31-May-2013

Holiday is over
Returned last Monday from a two-week trip to Morocco, mainly walking in the wild inlands, which meant no internet access except for the few moments on intermediate travel when we stopped at places that offered wireless network access.

Of course, no trouble on the VMS side. All went well, as was to be expected.

Quite a lot of messages. I may have lost messages that were caught by the spam filter and not handled within the retention period of one week (I forgot to extend the period…), but I guess there weren’t any: no complaints received.

12-May-2013

Memory leak?
Over time, usage of virtual memory increases from less than 25% to about 60%. All in all it took 140 days, so it’s not that dramatic. Nevertheless, it is something that should not occur: it means that some process in the system requires more and more memory and doesn’t return it. This might be legitimate, but it could also reveal an error. It must be a process that is continuously running, and that rules out PHP, because those processes run only for a very limited time. I can also rule out VMS itself, because that has been tested against this kind of memory leak. That leaves the webserver itself, MySQL and the spam filter.
WASD is unlikely; I know its memory requirements are limited, memory is allocated once (on start of the server), and all worker processes on my system run as long as there is something to do and disappear when idle for some time, so allocated memory is returned automatically (that’s the way VMS is built 🙂 ).
MySQL could be a cause: it keeps a record of changes and caches results. So I stopped and restarted the MySQL server; memory usage dropped somewhat, but only by about 5%.
The next culprit is the mail filter, and indeed, stopping and starting these processes caused memory usage to drop below 25% once this action was completed.
There is something to look into.
I have observed that the increase in memory usage occurs in steps that coincide with high CPU demand, an increase in the number of processes and, by that, increased paging (in fact, usage of real memory drops dramatically while, at the same time, usage of the page file increases; this means that modified pages are written to disk). If this coincides with the heavy mail usage found in the logs (operator, PMAS and router), this is something for Process to look into. Such an event may start a lot of worker processes that exit when idle for some time. Memory should be returned in that case, but it looks as if memory, once allocated, is kept allocated. It might be legitimate, since the memory recommendation for PMAS is 1 Gb minimal and Diana has only half of that. But if this coincidence exists, it may be worthwhile to report it to Process. Better be sure…

10-May-2013

New router installed
The replacement router that I received some time ago has been installed. I had to revert to a configuration from some time ago, since the latest one contained errors that might have been related to the problems I encountered: logging in, for instance, wasn’t possible.
The biggest issue I have now is to redefine the filters, and since the configuration backup is an encrypted binary file, that means re-scanning log files. Or Draytek is able (and willing) to send me a program to decrypt and read the configuration…

02-May-2013

Replacement has arrived
It seems the Vigor router was broken beyond repair. Not really a surprise, knowing that it is impossible to repair anything that is soldered onto a board by robots… The problem was not software, that’s for sure.
Today I received a box that contained the whole lot: router, antennas, power unit, cables and docs.
Next step is to reload the saved configuration and re-install it, and find out what can be improved in the installation.

01-May-2013

Monthly maintenance.
Nothing special…
PMAS statistics for April
Total messages    :   2281 = 100.0 o/o
DNS Blacklisted   :    624 =  27.3 o/o (Files: 30)
Relay attempts    :    119 =   5.2 o/o (Files: 30)
Accepted by PMAS  :   1538 =  67.4 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    803 =  52.2 o/o (processed),  35.2 o/o (all)
         Accepted :    313 =  20.3 o/o (processed),  13.7 o/o (all)
  Handled by content
        Discarded :    154 =  10.0 o/o (processed),   6.7 o/o (all)
     Quarantained :    246 =  15.9 o/o (processed),  10.7 o/o (all)
        Delivered :     22 =   1.4 o/o (processed),    .9 o/o (all)

Just that on April 13th and 14th there have been quite a lot of relay attempts: this must have been some bot, sending from a vast number of addresses, from one “user” (test@live.com) to another (therichsheickc@yahoo.com), starting at 13-APR-2013 14:58:39.29 up to 14-APR-2013 11:21:34.96, 4 messages per hour:
<timestamp>|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
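An added example (not from this post, and not a PMAS tool) that parses rejection lines in the format shown above and works out, per sender/recipient pair, how many attempts there were, when they started and stopped, and the average rate per hour, so a drip-feed campaign like the one described stands out from a single burst. The sample lines and the VMS-style timestamp layout it assumes are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the post's logs), in the format the post shows:
# <timestamp>|sender|recipient|550 5.7.1 Relaying not allowed: <recipient>
SAMPLE_LOG = """\
13-APR-2013 14:58:39.29|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
13-APR-2013 15:13:39.29|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
13-APR-2013 15:28:39.29|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
13-APR-2013 15:43:39.29|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
13-APR-2013 16:02:00.00|someone@example.net|other@example.org|550 5.7.1 Relaying not allowed: other@example.org
this line is not a relay rejection and is skipped
"""

# Assumed layout: VMS absolute time (DD-MON-YYYY HH:MM:SS.cc), then pipe-separated fields.
LINE_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\|([^|]+)\|([^|]+)\|550 5\.7\.1 Relaying not allowed")

def parse_vms_time(ts):
    # strptime matches month names case-insensitively, so "APR" is accepted
    return datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f")

def summarize_relay_attempts(log_text):
    """Per (sender, recipient) pair: count, first/last timestamp, average attempts per hour."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a relay rejection, or a malformed line
        raw_ts, sender, recipient = m.groups()
        groups[(sender.strip(), recipient.strip())].append((parse_vms_time(raw_ts), raw_ts))
    summary = {}
    for pair, entries in groups.items():
        entries.sort()
        times = [t for t, _ in entries]
        # mean gap between consecutive attempts in minutes; None when there is only one attempt
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        summary[pair] = {"count": len(entries), "first": entries[0][1], "last": entries[-1][1],
                         "per_hour": round(60 / mean_gap, 1) if mean_gap else None}
    return summary

def flag_campaigns(summary, min_count=4, max_per_hour=30):
    """Pairs that keep coming back at a steady, low rate: the drip-feed pattern in the
    post (4 per hour for almost a day) rather than a single burst of attempts."""
    return sorted(pair for pair, s in summary.items()
                  if s["count"] >= min_count and s["per_hour"] is not None and s["per_hour"] <= max_per_hour)
```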
The messages were sent from the following addresses, as logged in the PMAS logfiles, with the number of messages, the owner (found using a DNS tool) and the country:

The addresses cycle – more or less – over the period in which the messages were sent (and processed).
Most of them are blacklisted, some in multiple lists; it is my assumption that most of these addresses refer to open mail relays – or hacked machines that have been sending spam for quite some time.
In between there was one different address, relayed to, or from, another email address:
24.220.222.194 (tsegadora0@yahoo.com), owned by Midco.net (USA)
Besides this, there have been numerous attempts to access the system using FTP, from networks I had locked out by the Vigor router; the router hasn’t been returned yet, so at the moment there is no way to prevent this from happening except by disabling FTP altogether. But the attempts have not been as frequent as before – some years ago – so I leave it for the moment. Perhaps, if the router isn’t returned in time, I may decide to do so during times that I’m not near the machines for some time (due to holidays, for instance).
Update postponed
For several reasons, the update of VMS to 8.4 could not take place last weekend; it will now be some time next week that I update the main machine. One other thing I need to address is the configuration of a terminal server (m90) to access the consoles from the internet, just in case a power failure requires access to boot the machines… Just to find out HOW to do that…