15-Dec-2014

“This is no SPAM”

The message tells me I can win a 500 Euro prize, and it tells me that
“This message is sent to diy@infomusica-media.com and cannot be considered SPAM as is stated clearly by the sender. The recipient change or change his data”.

Literally:

This message is being sent to diy@infomusica-media.com and cannot
be considered “SPAM”,
as is clearly identified by the sender.
The recipient can at any time the correction or cancellation
of his data

This newsletter is a service of Promo News, Av. de Berna, n º 31, 2 º dt º, 1050-038 Lisboa – Portugal
To unsubscribe from this list, click here

I TOTALLY disagree, as does PMAS:

X-PMAS-External: x68-170.retracka.com [91.126.168.170] (EHLO x68-170.retracka.com)
X-PMAS-Software: PreciseMail V3.2-5 [141213a] (diana.intra.grootersnet.nl)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-QP_ENCODED_SUBJECT: Subject line is quoted-printable-encoded (0.000)
X-PMAS-HDR-FROM_INFO: Message is from a .info domain (1.500)
X-PMAS-URI-INFO_TLD1: Contains a URL in the INFO top-level domain (1.500)
X-PMAS-META-PRIORITY_NO_NAME: Message has priority setting, but no X-Mailer (0.586)
X-PMAS-META-GET_OR_RECEIVE_02: Subject says you can get or receive something (2.000)
X-PMAS-META-SUBJ_CLAIM_WIN: Subject suggests you can win or get something free (4.000)
X-PMAS-META-CLICK_BELOW: Asks you to click below (2.000)
X-PMAS-Final-Score: 11.586
X-PMAS-Spam-Level: ***********
X-PMAS-Spam: Yes
X-Auto-Response-Suppress: OOF
X-PMAS-Quarantined: PreciseMail
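
As an added example (not part of the original post and not PreciseMail code), this Python sketch unfolds the wrapped X-PMAS-* headers quoted above, extracts each rule's score and checks that the scores add up to the reported X-PMAS-Final-Score. The regular expressions are assumptions derived from these sample lines only.

```python
import re

# Rule-hit headers copied from the post, wrapped as they appear there.
SAMPLE = """\
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-QP_ENCODED_SUBJECT: Subject line is quoted-printable-encoded
(0.000)
X-PMAS-HDR-FROM_INFO: Message is from a .info domain (1.500)
X-PMAS-URI-INFO_TLD1: Contains a URL in the INFO top-level domain (1.500)
X-PMAS-META-PRIORITY_NO_NAME: Message has priority setting, but no X-Mailer
(0.586)
X-PMAS-META-GET_OR_RECEIVE_02: Subject says you can get or receive something
(2.000)
X-PMAS-META-SUBJ_CLAIM_WIN: Subject suggests you can win or get something free
(4.000)
X-PMAS-META-CLICK_BELOW: Asks you to click below (2.000)
X-PMAS-Final-Score: 11.586
X-PMAS-Spam: Yes
"""

HEADER_START = re.compile(r"^[A-Za-z0-9_-]+:")
# Assumed layout of a rule hit: "X-PMAS-<RULE>: <description> (<score>)"
RULE_HIT = re.compile(r"^X-PMAS-([A-Z0-9_-]+):\s*(.*?)\s*\((-?\d+\.\d+)\)$")

def unfold(text):
    """Join continuation lines (anything not starting a new header)."""
    headers = []
    for line in text.splitlines():
        if HEADER_START.match(line) or not headers:
            headers.append(line.strip())
        else:
            headers[-1] += " " + line.strip()
    return headers

def score_report(text):
    """Return (rule hits sorted by score, recomputed total, reported final)."""
    hits, final = [], None
    for header in unfold(text):
        if header.startswith("X-PMAS-Final-Score:"):
            final = float(header.split(":", 1)[1])
            continue
        m = RULE_HIT.match(header)
        if m:
            hits.append((m.group(1), float(m.group(3)), m.group(2)))
    hits.sort(key=lambda h: -h[1])
    return hits, round(sum(score for _, score, _ in hits), 3), final
```

A recomputed total that differs from the reported final score would point to a rule header that was lost or altered before the message reached the archive.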

DIY == Do It Yourself :). infomusica-media.com is a dummy domain, or is hacked. Accessing the site gives nothing more than “coming soon”, but the address shown is the same:

Infomusica Media
Av. David Mourão Ferreira, Lt 15.5C, Esc.B
1750-209 Lisboa – Portugal
diy@infomusica-media.com
Tel.: +351 21 753 07 10

but there is nothing likewise in the header:

Return-Path: Ym91bmNlZC0hLSEtd2lsbGVtPT1ncm9vdGVyc25ldC5ubC0hLSEtMzgzMTgxLSEtIS0xMjY1LSEtIS1wcm9tbz09YWxkYW5pdGkubmV0@aldaniti.net
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.7-ECO4, OpenVMS V8.4 Alpha);
Mon, 15 Dec 2014 16:09:36 +0000 (UTC)
X-PMAS-MAIL-FROM:
Ym91bmNlZC0hLSEtd2lsbGVtPT1ncm9vdGVyc25ldC5ubC0hLSEtMzgzMTgxLSEtIS0xMjY1LSEtIS1wcm9tbz09YWxkYW5pdGkubmV0@aldaniti.net
Received: from x68-170.retracka.com ([91.126.168.170] EXTERNAL) (EHLO
x68-170.retracka.com) by diana.INTRA.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.2-5); Mon, 15 Dec 2014 16:00:59 +0000
Date: Mon, 15 Dec 2014 17:00:57 +0100
DKIM-Filter: OpenDKIM Filter v2.8.4 x68-170.retracka.com 86E8DA8C1A1B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=real-dance.info;
s=smtp; t=1418659257; bh=XKN39jPtwuPrq+8MbQr6Ot142HmwDSW+/yfpgw0IFuI=;
h=List-Unsubscribe:To:From:Reply-to:Subject;
b=kZR5SL8BRzZjUUH5HTsoD3VyySSZGvwtfIFmP2d2+QyihrAFr+kqCJkAU0nS3AkKV
cepV0C0p8GEeR/1pBOp3b4myp3wx2gLcHMdxIEqC5RGoasDfQQCs551VOx/RdpsVKK
P5dSCYmnttLxByWC2eM9hD2ArMJrNx2BTYbPXqXI=
List-Unsubscribe:

To: willem@grootersnet.nl
From: Elise
Reply-to: mail@real-dance.info
Subject: =?UTF-8?Q?Win_een_waardebon_van_=E2=82=AC500?=
Sender: promo@aldaniti.net
Message-ID:

X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_50484e59db984aea18871e49f42e4233"

In other words: BULLSHIT
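
To make the mismatch concrete, this added example (not from the original post) compares the domain the message body claims with the identities actually present in the header, and decodes the base64 local part of the Return-Path. The two-label domain comparison and the reading of “==” as “@” are assumptions based on this one sample.

```python
import base64

# Identity values taken from the header dump in the post.
IDENTITIES = {
    "claimed in body": "diy@infomusica-media.com",
    "Return-Path": "Ym91bmNlZC0hLSEtd2lsbGVtPT1ncm9vdGVyc25ldC5ubC0hLSEtMzgzMTgx"
                   "LSEtIS0xMjY1LSEtIS1wcm9tbz09YWxkYW5pdGkubmV0@aldaniti.net",
    "Sender": "promo@aldaniti.net",
    "Reply-to": "mail@real-dance.info",
    "DKIM d=": "real-dance.info",
    "EHLO": "x68-170.retracka.com",
}

def org_domain(value):
    """Naive registrable domain: the last two labels (no Public Suffix List)."""
    host = value.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])

def decode_bounce_localpart(address):
    """Decode a base64 local part into its fields, or None if it is not base64."""
    local = address.rsplit("@", 1)[0]
    try:
        text = base64.b64decode(local, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # "-!-!-" separates fields and "==" stands in for "@" (read off this sample).
    return [part.replace("==", "@") for part in text.split("-!-!-")]

def alignment(identities, claimed_key="claimed in body"):
    """Group header identities by domain; list those matching the claimed one."""
    claimed = org_domain(identities[claimed_key])
    groups = {}
    for field, value in identities.items():
        groups.setdefault(org_domain(value), []).append(field)
    aligned = [f for f in groups[claimed] if f != claimed_key]
    return claimed, aligned, groups

if __name__ == "__main__":
    claimed, aligned, groups = alignment(IDENTITIES)
    print("claimed:", claimed, "| header fields that match:", aligned or "none")
    for domain, fields in groups.items():
        print(f"  {domain}: {', '.join(fields)}")
    print("Return-Path decodes to:", decode_bounce_localpart(IDENTITIES["Return-Path"]))
```

The decoded Return-Path carries the recipient address and what look like list or campaign numbers, so any bounce or sender-verification callback tells the sender which recipient address is live.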

23-Oct-2013

Vigor Filter detects spam attempts
For the last few days, I’ve been informed by the router that an unwanted protocol is blocked:
Event Time : 2013/10/23 05:58:14
, [CSM_AE] [eDonkey] [Block]
Packet info: 192.168.0.200:2525 -> 208.75.123.194:55760, PR tcp
-AP-----------------------------------------------

and that happens once every two hours or so, give or take a few minutes. The receiving port changes (obviously), but the address is always the same.

Port 2525 means PMAS…
Actually, there is nothing wrong. PMAS will contact the sending mail server to see if that server accepts mail for the user specified in the message as being the sender. Only, as I found out earlier, this will cause a problem if this user has a very long name that seems to resemble the signature of this eDonkey protocol.
Hence the message.
The sending address has been identified as a server at constantcontact.com, a company offering the ability to send bulk email; at least, their home page states:

Be Where Your Customers
are Every Day: Their Inbox

With Email Marketing, you’re right there. Try it free for 60 days.

From the look of the site URL, it uses a Java program to send out mail. That explains the long usernames.

It seems someone tried this site. And since I’m not interested (I think) I blocked it where it should be blocked: at the gate.

19-Jun-2012

A day without Spam
Hard to believe but it happened: Yesterday there was one (1) SPAM message. If it had been sent just 10 minutes later, there would have been no discarded or quarantined message at all.
Didn’t look into rejected messages – there have been a few, about 20. Not as many as have been handled daily in the past weeks.

Retried PHP update
Mark Berryman commented on the previous attempt that I reversed the next day. I made some mistakes….
Today I retried and took his advice: Do a clean install and use the supplied version of the interfacing program – because there are some differences that are incompatible with the version supplied by Mark Daniel – and the right version of PHP.INI that comes with the package.
Though I still got the ‘deprecated’ messages, these can be suppressed in the web interface by changing the value of one of the configuration items, but still the blogs don’t show up. No error message using IE – but WATCH output showed a 500 error: Something is definitely wrong – but no clue on what.
So I used the PHP image on the same PHP-source:
$ php :== $php_root:[bin]php.exe
$ set def sysblog:[000000]
$ php index.php
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-settings.php on line 472
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-settings.php on line 487
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-settings.php on line 494
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-settings.php on line 530
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-includes/cache.php on line 103
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-includes/query.php on line 21
PHP Deprecated: Assigning the return value of new by reference is deprecated in
/sysblog/000000/wp-includes/theme.php on line 623
PHP Parse error: syntax error, unexpected $end in /sysblog/000000/wp-includes/post.php on line
3439
$

Again, the ‘deprecated’ messages show up (although they have been suppressed in PHP.INI) but also another failure: Unexpected $end on the first included file. Weird, since the file hasn’t been changed in the update: It starts with the tag <?php, but there is no corresponding end tag ?>. The PHP documentation on the tags clearly recommends omission of these end tags if the code is pure PHP – as is the case here:

When PHP parses a file, it looks for opening and closing tags, which are <?php and ?> which
tell PHP to start and stop interpreting the code between them. Parsing in this manner allows
PHP to be embedded in all sorts of different documents, as everything outside of a pair of
opening and closing tags is ignored by the PHP parser.

If a file is pure PHP code, it is preferable to omit the PHP closing tag at the end of the
file. This prevents accidental whitespace or new lines being added after the PHP closing tag,
which may cause unwanted effects because PHP will start output buffering when there is no
intention from the programmer to send any output at that point in the script.

Nevertheless: adding it to the file seems to solve the issue for that file – but then the same problem arose on the next file, and the next….
Changing all 300+ files in that manner is not feasible. Even more: since it’s a recommendation to OMIT the end tag, there should not be a need for it.
To be sure, I also downloaded the latest WP version (3.4) and ran the INDEX.PHP file using the PHP command. I would expect an error message because wp-config.php isn’t there – but here again the parser complains about a missing end tag:
$ set def wp34:[000000]
$ php index.php
PHP Parse error: syntax error, unexpected '>' in /wp34/000000/wp-blog-header.php on line 19
$

Depending on the file, it unexpectedly encounters “>” or “$end” at end-of-file – where the end tag “?>” should be implied. At least, it looks that way.

But no more deprecated interfaces, which is good.

So, again I had to revert the update.

The issue has been sent to the WASD mailing list. Hopefully there will be an answer soon…

27-Oct-2011

Wiki abuse
The number of fake users – those with undoubtedly fake e-mail addresses – that create an account on the VMS wiki, just to add text with inappropriate content, linking to obscure sites and so on, has suddenly increased. Every few days, there is yet another account that abuses the wiki. Luckily, the system has been configured to notify me of new users, and so it’s easy to track them down, de-spam the wiki from their posts and disable the accounts. But it would be nice if the software creating users would check that the address exists: send a confirmation mail to that address and finish the registration after the address has been verified; next, no posts but their personal page can be done, and only after that is finished, they can contribute….
Of course, since MoinMoin is an open-source application, it’s possible to create such a method. But it requires knowledge of Python, and insight into the code. I don’t know Python, though I could learn to use it; but it requires time, and there are other, more important actions to be taken. And this is not occurring so much that I have to spend a lot of time removing these abusive users and their posts. Just annoying, at this moment…

Spam statistics
I took a look at PMAS’s reports tonight, scanning the statistics for the years I’ve been using this product for filtering incoming mail. These reports clearly show the increase of spam until 2009, in 2010 there was less, and it looks as if the amount of spam decreases even more this year. But I need to do a more thorough investigation using all logs – splitting it up by domain, address, if possible, and many other things, store the results in a database and run statistics on that. That would also include rejected messages (that seem to be excluded from the reports) and relay attempts (not shown either). Again, this takes time, and should be part of a larger project for forensics. Again, a project to be started….

Projects
Speaking of projects:
* Remove MySQL and use another database. This requires a drastic change to the WordPress code, and I don’t think such a change would make it into the community. I’m looking around for an alternative: Mimer or Ingres, or even Caché might do.
* Remove PHP altogether and move to a native program that I can use. Mark Daniel – the creator of the WASD server – has created a content management system that I could use – either as-is, or as a base for own development.
* Remove Python – and the wiki – for the mentioned reasons. Here this native CMS could be used as well. But here as well, I could opt for yet another solution.
* Redo the home page. I could use this product as well, or write my own, fully from scratch or based on the CMS….
Main reason is that MySQL, PHP and Python are resource-hungry. PHP is anyway, it’s an interpreter; Python does some compilation and so it’s faster once started. I could also change the configuration for the sake of speed but then I would suffer a decrease in performance elsewhere. The system holds 512 Mb of memory, and adding more is – due to its age – very expensive. I think it a bit odd that older types of memory are far more expensive than state-of-the-art chips…
Second, since Oracle bought the company that is responsible for MySQL, and given the way the Oracle company works, it’s my idea that the development of MySQL is now under full control of Oracle. That’s the reason why there will be no MySQL-6 on Itanium. The community is pushed aside, it’s Larry Ellison – or any subordinate – that dictates the way the database is developed. To me, that’s enough to abandon MySQL as soon as I can. Luckily, there are alternatives: Ingres, as open source (though I may have to build it from source; the OpenVMS version is not freely available, alas); Caché and Mimer can also be considered, and, once the product has been re-ported to OpenVMS, Postgres is as well. (Knowing that Ingres was first (and still is) developed on OpenVMS and Postgres has been derived from Ingres – and once ran on OpenVMS as well – it might be not too much of a problem. Rumours are that the Postgres libraries are available.)

26-Oct-2010

WAN problems
Once more, incoming mail and FTP traffic were gone last Friday, but this time I could solve the problem by phone – got my son to reset the router. And last week, it happened again but since I was at home, I ran into it quickly and could reboot the router – and look for a reason.
I found it in the log:

Oct 24 01:20:02 Unknown Vigor: 128:41:57.600 wan->lan @S:R=13:1 p 67.195.111.16
Oct 24 01:20:07 Unknown Vigor: 128:42:03.490 wan->lan @S:R=13:1 p 67.195.111.16
Oct 24 01:22:03 Unknown Vigor: WAN 1 is down.
Oct 24 01:22:03 Unknown Vigor: WAN 1 is UP.
Oct 24 01:28:11 Unknown Vigor: --SendMailAlert--
Oct 24 02:14:32 Unknown Vigor: 129:36:36.140 lan->wan @S:R=13:1 p 192.168.0.2,6

and after that, the only incoming traffic passing the router is domain traffic (port 53) and mail (port 2525 in my case). No problem at all for outgoing traffic, just incoming fails time after time. It doesn’t even show up in the log, so the block is basically on the front end. That also shows by the fact that when accessing the secured webs on port 443, all browsers complain that the site’s certificate doesn’t match the one of the site. No wonder: the connection presents the router’s certificate!
Accessing the router from the inside works – but dead slow. Telnet however is fast as ever, so reboot is simple.

This shouldn’t happen in the first place. So I asked the dealer – and he passed information to Draytek – for a solution. Not in, yet…

Spam filter
The spam filter does some checks and the SMTP configuration doesn’t like it:

%%%%%%%%%%% OPCOM 25-OCT-2010 11:38:17.82 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNRSLVMF, MAIL FROM:< > has unresolvable domain

although this address is set to be acceptable in the SMTP.CONFIG file… Well, not much of a problem, it seems. I only have to find out why this happens, and what the consequence is.

Another way to be a spammer
Spamfiltering, the Microsoft way – bitten, by itself.