04-Nov-2018

As usual
No real surprises in cleaning up the mess of one month, but there is some concern about mail… Though at first glance, there seems to be nothing wrong:

PMAS statistics for October
Total messages    :   3963 = 100.0 o/o
DNS Blacklisted   :    108 =   2.7 o/o (Files:  1)
Relay attempts    :    274 =   6.9 o/o (Files: 31)
Accepted by PMAS  :   3581 =  90.3 o/o (Files: 31)
  Handled by explicit rule
         Rejected :   2762 =  77.1 o/o (processed),  69.6 o/o (all)
         Accepted :    129 =   3.6 o/o (processed),   3.2 o/o (all)
  Handled by content
        Discarded :    288 =   8.0 o/o (processed),   7.2 o/o (all)
     Quarantained :    383 =  10.6 o/o (processed),   9.6 o/o (all)
        Delivered :     19 =    .5 o/o (processed),    .4 o/o (all)

and there was one day when the number of relay attempts was scaled up:

20-OCT-2018 01:27:20.28 – 20-OCT-2018 01:31:04.03: 228 attempts from address 142.11.210.66 – all the usual: mimicking a Grootersnet.nl user and sending to the very same gmail.com address as on the other days, but there is a small difference. Robtex.com states about this address:

The PTR is bientions.net. The IP number is in Tulsa, United States. It is hosted by HOSTWINDS-4-ROUTE.
We estimate that it is used as PTR for 544 IP numbers. We have a premium report available for bientions.net.
Results found
Bonistein.cn, benisonit.com, benisonti.com, bentsioni.com, biointens.com, biotennis.com, bisontine.com, bonistein.com, enbitions.com, inbetsion.com, inbisonte.com and neobisint.com.

So still hosted by Hostwinds – not to blame; it’s one of their customers that is either abusing their connection, or has been hacked, or is relaying email (and so doesn’t have sufficient awareness of security…)
The subnet has been added to the list of connections to be refused.
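The pattern described above (hundreds of relay attempts from one address inside a few minutes, spoofing a local sender, all aimed at one gmail.com recipient, answered by refusing the source subnet) is easy to turn into a check that runs over a log. The script below is an added example and not code from the original post or from PMAS; the post shows only summary figures, so the line format, the 50-attempts-in-5-minutes threshold and the /24 refuse list entry are all assumptions, and the sample log is constructed from the address and time window given in the post.

```python
"""Added example (not from the original post): flag bursts of SMTP relay
attempts per source address and derive the subnet to refuse.

Assumptions (the post shows no raw log lines, only summary figures):
  - constructed line format:  "<DD-MON-YYYY HH:MM:SS.cc> RELAY <ip> <from> -> <to>"
  - burst threshold of 50 attempts within any 5-minute window
  - the refuse list is keyed by /24 subnet
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format, VMS-style timestamp with hundredths of a second.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) RELAY "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<sender>\S+) -> (?P<rcpt>\S+)$"
)


def parse_ts(text):
    """Parse '20-OCT-2018 01:27:20.28'; %b matching is case-insensitive."""
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")


def spoofs_local_user(sender, local_domain="grootersnet.nl"):
    """True if the envelope sender claims to be one of our own users."""
    return sender.lower().endswith("@" + local_domain)


def burst_sources(lines, threshold=50, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for sources with at least `threshold`
    relay attempts inside any span of length `window` (sliding window
    over the sorted timestamps of each source)."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a relay line in the assumed format
        per_ip[m["ip"]].append(parse_ts(m["ts"]))

    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def refuse_subnet(ip, prefix=24):
    """Entry for the refuse list; blocking the whole /24 is an assumption."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def make_sample_log():
    """Constructed sample: 228 attempts from the post's address spread over
    the post's window (01:27:20.28 - 01:31:04.03), plus two stray lines
    from an unrelated documentation address that must not be flagged."""
    t0 = datetime(2018, 10, 20, 1, 27, 20, 280000)
    t1 = datetime(2018, 10, 20, 1, 31, 4, 30000)
    step = (t1 - t0) / 227
    lines = []
    for i in range(228):
        t = t0 + step * i
        stamp = f"{t.strftime('%d-%b-%Y %H:%M:%S').upper()}.{t.microsecond // 10000:02d}"
        lines.append(f"{stamp} RELAY 142.11.210.66 someone@grootersnet.nl -> target@gmail.com")
    lines.append("20-OCT-2018 03:10:00.00 RELAY 203.0.113.7 x@example.org -> y@example.net")
    lines.append("20-OCT-2018 03:12:00.00 RELAY 203.0.113.7 x@example.org -> y@example.net")
    return lines


def report(lines):
    """List of (ip, peak_count, subnet_to_refuse) for every bursting source."""
    return [(ip, n, refuse_subnet(ip)) for ip, n in sorted(burst_sources(lines).items())]


if __name__ == "__main__":
    for ip, n, net in report(make_sample_log()):
        print(f"{ip}: {n} relay attempts in one 5-minute window -> refuse {net}")
```

Run as-is it prints the one bursting source and its /24; point `report()` at real lines once `LINE_RE` has been adjusted to the actual log format. The sliding window, rather than a per-day total, is what separates a 228-in-four-minutes burst from the same number of attempts dribbled in over a month.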

But looking into the number of messages that are rejected – meaning that they cannot pass – that number is significantly higher. It is also reflected in the size of the OPERATOR.LOG files – usually about 50 blocks in size, but today exceeding this by 2, 3 or even 4 times. It’s mainly lines for email that is accepted by PMAS and passed to the SMTP server – if PMAS quarantines, discards or even rejects a message, the message passed on is incomplete and will be dropped by the SMTP server, but I still get that signal…
