poster to find out more how to compete (poster in Swedish). Competing needs no specific language skills however…

Say what “new HSR-603”? Give us a ring (+46 31 301 19 20) or drop us a line ([email protected]) if you won’t be able to make it, and we’ll tell you all about it.

Halon becomes first email gateway to integrate DMARC

Halon, the technology leader in email gateways, today announced the implementation of DMARC, a first of its kind solution to prevent malicious phishing emails for hosting providers. This new implementation will prevent attacks by spammers who use targeted spoof emails from recognized brands. Halon developed DMARC technology, similar to what is being used by companies such as Google, Yahoo, and PayPal, and removes the risk of fraudulent emails by enabling email receivers and senders to work together to protect end users and brands.

Phishing attacks are one of the most effective strategies used by hackers to penetrate unsuspecting user’s computers, but through implementing our DMARC solution, hosting providers can immediately eradicate this threat, said North American CEO and co-founder at Halon, Jonas Falck. We are driving the industry forward as Halon is the only vendor that has fully implemented DKIM in a commercial product that can verify email via DMARC. We hope that soon DMARC integration will become standardized across the industry so that phishing emails will be a thing of the past.

Key product features of Halon’s new DMARC implementation include:

  • Avoids spoofing emails
  • Reduces phishing attacks and malware
  • Makes email more trusted while maintaining openness

Halon has consistently provided an innovative security solution to combat the emerging threats hosting providers face, said Anders Aleborg, CEO at Binero, a web-hosting provider. “With this new update, we are confidant that we can protect our brand and reputation from attacks like phishing emails. It is essential that we are able to verify legitimate senders, and with this new DMARC implementation, we now have access to a secure system that validates the security of our emails and protects our users.

Highlighting this growing trend, A Halon commissioned survey hosted by TNS Global found that nearly one-third of Americans admit to opening an unsolicited email, and these spam emails most often spoofed banking institutions (15.9%), social media sites like Facebook or Twitter (15.2%), and online payment services (12.8%).

Spammers who are continuously changing their strategies for targeted attacks will single out users who do not implement anti-spoofing technologies. In fact, most spammers use forged email addresses, which affect nearly all Americans (94.7%) who received at least one email containing a virus, spyware, or malware. In response to this growing threat, Halon developed DKIM libraries with open source libdkim++ to sign and validate email signatures. Halon combined its DMARC technology with SPF, which now enables email recipients to verify the validity of the sender.

Halon receives award ‘Messaging Security Solution’ of the year at British Computing Security Awards 2013

Yesterday evening on the 17th of October Halon Security had the honor to receive the award for ‘Messaging Security Solution’ of the year. The competition showcase and reward the technology, tools and solutions, as well as the companies and organisations, that have made a major contribution over the past 12 months to promoting best practice and keeping organisations safe. Halon’s Joakim Sundberg attended the grand ceremony hosted by CSMagazine, that took place at Hotel Russel in London, UK.

Halon adds automated deployment of self-configured virtual machines through VMware’s vApp

Datacenters and Web hosting providers benefit from automated licensing, provisioning and fully customizable solutions

Halon, the technology leader in email security, routers and load balancers, today announced the full support of vApp to integrate Halon Security Suite into VMware, the global leader in virtualization and cloud infrastructure. vApp provides an automated and customizable solution for Web hosting providers who need immediate deployment of virtual machines through VMware’s vApp technology. Halon’s reputation has been built on the ability to simplify the deployment of its technology and vApp is the next solution in line with that philosophy.

— The modern data center must be automated to run at full capacity and Halon is committed to providing the best and most efficient hosting and service provider solutions available,” said Jonas Falck, Halon’s COO and senior technical director. “Security infrastructure is following the lead of data centers and cloud providers by moving away from legacy hardware and towards virtualization. Halon Security Suite is leading the charge with vApp integration to provide security solutions with decreased cost, improved quality, and shortened time to market.

