Blog

Patching OpenSSL for the Heartbleed Vulnerability

A security vulnerability in OpenSSL dubbed Heartbleed has been found. This vulnerability was only recently discovered openly, but has been “in the wild” for over a year. It’s important to update your local version of OpenSSL to correct this issue. This brief guide will walk you through ensuring that the patch is installed on your Linode, and suggest additional steps you can take to ensure your server’s security. As always, we suggest having backups of your system prior to making any changes.

This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo. If you’re not familiar with the sudo command, you can check our Users and Groups guide.

Installing the Patched Version

Here are the steps for ensuring you have the patched versions of OpenSSL on our most popular distros. If you’ve compiled from source, you’ll want to compile and reinstall using version 1.0.1g. Alternately you can recompile previous versions with the OPENSSL_NO_HEARTBEATS flag enabled to close the vulnerability.

Ubuntu and Debian

1.Check to see what your current OpenSSL version is:
$ openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Sat Feb 1 22:14:33 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector –param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,–noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: “/usr/lib/ssl”

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2.For Debian and Ubuntu systems, run these commands to update and upgrade your packages:
sudo apt-get update
sudo apt-get upgrade

3.During the upgrade, you may be given a prompt like the one below. This window warns you about the security issue, and lists services that utilize OpenSSL and need to be restarted to apply the patch. You can add any additional services, by matching the init.d script name in this field.

An option window..

If you do not receive this prompt, be sure to manually restart any services that use OpenSSL.

4.After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014

CentOS

1.Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 18:40:59 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,–noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: “/etc/pki/tls”
engines: dynamic

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2.To update OpenSSL from the repositories, run:
yum -y install openssl

After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014

3.Be sure to manually restart any services that use OpenSSL.

Fedora

1.Check to see what your current OpenSSL version is:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Dec 20 13:57:26 UTC 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,–noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: “/etc/pki/tls”
engines: dynamic

Pay attention to the built on: line. Versions built before April 7th are vulnerable.

2.On Fedora systems, the patched version is currently being propagated through mirrors. You can update from the repositories with the following command:
sudo yum -y install openssl

You can also directly download the patched version and install it manually. For Fedora 20 (64-bit), run the following set of commands to install the patched version:
sudo yum -y install koji
koji download-build –arch=x86_64 openssl-1.0.1e-37.fc20.1
sudo yum localinstall openssl-libs-1.0.1e-37.fc20.1.x86_64.rpm openssl-1.0.1e-37.fc20.1.x86_64.rpm

3.After updating, run openssl version -a again to confirm the newer build:
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 00:32:22 UTC 2014

4.Be sure to manually restart any services that use OpenSSL.

Reissue Certificates

The Heartbleed security bug would allow an attacker to read a portion of the memory on an unprotected system, including private keys used in SSL key pairs. It’s suggested that you reissue all key pairs, and revoke ones made previously. This can include keys used to create SSL certificates for web and mail servers. This means new SSL certificates should be generated or purchased.

You can follow the instructions here to create a new certificate signing request (CSR) and key, or check out the Apache-specific instructions here.

Additional Security Steps

While this security flaw has only recently been discovered openly, it has existed on many servers for well over a year. This means that any third party services you use that employ SSL encryption have been vulnerable. It’s suggested that you ensure that said services patch their systems, then reset your passwords.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Heartbleed.com

cPanel & WHM 11.44 Now in RELEASE Tier

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which will soon be available in the RELEASE tier.

cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.

Transfer & Restore Renovation
From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.

Configuration Clusters
cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.

Paper Lantern
With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.

Support Access
Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.

Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

Shift Gears, You’re a Security Provider Now

In 2013, it seemed that not a week went by without at least one announcement of some kind of serious security breach. The year was a massive challenge for service providers who have faced rapidly escalating threats to their infrastructure and the security of their customers. Massive DDoS attacks, SQL injection vulnerabilities and the potentially disastrous Heartbleed vulnerability are only a few examples of major incidents to strike hosts in the past year. Equally disturbing were instances where Drupal announced a security breach of its servers and MongoHQ revealed that a hacker had breached Amazon Web Services S3 storage accounts, gaining access to several client databases.

As hackers become adept at bypassing traditional security walls and increasing sophisticated at evading detection (e.g., The New York Times incident), what role do hosting providers play in finding solutions to these problems?

