23-Oct-2013

Vigor Filter detects spam attempts
For the last few days, I have been informed by the router that an unwanted protocol is blocked:
Event Time : 2013/10/23 05:58:14
, [CSM_AE] [eDonkey] [Block]
Packet info: 192.168.0.200:2525 -> 208.75.123.194:55760, PR tcp
-AP-----------------------------------------------

and that happens once every two hours or so, give or take a few minutes. The receiving port changes (obviously), but the address is always the same.

Port 2525 means PMAS…
Actually, there is nothing wrong. PMAS will contact the sending mailserver to see if that server accepts mail for the user specified as the sender in the message. Only, as I found out earlier, this will cause a problem if this user has a very long name that seems to resemble the signature of this eDonkey protocol.
Hence the message.
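As an added example (not part of the post), a small Python triage script that parses Vigor CSM block lines like the one above and separates hits whose LAN-side port is the PMAS port 2525 from other eDonkey hits, so that repeated hits against one remote address can be recognised as sender verification tripping the filter rather than P2P traffic. The sample lines are constructed (the first mirrors the post's event, joined onto one line) and the LAN prefix 192.168.0. is an assumption.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample: line 1 mirrors the post's event (joined onto one line), the rest are made up.
SAMPLE_LOG = """\
Event Time : 2013/10/23 05:58:14 , [CSM_AE] [eDonkey] [Block] Packet info: 192.168.0.200:2525 -> 208.75.123.194:55760, PR tcp
Event Time : 2013/10/23 07:59:02 , [CSM_AE] [eDonkey] [Block] Packet info: 192.168.0.200:2525 -> 208.75.123.194:41022, PR tcp
Event Time : 2013/10/23 08:14:40 , [CSM_AE] [eDonkey] [Block] Packet info: 192.168.0.55:4662 -> 203.0.113.7:4662, PR tcp
"""

LINE_RE = re.compile(
    r"Event Time : (?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ,"
    r" \[CSM_AE\] \[(?P<app>[^\]]+)\] \[(?P<action>[^\]]+)\]"
    r" Packet info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+), PR (?P<proto>\w+)"
)
PMAS_PORT = 2525            # the port PMAS listens on, as the post states
LAN_PREFIX = "192.168.0."   # assumed LAN range for this example

def parse_events(text):
    """One dict per CSM_AE line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%Y/%m/%d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events

def _lan_side_first(e):
    """Return (local_port, remote_addr) regardless of which side the router logged as source."""
    if e["src"].startswith(LAN_PREFIX):
        return e["sport"], e["dst"]
    return e["dport"], e["src"]

def classify(e):
    """'pmas' when the LAN-side port is the PMAS port, otherwise 'other'."""
    return "pmas" if _lan_side_first(e)[0] == PMAS_PORT else "other"

def summarize(text):
    """Blocked flows per (class, remote address): repeated 'pmas' hits on one address = sender verification."""
    return Counter((classify(e), _lan_side_first(e)[1]) for e in parse_events(text))

def pmas_hit_gaps_minutes(text):
    """Minutes between successive 'pmas' hits, to check the roughly-two-hourly pattern."""
    times = [e["time"] for e in parse_events(text) if classify(e) == "pmas"]
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
```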
The sending address has been identified as a server at constantcontact.com, a company offering the ability to send bulk email; at least, their home page states:

Be Where Your Customers
are Every Day: Their Inbox

With Email Marketing, you’re right there. Try it free for 60 days.

Judging by the site URL, it uses a Java program to send out mail. That explains the long usernames.

It seems someone tried this site. And since I’m not interested (I think) I blocked it where it should be blocked: at the gate.

20-Oct-2013

Mail in error
For some reason, NOT A SINGLE message has been received for over a day – not even quarantined or discarded. This is pretty weird, so I took a look and found that PMAS has gone into a “DNS-blacklist ALL” mode. Mail sent from my GMAIL account – that normally would arrive – was blocked as well. Even when I explicitly allowed all mail from gmail.com, of any account from that domain, mail sent from gmail was blocked:

Delivery to the following recipient failed permanently:

(my address)

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain grootersnet.nl by mail.grootersnet.nl. [82.161.236.244].

The error that the other server returned was:
554 5.7.0 Address (209.85.223.196) blacklisted (2)

(this was after I disabled the first entry in the configuration).

In order to receive mail – even spam that would otherwise be rejected, discarded or quarantined – I disabled PMAS by opening port 25 and removing the forwarding of port 25 to port 2525 – the one that PMAS listens on. Now mail arrived, so it definitely was a PMAS issue. But what caused it could not be determined.
A few days ago, I downloaded the latest version (PMAS032-050) from Process; I went there after I found I couldn’t create reports for this year and Hunter gracefully admitted he made a mistake and made a new file available – and with this access, I also retrieved this latest version.
I installed it in the right location, moved files (configuration, spam database, log files and statistics database) and restarted PMAS. Now all seems to be in working order again. I just have to copy what’s been quarantined and discarded.
Throttle redefined
The problems I encountered a few days ago (overload of PHP_WASD processes) made Mark Daniel propose another setting. So I have taken some precautions: the number of accesses to the blogs is now limited, hopefully wide enough for normal use and tight enough to prevent system exhaustion. I’ll monitor this for a few days; you may encounter 503 errors stating the service is not available, or that some limit is reached. Big abusers may be locked out on a more permanent basis: I now know how to do that 🙂

17-Oct-2013

Thanks to my ISP ?
This may, or may not, be related to my router problems yesterday, which caused connections to drop without notice. Or in another way, since I no longer have the ability to block addresses of networks (the firewall in that router lacks this facility).

Normally, I start SoyMail at work and keep it open all day. It checks for new messages every 15 minutes. It runs silently (Windows sound machine muted 🙂) and with no trouble at all. Except for today, when all of a sudden sync failed during retrieval of messages. Restarting failed with a 503 error: “This service is currently unavailable”. Trying some time later, nothing was wrong.
So I started the Admin site, and found System not responsive; however, other actions would work. I found a large number of accesses to this blog, many in idle state, but they could still be active. At some point, I could access the System report and indeed: there were quite a lot of WASD processes running PHP_WASD, given the current working set. The only way I could think of was deleting them, but that didn’t help, so I figured that if I purged the idle processes, these would go.
They didn’t.
So the next thing was restartNow. It solved the problem a bit: I could now show the System report and found a large number of PHP_WASD images still around; but SoyMail could be reaccessed and happily refreshed the contents. For a few hours, until the very same thing happened again. I just restarted WASD, and found even more remaining PHP_WASD processes in LEF state, even LEFO. It solved the issue for an hour, but after that, to no avail.
It seems all process slots were taken.
Back home, I tried to kill these processes, but even STOP/ID failed, except for one or two. But there were over 60 of them (my process count is limited to 110) and the only way to get rid of them easily was to reboot Diana.
That settled the issue, but question remains: how can this happen? I’ve done some investigation and details will be made public later – let the experts look at it first….
A quick look at the number of connections shows that at some time today, I have had far more per second (or minute) than I have ever had before. There are some spikes at times, but I blocked these networks in the Vigor router, so these would have no opportunity to access ANY service on the LAN. But I am now forced to use the Fritzbox supplied by my ISP. It offers better IPv6 connectivity (something still not working well on the Vigor – at least not with my ISP) and more robust telephone connectivity (the Vigor may drop connections – or that is related to the issues I have encountered), but it simply lacks a firewall that allows me to block traffic – and it lacks external logging via syslogd. But it’s the only one they support – officially…
Well, that’s food for some other rant 🙂

16-Oct-2013

Vigor trouble – again
This morning, I remotely added another IP object – a complete set of networks – because from these, there is a constant flow of break-in attempts from China, as if this were a badly configured Linux or Windows machine. I rebooted the router afterwards to get rid of some weird data (Dial-out trigger data: from 192.160.0.2 to 8.8.8.8 ???), like I have done before without any trouble. Except for this morning: the router no longer responded.
So when I got home, I tried to connect directly over Wifi, but I could not connect. So I restarted it once again; it does restart, connection is possible, all works – for a minute or so, until the router freezes.
There surely is something wrong. Last week, and earlier, there have been a number of interruptions in telephone connections – connections that broke within a minute, or no connection at all when phoning in… Not constantly, but at times, making it hard, even impossible, to locate the problem.
Anyway, I had to remove the Vigor and re-install the inappropriate Fritzbox, to have Internet access, TV and phone again…

10-Oct-2013

Nothing special
A bit later than expected – but last week we were on a short holiday and today is the first opportunity to check the last clearance job.
Apart from the mail issue last month, there is nothing exceptional:
PMAS statistics for September
Total messages    :   1902 = 100.0 o/o
DNS Blacklisted   :    675 =  35.4 o/o (Files: 30)
Relay attempts    :     81 =   4.2 o/o (Files: 25)
Accepted by PMAS  :   1146 =  60.2 o/o (Files: 28)
  Handled by explicit rule
         Rejected :    583 =  50.8 o/o (processed),  30.6 o/o (all)
         Accepted :    210 =  18.3 o/o (processed),  11.0 o/o (all)
  Handled by content
        Discarded :    132 =  11.5 o/o (processed),   6.9 o/o (all)
     Quarantained :    201 =  17.5 o/o (processed),  10.5 o/o (all)
        Delivered :     20 =   1.7 o/o (processed),   1.0 o/o (all)

The few days that PMAS was out of order (that’s why there were only 28 files to handle the rejections) were not included. The amount that was missed that time is estimated to about 1100 from one address alone, and about half of the second one – all from the beginning of September and I didn’t count the thousands that came in a few weeks later. These are just exceptions: the number of messages has decreased from almost 11.000 a year ago to about 2000 in the last months.
I will need to investigate the router log files for proof, but my feeling is that since I blocked several – mainly .cn – networks from accessing the local network altogether, the number of attempts to abuse the system in mail (both messages and relay), FTP and web has dropped. (The abilities for controlling traffic and logging of the Draytek Vigor routers are the main reasons I don’t use the Fritzbox as delivered by my ISP.)
This month there was just one day with a higher amount of attempts of relay: on 30-Sep-2013; but 81 is not exceptional either…
New WASD version
A new version of the webserver has been released; I will do an update (including some related stuff as well).