Following the lead of datacenters and cloud providers, the network and security infrastructure of hosting and service providers is becoming less reliant on legacy hardware installations and is gravitating towards full software solutions. Now that VMware’s vApp is integrated into the Halon Security Suite, Halon’s hosting and service provider customers will be able to automatically and cost-effectively deploy virtual machines. This enables providers to immediately get new applications up and running in little time while also allocating fewer IT resources.

VMware’s vApp’s self-configuration makes it easy to deploy virtual machines. Pre-packaged virtual machines –such as a windows server and firewall bundled together—don’t require individual IP addresses for every virtual machine. This means applications get running quickly and are easier to operate.

Nearly all Americans spammed with malware & viruses

Email security firm Halon discovers why 1 in 3 Americans would knowingly open a suspicious email and the subsequent retaliation they take on spammers

Halon, the technology leader in email security, today announced the results of its U.S. survey ‘Email Spam and Related User Behavior’. Conducted by market research group TNS Global, the survey discovered that 94.7 percent of Americans received at least one email containing a virus, spyware, or malware. About one in eleven (8.8%) opened the attachment and infected their computer. Almost a third (30.2%) came dangerously close to doing the same, opening the email but stopping short of opening the attachment. These spam emails bogusly claim to come most often from banking institutions (15.9%), social media sites like Facebook or Twitter (15.2%), and online payment services (12.8%).

One in three Americans admit they would open an unsolicited email—even if it seems suspicious—depending on its subject line. For women, spam email messages containing invites from social networks are alluring, while men are tempted to open ones with the time-tested suggestions of money, power, and sex. Specifically, the survey found that women are more likely to open emails from social-media related accounts (8.2% to 5.6%), but that men are nearly three times as likely to open unsolicited bulk emails that promise monetary rewards (9.4% to 3.8%) and far likelier to open emails professing to include naked photos of celebrities (2.8% to 0.6%), themselves (2.3% to 0.9%) or friends (1.1% to 0%).

— Spam email is an unfortunate fact of life in the computer age. Users have become more aware of the threats they face, but spammers have also become craftier in disguising these messages. said Halon’s North American CEO and co-founder, Jonas Falck. Web hosting and email service providers don’t always prevent spam email threats from being delivered, so people need to be careful when encountering suspicious emails that may hijack their computer or render it inoperable.

Halon’s survey also indicates that Americans’ traditional understanding of spam has expanded beyond unsolicited sales offers. These include social media posts (mentioned by 41.5%), text messages (40.8%), and phone messages (35.1%). Even people’s friends and acquaintances weren’t immune from the spam “tag,” with 26.2% sending messages people didn’t find interesting and, thus, earning the distinction.

Nearly one in three Americans (31.4%) are likely to take action against people who sent spam. In fact, men were more likely than women to take action against the sender when discovering spam (35.5% to 26.5%), especially in a more confrontational manner, such as an angry email (8.9% to 1.0%), angry phone call (7.0% to 4.2%), angry social media post (3.8% to 1.9%), or angry text (3.1% to 0.4%).

People were alerted to email spam in many cases by a message’s subject line (70.5%), more than half of the time (42.9%) when the text in the subject line was in “ALL CAPS.” Other common triggers that made users aware of spam were the senders email address (67.9%), strange formatting (62.4%) and strange language (56%).

Survey Methodology: 
This survey was conducted online within the United States by TNS via its omnibus product on behalf of Halon in August 2013, among 1,000 adults ages 18 and older. For complete survey methodology, including raw data and weighting variables, please contact William McCormick at Grayling.

Sneak peek of Halon 3.0

We have some exciting news! The upgrade to FreeBSD 9 and overall refactoring was not the only treatment the Halon MTA got this autumn and winter. We have collected feedback and performed evaluations of how our customers uses the web interfaces, trying to figure out what the best possible reporting and logging experience would be like. Read on to see what this has resulted in.

