29-Jun-2019

Own rules work
The newly added rules do their job. The vast amount of messages I flagged with BAD_MAIL and RAT_MAIL are gone. What is left are ‘normally’ occurring messages. I noticed – scanning the logfile for today – that the vast majority are rejected because they are from a non-authorized source (the SPF check signals ‘fail’ or ‘softfail’, adding 100 or 75 to the score) and the sender address is listed in one or both of the blacklists that I use; that alone causes the score to pass the rejection score (over 200). Still, looking at the rules, there is no RAT_MAIL and just one BAD_MAIL rule that is hit; that might be feasible if PROCESS has updated the scores for their rules that I have mentioned in mine. Or testing the headers is simply stopped after the score is over the threshold.
The only thing I would like is to be able to just drop the connection without a message. Since a rejection message is sent:
550 5.7.1 Requested mail action not taken: rejected for policy reasons
the sender will be notified there is a server running – and I want it to believe there is no server…

Question to process.com

27-Jun-2019

Spam, spam, spam
All of a sudden, the number of spam messages increased in the middle of the month, on 12-jun-2019:

These messages have a few things in common:

  • There is no TO: header
  • Address is listed in blacklist(s)
  • Data is base64 encoded HTML, no text.
  • Signalled as ‘ratware’ (about 30%)
  • Sent via protected.outlook.com (most)
  • If not above the rejection level (200), most are within the range of discarding (50-200) and the rest – except a few – are quarantined. But the number is quite large, so I had to clean both containers a few times a day, otherwise they would fill up quite fast.

I couldn’t filter them easily, because the sender domains are very different, and so are the subjects. Since it looks like most messages are sent via protected.outlook.com (Office365?), it is not feasible to block that domain or the addresses…
Scanning the content is also a lot of work, since each message would need to be decoded and examined. The only real solution is to check what is in the headers, and what PMAS makes of it.
Luckily, it offers the ability to create your own rules and scores, combining different single rules into a more complex one, and adding the score to the total. So I added a number of rules:

  • If the sender address is in either DNS blacklist (I use 2), and the message contains just base64 encoded HTML, add 200
  • If the sender address is in either DNS blacklist (I use 2), and the message is already signalled as ratware, add 200

So messages that match either of these criteria are rejected anyway, and won’t take up disk space.
Second, since I let PMAS check SPF, I added rules for that as well. If the sender has no SPF records, or these cannot be found, that’s OK, since this is still quite common. But if there is one, it should be the right address of that domain – the check should result in ‘pass’. Otherwise it is not acceptable – but no reason (yet) to reject the message; just add the score to the current state. If that is already high (likely to be spam), it will be rejected because of this:

  • if fail: add 100
  • if softfail: add 75

Now it is a matter of monitoring (and adjusting).
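As an added illustration (not the author's PMAS configuration), the rules above worked out in Python and applied to a constructed message. The early-stop switch models the guess in the 29 June entry that header testing stops once the score passes the threshold, which would explain why only one rule shows up as a hit. Rule names, the message fields and the lower bound for quarantine (20) are assumptions, not values from the post.

```python
from dataclasses import dataclass

# Thresholds from the post: reject above 200, discard from 50 up to 200.
# The lower bound for quarantine (20) is an assumption; the post does not give it.
REJECT_ABOVE = 200
DISCARD_FROM = 50
QUARANTINE_FROM = 20  # assumed value

# Own rules as described in the post: (name, condition, points). Names are made up here.
OWN_RULES = [
    ("BL_B64HTML",   lambda m: m.dnsbl_hits > 0 and m.base64_html_only, 200),
    ("BL_RATWARE",   lambda m: m.dnsbl_hits > 0 and m.ratware,          200),
    ("SPF_FAIL",     lambda m: m.spf == "fail",                          100),
    ("SPF_SOFTFAIL", lambda m: m.spf == "softfail",                       75),
]

@dataclass
class Msg:
    base_score: int         # score PMAS' own rules already produced
    dnsbl_hits: int         # how many of the two DNS blacklists list the sender
    base64_html_only: bool  # body is a single base64 encoded text/html part
    ratware: bool           # already signalled as ratware
    spf: str                # 'pass', 'fail', 'softfail' or 'none' (no/unknown record)

def score(msg, stop_at_threshold=True):
    """Return (total, names of rules hit). With stop_at_threshold the evaluation
    ends as soon as the total passes the reject level, so later rules never
    show up as hits in the log even when their conditions are true."""
    total, hits = msg.base_score, []
    for name, cond, points in OWN_RULES:
        if stop_at_threshold and total > REJECT_ABOVE:
            break
        if cond(msg):
            total += points
            hits.append(name)
    return total, hits

def disposition(total):
    if total > REJECT_ABOVE:
        return "reject"
    if total >= DISCARD_FROM:
        return "discard"
    if total >= QUARANTINE_FROM:
        return "quarantine"
    return "deliver"

if __name__ == "__main__":
    # Constructed sample: blacklisted, base64 HTML only, ratware, SPF fail.
    m = Msg(base_score=120, dnsbl_hits=1, base64_html_only=True, ratware=True, spf="fail")
    print(score(m), disposition(score(m)[0]))   # (320, ['BL_B64HTML']) reject
    print(score(m, stop_at_threshold=False))    # (620, ['BL_B64HTML', 'BL_RATWARE', 'SPF_FAIL'])
```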

12-jun-2019

Power grid failure – and the aftermath
On May 31st, at about 7:30, we lost power on the grid, so all was off. When power was restored – at about 12:30 – all started again – except for the data center. This can happen: if all machines get their power, all start up, which causes the controlling unit to switch off. So I disconnected the Itanium machines and the drives, leaving just the disk controller and the Alpha on the grid. But it happened again. As it turned out, the power unit of the Alpha didn’t survive the break, so I was out of all services….
The easy solution: return to the small Personal Workstation – just 512 Mb in size – that was the original base. It’s all there, just moving the cables over from one system to the other. But because this is a small machine, I had to switch off the database, blogs and all ‘heavy’ stuff so the most important functions for the home center would work as usual: NTP, DHCP and DNS, Mail and, to access mail and services, the webserver. No database, so no blogs. No downloads. No FTP.
No changes done in the router: the VMS instance was the same, just the hardware changed 🙂

Today I received the new power supply, installed it, restored the functions that I had to disable, and restarted the DS10. It should now all work (but it is possible that some functions are still unavailable, like FTP 🙂). These will become available later.

That’s the reason I can only now show the logs of May…
Because this runs on June 1st, there was a problem in sipping the logs: there was no DKA0:[LOGS] directory. So this needs to be done now…

Mail log:
PMAS statistics for May
Total messages    :   3253 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    330 =  10.1 o/o (Files: 30)
Accepted by PMAS  :   2923 =  89.8 o/o (Files: 30)
  Handled by explicit rule
         Rejected :   2295 =  78.5 o/o (processed),  70.5 o/o (all)
         Accepted :    132 =   4.5 o/o (processed),   4.0 o/o (all)
  Handled by content
        Discarded :    304 =  10.4 o/o (processed),   9.3 o/o (all)
     Quarantained :    126 =   4.3 o/o (processed),   3.8 o/o (all)
        Delivered :     66 =   2.2 o/o (processed),   2.0 o/o (all)

About the same as before.

Still, there seems to be a (minor) problem with the local disk (DKA0) – which seems to be non-existent. This is to be handled later. In the meantime, extra pagefiles have been created and installed, so the system should work properly.