05-May-2015

Maintenance
Nothing weird – of course.
But since the Vigor router has been replaced by the ‘official’ router supplied by my ISP, it may cause extra spam and extra ‘bad traffic’. So extra attention to be paid to all logfiles.
PMAS statistics for April
Total messages    :   2311 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :   1540 =  66.6 o/o (Files: 30)
Accepted by PMAS  :    771 =  33.3 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    190 =  24.6 o/o (processed),   8.2 o/o (all)
         Accepted :    211 =  27.3 o/o (processed),   9.1 o/o (all)
  Handled by content
        Discarded :    128 =  16.6 o/o (processed),   5.5 o/o (all)
     Quarantained :    206 =  26.7 o/o (processed),   8.9 o/o (all)
        Delivered :     36 =   4.6 o/o (processed),   1.5 o/o (all)

Not bad indeed – except for the number of relay attempts; and these come from a (Chinese) site that I locked out for accessing the network. There were just a few others, but the rest came from one user, mostly from domain sina.com but from different addresses, and on one day from 163.com. The next lines show the first and last entry of each day – and the number of entries from this user:
13-APR-2015 12:07:58.91|R|122.13.2.195|losw@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
13-APR-2015 12:52:20.59|R|122.13.2.195|cgruh@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
205

19-APR-2015 16:27:30.33|R|58.251.146.197|xwu@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@1♦
...
19-APR-2015 16:49:39.85|R|58.251.146.197|mrva@grootersnet.nl|xiaonanzi11162@163.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@♦
216

23-APR-2015 00:42:01.74|R|114.112.190.22|test@82.161.236.244|mtyndallo@yahoo.com.tw|550 5.7.1 Relaying not allowed: mtyndallo@yahoo♦
23-APR-2015 15:15:52.57|R|91.236.75.224|smtp2001soho@yahoo.com|rk85r@freemailhost.ru|550 5.7.1 Relaying not allowed: rk85r@freemail♦
23-APR-2015 22:34:53.54|R|157.255.16.36|wadfil@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
...
23-APR-2015 23:58:35.65|R|157.255.16.36|wacehl@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi1116♦
806

24-APR-2015 00:04:02.21|R|157.255.16.36|ior@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162@s♦
...
24-APR-2015 00:36:58.43|R|157.255.16.36|twycf@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed: xiaonanzi11162♦
271

13-APR-2015 and 14-APR-2015 are adjacent, so the session started 13-Apr-2015 just after 22:34 and continued to 00:36 the next day. Over 1000 attempts that failed…
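The per-sender, per-day tallies above can be produced mechanically from the rejection log. The following is an added example, not part of the original post or of PMAS itself; it assumes the pipe-delimited field order shown in the lines above (timestamp, R, client IP, recipient, sender, SMTP reply) and works on constructed sample lines that reuse the addresses quoted in the post.

```python
"""Aggregate PMAS relay-rejection entries per (client IP, sender) and flag repeat offenders."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pipe-delimited layout shown in the post:
# timestamp|R|client IP|recipient|sender|SMTP reply.  Not real log data.
SAMPLE_LOG = """\
13-APR-2015 12:07:58.91|R|122.13.2.195|losw@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed
13-APR-2015 12:52:20.59|R|122.13.2.195|cgruh@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed
23-APR-2015 00:42:01.74|R|114.112.190.22|test@82.161.236.244|mtyndallo@yahoo.com.tw|550 5.7.1 Relaying not allowed
23-APR-2015 22:34:53.54|R|157.255.16.36|wadfil@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed
24-APR-2015 00:04:02.21|R|157.255.16.36|ior@grootersnet.nl|xiaonanzi11162@sina.com|550 5.7.1 Relaying not allowed
garbage line that does not parse
"""

def parse_line(line):
    """Return (timestamp, client_ip, recipient, sender), or None for lines that are not relay rejections."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) < 6 or parts[1] != "R":
        return None
    try:  # PMAS writes DD-MON-YYYY HH:MM:SS.hh; strptime's %b accepts the upper-case month
        ts = datetime.strptime(parts[0], "%d-%b-%Y %H:%M:%S.%f")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]

def summarize(text):
    """Per (client IP, sender): attempt count, first/last timestamp (may span midnight), distinct recipients."""
    stats = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, rcpt, sender = rec
        s = stats.setdefault((ip, sender), {"count": 0, "first": ts, "last": ts, "recipients": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["recipients"].add(rcpt)  # many distinct local parts from one sender = address probing
    return stats

def blacklist_candidates(stats, min_count=100):
    """Client IPs whose rejected relay attempts reach min_count, sorted for a stable blacklist."""
    per_ip = defaultdict(int)
    for (ip, _sender), s in stats.items():
        per_ip[ip] += s["count"]
    return sorted(ip for ip, n in per_ip.items() if n >= min_count)

if __name__ == "__main__":
    for (ip, sender), s in summarize(SAMPLE_LOG).items():
        print(f"{ip} {sender}: {s['count']} attempts, {s['first']} .. {s['last']}, {len(s['recipients'])} recipients")
```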
DNS trouble?
There was another thing that was different with the router: from the start I had port 53 open – I cannot recall why – and I never had any problem, except that occasionally the DNS server, or the resolver, tries to send a 20-byte UDP packet to some other system. This is blocked by the router as a [teardrop] DDoS attempt, so it won’t get out.
After the new router had been installed for a day or so, this started again, and more often than before. Now I got a message from my ISP that something was wrong: it could cause my DNS server to act as an open DNS server that could get involved in a DDoS attack.
This is weird, since my DNS server only handles internal addresses, and the resolver doesn’t go out onto the Internet itself; instead it asks the router to handle the request, and the router forwards it to the DNS servers of my ISP, as is set up in the handshake between the access points.
Apparently my DNS server could receive requests from anywhere and loop them back. So now port 53 has been closed, and from that moment on I no longer get these messages. I’ll scrutinize the logs for some time and add all requestors to the blacklist.
PHP and WP update
WAY overdue, I know, but updating this version probably won’t work. So I’ll take another approach: start a new blog with the latest versions of PHP and WP, and probably of the database as well (MariaDB, a branch of MySQL that seems to be more stable and more reliable). If possible, this content will be imported directly; otherwise I will have to do some work to get it into the new database. Well, if the structures are compatible, I may use the current database as well…