09-Dec-2019

Maintenance report delayed
This should have been reported a week ago, but there has been trouble in paradise…. About that later.
Actually, the system ran fine last month, and even mail was not exceptional:

PMAS statistics for November
Total messages    :  52976 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    621 =   1.1 o/o (Files: 30)
Accepted by PMAS  :  52355 =  98.8 o/o (Files: 30)
  Handled by explicit rule
         Rejected :  50210 =  95.9 o/o (processed),  94.7 o/o (all)
         Accepted :    194 =    .3 o/o (processed),    .3 o/o (all)
  Handled by content
        Discarded :    336 =    .6 o/o (processed),    .6 o/o (all)
     Quarantained :    151 =    .2 o/o (processed),    .2 o/o (all)
        Delivered :   1464 =   2.7 o/o (processed),   2.7 o/o (all)

Apart from the huge amount of rejected messages – mainly because their headers matched the exceptions I specified in PMAS – there were no surprises, not even in the area of relay attempts. Just two days, same as always:
 4-NOV-2019 11:44:48.23 -  4-NOV-2019 11:49:55.93 185.208.211.194 (291)
15-NOV-2019 11:32:25.33 - 15-NOV-2019 11:37:57.24 173.44.51.8     (290)

sending from a (bogus) grootersnet.nl user to danivela1029@gmail.com.

My current belief is that this recipient is either an accomplice of the sender, or the sender itself.
Anyway, the ISPs have been notified, and the networks have been excluded from access.

For the rest, no surprises or weird issues on this job.

However, there IS an issue to be addressed, and that is a harder nut to crack.
One reason I couldn’t get things entered a week ago is that at that moment CPU load peaked over 90% – where it usually doesn’t exceed 10%. Sometimes it does, for instance when running the script that handles last month’s logfiles (which culminates in this type of entry). But that is ‘normal behaviour’ and to be expected. Not on random occasions during the day, for hours – I’ve noted days where CPU load was about 90% for 8 hours in a row.
So there is definitely something going on that is not right.
Since this behaviour shows up in the WASD reports, it is obviously something that is triggered from the internet, so I had a look into the WASD logfiles. The server logs show nothing weird, but the access logs do:

188.213.49.210 - - [02/Dec/2019:01:31:53 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719
188.213.49.210 - - [02/Dec/2019:01:31:57 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719
...
188.213.49.210 - - [02/Dec/2019:09:05:11 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719
188.213.49.210 - - [02/Dec/2019:09:05:16 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719

almost 6000 of these entries in one access file alone. The problem is that the file only shows the URL, not the data POSTed, so it could mean anything. What I have seen is that when this happens, quite a lot of data is returned.
Similar sequences are found in other files, some using a sequence of IP addresses (in the same (sub)net), or running for just an hour or so.

Of course, access to the server has been denied – either in WASD, in WASD_GLOBAL_CONFIG under [reject], or in the firewall of the router so there is no LAN access at all – but the situation keeps happening from time to time. Of course there is the throttle facility of WASD that I could use for this, but what I really need is something that allows me to tell the router to add that address (or that network…) to the firewall so ANY access to the LAN is blocked. This is a requirement since whoever is behind these addresses is not just messing with the webserver: I found them trying to relay mail (which won’t succeed anyway, but takes resources from the spam filter…) or trying to deliver spam directly (which is rejected as well – same issue: it takes resources from the email front-end).
Another resource hog is the continuous access to “/HyperReader/download/”, which I explicitly set to fail – that returns status 403, but they keep coming, from one address, a request per second, for minutes; then change address and continue? It might be TOR exit nodes, since the sequence is not interrupted in time; it goes on within the same minute….
Neither WASD nor the router has a facility to block addresses (or networks) based on a DNS blacklist of TOR exit nodes, which I could use to drop connections from these sites immediately (as if the site did not exist…). I’ve noted that quite a lot of these addresses are listed in a number of DNS blacklists for email or web access, but sadly I cannot integrate these in either the router firewall or in WASD. So I have to create something that scans the logs and takes appropriate action – in either the firewall or WASD. If possible….
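A log scanner of the kind described above, added here as an example and not the author's own code (the post says none exists yet): it parses WASD access-log lines in the common log format shown earlier, counts per-address hits on the two abused paths (POSTs to /sysblog/xmlrpc.php and 403s on /HyperReader/download/), and renders the offending addresses as candidate [reject] entries. The sample lines other than the page's own 188.213.49.210 entries are constructed, and the threshold and the one-address-per-line layout under [reject] are assumptions.

```python
import re
from collections import Counter, defaultdict

# One common-log-format line as WASD writes it to the access log
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample: two page-style xmlrpc POSTs, two 403s on HyperReader,
# and one legitimate request that must not be flagged.
SAMPLE_LOG = """\
188.213.49.210 - - [02/Dec/2019:01:31:53 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719
188.213.49.210 - - [02/Dec/2019:01:31:57 +0000] "POST /sysblog/xmlrpc.php HTTP/1.1" 200 719
198.51.100.7 - - [02/Dec/2019:02:00:01 +0000] "GET /HyperReader/download/ HTTP/1.1" 403 0
198.51.100.7 - - [02/Dec/2019:02:00:02 +0000] "GET /HyperReader/download/ HTTP/1.1" 403 0
203.0.113.5 - - [02/Dec/2019:03:10:00 +0000] "GET /sysblog/ HTTP/1.1" 200 5120
"""


def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_addresses(lines, threshold):
    """Map each address with at least `threshold` hits on an abused path to
    a {reason: count} dict; other traffic is ignored."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/sysblog/xmlrpc.php":
            hits[rec["ip"]]["xmlrpc-post"] += 1
        elif rec["path"].startswith("/HyperReader/download/") and rec["status"] == "403":
            hits[rec["ip"]]["hyperreader-403"] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}


def wasd_reject_lines(addresses):
    """Render a [reject] block for WASD_GLOBAL_CONFIG (assumed: one address per line)."""
    return ["[reject]"] + sorted(addresses)


if __name__ == "__main__":
    flagged = suspicious_addresses(SAMPLE_LOG.splitlines(), threshold=2)
    print("\n".join(wasd_reject_lines(flagged)))
```

On a real file the threshold would be set far higher (the post mentions almost 6000 entries from one address), and the rendered block is meant to be reviewed before it is merged into the configuration.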