11-Apr-2011

Identity Theft
Since yesterday there seem to be quite a few messages around that use my email address in Return-Path:, From: (as the real address for a nickname) or Reply-To:. I _know_ these messages don’t come from my site, since they all lack the address of my mail server.

For example (the email address of the recipient is, of course, removed):

Return-Path: <willem@grootersnet.nl>
Received: from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
by mx1.xxx.xx (8.13.1/8.13.1) with ESMTP id p3B88VmN013149
for <xxx@xxx.xx>; Mon, 11 Apr 2011 10:08:31 +0200
Message-ID: <c61a10a054ccaae438328276ee88c61a(JFR4IU1>
From: "clementius zhigang" <willem@grootersnet.nl>
To: "dionisio kaveh" <xxxx @xxx.xx>

Received: from [151.56.14.97] ([151.56.14.97] verified)
by post.yyyy.yy (CommuniGate Pro SMTP 4.2.8)
with ESMTP id 60263607 for yyyy@yyyy.yy; Mon, 11 Apr 2011 10:05:26 +0200
Date: 11 Apr 2011 08:31:04 +0100
From: "lane jamie" <willem@grootersnet.nl>
X-Priority: 3
Message-ID: <503249808.201104110902@grootersnet.nl>
To: "car zhigang" <yyyy@yyyy.yy>

This way, you may end up in any spam database – through no fault of your own.

The addresses from where these messages were sent are as follows – if I read the headers well:

from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
from [151.56.14.97] ([151.56.14.97] verified)
from [84.14.117.130] (HELO host.86.241.23.62.rev.coltfrance.com)
from [208.124.242.230] ([208.124.242.230] verified)
from 15.Red-80-36-135.staticIP.rima-tde.net (80.36.135.15)
from [116.68.64.53] ([116.68.64.53])
from [95.76.105.228] (unknown [95.76.105.228])
from [151.56.14.97] (unknown [151.56.14.97])
from [117.194.41.73] (unknown [117.194.41.73]) (this is a tricky one)
from [194.152.245.26] (unknown [194.152.245.26])
from [117.194.41.73] [117.194.41.73]
from LSt-Amand-152-31-19-235.w193-253.abo.wanadoo.fr ([193.253.222.235])

and that may hold a clue to the originator of the message.

If a mail has its origin from my site, it will ALWAYS carry the mail server as a receiver – either from itself, if I use the web mail client, or as the site’s mail server, as is described in this page.
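As an added example (not part of the original post), a small Python check of the rule stated above: a message whose Return-Path, From or Reply-To claims an address at the site's domain, but whose Received chain never passes through the site's mail server, is flagged as forged. The mail server hostname and both sample messages are constructed placeholders modelled on the headers quoted above.

```python
import email
import re
from email.utils import getaddresses

MY_DOMAIN = "grootersnet.nl"
# Placeholder: the post does not name the site's own mail server host.
MY_MAIL_SERVER = "mail.example-site.invalid"

# Constructed sample modelled on the first forged message quoted in the post.
FORGED = (
    "Return-Path: <willem@grootersnet.nl>\n"
    "Received: from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])\n"
    "\tby mx1.xxx.xx (8.13.1/8.13.1) with ESMTP id p3B88VmN013149\n"
    'From: "clementius zhigang" <willem@grootersnet.nl>\n'
    "To: <xxx@xxx.xx>\n\nbody\n"
)
# Constructed sample of a genuine message: the site's own server appears as a hop.
GENUINE = (
    "Received: from mail.example-site.invalid (mail.example-site.invalid [203.0.113.7])\n"
    "\tby mx1.xxx.xx (8.13.1/8.13.1) with ESMTP id p3B88VmN013150\n"
    "Received: from webmail (localhost [127.0.0.1])\n"
    "\tby mail.example-site.invalid with ESMTP id 42\n"
    "From: Willem <willem@grootersnet.nl>\n"
    "To: <xxx@xxx.xx>\n\nbody\n"
)

def claimed_sender_addresses(raw):
    """Lower-cased addresses found in Return-Path, From and Reply-To."""
    msg = email.message_from_string(raw)
    pairs = []
    for name in ("Return-Path", "From", "Reply-To"):
        pairs.extend(getaddresses(msg.get_all(name, [])))
    return [addr.lower() for _, addr in pairs if addr]

def received_hops(raw):
    """(from, by) host pairs of every Received header; first entry is the latest hop."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        frm = re.search(r"\bfrom\s+(\S+)", hdr)
        by = re.search(r"\bby\s+(\S+)", hdr)
        hops.append((frm.group(1) if frm else "", by.group(1) if by else ""))
    return hops

def is_forged(raw):
    """True if the mail claims our domain but never passed through our mail server."""
    claims_us = any(a.endswith("@" + MY_DOMAIN) for a in claimed_sender_addresses(raw))
    via_us = any(MY_MAIL_SERVER in (f + " " + b).lower() for f, b in received_hops(raw))
    return claims_us and not via_us
```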

I’m not sure yet what the next step might be. Post the whole bunch to the police and let them have it? Because accessing each postmaster, or domain owner, is way too much work – and at times, even POSTMASTER@target.domain does not exist (despite the fact that the standards prescribe that identity…)

02-Apr-2011

Licenses terminated….
When trying to access the system to see how processing of last month’s data had worked, I could no longer log in: “License terminated”. That means that all have terminated. The fun part is, though, that everything that IS running keeps running: the web, mail… Only when a new session is to be opened does it fail.
But I already had the new ones, valid to 31-Dec-2011. The only problem was how to load them. Since I could no longer log in, and probably couldn’t start a new FTP session for the same reason (which, to be honest, I didn’t try), there was no alternative but to stop the machine the hard way by CTRL-P and do a minimal boot; next I had to enter a new password, since the old one had expired as well, and enter the basic licenses by hand: OpenVMS-Alpha, OpenVMS-Alpha-User and, in order to get the whole file to the system, UCX. Once that was done and the system was restarted, I could FTP the license procedure, log in on the VMS box and run the procedure. A last reboot made it all work again.

So next, I could do the checkup:

PMAS statistics for March
Total messages    :   5503 = 100.0 o/o
DNS Blacklisted   :    420 =   7.6 o/o (Files: 31)
Relay attempts    :   4108 =  74.6 o/o (Files: 31)
Accepted by PMAS  :    975 =  17.7 o/o (Files: 31)
 Handled by explicit rule
        Rejected :    141 =  14.4 o/o (processed),   2.5 o/o (all)
        Accepted :    367 =  37.6 o/o (processed),   6.6 o/o (all)
 Handled by content
       Discarded :     77 =   7.8 o/o (processed),   1.3 o/o (all)
    Quarantained :    360 =  36.9 o/o (processed),   6.5 o/o (all)
       Delivered :     30 =   3.0 o/o (processed),    .5 o/o (all)

I’m not surprised by the number of relay attempts; most occurred on March 7th, 8th and 10th, resulting in files over 100 blocks in size (all over 700 lines), all Chinese (126.com, 21cn.com, sohu.com). I’ve seen them before, always trying to access (non-existing) accounts at internl.net (my provider).
tr_route floods
There have been several signals from the router last month, mainly because of tr_route flooding attempts. These may cause trouble with the router, most notably that the VMS box loses track of the router – so no HTTP or HTTPS traffic is possible. SMTP, however, is no problem; that does continue.
For this reason, the router is now automatically rebooted, and since I configured the router that way, I haven’t encountered this issue anymore. But I have the addresses – and it looks like an anonymizing site is used.
In itself, I don’t have a problem with people wanting to surf the internet, but these abusers cause a lockout for well-behaving people. I could of course try to find out who is behind these attacks – and what sites allow them to do so anonymously. But the only way might be to create a list of these addresses and request all ISPs to block them altogether…
Fiber is coming
The fiber has been laid up to the house, and next week I’ll get my connection installed. Next is to get a new, fixed IP address, connect the LAN to the fiber and request a change in DNS, so this site will be accessible at a much higher speed. Stay tuned.