24-Apr-2012

Bogus users – again
Today, I removed about 15 bogus accounts. All residing from domains I’ve seen as spam related elsewhere, and mainly from China:
163.com
21cn.com
yeah.com

and some seem to have a Hotmail account, but the names simply don’t match.

As a precaution – I don’t want to cleanup the mess every day – I have disabled the creation of accounts, for now.

Spam?
There are still loads of messages that seem to pass the SPAM filter and are next handled by the SMTP settings – at least: it looks that way. If I relate these OPER signals with times in the router logs, these seem to reside from outside the local network – and they are rejected by PMAS. But why do I see them in my OPERATOR.LOG? I’ll ask Process, but I wonder whether I will receive an answer: I have no support….

18-Apr-2012

Viewing T4 data – on OpenVMS
On a Dutch OpenVMS-SIG meeting last February, there were a number of demos of displaying T4 data other than using TlViz (TimeLine Visualisation) – which is a Windows application and so requires the files to be copied to a location that can be reached by the program.
But now you can do so on a VMS box using DIX – by Fekko Stubbe – which gives you the same functionality as TlViz does, but on an (XWindows) screen. There are packages for Vax, Alpha and Itanium.
Without the nice features in combining them, there is also a PHP script that I got from one of the ambassadors; it took some tweaking to get it running the way I wanted it, but I’ve got it running from the basic locations: t4$data (for the data) and t4$sys (for the executables). It meant a little adaptation to the PHP-script, and allowing W:E on t4$SYS and the files within, plus setting t4$DATA to be W:RE, all files within W:R, and making that the default protection. By ACL, of course. Access is limited to the webserver executor – in my case HTTP$NOBODY, but you may choose to make it generally open…
One more thing that I found: t4$DATA normally contains ALL files that have ever been created. In my case, that includes files dating back to 2006… And since the PHP-code doesn’t scan on date, but on system, it takes a huge amount of time to get the files. And due to the naming convention used, the list is not ordered on date…. So it makes sense to clean up this directory to begin with; next the procedures creating the zip-files (and probably the T4-CSV-files as well) should be adapted to produce a more workable filename – so you’ll get them BY DATE.

13-Apr-2012

Mail bomber blocked?
For weeks, I’ve been receiving – as shown in operator.log – many, many messages that for some reason were accepted by the spam filter but were caught by the SMTP-client itself. They never made it to the inbox. Quite likely they were passed since the envelope_from was from within my own domain, but these headers were all forged: they were not sent from my domain:

X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
712770485 for
; Mon, 9 Apr 2012 05:18:36 +0300
From:

(I don’t use Communigate – I know the product, I even tested it)

X-PMAS-MAIL-FROM: undecipherablex63@realliving.com
Received: from HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de
([95.208.15.185] EXTERNAL) (EHLO
HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 11:09:39 +0000
Received: from apache by mdbaensicmbdedm.iztzg.hr with local (Exim 4.67)
(envelope-from < >) id MHY1YI-HP2T4L-B6 for
; Mon, 9 Apr 2012 12:09:38 +0100
To:

(I don’t use apache or Exim)

These are just two examples, but the majority have similar signatures. All have been forged!

What caused this flood to stop, all of a sudden? It might be an additional rule in the filter, rejecting any text that I found in the messages that were quarantined (I think PMAS did its job in a second pass?)…
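One way to make this kind of forgery visible mechanically, as an added example (not code from the blog, nor from PMAS): the topmost Received line is the one the author’s own gateway wrote, so when it marks the connection EXTERNAL, any lower Received line claiming a hop “by” the author’s own domain, or announcing that domain in HELO, can only have been written by the sender. The sample headers are constructed after the first quoted message, with the elided addresses replaced by placeholders.

```python
import re
from email import message_from_string

LOCAL_DOMAIN = "grootersnet.nl"  # the blog's own domain, as in the quoted headers

# Constructed sample, modelled on the first forged message quoted above;
# the addresses the original elided are replaced with placeholders.
SAMPLE = """X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
 diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
 2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
 grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
 712770485 for <someone@example.invalid>; Mon, 9 Apr 2012 05:18:36 +0300
From: <someone@grootersnet.nl>

(body)
"""

def received_chain(raw):
    """Received headers, newest first, with folded continuation lines joined."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def by_host(received):
    """Host named after 'by' in a Received header, lower-cased ('' if absent)."""
    m = re.search(r"\bby\s+([A-Za-z0-9.\-]+)", received)
    return m.group(1).lower() if m else ""

def helo_name(received):
    """Name announced as HELO/EHLO in a Received header, lower-cased ('' if absent)."""
    m = re.search(r"\b(?:HELO|EHLO)\s+([A-Za-z0-9.\-]+)", received)
    return m.group(1).lower() if m else ""

def forged_local_hops(raw, local_domain=LOCAL_DOMAIN):
    """Received headers claiming a hop through local_domain that cannot be genuine.
    The topmost Received was written by our own gateway (PMAS); if it marks the
    connection EXTERNAL the message entered from outside, so any lower line saying
    'by <local_domain>' or announcing HELO <local_domain> came from the sender."""
    chain = received_chain(raw)
    if not chain or "EXTERNAL" not in chain[0]:
        return []  # came from inside (or no trace): heuristic does not apply
    return [r for r in chain[1:]
            if by_host(r).endswith(local_domain) or helo_name(r).endswith(local_domain)]

if __name__ == "__main__":
    for hop in forged_local_hops(SAMPLE):
        print("forged internal hop:", hop)
```

The second quoted message (Exim, envelope-from empty) would not be caught by this check, since its inner hop claims a foreign host rather than the local domain; it needs a separate rule.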
Bogus accounts?
I need to shift attention a bit.
Where it was rather usual to find bogus users in the Wiki (requiring me to de-spam the wiki on a regular (almost daily…) basis), it seems this blog attracts ‘users’. Probably assuming they can abuse the blog, but the default role is ‘subscriber’ so they are not able to spoil the blog with their ‘content’. Though there is a possibility to try to abuse the comments – but again, I have taken precautions: there is a spam-test in place and comments need to be approved before publication.
The last additions seem to originate in China, based on names and domains; a few of the latter are well known to me: the PMAS anti-relay feature logs these domains quite often if there are large numbers of relay attempts….
To mention the latest I’ve seen:
126.com
163.com
yeah.com

These are not forged: there is a mail check in the program and if an email-address is fake, I’ll be notified. (I would like MoinMoin to have the same feature…)
I don’t mind subscribers…But these are known to me to be domains accepting abusive Internet users. So I’m quite willing to rule ANY user from these domains off the blog.

03-Apr-2012

Disk full

Before I was able to check the results of the monthly maintenance job yesterday – done remotely this time – I found out the system didn’t respond at all. I could access the router and that showed me a number of connections on the different ports, but hardly any traffic. I could start a VPN session to the home network, but all I could do was ping. No other access was possible. Would it again be a problem with the quorum disk, that I had some weeks ago – no way to tell….
This evening, it turned out there was nothing wrong with the quorum disk, but the DecWindows sessions that I have opened didn’t show up after I switched on the monitor. I would expect the unlock panel to show up, but it was just the background of the window and the system was not responsive at all.
After having started my other node in the cluster, it happily joined the cluster, and there seemed nothing wrong with the disks. Not any of them. Now I tried to mount the system disk of the main system – but that failed. Not any disk could be mounted…. So the system ran, but was unable to react.
Not even CTRL-P on the console…So the only option was to use the reset button.
Next, I rebooted. The process continues as usual – until, in the end, the main part is started in batch.
Now the real issue was obvious: the queue manager couldn’t start because free space was exhausted.
The procedure ended normally, but again, the system did not respond to the keyboard, but now I knew what caused the problem.
So I started the system in MIN mode, but once more, I couldn’t enter the system because it didn’t respond to the keyboard….
The last resort: start from CD, choose option 8 to do some DCL, mount the system disk to find out what caused it. It must have been files created since yesterday after 18:00 system time, so
$ DIR/SIN=yes/SIZE/unit=byte DKB100:[...]
would show what caused it.
BINGO. Almost immediately.

It turned out to be the backup of the public webs: that contains a load of photographs, the backup is now over 10Gb in size. Pushing that onto a 33Gb disk – well, you can expect trouble.
Removed these files and rebooted – back to normal – solved the problem.
Now I’ll have to find a way to backup these files. But I doubt I really need to, since all files are copied to DVD anyway.
Back to what I would have done yesterday
Maintenance
First of all: mail statistics:
PMAS statistics for March
Total messages    :   7950 = 100.0 o/o
DNS Blacklisted   :   1191 =  14.9 o/o (Files: 31)
Relay attempts    :     28 =    .3 o/o (Files: 16)
Accepted by PMAS  :   6731 =  84.6 o/o (Files: 31)
 Handled by explicit rule
        Rejected :   5899 =  87.6 o/o (processed),  74.2 o/o (all)
        Accepted :    287 =   4.2 o/o (processed),   3.6 o/o (all)
 Handled by content
       Discarded :     86 =   1.2 o/o (processed),   1.0 o/o (all)
    Quarantained :    415 =   6.1 o/o (processed),   5.2 o/o (all)
       Delivered :     44 =    .6 o/o (processed),    .5 o/o (all)
Quite a number of blacklisted domains (15% of all); these don’t pass the first phase of filtering. But the next large group is the number of rejected messages based on their content: almost 3/4 of all. These seem to be the messages that clutter operator.log, because they seem to pass the filter for some reason – where I would expect them to be hidden – something to ask Hunter about. Less than 1 percent is OK…. And on relay attempts: there is only one file exceeding 4 blocks, a bit (it’s just 6 blocks in size): I guess March 19th was the big day in relay attempts.
Cleanup and archiving show no problems at all.