The solution is for hosting providers to become security providers. Leading security experts specializing in the hosting industry will discuss this paradigm shift and answer questions in an open forum. Panel members include: Hemant Jain of Fortinet, Jeffrey Lyon of Black Lotus Communications, Steven Ciaburri of Rack911, and Vann Abernethy of NSFOCUS Inc., Shay Rapaport of Fireblade, and Piero DePaoli of Symantec.

The panel is the last scheduled educational session at HostingCon 2014, taking place on Wednesday, June 18th from 11 a.m. until noon. It’s guaranteed to be a thought-provoking and lively way to mark the end of the educational sessions. Finish up the day with a networking lunch and make your way to the Exhibit Hall for the afternoon! The floor plan for the Hall has been pretty much finalized — take a look here.

But you can’t do that unless you are registered. Luckily, there’s still time to register for this year’s HostingCon.

For all the latest HostingCon news and information, visit HostingCon – Premier Industry Conference and Trade Show for Web Hosting and Cloud Service Providers

by Frances Krug

Spammers Prompt Users to Download Malware Disguised as Heartbleed Bug Removal Tool

Spammers are targeting people concerned about the aftermath of the Heartbleed bug with emails prompting users to unknowingly download malware once they run a Heartbleed bug removal tool.

According to a blog post by Symantec last week, the spam requests users run the tool that is attached to the email to clean their computer from the infection. The email warns users that although they may have changed passwords on websites they use, they are still not completely secure and should run the removal tool to ensure complete protection.

The email preys on users who don’t know much about Heartbleed, and probably only heard about it in the media coverage. Heartbleed is not malware, therefore there is no way for it to infect computers.

Heartbleed impacted OpenSSL version 1.0.1 and could expose up to 64KB of memory to a connected client or server. The issue impacted a range of companies, websites and service providers, and this week The Core Infrastructure Initiative announced that it would prioritize funding to OpenSSL to improve its security.

The subject line, “Looking for Investment Opportunities from Syria,” should raise a red flag for users, since it is in no way related to the body, and is pretty typical language used with spammy emails.

The attached file is a .docx file, but once it is opened it appears as a encrypted zip file. Once the file is extracted, users find the heartbleedbugremovaltool.exe. This downloads a keylogger in the background and a progress bar shows up on screen. A pop-up evenutally appears, notifying the user that Heartbleed was not found on their computer.

DataCenterKnowledge has more on how companies are staying ahead of future Heartbleed-like security vulnerabilities by implementing effective security policies and proactively monitoring across their platforms.

by Nicole Henderson on June 3, 2014

cPanel 11.44 Now in CURRENT Tier

cPanel, Inc. is thrilled to release cPanel & WHM software version 11.44, which is now available in the CURRENT tier.

cPanel & WHM 11.44 offers a transfer and restore renovation, configuration clusters, a new edition of Paper Lantern, support access, and more.

Transfer & Restore Renovation
From simple log files and reports to a continuous transfer and restore process, a series of changes to transfer and restore functionality brings widespread benefits.

Configuration Clusters
cPanel & WHM now offers configuration clustering to streamline the process of updating multiple servers, adding a powerful boost in efficiency.

Paper Lantern
With a more agile, consistent framework, Paper Lantern for cPanel & WHM 11.44 signifies progress towards user interface perfection and stunning, user-created themes.

Support Access
Grant cPanel Support Access enables customers to quickly grant server access to cPanel support staff, therefore speeding up the resolution of issues with just a few mouse clicks.

Detailed information on all cPanel & WHM 11.44 features can be found at https://documentation.cpanel.net. An overview of the latest features and benefits is also available at http://releases.cpanel.net.

cPanel-EasyApache 3.24.19

SUMMARY

cPanel, Inc. has released EasyApache 3.24.19 with PHP versions 5.5.13 and 5.4.29. This release addresses the PHP vulnerabilities CVE-2014-0237 and CVE-2014-0238 with fixes to bugs in the fileinfo extension. We encourage all PHP users to upgrade to PHP version 5.5.13 or PHP version 5.4.29.

AFFECTED VERSIONS

All versions of PHP version 5.5 before 5.5.13.

All versions of PHP version 5.4 before 5.4.29.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2014-0237 – MEDIUM

PHP 5.5.13

Fixed bug in the fileinfo extension related to CVE-2014-0237.

PHP 5.4.29

Fixed bug in the fileinfo extension related to CVE-2014-0237.

