Archive for July, 2009

My anti-bounce filter got its first false-positives

Saturday, July 25th, 2009

I just noticed today that my anti-bounce filter is having a bit of trouble with some false positives. The trigger was that I received a PayPal policy update email for one of my PayPal accounts (with an email address hosted somewhere else) and the other one (with email hosted on my server) didn't get it. So I got around to digging and found that I missed about 6 valid emails and well over 30 spam messages (which would have been taken out by the anti-spam filters anyway).


[Solved] Problem with (lartc) multiple uplinks

Saturday, July 25th, 2009

As usual, I end up answering my own (painful, not google-able) problems.
So, I was so concentrated on DNS (that being the only service I actually needed to work right) that I did not bother testing any other services. After doing a lot of rtfm-ing on Linux routing and packet filtering and trying out all sorts of things, I decided that until I found a solution I would make the DNS work. Long story short, I configured my DNS to bind to each interface and it was then that I saw that PowerDNS can actually change the source address in the packet. So I got DNS working and then I figured I should try another service, http. I did the test without the lartc implementation and it behaved as described: the packet went out the wrong interface. However, when I implemented the lartc split, it went out the right interface.
So the actual problem was not lartc but PowerDNS. Maybe I should log a bug with them.

So, for whoever searches for a similar problem: make sure your service is not messing up the packets to begin with. Test your setup with a nice-playing apache, for example, and if that works, it's definitely your service to blame.


Lame attack on IRC Undernet

Tuesday, July 21st, 2009

Somebody must really love me. Just minutes ago they issued a flood-like attack on IRC by sending maybe a few hundred messages from almost as many different nicks/hosts.
This is particularly annoying since I use Pidgin as my IRC client, also used for a bunch of other IM accounts, and I had to kill it all until I figured out where the problem was. And they also targeted my egg. Guess they want to make a takeover.
What a wanker. Is that the best you can do? You aren't even worth the effort to install/write an anti-flood script for my psyBNC (which stands between Pidgin and IRC). You are totally lame. That is so 8-year-old.

As a side note, I just discovered that my stupid bullshit psyBNC did not log in to my Undernet account for some reason, so it got deleted. What stupid idiots these Undernet admins are. Seriously. I'm pretty sure it's their hand here.


Common, archive PM and kill user GM scripts updated

Sunday, July 19th, 2009

I updated the common and archive PM Greasemonkey scripts by adding an option to ignore failure. This option is used by the kill user script.
Additionally, I fixed the post deletion in the kill user script and also added more progress logging.
The modifications were only tested on Opera. Do note that the progress logging is still UNTESTED on Internet Explorer.


Major change in my greasemonkey scripts

Thursday, July 16th, 2009

I have added progress to most of the scripts. This behaves like "disabling" the current page while the script runs and displaying script status/progress in a DIV.
I also fixed the Firefox support for those who got some of the scripts while under development.

Also, as of 16.07.2009 the scripts now depend on GreaseMonkey API functions. Opera users will want to download this aagmfunction.js library. This is only needed by engines that do not support the GreaseMonkey API (GM_* functions). Firefox supports the GreaseMonkey API.

Very important: INTERNET EXPLORER support has not been tested. At all. Feel free to send feedback on IE 🙂


Stupid spam-fighters [rant]

Thursday, July 16th, 2009

I registered a little while ago on linuxforums.org to post my routing problem.
Imagine that: until I have 15 posts I cannot post any links. Not a problem, but guess what, even a simple thing like "dig domain A", which I need in my explanation, cannot be included because hell, it's a link.
You stupid idiots, ever heard of false positives? You've got a bunch of them.


Linux: Routing for multiple uplinks/providers

Thursday, July 16th, 2009

I described my problem here: http://www.linuxquestions.org/questions/linux-networking-3/problem-with-routing-for-multiple-uplinksproviders-on-rh9-2.4.36.2-739775/
As of this writing, it's not yet solved.
However, I wanted to post a script that does exactly what's in the tutorial http://lartc.org/howto/lartc.rpdb.multiple-links.html and that I use, since I hate adding the routes by hand every time. You need to edit it and add your info, obviously.

#!/bin/sh
# Sets up (or, with "del" as the first argument, tears down) the
# lartc "routing for multiple uplinks" configuration.

# config stuff: fill in your own values
P1_NET=      # provider 1 network, e.g. a.b.c.0/24
IF1=         # interface towards provider 1
P1=          # provider 1 gateway
IP1=         # our address on provider 1
T1=T1        # routing table name for provider 1 (must be listed in /etc/iproute2/rt_tables, or a number)

P2_NET=      # same for provider 2
IF2=
P2=
IP2=
T2=T2

P0_NET=      # local network
IF0=
P0=
IP0=

# actual script

# "del" removes the routes and rules, anything else adds them
if [ "$1" = "del" ]
then
    CMD=del
else
    CMD=add
fi

# per-provider tables: the provider network plus a default via that provider
/sbin/ip route $CMD "$P1_NET" dev "$IF1" src "$IP1" table "$T1"
/sbin/ip route $CMD default via "$P1" table "$T1"
/sbin/ip route $CMD "$P2_NET" dev "$IF2" src "$IP2" table "$T2"
/sbin/ip route $CMD default via "$P2" table "$T2"

# main table: both provider networks, default via provider 1
/sbin/ip route $CMD "$P1_NET" dev "$IF1" src "$IP1"
/sbin/ip route $CMD "$P2_NET" dev "$IF2" src "$IP2"

/sbin/ip route $CMD default via "$P1"

# answers sent from a provider's address go back out through that provider
/sbin/ip rule $CMD from "$IP1" table "$T1"
/sbin/ip rule $CMD from "$IP2" table "$T2"

# optionally make the local network, the other provider's network and
# loopback reachable from inside each provider table as well
uselocal=true
if [ "$uselocal" = true ]
then
    /sbin/ip route $CMD "$P0_NET" dev "$IF0" table "$T1"
    /sbin/ip route $CMD "$P2_NET" dev "$IF2" table "$T1"
    /sbin/ip route $CMD 127.0.0.0/8 dev lo table "$T1"
    /sbin/ip route $CMD "$P0_NET" dev "$IF0" table "$T2"
    /sbin/ip route $CMD "$P1_NET" dev "$IF1" table "$T2"
    /sbin/ip route $CMD 127.0.0.0/8 dev lo table "$T2"
fi
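Since the script above installs whatever is typed into its config block, it is worth checking that block before running it: ip route will accept a route whose src address is not inside the provider network, and the resulting traffic just silently takes the wrong path. The following POSIX sh is an added example and not part of the original post's script; it verifies that each uplink's address and gateway actually lie inside the provider network and that no field is empty. The interface names, addresses and networks in it are constructed sample values.

```shell
#!/bin/sh
# Added example: sanity-check lartc uplink settings before installing routes.
# All addresses, networks and interface names below are constructed samples.

# Dotted-quad IPv4 address -> 32-bit integer; non-zero status on malformed input.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit or octal-looking octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0-32) -> 32-bit netmask as an integer.
prefix2mask() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Print "yes" if ADDR lies inside NET (a.b.c.d/len), "no" otherwise.
in_subnet() {
    case $2 in
        */*) ;;
        *) return 1 ;;
    esac
    _a=$(ip2int "$1") || return 1
    _n=$(ip2int "${2%/*}") || return 1
    _m=$(prefix2mask "${2#*/}") || return 1
    if [ $(( _a & _m )) -eq $(( _n & _m )) ]; then
        echo yes
    else
        echo no
    fi
}

# Check one uplink: NAME NET IFACE GATEWAY ADDR. Prints every problem found
# and returns non-zero if there was any.
check_uplink() {
    name=$1 net=$2 ifc=$3 gw=$4 addr=$5
    bad=0
    for field in net ifc gw addr; do
        eval "val=\$$field"
        [ -n "$val" ] || { echo "$name: $field is empty"; bad=1; }
    done
    [ $bad -eq 0 ] || return 1
    [ "$(in_subnet "$addr" "$net")" = yes ] ||
        { echo "$name: address $addr is not inside $net"; bad=1; }
    [ "$(in_subnet "$gw" "$net")" = yes ] ||
        { echo "$name: gateway $gw is not inside $net"; bad=1; }
    return $bad
}

# Constructed sample configuration; replace with the real values.
if check_uplink P1 203.0.113.0/24 eth1 203.0.113.1 203.0.113.10 &&
   check_uplink P2 198.51.100.0/24 eth2 198.51.100.1 198.51.100.10; then
    echo "uplink settings look consistent"
fi
```

Two caveats the check cannot cover: the table names T1 and T2 must be listed in /etc/iproute2/rt_tables (or be plain numbers) or ip refuses them, and the from-address rules only steer traffic whose source address the application actually set. A daemon that binds 0.0.0.0 and lets the kernel pick the source address falls through to the main table's default route, which is exactly the PowerDNS behaviour described in the follow-up post on this page.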


One way spammers send “legitimate” spam

Wednesday, July 15th, 2009

I wrote a full-blown SMTP server for one of my clients, with some anti-spam and anti-abuse systems, and I was contacted today by him because for some reason the server is sending a lot of spam out.
After some investigation we learned that:
– the spammers are using stolen credit cards to sign up to the paid server and get a user/pass used to authenticate
– since we deemed all paid customers as "good", spam was getting out
– they quickly learned about the anti-abuse and stopped abusing the system in the obvious way, but are still sending spam at the peak level so that the system would not pick up the abuse.

Basically, they stop wasting time buying a domain and hosting and setting it up for emailing; they directly buy a nice email account they can use. Cheaper, no time wasted setting it up, and easy to ditch.

So, it seems we will be applying spam filters to all messages.
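The third finding above, that the spammers throttle themselves to just under the abuse threshold, is the one a per-message rate limit cannot see, but it does leave a signature: a legitimate account rarely runs at its ceiling hour after hour. The following sh/awk is an added example, not the client's server code, that reads a send log (one "<unix time> <account>" line per accepted message, a constructed format), buckets it by account and hour, and reports both plain bursts over the cap and accounts that sit near the cap for several consecutive hours. The cap, percentages and account names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the SMTP server's own code: spot authenticated accounts
# that keep sending just under the hourly limit hour after hour. The log
# format (one "<unix time> <account>" line per accepted message), the cap
# and the account names are constructed for this demonstration.

HOURLY_CAP=20          # messages per account per hour the server allows
NEAR_CAP_PCT=80        # treat >= 80% of the cap as "running at the ceiling"
SUSTAINED_HOURS=3      # flag after this many consecutive near-cap hours

# Read log lines on stdin; print one line per suspicious account, sorted:
#   "<account> burst <count> in one hour (cap <cap>)"
#   "<account> sustained <n> consecutive hours near cap"
detect_abuse() {
    awk -v cap="$HOURLY_CAP" -v pct="$NEAR_CAP_PCT" -v need="$SUSTAINED_HOURS" '
    {
        hour = int($1 / 3600)
        acct = $2
        n[acct, hour]++
        if (!(acct in first) || hour < first[acct]) first[acct] = hour
        if (!(acct in last)  || hour > last[acct])  last[acct]  = hour
    }
    END {
        near = cap * pct / 100
        for (acct in first) {
            run = 0; best = 0; peak = 0
            # walk every hour in the account range so a quiet hour resets the streak
            for (h = first[acct]; h <= last[acct]; h++) {
                c = ((acct, h) in n) ? n[acct, h] : 0
                if (c > peak) peak = c
                if (c >= near) { run++; if (run > best) best = run } else run = 0
            }
            if (peak > cap)
                printf "%s burst %d in one hour (cap %d)\n", acct, peak, cap
            else if (best >= need)
                printf "%s sustained %d consecutive hours near cap\n", acct, best
        }
    }' | sort
}

# Constructed sample log: alice sends 17/hour for 4 hours (just under the cap),
# bob sends 3/hour, carol sends 25 in a single hour.
sample_log() {
    base=1247616000   # 2009-07-15 00:00:00 UTC, on an hour boundary
    for h in 0 1 2 3; do
        i=0
        while [ $i -lt 17 ]; do
            echo "$((base + h * 3600 + i * 60)) alice@example.org"
            i=$((i + 1))
        done
        echo "$((base + h * 3600 + 120)) bob@example.org"
        echo "$((base + h * 3600 + 240)) bob@example.org"
        echo "$((base + h * 3600 + 360)) bob@example.org"
    done
    i=0
    while [ $i -lt 25 ]; do
        echo "$((base + i * 60)) carol@example.org"
        i=$((i + 1))
    done
}

sample_log | detect_abuse
```

The streak is what separates a throttled spammer from a busy customer: carol trips the ordinary cap, but alice never does and would pass an hourly limit forever. Running this over a day of logs and reviewing the flagged accounts is a cheap complement to the content filters the post settles on.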


I am being attacked with email spam

Saturday, July 11th, 2009

As I wrote the other day, some idiots figured they would attack my server by using bounces from other flawed email servers which have incompetent sysadmins.
I have a bunch of scripts fighting spam at various levels. The script I wrote the day before yesterday is targeting exactly these bounces that are not picked up by the spam filter.
Since I wrote the script, it has rejected almost 150 bounces that passed the spam filter and fewer than 20 have made it through into my inbox (and obviously I have tweaked the script into dropping most of those too).

But this is nothing. About 2 days ago, when this attack began, I added some rules to my spam filter and since then my spam filter has blocked 6015 spam messages, most of which are from this attack. 6000.

The next step will probably be to block the originating servers. With iptables. But first I have to make sure I'm not blocking 1000 email servers but only a very few, like 3-5.

Sayonara idiots.


Anti Spam-Bounce

Friday, July 10th, 2009

I have written a small script as an XMail filter that rejects bounces I get due to spam, rejecting them with a descriptive message basically telling those sysadmins to set up their email servers properly.
In the past 12 hours my server has successfully rejected 57 such bounces.
And this is only the beginning. This filter I wrote basically makes sure, where possible (!!!), that the bounce is actually a reply to an email sent by my server. Most bounces contain the headers of the original email, and spammers forge a lot of data there, but some of it just cannot be forged. Like, for example, where the email is actually coming from.
So, any email bounce that contains those headers is validated as having been generated by an email from my server.

The second step will be to reject ALL bounces that do not contain these headers. If those sysadmins are so idiotic as to bounce everything, they could at least send us the headers as well. A bounce without headers is of no use to a sysadmin. Sure, it helps a user in case of a valid bounce, but that's about it. I need the headers, otherwise I don't need your bounce.
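The part of the returned headers that the spammer cannot forge is the Received line the bouncing server itself stamped when it accepted the message: it records the IP address it really talked to, and a forged message never came from this server. The following POSIX sh is an added example and not the XMail filter described in the two bounce posts above; it classifies a bounce read on stdin as accept (the bouncer's own Received line shows our address), reject-forged (original headers are present but show someone else), or reject-noheaders (the bounce carries no original headers at all, the case the second step above rejects outright). Our server's address and the three sample bounces are constructed.

```shell
#!/bin/sh
# Added example, not the XMail filter from the post: classify a bounce by the
# one header the bouncing server added itself. OUR_IP and the sample bounces
# are constructed for this demonstration.

OUR_IP=203.0.113.10   # constructed: the address our server delivers from

# Read a bounce on stdin and print one of:
#   accept            first Received: line in the returned headers shows OUR_IP
#   reject-forged     returned headers present, but the bouncer talked to someone else
#   reject-noheaders  no original headers returned at all
classify_bounce() {
    awk -v ip="$OUR_IP" '
    # finish the Received: header being collected (continuation lines folded in)
    function end_received() {
        if (rcv != "") {
            nrcv++
            # only the first Received: in the returned copy was stamped by the
            # bouncing server; everything below it came from the sender
            if (nrcv == 1 && index(rcv, "[" ip "]") > 0) ours = 1
        }
        rcv = ""
    }
    inbody == 0 { if ($0 == "") inbody = 1; next }   # skip the bounce headers
    /^Received:/ { end_received(); rcv = $0; next }
    /^[ \t]/ && rcv != "" { rcv = rcv " " $0; next }  # folded continuation
    { end_received() }
    /^Message-I[Dd]:/ { msgid = 1 }
    END {
        end_received()
        if (ours) print "accept"
        else if (nrcv > 0 || msgid) print "reject-forged"
        else print "reject-noheaders"
    }'
}

# Constructed bounce: the bouncer really received the message from us.
genuine_bounce() {
cat <<'EOF'
From: MAILER-DAEMON@bouncer.example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender

This is the mail system at host bouncer.example.net.

Received: from mail.example.org (mail.example.org [203.0.113.10])
    by bouncer.example.net with ESMTP id 1A2B3C
    for <nobody@bouncer.example.net>; Fri, 10 Jul 2009 09:12:33 +0200
Received: from [192.0.2.5] by mail.example.org with ESMTPA
Message-ID: <20090710071230.0001@mail.example.org>
From: user@example.org
To: nobody@bouncer.example.net
Subject: hello
EOF
}

# Constructed bounce: the spammer said HELO as our host, but the bouncer
# recorded the address it actually talked to.
forged_bounce() {
cat <<'EOF'
From: MAILER-DAEMON@bouncer.example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender

Received: from mail.example.org (unknown [198.51.100.77])
    by bouncer.example.net with ESMTP id 9Z8Y7X
Received: from mail.example.org by mail.example.org with ESMTPA
Message-ID: <20090710071230.0002@mail.example.org>
From: user@example.org
Subject: cheap pills
EOF
}

# Constructed bounce with no original headers at all.
headerless_bounce() {
cat <<'EOF'
From: MAILER-DAEMON@bouncer.example.net
To: user@example.org
Subject: Delivery failure

Your message could not be delivered.
EOF
}

for kind in genuine_bounce forged_bounce headerless_bounce; do
    echo "$kind: $($kind | classify_bounce)"
done
```

The check deliberately ignores every Received line after the first one in the returned copy, since those travelled with the message and are as forgeable as the rest; it is the "where possible" of the post, and a bouncer that strips or rewrites its own Received line still ends up in reject-forged rather than accept.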