We have migrated to the new web interface from the security router series. That means a prettier UI, faster loading times, the ability to link directly to certain views using URLs with query strings, and better utilisation of your screen’s full width.

Let’s start with the mail tracking. The new UI provides some benefits of its own; displaying more information, auto-scaling all columns, and faster loading. We have combined the history, queue and quarantine within the same page. It’s pageable with a variable page size, so that you can view as many messages as you like per page. It has multi-select actions, for better queue management (viewing perhaps 1000 messages matching a certain search query, and bouncing them all). Finally, the “eye” icon brings up an inspector which you can use to view details for a message by just hovering items in the list.

The new log searcher is a lot faster than the previous, and can render thousands of lines without hogging your web browser. Most importantly, it can search multiple cluster nodes at the same time, viewing the number of hits (in real-time) per cluster node as a green badge. In that way, you can start a search for an IP address, and then ask someone to try sending the message again, and you will (when tailing in real-time) see a green badge on the cluster node which received the connection. Extremely handy.

The new reporting and graphs are based on the SR series code. That means a new statd which is fast, produces beautiful graphs, with real-time graphs, customisable legends, etc. Best of all is however that you can graph anything you like. To start with, you can create legends yourself; just look at the pie chart in the bottom right width the edit button clicked. You can even use math expressions to calculate values. Even cooler, you can use the new HSL stat() function in any flow, producing counters for whatever you like. There counters automatically becomes graphs and pie charts. I believe this is the most powerful reporting available in any mail security product ever. Perhaps any appliance.

Scripting, such as the system authentication script that allows for remote authentication and custom access levels, has become a lot better thanks to a great scripting editor with syntax highlighting and the ability to test the script using a “sandbox environment”.

The new web UI from the SR series doesn’t only bring nice real-time graphs, but also a true ANSI terminal.

We have made the already awesome clustering a lot easier to configure; with one “create cluster” guide joining two initial units, and one “add node” guide for adding a third, fourth, etc node to an existing cluster.

One spam accounting for ~80% of all traffic tonight

Have you received spam with subjects like

  • Tjana pengar pa ett socialt ansvarstagande arbete
  • Skapa ett battre liv for dina medmanniskor och tjana pengar pa det
  • Vi erbjuder dig ett arbete pa fritiden, lon fran 90 EUR i timman
  • Fa 90 EUR kontant i handen for den forsta timmens arbete inom tre dagar

you’re certainly not alone (and not using our spam filters). At about 7 pm yesterday (Swedish time) someone thought it would be a good idea to send a massive burst of spam. It seems that for many of our customers, that single spam outbreak accounted for as much as 70-90% of the total traffic. It seems that all of them used “” as sender domain, which (unsurprisingly) doesn’t use SPF.

Fortunately, the combination of Commtouch’s RPD and our own (Halon) outbreak signatures was able to block it entirely, from 6 pm.

We can see that a lot of this was also blocked at IP level. The “normal” amount of IP blocks is almost invisible in the graphs, compared to the spam outbreak. I’ve removed the axis of the graphs, but let me tell you this. One of our customers, which is a large hosting provider, blocked more than 4 million of those per hour. That sure is a pretty persistent spammer.

Developing live graphs

We said to ourselves; “wouldn’t graphs that update every second with live data be useful”, and a few hours later the statd process was tweaked to output 1-second measurements of traffic, CPU, firewall states, etc. and the graph library was modified to dynamically populate data-points (in addition to the “historical” rrdtool file format support that it currently has).

API-wise, this translates into the commandRun API. The normal graphs, populated over time, is fetched using the graphFile API call, which takes an argument such as “interface-em0-packets” and returns the raw rrdtool database data. For real-time graphs, this translates into executing “statd -g interface-em0-packets” using the command-API. While we were at it, we added both “historical” and real-time graphs for firewall states.

In the web user interface, add graphs as usual, and select “Real-time” as time interval (instead of Recent, Day or whatever it says).