26-Oct-2010

WAN problems
Once more, incoming mail and FTP traffic were gone last Friday, but this time I could solve the problem by phone: I got my son to reset the router. And last week it happened again, but since I was at home, I ran into it quickly and could reboot the router, and look for a reason.
I found it in the log:

Oct 24 01:20:02 Unknown Vigor: 128:41:57.600 wan->lan @S:R=13:1 p 67.195.111.16
Oct 24 01:20:07 Unknown Vigor: 128:42:03.490 wan->lan @S:R=13:1 p 67.195.111.16
Oct 24 01:22:03 Unknown Vigor: WAN 1 is down.
Oct 24 01:22:03 Unknown Vigor: WAN 1 is UP.
Oct 24 01:28:11 Unknown Vigor: --SendMailAlert--
Oct 24 02:14:32 Unknown Vigor: 129:36:36.140 lan->wan @S:R=13:1 p 192.168.0.2,6

and after that, the only incoming traffic passing the router is domain traffic (port 53) and mail (port 2525 in my case). No problem at all for outgoing traffic; just incoming fails time after time. It doesn’t even show up in the log, so the block is basically on the front end. That also shows in the fact that when accessing the secured webs on port 443, all browsers complain that the certificate presented doesn’t match the site. No wonder: the connection presents the router’s certificate!
Accessing the router from the inside works – but dead slow. Telnet however is fast as ever, so reboot is simple.

This shouldn’t happen in the first place. So I asked the dealer – and he passed information to Draytek – for a solution. Not in, yet…

Spam filter
The spam filter does some checks and the SMTP configuration doesn’t like it:

%%%%%%%%%%% OPCOM 25-OCT-2010 11:38:17.82 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNRSLVMF, MAIL FROM:< > has unresolvable domain

although this address is set to be acceptable in the SMTP.CONFIG file… Well, not much of a problem, it seems. I only have to find out why this happens, and what the consequence is.

Another way to be a spammer
Spam filtering, the Microsoft way – bitten, by itself.

15-Oct-2010

Spam filter statistics update
The procedure used to gather last month’s spam filter statistics has been updated: it can now handle up to 100,000 messages (well, one less), and it now shows the number of messages that have been rejected or accepted by server or user rules, i.e. those that won’t be scanned on their content by the program.
With this changed program, I rescanned the files of September:
PMAS statistics for September
Total messages    :  10365 = 100.0 o/o
DNS Blacklisted   :   1547 =  14.9 o/o (Files: 31)
Relay attempts    :   7655 =  73.8 o/o (Files: 31)
Accepted by PMAS  :   1163 =  11.2 o/o (Files: 31)
 Handled by explicit rule
        Rejected :    580 =  49.8 o/o (processed),   5.5 o/o (all)
        Accepted :    200 =  17.1 o/o (processed),   1.9 o/o (all)
 Handled by content
       Discarded :    104 =   8.9 o/o (processed),   1.0 o/o (all)
    Quarantained :    192 =  16.5 o/o (processed),   1.8 o/o (all)
       Delivered :     87 =   7.4 o/o (processed),    .8 o/o (all)

Halfway through October, the result is:
PMAS statistics for October
Total messages    :   7307 = 100.0 o/o
DNS Blacklisted   :   1941 =  26.5 o/o (Files: 44)
Relay attempts    :   3762 =  51.4 o/o (Files: 14)
Accepted by PMAS  :   1604 =  21.9 o/o (Files: 44)
 Handled by explicit rule
        Rejected :    779 =  48.5 o/o (processed),  10.6 o/o (all)
        Accepted :    300 =  18.7 o/o (processed),   4.1 o/o (all)
 Handled by content
       Discarded :    139 =   8.6 o/o (processed),   1.9 o/o (all)
    Quarantained :    282 =  17.5 o/o (processed),   3.8 o/o (all)
       Delivered :    104 =   6.4 o/o (processed),   1.4 o/o (all)

10-10-10


Back from a short holiday (just over a week), I found that everything still worked fine, and that the monthly work had pretty much been done correctly by the clean-up procedure – except that something went wrong in checking the mail statistics:

PMAS statistics for September
Total messages    : **** = 100.0 o/o
DNS Blacklisted   : 1502 =  14.6 o/o (Files: 30)
Relay attempts    : 7642 =  74.3 o/o (Files: 30)
Processed by PMAS : 1131 =  11.0 o/o (Files: 30)
       Discarded :   95 =   8.3 o/o (processed),    .9 o/o (all)
    Quarantained :  185 =  16.3 o/o (processed),   1.8 o/o (all)
       Delivered :  851 =  75.2 o/o (processed),   8.2 o/o (all)

The number of relay attempts has been huge, causing an overflow in the field that shows the number of messages. I didn’t expect over 9999 messages a month…
Nor are all the rejected messages shown that were added by the extraneous entries in the system rule set. At least, it looks that way. So there is some room for improvement here.

What’s more, I now need to scan 11 files, ranging in size between 66 and 354 blocks – 260 to 1224 lines. But a first glance shows that most of these attempts on a given day originate from the same domains: 126.com, sohu.com, and 21cn.com; these are quite common. New to me, however, is yahoo.com.hk. At least, that’s the domain that shows up. But the address is located in Taiwan. So the FROM: line is a fake.

Well, I’ve been working on a Perl program to add this type of data into a database. It will be fun one day :)
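As an added illustration of the kind of counting the statistics procedure and the planned Perl program do (this is not the page’s own DCL or Perl code, and PMAS’s real log layout is not known here): the script below reads a constructed, hypothetical per-message log (one line per message with a verdict keyword, client IP and envelope sender), tallies it into the same buckets as the table above, sizes the count field so the 4-digit overflow that printed **** cannot recur, and lists relay attempts by the domain claimed in the envelope FROM, which, as the yahoo.com.hk case shows, is unverified. The sample includes one message with the empty reverse-path FROM:<> that the OPCOM message complained about; all data and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample log (hypothetical layout, not PMAS's real format):
# timestamp, verdict, client IP, envelope sender. The FROM:<> record is
# a bounce with the null reverse-path that the OPCOM message above names.
SAMPLE_LOG = """\
2010-09-01 00:12:07 DNSBL       218.0.0.10   FROM:<abc@126.com>
2010-09-01 00:13:41 RELAY       61.0.0.20    FROM:<news@sohu.com>
2010-09-01 00:13:42 RELAY       61.0.0.20    FROM:<news@sohu.com>
2010-09-01 01:05:13 RELAY       118.0.0.30   FROM:<info@21cn.com>
2010-09-01 01:05:14 RELAY       59.0.0.40    FROM:<promo@yahoo.com.hk>
2010-09-01 02:30:00 RULE-REJECT 203.0.113.5  FROM:<bulk@example.net>
2010-09-01 03:00:00 RULE-ACCEPT 192.0.2.9    FROM:<friend@example.org>
2010-09-01 04:00:00 DISCARD     198.51.100.7 FROM:<x@example.com>
2010-09-01 05:00:00 QUARANTINE  198.51.100.8 FROM:<y@example.com>
2010-09-01 06:00:00 DELIVER     192.0.2.10   FROM:<z@example.org>
2010-09-01 06:30:00 DELIVER     192.0.2.12   FROM:<>
2010-09-01 07:00:00 DELIVER     192.0.2.11   FROM:<w@example.org>
2010-09-01 08:00:00 DNSBL       218.0.0.11   FROM:<def@126.com>
"""

RECORD = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<verdict>[A-Z-]+)\s+(?P<ip>\S+)\s+FROM:<(?P<sender>[^>]*)>"
)
# Verdicts reached before content scanning, and those reached after it.
NOT_PROCESSED = {"DNSBL": "dnsbl", "RELAY": "relay"}
PROCESSED = {
    "RULE-REJECT": "rule_rejected", "RULE-ACCEPT": "rule_accepted",
    "DISCARD": "discarded", "QUARANTINE": "quarantined", "DELIVER": "delivered",
}

def sender_domain(sender):
    """Domain part of an envelope sender; the null sender has none."""
    if "@" not in sender:
        return "<>"
    return sender.rsplit("@", 1)[1].lower()

def tally(text):
    """Count messages per bucket and relay attempts per claimed sender
    domain. Lines that do not parse are counted, not dropped, so a
    format change shows up in the report instead of shrinking it."""
    counts, relay_domains = Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD.match(line)
        verdict = m.group("verdict") if m else None
        if verdict in NOT_PROCESSED:
            counts[NOT_PROCESSED[verdict]] += 1
            if verdict == "RELAY":
                relay_domains[sender_domain(m.group("sender"))] += 1
        elif verdict in PROCESSED:
            counts[PROCESSED[verdict]] += 1
        else:
            counts["unparsed"] += 1
    counts["processed"] = sum(counts[b] for b in PROCESSED.values())
    counts["total"] = counts["dnsbl"] + counts["relay"] + counts["processed"]
    return counts, relay_domains

def pct(part, whole):
    return 100.0 * part / whole if whole else 0.0

def render(month, counts, relay_domains, top=5):
    """Lay the summary out like the page's table. The count field is 7
    wide, so a 4-digit overflow ('****') cannot recur below ten million;
    percentages are rounded, not truncated."""
    t, p = counts["total"], counts["processed"]
    def top_line(label, n):
        return f"{label:<18}: {n:7d} = {pct(n, t):5.1f} o/o"
    def sub_line(label, n):
        return (f"{label:>16} : {n:7d} = {pct(n, p):5.1f} o/o (processed), "
                f"{pct(n, t):5.1f} o/o (all)")
    lines = [f"PMAS statistics for {month}",
             top_line("Total messages", t),
             top_line("DNS Blacklisted", counts["dnsbl"]),
             top_line("Relay attempts", counts["relay"]),
             top_line("Accepted by PMAS", p),
             " Handled by explicit rule",
             sub_line("Rejected", counts["rule_rejected"]),
             sub_line("Accepted", counts["rule_accepted"]),
             " Handled by content",
             sub_line("Discarded", counts["discarded"]),
             sub_line("Quarantined", counts["quarantined"]),
             sub_line("Delivered", counts["delivered"]),
             " Relay attempts by claimed sender domain (unverified)"]
    for dom, n in relay_domains.most_common(top):
        lines.append(f"{dom:>16} : {n:7d}")
    if counts["unparsed"]:
        lines.append(f"{'Unparsed lines':<18}: {counts['unparsed']:7d}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render("September (sample)", *tally(SAMPLE_LOG)))
```

Unparsed lines are reported rather than skipped: a silent parser is the other way a summary like the one above ends up wrong without anyone noticing.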

But for the rest, it all seems to have worked fine. At least, no errors in the log file, and the archive is complete.

Router problem ?
There was one problem, though: I couldn’t reach any web on the local server using the external URL; all accesses timed out. The web server was running fine, but didn’t get a request. Outbound requests were no problem at all – but slow, compared to normal traffic. Accessing the router directly, using its own web interface, was even slower.
Restarting the webserver made no difference – which was to be expected – but once I logged in to Diana, I could telnet to the Vigor router and reboot it – and that solved the problem.

Looking at the server performance using the HyperSpi++ package shows that there have been huge amounts of paging last week, causing a drastic sudden decrease of memory utilisation, twice: on 05-Oct-2010, just after midnight, and just over 24 hours later once more. This typically is a sign of flooding the system with PHP requests – I’ve got to check the log for that. And on 06-Oct-2010, at about 14:00, traffic seems to be minimal compared to the normal pattern, as at the beginning of the week:

This also showed in the WASD traffic log over last week:

Two spikes of requests, over 150 a second, very likely requesting the same page. It didn’t harm the webserver – that will stall requests by its configuration – but the router was overwhelmed by the number of requests and stopped all incoming HTTP traffic. Mail just went on, as proven by the fact that since that time all mail was normally handled – and rejected, discarded, quarantined or delivered.

Yet another thing to investigate. But I do have the approximate times – which makes it a lot simpler. The files are not yet archived.
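An added example of how the “over 150 a second, very likely the same page” check could be run over the access log (not code from the page or from WASD; it assumes the log is written in the common log format, which WASD can be configured to produce): it groups requests by second, reports every second above a threshold together with the busiest path and the number of distinct client hosts, and runs on a constructed sample with a hypothetical PHP page and made-up addresses.

```python
import re
from collections import Counter, defaultdict

# Common log format, which WASD can be configured to write. The timestamp
# field is '[dd/Mon/yyyy:hh:mm:ss +zzzz]'; its first token names the second.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def parse(line):
    """Return host, second, path and status of one access-log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    host, stamp, _method, path, status, _size = m.groups()
    return {"host": host, "second": stamp.split()[0], "path": path,
            "status": int(status)}

def find_bursts(lines, threshold=150):
    """List every second with more than `threshold` requests as
    (second, requests, busiest path, hits on it, distinct client hosts).
    Seconds are compared as strings, which orders correctly within one
    month; sort on a parsed datetime for logs that span months."""
    per_second = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_second[rec["second"]].append(rec)
    bursts = []
    for sec in sorted(per_second):
        recs = per_second[sec]
        if len(recs) > threshold:
            path, hits = Counter(r["path"] for r in recs).most_common(1)[0]
            hosts = len({r["host"] for r in recs})
            bursts.append((sec, len(recs), path, hits, hosts))
    return bursts

def constructed_log():
    """Constructed sample: a quiet minute, then one second in which a
    single host requests the same (hypothetical) PHP page 180 times."""
    fmt = ('{h} - - [05/Oct/2010:00:{m:02d}:{s:02d} +0200] '
           '"GET {p} HTTP/1.1" 200 512')
    lines = [fmt.format(h="192.0.2.%d" % (10 + i), m=1, s=10 * i, p="/index.html")
             for i in range(5)]
    lines += [fmt.format(h="198.51.100.7", m=2, s=4, p="/page.php")] * 180
    lines.append(fmt.format(h="192.0.2.20", m=2, s=4, p="/robots.txt"))
    return lines

if __name__ == "__main__":
    for sec, n, path, hits, hosts in find_bursts(constructed_log()):
        print(f"{sec}: {n} requests, {hits} for {path}, from {hosts} host(s)")
```

The distinct-host count is what separates a single misbehaving client from a distributed flood, and the busiest-path column confirms or refutes the same-page guess; both can be read off the real log for the two approximate times noted above.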