CVE-2014-0238 – MEDIUM

PHP 5.5.13

Fixed bug in the fileinfo extension related to CVE-2014-0238.

PHP 5.4.29

Fixed bug in the fileinfo extension related to CVE-2014-0238.

SOLUTION

cPanel, Inc. has released EasyApache 3.24.19 with the updated versions of PHP 5.4 and 5.5 to correct these issues. Unless you have disabled EasyApache updates, EasyApache will include the latest versions of PHP automatically. Run EasyApache to rebuild your profile with the latest version of PHP.

REFERENCES

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0237

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0238

http://www.php.net/ChangeLog-5.php#5.4.29

http://www.php.net/ChangeLog-5.php#5.5.13

Configuration Clusters in cPanel & WHM version

cPanel & WHM version 11.44 will introduce a new feature to help you manage configurations for multiple servers quickly and easily.

New-Configuration-Cluster-UI-in-cPanel-WHM-v11_44-300x130
New Configuration Cluster interface in cPanel & WHM version 11.44

The Configuration Cluster interface in WHM will allow root users to access a configuration cluster, with a master server and one or more additional servers, using their remote access keys. You can then choose to share certain server configuration settings for the master server with other servers in the cluster. These settings will push to all of the configuration cluster servers whenever you make changes to the master server, saving time and making it easier than ever to add new cPanel & WHM servers.

Initially, this feature will only allow you to share settings from WHM’s Update Preferences interface. However, we plan to add configuration cluster integration to more features in the near future.

Send-your-settings-from-the-Update-Preferences-UI-to-multiple-servers-294x300
Sharing settings from Update Preferences interface with multiple servers

Integrated interfaces will include an option to share settings with configuration cluster servers and will display a confirmation message, indicating success or detailing any issues.

clusterconfig-800x74
Confirmation of successful update to configuration cluster server from Update Preferences interface

US Search Awards 2014

US Search Awards 2014

Welcome to the second US Search Awards delivered in association with Pubcon Las Vegas and our joint headline sponsor Marketing Signals. The awards are also supported by SEMPO and recognize and reward organizations, agencies and individuals based or working in the USA search and digital marketing industry.

The 2014 US Search Awards ceremony will take place at Treasure Island on Wednesday 8 October 2014 during Pubcon Las Vegas and will be the biggest celebration of search, PPC and digital marketing in the USA attracting hundreds of entries from some of the leading search and digital agencies and professionals from across North America and beyond.

The timetable for the 2014 awards is:

Monday 7 April – Awards launch, entries open
Friday 18 July –Deadline for all entries
Tuesday 26 August – Judging session
Monday 1 September – Shortlists announced
Wednesday 8 October – Awards ceremony

The inaugural awards were presented at a ceremony on the evening of Wednesday 23 October at Treasure Island Las Vegas and you can see a full list of our 2013 winners here. The US Search Awards were a major hit at last year’s Pubcon and winners have realized significant business benefits through their wins –

“Winning the 2013 US Search Personality Of The Year award in Las Vegas opened a number of professional doors for aimClear. It was also incredibly humbling and gratifying personally to be held in high regard by such an esteemed panel of judges in this unique competition. Therefore it is with full heart that I recommend entering the 2014 US Search Awards. There’s a lot to gain for you and your company.” Marty Weintraub, Founder & Evangelist, aimCear

Catalyst Canada scooped four awards for their work in the States at last year’s ceremony including Best PPC campaign and Innovation awards for their work with HSBC USA.

Ira Kates, Account Supervisor, Catalyst Canada said “We at Catalyst are really proud of everything our team has been able to accomplish. We’ve always maintained a strong focus on finding innovative ways to help our clients meet their goals and it’s an honour to be recognized internationally for the work done. The awards mark very important third-party recognition of campaigns, software and those working within our search industry. Our wins allow us to remain focused on using innovation as a tool to drive competitive advantage for our clients, and the work done on the HSBC account is a great example of this.”

Lane R. Ellis, lead editor at Pubcon added “We’re honored to once again host the U.S. Search Awards at Pubcon. The inaugural awards were a highly-successful feature at last year’s Las Vegas conference, and we’re excited to make the second annual awards event an even more vital part of our big Pubcon Las Vegas 2014 event during the week of October 6 – 9.

