07-Sep-2019

No issues
Due to a short trip abroad, this month's maintenance statistics have been delayed by a week.
But there are no real surprises. The number of messages remains huge (because I cannot block them in the router), and so does the number of rejected messages:

PMAS statistics for August
Total messages    :  91699 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    626 =    .6 o/o (Files: 31)
Accepted by PMAS  :  91073 =  99.3 o/o (Files: 31)
  Handled by explicit rule
         Rejected :  90423 =  99.2 o/o (processed),  98.6 o/o (all)
         Accepted :    164 =    .1 o/o (processed),    .1 o/o (all)
  Handled by content
        Discarded :    320 =    .3 o/o (processed),    .3 o/o (all)
     Quarantained :    103 =    .1 o/o (processed),    .1 o/o (all)
        Delivered :     63 =    .0 o/o (processed),    .0 o/o (all)

The messages that have been rejected carry fake senders or originate from hacked or infected systems; the subjects come from a limited set of texts, and most carry the same signature, which I configured PMAS to reject.

There were two days with many relay attempts, 290 messages each, using a fake grootersnet.nl sender and trying to reach danivela1029@gmail.com:

  • 6-AUG-2019 10:47:52.93 – 10:53:39.72, from address 142.147.97.179
  • 19-AUG-2019 19:09:30.32 – 19:11:55.67, from address 81.719.222.10

Of course, they failed.

Scanning the anonymous FTP log, however, shows a new tendency since 9-JUN-2019: trying to store a file in a (read-only) directory:

    9-JUN-2019 02:01:55.96 User:anonymous logged in ident:anonymous from Host:60.23.24.190
    9-JUN-2019 02:01:57.68 User:anonymous ident:anonymous status:FFFFFFFF STOR file:L500:[openvms]GXHLGSL.txt;1
    9-JUN-2019 02:02:05.31 User:anonymous ident:anonymous logged out

Obviously, dates and times change, and the requests come from different hosts, which is also to be expected. I guess this script is exchanged between the requesters, but it seems to check the status (FFFFFFFF = -1, indicating failure), since this is the same sequence again and again.

One way to get rid of these would probably be to scan the log file and hand the results to law enforcement, but since most of these requests originate outside the Netherlands, or even outside the European Union, it is unlikely to stop. The same holds for the bulk of the email messages: it is no problem to extract the sender addresses from the PMAS log, but to get the sending domains (forged or not) I would need to accept the messages into either the discard or the quarantine folder....
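As an added example (not the site's own tooling), here is the kind of log scan described above, written in Python: it walks anonymous FTP log lines in the format quoted earlier, attributes each failed STOR (status FFFFFFFF, i.e. -1) to the host of the enclosing anonymous session, and summarises per host. The log sample is constructed (the first session is the one quoted on this page; the other hosts, file name and RETR line are made up), and the scan assumes sessions of the same user are not interleaved in the log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the anonymous FTP log quoted above.
SAMPLE_LOG = """\
9-JUN-2019 02:01:55.96 User:anonymous logged in ident:anonymous from Host:60.23.24.190
9-JUN-2019 02:01:57.68 User:anonymous ident:anonymous status:FFFFFFFF STOR file:L500:[openvms]GXHLGSL.txt;1
9-JUN-2019 02:02:05.31 User:anonymous ident:anonymous logged out
12-JUN-2019 03:14:10.01 User:anonymous logged in ident:anonymous from Host:198.51.100.7
12-JUN-2019 03:14:11.50 User:anonymous ident:anonymous status:FFFFFFFF STOR file:L500:[openvms]ABCDEF.txt;1
12-JUN-2019 03:14:12.00 User:anonymous ident:anonymous status:FFFFFFFF STOR file:L500:[openvms]ABCDEF.txt;1
12-JUN-2019 03:14:20.77 User:anonymous ident:anonymous logged out
13-JUN-2019 09:00:00.00 User:anonymous logged in ident:anonymous from Host:203.0.113.9
13-JUN-2019 09:00:03.00 User:anonymous ident:anonymous status:00000001 RETR file:L500:[openvms]README.TXT;1
13-JUN-2019 09:00:09.00 User:anonymous ident:anonymous logged out
"""

LOGIN_RE = re.compile(r"^(\S+ \S+) User:(\S+) logged in .*?from Host:(\S+)$")
STOR_RE = re.compile(r"^(\S+ \S+) User:(\S+) .*?status:([0-9A-F]+) STOR file:(\S+)$")
LOGOUT_RE = re.compile(r"^(\S+ \S+) User:(\S+) .* logged out$")

def failed_stor_by_host(log_text):
    """Return {host: [(timestamp, file), ...]} for STOR attempts with status
    FFFFFFFF, attributed to the host of the session that is open for that user.
    Assumption: sessions of one user do not interleave in the log."""
    current_host = {}          # user -> host of the currently open session
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            current_host[m.group(2)] = m.group(3)
            continue
        m = STOR_RE.match(line)
        if m and m.group(3) == "FFFFFFFF":
            host = current_host.get(m.group(2), "unknown")
            hits[host].append((m.group(1), m.group(4)))
            continue
        m = LOGOUT_RE.match(line)
        if m:
            current_host.pop(m.group(2), None)
    return dict(hits)

def report(hits):
    """One summary line per host, busiest host first."""
    out = []
    for host, attempts in sorted(hits.items(), key=lambda kv: -len(kv[1])):
        files = sorted({f for _, f in attempts})
        out.append(f"{host}: {len(attempts)} failed STOR, first at {attempts[0][0]}, files {files}")
    return out

if __name__ == "__main__":
    print("\n".join(report(failed_stor_by_host(SAMPLE_LOG))))
```

The summary lines are what one would keep per month alongside the PMAS statistics; the benign RETR session (status 00000001) is deliberately not reported.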

Updates postponed
A few updates need to be done, but due to problems with PHP 7.2 and my inability to get the new version up and running, the update to WordPress 5.2.3 (now available) cannot be installed. Perhaps it never will be, because I am designing a (real VMS) alternative.