01-May-2013

Monthly maintenance.
Nothing special…
PMAS statistics for April
Total messages    :   2281 = 100.0 o/o
DNS Blacklisted   :    624 =  27.3 o/o (Files: 30)
Relay attempts    :    119 =   5.2 o/o (Files: 30)
Accepted by PMAS  :   1538 =  67.4 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    803 =  52.2 o/o (processed),  35.2 o/o (all)
         Accepted :    313 =  20.3 o/o (processed),  13.7 o/o (all)
  Handled by content
        Discarded :    154 =  10.0 o/o (processed),   6.7 o/o (all)
     Quarantained :    246 =  15.9 o/o (processed),  10.7 o/o (all)
        Delivered :     22 =   1.4 o/o (processed),    .9 o/o (all)

just that on April 13th and 14th, there were quite a lot of relay attempts: this must have been some bot, sending from a vast number of addresses, from one “user” (test@live.com) to another (therichsheickc@yahoo.com), starting at 13-APR-2013 14:58:39.29 up to 14-APR-2013 11:21:34.96, 4 messages per hour:
<timestamp>|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
The messages were sent from the following addresses – as logged in the PMAS logfiles – with the number of messages, the owner (using a DNS tool) and country:


The addresses cycle – more or less – during the period they have been sent (and processed).
Most of them are blacklisted, some in multiple lists; it is my assumption that most of these addresses refer to open mail relays – or hacked machines that have been sending spam for quite some time.
In between there was one different address, relayed to, or from, another email address:
24.220.222.194 (tsegadora0@yahoo.com) owned by Midco.net (USA)
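As an added example (not part of the original post), the following Python script parses relay-refusal lines in the PMAS log style quoted above and flags sender/recipient pairs that are hit from many distinct source addresses, which is the distributed-bot pattern seen on April 13th and 14th. The leading source-IP field and the sample lines are constructed assumptions; the real PMAS log layout may differ.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the PMAS log style, not real log data.
# The post shows <timestamp>|from|to|550 ...; the leading source-IP
# field is an assumption added here so attempts can be grouped per source.
SAMPLE_LOG = """\
192.0.2.10|13-APR-2013 14:58:39.29|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
192.0.2.11|13-APR-2013 15:12:01.04|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
198.51.100.7|13-APR-2013 15:40:22.17|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
192.0.2.10|13-APR-2013 16:05:50.90|test@live.com|therichsheickc@yahoo.com|550 5.7.1 Relaying not allowed: therichsheickc@yahoo.com
203.0.113.5|13-APR-2013 16:30:00.00|alice@example.org|bob@example.net|250 OK
203.0.113.9|14-APR-2013 09:00:00.00|other@example.com|someone@example.net|550 5.7.1 Relaying not allowed: someone@example.net
"""

# VMS-style timestamp as in the post, e.g. 13-APR-2013 14:58:39.29
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_relay_rejections(text):
    """Return (source_ip, timestamp, sender, recipient) for each 550 relay refusal."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or not parts[4].startswith("550 5.7.1 Relaying not allowed"):
            continue
        ts = datetime.strptime(parts[1], TS_FORMAT)
        records.append((parts[0], ts, parts[2], parts[3]))
    return records


def find_relay_campaigns(records, min_sources=3):
    """Group refusals by (sender, recipient); keep pairs hit from many distinct sources."""
    groups = defaultdict(list)
    for ip, ts, sender, rcpt in records:
        groups[(sender, rcpt)].append((ip, ts))
    campaigns = {}
    for pair, hits in groups.items():
        sources = {ip for ip, _ in hits}
        if len(sources) < min_sources:
            continue
        times = sorted(ts for _, ts in hits)
        # Steady low rate over a long span (4/hour in the post) is the bot signature
        span_hours = max((times[-1] - times[0]).total_seconds() / 3600, 1.0)
        campaigns[pair] = {"attempts": len(hits), "sources": sorted(sources),
                           "first": times[0], "last": times[-1],
                           "per_hour": round(len(hits) / span_hours, 2)}
    return campaigns
```

Calling `find_relay_campaigns(parse_relay_rejections(SAMPLE_LOG))` on the sample returns only the test@live.com pair, with three sources and about 3.6 attempts per hour.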
Besides this, there have been numerous attempts to access the system using FTP, from networks I had locked out by the Vigor router; this hasn’t been returned yet, so there is no way at the moment to prevent this from happening except by disabling FTP altogether. But the number of attempts has not been as high as before – some years ago – so I leave it for the moment. Perhaps, if the router isn’t returned in time, I may decide to do so during times that I’m not near the machines for a while (due to holidays, for instance).
Update postponed
For several reasons, the update of VMS to 8.4 could not take place last weekend; it will now be some time next week that I update the main machine. One other thing I need to address is the configuration of a terminal server (m90) to access the consoles from the internet, just in case a power failure requires access to boot the machines….. Just to find out HOW to do that….