“With so many industry leaders gathered to speak at and attend Pubcon Las Vegas 2014, it’s the perfect setting to honor and celebrate the best new media and digital marketing innovators at the year’s largest industry conference. We look forward to once again having the U.S. Search Awards at Pubcon Las Vegas 2014 and expect the event to be an exciting and integral part of the week for all our attendees.”

The US Search Awards followed the success of the UK Search Awards and the European Search Awards which were launched by British events agency Don’t Panic in 2011 and 2012 respectively. Both awards have become key celebrations for the search industry in those territories.

The Event

The US Search Awards will be presented at an awards dinner at Treasure Island in Las Vegas on the evening of Wednesday 8 October 2014 in association with Pubcon. Photos of the 2013 event and our winners can be viewed here.

Tickets for the awards are priced as follows:
$225 for individual places
$2000 for a table of 10

The price includes drinks reception, three course dinner including half a bottle of wine per person and a free bar* until 11.30pm. The evening will also include entertainment.

Dress code will be smart and glamourous but not black tie so we’d recommend suits and shirts for the men and dresses for the ladies.

To book tickets please click here, alternatively please contact Sarah Collis at Don’t Panic on 00 44 (0)1706 828855 or e-mail sarah@dontpanicprojects.com

Please note: Tickets are allocated on a first-come first-served basis. Bookings will be held on a provisional basis but will not be confirmed until payment is made in full. All payments are due in advance of the event.

Cancellations: We regret that refunds cannot be made if tickets are cancelled within 21 days of the event.

*Free bar includes house wine, sodas, TI bottled water and juices?; Budweiser, Bud Light, Miller, Miller Light, Heineken, Corona and O’Douls; mixed beverages with liquors (Absolut, Stolichnaya, Crown Royal, Johnny Walker Black, Jack Daniels, Bacardi Silver, Captain Morgan, Malibu, Sauza Commemorativo, Bombay Sapphire, Hennessey VS)

WordPress 3.8.3 Maintenance Release

WordPress 3.8.3 is now available to fix a small but unfortunate bug in the WordPress 3.8.2 security release.

The “Quick Draft” tool on the dashboard screen was broken in the 3.8.2 update. If you tried to use it, your draft would disappear and it wouldn’t save. While we doubt anyone was writing a novella using this tool, any loss of content is unacceptable to us.

We recognize how much trust you place in us to safeguard your content, and we take this responsibility very seriously. We’re sorry we let you down.

We’ve all lost words we’ve written before, like an email thanks to a cat on the keyboard or a term paper to a blue screen of death. Over the last few WordPress releases, we’ve made a number of improvements to features like autosaves and revisions. With revisions, an old edit can always be restored. We’re trying our hardest to save your content somewhere even if your power goes out or your browser crashes. We even monitor your internet connection and prevent you from hitting that “Publish” button at the exact moment the coffee shop Wi-Fi has a hiccup.

It’s possible that the quick draft you lost last week is still in the database, and just hidden from view. As an added complication, these “discarded drafts” normally get deleted after seven days, and it’s already been six days since the release. If we were able to rescue your draft, you’ll see it on the “All Posts” screen after you update to 3.8.3. (We’ll also be pushing 3.8.3 out as a background update, so you may just see a draft appear.)

So, if you tried to jot down a quick idea last week, I hope WordPress has recovered it for you. Maybe it’ll turn into that novella.

Download WordPress 3.8.3 or click “Update Now” on Dashboard → Updates.

This affected version 3.7.2 as well, so we’re pushing a 3.7.3 to these installs, but we’d encourage you to update to the latest and greatest.

Now for some good news: WordPress 3.9 is near. Expect it this week

What is the right way to send bulk e-mail?

This is intended only as a basic outline of what it takes to manage a legitimate bulk e-mail list. Seek expert advice from appropriate companies and consultants for a more complete understanding of the complicated issues of legitimate bulk e-mail. Remember, all bulk e-mail must be opt in, otherwise it is unsolicited. And Unsolicited Bulk E-mail (UBE) is spam!

1. Address acquisition – Make sure it’s Opt In. E-pending is not Opt In. If the recipient didn’t ask for it in the first place, the rest of the list management processes are irrelevant. While various transactions and business relationships can infer permission, if there’s any doubt, or for any on-going bulk e-mail relationship, closed-loop Confirmed Opt In (COI) is the gold standard for verifying permission, in use since about 1996. Some examples of software which use COI include Majordomo-2, EZMLM, Mailman, and Lyris.

