03-Apr-2019

New spammer
No real issues, as usual:

PMAS statistics for March
Total messages    :   3344 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :   1599 =  47.8 o/o (Files: 31)
Accepted by PMAS  :   1745 =  52.1 o/o (Files: 31)
  Handled by explicit rule
         Rejected :   1195 =  68.4 o/o (processed),  35.7 o/o (all)
         Accepted :    142 =   8.1 o/o (processed),   4.2 o/o (all)
  Handled by content
        Discarded :    182 =  10.4 o/o (processed),   5.4 o/o (all)
     Quarantained :    133 =   7.6 o/o (processed),   3.9 o/o (all)
        Delivered :     93 =   5.3 o/o (processed),   2.7 o/o (all)

But there is a new spammer on the block. At least, I noted some spam from that area in the past, but this one made over 1000 attempts at the beginning of the new month, in about 2 hours, hosted in China (China Unicom, Guangdong province network):

 1-MAR-2019 03:19:48.96 - 05:09:29.23 (1012) from 163.204.176.104 to jobmnc@126.com, hr2008_007@163.com (and others)

apart from the known one, which comes once or twice a month from Hostwinds.com – all as normal:

 6-MAR-2019 10:54:40.75-10:59:31.47  (248) from 142.11.211.42   to 1029mandaditos@gmail.com
28-MAR-2019 21:22:21.22-21:28:34.37  (277) from 142.11.209.120  to 1029mandaditos@gmail.com

The Chinese network is listed in two anti-spam databases, the address itself explicitly in one. The access should have been blocked by the router firewall, where I blocked China altogether. But it may be that this doesn’t work on the Vigor 2925, either not at all or only partially. Anyway, network 163.204.0.0/16 will be noted as inappropriate and be denied all access.
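As an added example (not code from the original post), here is a small Python script that parses relay-attempt summary lines in the shape quoted above, works out how fast each source was hammering the server, and checks the source address against the deny list. The sample lines and the per-hour threshold are constructed for the example; the only network in the deny list is the 163.204.0.0/16 mentioned above.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the relay-attempt summaries in the post
# (date, time span, attempt count, source address, recipients); not real log data.
SAMPLE_LINES = """\
 1-MAR-2019 03:19:48.96 - 05:09:29.23 (1012) from 163.204.176.104 to jobmnc@126.com, hr2008_007@163.com (and others)
 6-MAR-2019 10:54:40.75-10:59:31.47  (248) from 142.11.211.42   to 1029mandaditos@gmail.com
28-MAR-2019 21:22:21.22-21:28:34.37  (277) from 142.11.209.120  to 1029mandaditos@gmail.com
"""

# The network the post says will be denied all access.
DENIED_NETWORKS = [ipaddress.ip_network("163.204.0.0/16")]

# Assumption: a burst above this many attempts per hour is worth flagging (constructed value).
BURST_PER_HOUR = 200

LINE_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}-[A-Z]{3}-\d{4})\s+"
    r"(?P<start>\d\d:\d\d:\d\d\.\d\d)\s*-\s*(?P<end>\d\d:\d\d:\d\d\.\d\d)\s+"
    r"\((?P<count>\d+)\)\s+from\s+(?P<ip>\d+(?:\.\d+){3})\s+to\s+(?P<to>.+?)\s*$"
)
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"  # e.g. 1-MAR-2019 03:19:48.96 (%b is case-insensitive)


def is_denied(ip, networks=DENIED_NETWORKS):
    """True if the dotted-quad address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_summary(text, networks=DENIED_NETWORKS):
    """Parse summary lines into records with duration, rate and deny-list status."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the summary format
        start = datetime.strptime(f"{m['date']} {m['start']}", TIME_FMT)
        end = datetime.strptime(f"{m['date']} {m['end']}", TIME_FMT)
        if end < start:
            end += timedelta(days=1)  # span crossed midnight
        seconds = (end - start).total_seconds()
        count = int(m["count"])
        per_hour = count / (seconds / 3600) if seconds > 0 else float("inf")
        records.append({
            "ip": m["ip"],
            "count": count,
            "seconds": seconds,
            "per_hour": per_hour,
            "burst": per_hour >= BURST_PER_HOUR,
            "denied": is_denied(m["ip"], networks),
            "recipients": m["to"],
        })
    return records


def denied_sources(records):
    """Source addresses that the deny list would already block."""
    return [r["ip"] for r in records if r["denied"]]


if __name__ == "__main__":
    for r in parse_summary(SAMPLE_LINES):
        print(f"{r['ip']:16} {r['count']:5} attempts in {r['seconds']:8.2f}s "
              f"= {r['per_hour']:7.1f}/h burst={r['burst']} denied={r['denied']}")
```

The rate matters as much as the raw count: the Hostwinds sources send fewer messages but in a much shorter window, so a per-hour threshold flags them too, while only the Chinese source matches the /16 deny entry.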

Last weekend the certificates were renewed automatically, twice, on two consecutive nights. Still to determine why that is, but there is no issue with this, the sites are still available, so this is low priority.

Possible abuse attempts?
A week ago I dug into the access logs and found a huge number of accesses like:

GET /HyperReader/download/FREEWAREV40/BLISS/4359PRO.DECW$BOOK?chunk=164&referer=http%3A%2F%2Fwww.sauer-pechelbronn.com%2Fredir.php%3Fgo%3Dhttps%3A%2F%2Fpokeron999.blogspot.com HTTP/1.1" 200 1656

Trying this myself showed just the page – no reference to the referrer site like https://pokeron999.blogspot.com – an Indonesian poker (or gambling) site, it seems. Could it be an attempt to influence statistics?

Not sure what the consequences could be, I renamed the FREEWAREV40 directory, so these accesses now end in 404.
It seems nothing bad happens if this is tried for some reason; the other freeware CDs are still available, and there are similar requests on these too, but using my own site as the referrer, and of course, these succeed:

GET /HyperReader/download/FREEWAREV70/VMSFAQ/VMSFAQ.DECW$BOOK?chunk=41&referer=http:/www.grootersnet.nl/HyperReader/download/FREEWAREV70/VMSFAQ/VMSFAQ.DECW%2524B&title=The%20OpenVMS%20Frequently%20Asked%20Questions%252 HTTP/1.1" 200 1656
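The `referer` here is not the HTTP Referer header but a query parameter the client puts in the request path, so it is entirely attacker-controlled and ends up verbatim in the access log. As an added example (not code from the original post or from WASD), the Python below parses log lines in the shape quoted above, decodes the embedded `referer` value (handling the double-encoded `%2524` and the single-slash `http:/` seen in the second line), tells local from external referrers, and pulls out the redirect target hidden in a `redir.php?go=` link. The sample lines are constructed from the two shown in the post plus one without the parameter; the set of own host names is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the shape of the access-log entries quoted in the post
# (request line, status, bytes); not copied from a real log.
SAMPLE_LOG = [
    'GET /HyperReader/download/FREEWAREV40/BLISS/4359PRO.DECW$BOOK?chunk=164'
    '&referer=http%3A%2F%2Fwww.sauer-pechelbronn.com%2Fredir.php%3Fgo%3D'
    'https%3A%2F%2Fpokeron999.blogspot.com HTTP/1.1" 200 1656',
    'GET /HyperReader/download/FREEWAREV70/VMSFAQ/VMSFAQ.DECW$BOOK?chunk=41'
    '&referer=http:/www.grootersnet.nl/HyperReader/download/FREEWAREV70/VMSFAQ/'
    'VMSFAQ.DECW%2524B&title=The%20OpenVMS%20Frequently%20Asked%20Questions%252'
    ' HTTP/1.1" 200 1656',
    'GET /HyperReader/download/FREEWAREV80/README.TXT HTTP/1.1" 200 512',  # no referer param
]

# Assumption: the host names this site answers to; any other referrer host is "external".
OWN_HOSTS = {"www.grootersnet.nl", "grootersnet.nl"}

REQ_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SCHEME_FIX = re.compile(r"^(https?:)/+", re.IGNORECASE)


def normalise_url(url):
    """Repair 'http:/host/...' (single slash, as in the quoted log line) so urlsplit sees a netloc."""
    return SCHEME_FIX.sub(lambda m: m.group(1) + "//", url.strip())


def nested_urls(url):
    """URL-valued query parameters inside `url`, e.g. the go= target of a redir.php link."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for vals in qs.values() for v in vals
            if v.lower().startswith(("http://", "https://"))]


def analyse_request(line):
    """Parse one log line and classify its `referer` query parameter; None if not a request line."""
    m = REQ_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    result = {"path": parts.path, "status": int(m.group("status")),
              "referer_host": None, "external": False, "redirect_targets": []}
    if params.get("referer"):
        # parse_qs decoded once; decode again for double-encoded values (%2524 -> %24 -> $)
        ref = normalise_url(unquote(params["referer"][0]))
        host = (urlsplit(ref).hostname or "").lower()
        result["referer_host"] = host or None
        result["external"] = bool(host) and host not in OWN_HOSTS
        result["redirect_targets"] = nested_urls(ref)
    return result


def external_referer_counts(lines):
    """Count external referrer hosts across the log, the figure to watch for referrer spam."""
    counts = Counter()
    for line in lines:
        r = analyse_request(line)
        if r and r["external"]:
            counts[r["referer_host"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyse_request(line))
    print(external_referer_counts(SAMPLE_LOG))
```

Run over a real log, the external host counts show at a glance which referrer values are being injected and how often, and the nested redirect target exposes the site actually being promoted behind the innocuous-looking first hop.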

This is similar to what Mark found on another site (bitrix24), which caused problems at his WASD host, and he updated the WASD code to handle things like this.

There is more to come:

  • Update of the webserver (11.3b) including OpenSSL 1.1.1
  • update of MariaDB (and re-installation of the database, in a better configuration)
  • running latest version of PHP that is available (7.2 or higher)
  • Update of WordPress – after testing it
  • and on April 19th some downtime due to work on the home grid – solar panels will be installed and that requires the shutdown of the power for some time

By the way: WASD’s GZIP is doing a good job:

System statistics, GZIP section