24-Apr-2012

Bogus users – again
Today, I removed about 15 bogus accounts. All originate from domains I’ve seen as spam-related elsewhere, and mainly from China:
163.com
21cn.com
yeah.com

and some seem to have a Hotmail account, but the names simply don’t match.

As a precaution – I don’t want to clean up the mess every day – I have disabled the creation of accounts, for now.

Spam?
There are still loads of messages that seem to pass the SPAM filter and are next handled by the SMTP settings – at least, it looks that way. If I relate these OPER signals with times in the router logs, these seem to originate from outside the local network – and they are rejected by PMAS. But why do I see them in my OPERATOR.LOG? I’ll ask Process, but I wonder whether I will receive an answer: I have no support…

13-Apr-2012

Mail bomber blocked?
For weeks, I’ve been receiving – as shown in operator.log – many, many messages that for some reason were accepted by the spam filter but were caught by the SMTP client itself. They never made it to the inbox. Quite likely they were passed since the envelope_from was from within my own domain, but these headers were all forged: they were not sent from my domain:

X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
712770485 for
; Mon, 9 Apr 2012 05:18:36 +0300
From:

(I don’t use Communigate – I know the product, I even tested it)

X-PMAS-MAIL-FROM: undecipherablex63@realliving.com
Received: from HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de
([95.208.15.185] EXTERNAL) (EHLO
HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 11:09:39 +0000
Received: from apache by mdbaensicmbdedm.iztzg.hr with local (Exim 4.67)
(envelope-from < >) id MHY1YI-HP2T4L-B6 for
; Mon, 9 Apr 2012 12:09:38 +0100
To:

(I don’t use apache or Exim)

These are just two examples, but the majority have similar signatures. All have been forged!

What caused this flood to stop, all of a sudden? It might be an additional rule in the filter, rejecting any text that I found in the messages that were quarantined (I think PMAS did its job in a second pass?)…
Bogus accounts?
I need to shift attention a bit.
Where it was rather usual to find bogus users in the Wiki (requiring me to de-spam the wiki on a regular (almost daily…) basis), it seems this blog attracts ‘users’. Probably assuming they can abuse the blog, but the default role is ‘subscriber’ so they are not able to spoil the blog with their ‘content’. Though there is a possibility to try to abuse the comments – but again, I have taken precautions: there is a spam test in place and comments need to be approved before publication.
The last additions seem to originate in China, based on names and domains: a few of the latter are well known to me: the PMAS anti-relay feature logs these domains quite often if there are large numbers of relay attempts…
To mention the latest I’ve seen:
126.com
163.com
yeah.com

These are not forged: there is a mail check in the program and if an email address is fake, I’ll be notified. (I would like MoinMoin to have the same feature…)
I don’t mind subscribers… But these are known to me to be domains accepting abusive Internet users. So I’m quite willing to rule ANY user from these domains off the blog.

28-Mar-2012

Minor glitches on startup
There were still a few glitches in accessing the vmswiki, but it was fairly easy to find the cause: a wrong logical disk name for the LD device holding Python and moinmoin (the wiki software) and a typo in defining moin_static – which I define as a search list, so I don’t have to move files around when installing a new moinmoin version…
After that was settled and repaired, the wiki works like before – a slow starter but once started, pretty fast.
Blogs more responsive
The blogs are more responsive as well, and suffer fewer partial crashes – so far. More important: I have less trouble logging in to the admin pages. I must have cleaned up quite some things in the attempt of updating and reversing the whole activity.
But now that I got the answers on what the heck had happened, I could give it a try once more. In which case I may decide to upgrade WP as well. That normally is easy, no trouble at all, though I’ll have to prepare a thing or two. But every update went nice and smoothly. But I’ll take Mark’s suggestion: have a look first at what changed between 5.2 (supplied by HP and ported by Mark Berryman – which is the version I’m currently using) and 5.3 (as ported by Mark Berryman). Anyway I’ll have to use the version of PHPWASD that comes with this kit…

19-Sep-2011

Maintenance

Once again, I wasn’t able to check on the site on the change of the month, and other (more, and less important) jobs interfered. But yesterday I blew the wiki – more on that later – so I had to get into the system anyway…
As was to be expected, there were no surprises on the monthly cleanup. Mail statistics are in the logfile:

PMAS statistics for August
Total messages    :   1052 = 100.0 o/o
DNS Blacklisted   :    281 =  26.7 o/o (Files: 31)
Relay attempts    :     87 =   8.2 o/o (Files: 31)
Accepted by PMAS  :    684 =  65.0 o/o (Files: 31)
 Handled by explicit rule
        Rejected :    128 =  18.7 o/o (processed),  12.1 o/o (all)
        Accepted :    213 =  31.1 o/o (processed),  20.2 o/o (all)
 Handled by content
       Discarded :    106 =  15.4 o/o (processed),  10.0 o/o (all)
    Quarantained :    180 =  26.3 o/o (processed),  17.1 o/o (all)
       Delivered :     57 =   8.3 o/o (processed),   5.4 o/o (all)

So not too bad indeed. I do not know what happened on the Internet but the number of spam messages has indeed dropped – as well as the number of relay attempts. Perhaps because the Internet address changed last month…
Wiki trouble

It all started with yet another bogus user.
When a new account is created, I’m informed, and normally I’ll give them the benefit of the doubt, and once they have created a file without creating the personal homepage, and especially when its content is inappropriate, I delete the post and the user. In a specific order: remove all notifications, delete the post and then disable the user forever. And log out.
Here I made a mistake, I guess, and whatever I tried, I could no longer log in as administrator…
It seems MoinMoin doesn’t offer a facility to reset the password and signal it by email – or I have to change the address. But I do get signals from the administrator, so what’s wrong here?
Today I restored a backup of a day before, but that didn’t quite work as expected; after having changed ownership to the user that the webserver uses to access these files, I was able to regain control.
I know I need to upgrade…
sysblog trouble
Almost the same applied to the SYSMGR blog, but at least that offers the ability to reset the admin password on request. So that was solved easily. And of course: bogus users have been removed.