For more on COI, see:

• http://www.spamhaus.org/whitepapers/mailinglists.html

• http://www.spamhaus.org/whitepapers/permissionpass.html

• http://www.spamhaus.org/news.lasso?article=635

2. Truth in advertising – State your policies and the nature of the bulk e-mail at the point of subscription. Tell the subscriber what to expect: how often, how big, what kind, what topics and content, etc. Don’t hide information about the subscription on remote pages, behind hyperlinks, or buried in jargon, legalese, and obfuscation.

3. Identify your company properly in the message itself and in Internet records. Use properly registered domains with working mail and web addresses. Every domain you use should identify your company and lead to a website identifying your company. Don’t hide behind ever-changing mazes of domains (snowshoe spamming). Anonymized whois records just shout “hey, I’m trying to hide something!” So does using only an image for your name and address in the mail. Use proper SPF records and DKIM signatures. Stand behind every message you send saying “we sent that mail and we accept responsibility for sending it.” Make your online identity as solid as a brick-and-mortar business.

4. Maintenance – Keep your list current! Remove unsubscription requests and bounces promptly, as close to real-time as possible, no later than the same day. Mail the list at regular intervals. Unmailed lists provoke high complaint rates when they reactivate, even from truly opt-in addresses. Addresses “churn” over time, that is, they are abandoned or re-used. For most commercial lists, mail at least once per week and remove any address with three sequential bounces, or with sequential bounces for more than two weeks.

5. Bounce processing – Respect what the recipient’s server tells you. SMTP “5xy” codes mean “No!” Bouncing your mail off the filters but showing up in the logs, or resuming spamming after filter rules come down, is a sure-fire way to really annoy server operators and mailbox owners alike. Addresses being converted to spamtraps will typically reject (5xy) all deliveries for about six months…you certainly don’t want those on your list so make sure they bounce off!

Similarly, a receiver’s TEMP FAIL response (4xy) should be respected by your server. All standards-compliant servers will automatically retry such deferred deliveries at increasing time intervals. Generally retries cease and the message is considered undeliverable after 5 days. The interval before pruning a deferred address from your list is usually longer and takes more bounces than a hard “5xy” rejection, but eventually such addresses should also be retired from your list.

6. Unsubscription must work! Promptly. And for all the bulk mail you’re sending to that address. It must work via e-mail (include correct info in headers) and many subscribers also appreciate a web link included in message body. Sign up for feedback loops, and consider that abuse reports may indicate more serious problems than can be fixed by simply unsubscribing the reporting address. Some jurisdictions also require unsubscription via snail-mail. Basically, if someone wants off your list, help them with their request no matter how they ask.

7. Concurrency – Respect the receiving server’s SMTP dialogue. If it says pipelining allowed, give it what it wants. If it says “try again later” (4xy), don’t despair, let your server queue the message and do what good servers are supposed to do. If it accepts a bit slowly, throttle back your server so as not to flood smaller sites. Opening up lots of threads to a slow server is an excellent way to get tarpitted and blocked. (Good servers do all that stuff by default, automatically.)

8. Seek expert advice! There are highly qualified delivery consultants and some who aren’t so qualified; buyer beware. Ask your ISP for advice. Consider using a reputable E-mail Service Provider (ESP) to send your mail and manage your lists. If any delivery consultant is not aware of the terms and problems in this very brief outline, or if they make promises that they can get you “whitelisted” at ISPs, well, again, caveat emptor! (No one but Spamhaus decides what IPs we list or remove from our lists. The only way to be removed is to fix the spam problem that caused the listing.)
http://tinyurl.com/kda37

Info provided by The Spamhaus Project

Important Doc to read for Email Marketing Companies:
Yes. All firms engaged in marketing via email should read the following documents:

The Definition of “Spam”
http://www.spamhaus.org/definition/

Responsible Mailing Lists -vs- Spam Lists
http://www.spamhaus.org/whitepapers/mailinglists/

Permission Pass – How to rescue your mailing list
http://www.spamhaus.org/whitepapers/permissionpass/

What is the right way to send bulk e-mail?
http://www.spamhaus.org/faq/section/Marketing FAQs#214

“Role Accounts” & “Feedback Loops”
http://www.spamhaus.org/faq/section/ISP Spam Issues#119

Email Marketing Best Practice Document
http://www.m3aawg.org/sites/maawg/files/news/MAAWG_Senders_BCP_Ver2a-updated.pdf