Hello all,
Wondering if any of you have experience with this.
I have two domains, wiggly.org (A) and alertferret.com (B).
A has been registered since 1994.
B was registered very recently, within 6 months.
I run email for both of these domains on the same server,
otter.wiggly.org using Exim.
I have the exact same MX and SPF records for both domains:
@ 3600 IN MX 10 mail.wiggly.org.
@ 3600 IN SPF "v=spf1 mx -all"
@ 3600 IN TXT "v=spf1 mx -all"
Sending email from domain A to gmail/hotmail appears in the main inbox.
Sending email from domain B ends up in the spam folder for both.
Now, I am wondering why this would be, seeing as there has been
practically no email from domain B, and therefore I find it unlikely that
the domain itself has been flagged.
All I can see is that domain A is a lot older but I have only recently
added SPF and have never really had problems with my emails from domain
A being consumed by spam folders.
Checking a couple of blacklist checkers I cannot find my domain or my MX
on any of them.
Does anyone have an idea as to why domain B would be getting caught in
spam traps whilst A does not?
I have had someone suggest using mandrill or other external hosted
solution but quite frankly if the mail is being blocked because it is
being sent from domain B then that surely wouldn't give me any improvement?
Any help, ideas, thoughts or further resources would be greatly appreciated.
Regards,
Nigel
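What those two records actually say to a receiving MTA, as an added example (not Nigel's configuration or code): a small RFC 7208 check_host() evaluator run against a constructed in-memory copy of the records quoted above. The MX address 192.0.2.25, the unrelated sender 198.51.100.7 and the looping.example domain are assumptions for the demonstration. It shows that both domains evaluate identically for the same sending host, so the published policy itself cannot be what separates them, and that only TXT is consulted, since RFC 7208 retired the separate SPF RR type. The record covers SPF only; DKIM and DMARC are not modelled here.

```python
"""Evaluate "v=spf1 mx -all" for a sending IP against in-memory DNS data.

Added example, not from the original post. DNS answers come from a
constructed table mirroring the records quoted there; the MX address
192.0.2.25, the sender 198.51.100.7 and looping.example are assumptions
(RFC 5737 documentation ranges), not real BitFolk addresses.
"""
import ipaddress

# Constructed zone data: (owner, rrtype) -> rdata list. Only TXT carries SPF;
# RFC 7208 retired the separate SPF RR type, so receivers do not consult it.
DNS = {
    ("wiggly.org", "TXT"): ["v=spf1 mx -all"],
    ("wiggly.org", "MX"): [(10, "mail.wiggly.org")],
    ("alertferret.com", "TXT"): ["v=spf1 mx -all"],
    ("alertferret.com", "MX"): [(10, "mail.wiggly.org")],
    ("mail.wiggly.org", "A"): ["192.0.2.25"],  # assumed address of the MX
    # Constructed self-referencing record, to exercise the lookup limit.
    ("looping.example", "TXT"): ["v=spf1 include:looping.example -all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap on mx/a/include and friends


def lookup(name, rrtype):
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def spf_records(domain):
    """All v=spf1 TXT records; RFC 7208 requires exactly one."""
    return [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]


def _ip_in(ip, addrs):
    return any(ip == ipaddress.ip_address(a) for a in addrs)


def check_host(sender_ip, domain, _budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip sending as @domain."""
    ip = ipaddress.ip_address(sender_ip)
    budget = _budget if _budget is not None else [MAX_DNS_LOOKUPS]
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:
            continue  # redirect=/exp= modifiers are not implemented in this example
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("mx", "a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
        elif mech == "a":
            if _ip_in(ip, lookup(arg or domain, "A")):
                return QUALIFIER[qualifier]
        elif mech == "mx":
            for _prio, host in lookup(arg or domain, "MX"):
                if _ip_in(ip, lookup(host, "A")):
                    return QUALIFIER[qualifier]
        elif mech == "include":
            sub = check_host(sender_ip, arg, budget)
            if sub == "pass":
                return QUALIFIER[qualifier]
            if sub in ("permerror", "none"):
                return "permerror"  # RFC 7208 section 5.2: included record is broken
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # ran off the end of the record without a match


if __name__ == "__main__":
    for dom in ("wiggly.org", "alertferret.com"):
        for ip in ("192.0.2.25", "198.51.100.7"):
            print(f"{ip:>14} sending as {dom:<17} -> {check_host(ip, dom)}")
```

Run stand-alone it prints pass for the MX address and fail for the stranger under both domains, which is the whole point: as far as SPF goes, A and B are indistinguishable.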
Hi all,
Have a strange attack happening to one of my domains, on the web
server. It is a small privatish phpBB forum with nothing exciting,
interesting or valuable going on at all. And it is the only one
attacked out of a handful web sites on the server.
The site has had a lot of incorrect requests to the server since
before Christmas. I get POST requests in the region of two per second.
There's nothing in the POST request and it is to the root of the
domain. Like this:
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The 301 response is something I set up when I discovered this. There
should be no POST requests to /, so I do a 301 permanent redirect back
to the client's own IP address. But that seems to have had no effect
at all. The requests are still constantly coming in.
I have set up a filter in fail2ban for anyone POSTing to '/' so they
should be completely banned (using action 'iptables-allports'). But
due to the sheer amount of different addresses attacking it seems to
have little effect. Plus the fact I quite often see this in the
fail2ban log:
2013-12-30 23:38:33,080 fail2ban.actions: WARNING [http-ddos] 37.142.202.18 already banned
So it seems that despite being banned they can still send a request to
the Apache server? Not sure why; the iptables -L seems to list an
awful lot of IP addresses and domain names. So the fail2ban filter is
working as it should with setting up rules in iptables.
At the same time, postfix is getting a large amount of requests on
port 25 too:
Dec 30 23:54:45 bitfolk postfix/smtpd[14601]: connect from unknown[180.67.178.14]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: lost connection after UNKNOWN from unknown[76.2.133.225]
Dec 30 23:54:45 bitfolk postfix/smtpd[14071]: disconnect from unknown[76.2.133.225]
Dec 30 23:54:48 bitfolk postfix/smtpd[27968]: connect from unknown[24.151.82.226]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: lost connection after UNKNOWN from unknown[173.220.57.214]
Dec 30 23:54:49 bitfolk postfix/smtpd[14107]: disconnect from unknown[173.220.57.214]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: lost connection after UNKNOWN from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10196]: disconnect from unknown[72.135.3.145]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: lost connection after UNKNOWN from unknown[173.246.215.147]
Dec 30 23:54:50 bitfolk postfix/smtpd[10354]: disconnect from unknown[173.246.215.147]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: lost connection after UNKNOWN from unknown[180.67.178.14]
Dec 30 23:54:51 bitfolk postfix/smtpd[14601]: disconnect from unknown[180.67.178.14]
And in the mail.warn log:
Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
I can only conclude this is sent to the same domain name as is
attacked on port 80...
Now I am worried all this will consume my bandwidth allowance (as
well as eating into system resources, of course), and I have run out of ideas of how
to stop this. Any suggestions are most welcome!
Thanks,
__
/ony
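The triage logic behind the jail described above, as an added example (not Tony's code or fail2ban configuration): the Apache and Postfix lines quoted in the post are embedded as sample input, with one constructed benign GET from 203.0.113.9 as a control. It counts POST / requests per source address, measures the request rate over the sampled window, pulls the sources of the Postfix non-SMTP-command warnings, and checks that a fail2ban-style failregex (the `<HOST>` token expanded approximately, the way fail2ban does it internally) flags exactly the same addresses as the hand-written detector, which is the check worth doing before trusting a jail.

```python
"""Triage of the POST / flood and the Postfix noise quoted in the post.

Added example, not code from the original message. Log lines are copied
from the post; the single GET line (203.0.113.9) is a constructed benign
control so the detector has something it must not flag.
"""
import re
from collections import Counter
from datetime import datetime

APACHE_LOG = """\
184.57.181.141 - - [30/Dec/2013:23:32:24 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.205.136.80 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.118.233.245 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
173.51.226.12 - - [30/Dec/2013:23:32:25 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
71.10.0.254 - - [30/Dec/2013:23:32:27 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
75.91.250.137 - - [30/Dec/2013:23:32:29 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
108.200.239.239 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.40.129.122 - - [30/Dec/2013:23:32:31 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
128.210.19.134 - - [30/Dec/2013:23:32:32 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
12.51.89.194 - - [30/Dec/2013:23:32:33 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
184.57.181.141 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
208.96.191.152 - - [30/Dec/2013:23:32:35 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
70.190.134.120 - - [30/Dec/2013:23:32:37 +0000] "POST / HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [30/Dec/2013:23:32:38 +0000] "GET /viewforum.php?f=1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

POSTFIX_LOG = r"""
Dec 30 23:10:15 bitfolk postfix/smtpd[19391]: warning: non-SMTP command from unknown[96.38.26.186]: UY:l??????????z??????\?
Dec 30 23:11:22 bitfolk postfix/smtpd[17880]: warning: non-SMTP command from unknown[181.67.172.79]: U:??[6?
Dec 30 23:14:46 bitfolk postfix/smtpd[19522]: warning: non-SMTP command from unknown[24.39.251.34]: @:??>T^R^?d???&U?V<??;W?p4?Gf#???t????,???E?
Dec 30 23:16:57 bitfolk postfix/smtpd[24688]: warning: non-SMTP command from unknown[72.181.54.101]: gu:?R?M????
"""

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Postfix logs the peer as name[ip]; "unknown" means the reverse lookup failed.
POSTFIX_RE = re.compile(r"warning: non-SMTP command from \S+\[(?P<ip>[0-9a-fA-F:.]+)\]")
# fail2ban-style failregex for the jail in the post; fail2ban expands <HOST> itself.
FAIL2BAN_FAILREGEX = r'^<HOST> -.*"POST / HTTP/[12]\.[01]" \d{3}'


def parse_apache(text):
    """Yield a dict per combined-format line that parses; silently skip the rest."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def suspect_http(text):
    """Per-IP count of POST / requests: the post says there should be none at all."""
    hits = Counter()
    for rec in parse_apache(text):
        if rec["method"] == "POST" and rec["path"] == "/":
            hits[rec["ip"]] += 1
    return hits


def post_rate(text):
    """POST / requests per second across the sampled window."""
    stamps = [r["ts"] for r in parse_apache(text) if r["method"] == "POST" and r["path"] == "/"]
    span = (max(stamps) - min(stamps)).total_seconds() or 1.0
    return len(stamps) / span


def suspect_smtp(text):
    """Per-IP count of non-SMTP-command warnings (binary junk thrown at port 25)."""
    return Counter(m.group("ip") for m in POSTFIX_RE.finditer(text))


def expand_host(failregex):
    """Approximate fail2ban's expansion of <HOST> into a named capture group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def fail2ban_matches(text, failregex=FAIL2BAN_FAILREGEX):
    """Addresses the failregex would hand to the ban action; compare with suspect_http()."""
    pat = expand_host(failregex)
    return {m.group("host") for m in map(pat.match, text.splitlines()) if m}


def ban_candidates(apache_text, postfix_text):
    """Union of both sources; a single POST / is enough since none are legitimate."""
    return sorted(set(suspect_http(apache_text)) | set(suspect_smtp(postfix_text)))


if __name__ == "__main__":
    print("POST / per second:", round(post_rate(APACHE_LOG), 2))
    print("repeat offenders:", suspect_http(APACHE_LOG).most_common(1))
    print("SMTP sources:", sorted(suspect_smtp(POSTFIX_LOG)))
    print("failregex agrees with detector:", fail2ban_matches(APACHE_LOG) == set(suspect_http(APACHE_LOG)))
    print("ban list:", ban_candidates(APACHE_LOG, POSTFIX_LOG))
```

On the sampled window the rate works out to one POST / per second from twelve distinct addresses, only one of which (184.57.181.141) repeats, which is why a per-IP jail with the usual maxretry barely dents a flood spread across that many sources: most addresses trip the filter once and never return within findtime.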
Hi,
I'd like to revisit a topic that has never really been resolved -
what to do when someone goes past the limit of their backup space.
When I say backups I'm talking about the backups service as
described here:
https://bitfolk.com/customer_information.html#toc_2_Local_backups
It's by no means an awesome service - I recognise that everyone has
their own preferred methods of doing backups and there's no way to
please everyone - but it is taken advantage of by 38 people at
present.
The way it works currently with regard to disk usage is:
- A backup job runs
- Disk usage is calculated and the usage is recorded in a database
- Nagios sends warnings when that usage goes above 95%, sends
critical alerts if it goes above 100%
- Backups keep on running anyway
- Both I and the customer see those Nagios alerts
So, let's say someone goes above 100% usage. Here's what I tend to
do:
- Leave it for a bit to see if the usage starts going down. If it
does then it will probably go below 100% again as the customer
fixed whatever got backed up that shouldn't
- If it keeps going upwards or is so far beyond 100% that it would
take ages to drop, then I open a ticket with the customer asking
them what they want to do.
- Most of the time I get no reply, so assuming the overage is only
small I wait a week or two before asking them to respond.
- Eventually I do get a response and it will usually be a request
for one of two things:
a. Buy more disk space for backups, or
b. Go into the backups and delete every instance of some directory
that should never have been backed up
I really, really dislike doing (b) because I don't want to mess
about in customer files, I might make a mistake, I might see things
I don't want to see, etc. But I will do it if the customer insists.
As you can probably see, all of this is quite a hassle to resolve.
Basically I don't want to be sending emails and deleting files by
hand.
I can think of a couple of ways to reduce the hassle, and I was
wondering if any of you who currently take advantage of the backups
have any thoughts on this:
1. I could stop providing the local backups service.
38 people isn't a huge amount, and it probably won't be a big
hardship to find other backup strategies. Most other solutions
are quite complex and in these days of "unlimited backup space"
that many services offer, maybe I should just not bother?
2. When the customer goes over 100% I could automatically add disk
space to cover the usage, and invoice them.
2a. Like (2) but just leave it a couple of weeks before doing that,
to give them a chance to fix it first.
3. Something else?
What are your thoughts on (2)? Or any further suggestions?
Would you need any modification to the alerting settings before this
would be acceptable?
Note that although "just suspend the customer's backups as soon as
they go past 100%" initially sounds like a good idea, it may not be
as it prevents the customer from removing whatever it was they
backed up that they didn't mean to, i.e. fixing it themselves.
Would (2) be more workable if there was some mechanism for the
customer to go in and delete stuff from the backups in the space of
time they have before they will actually get invoiced?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I am the permanent milk monitor of all hobbies!" — Simon Quinlank
Hi,
Our colo provider had scheduled some routine maintenance for this
evening which was supposed to be non-disruptive, but it appears that
something went wrong and so as of about 2331 there have been
intermittent network issues.
They are aware of it and are busy working on it. I will follow up
again when there is more info and/or resolution.
Apologies for the disruption.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hi,
As is now customary, we should do Christmas drinks in London in
December. If you'd be up for that please help pick a date:
http://doodle.com/pikxiyyyknydnaay
Everyone welcome, partners too.
I'll give it about a week and then I'll try to book a table on the
most popular date at The Phoenix:
http://www.phoenixcavendishsquare.co.uk/
If that doesn't work out then I'll try places we've tried before
(The Cask, De Hems, The Horse).
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
For all those slackers who were waiting for the option, there is an
updated document in the wiki.
https://tools.bitfolk.com/wiki/Installing_Slackware_14.1
It shows how to install Slackware 14.1 (32-bit) onto a BitFolk VPS. It
uses a simplified partition format (ext3) and hopefully a greatly
simplified procedure (originally based on
https://tools.bitfolk.com/wiki/Installing_Slackware - many thanks for
the good work there.)
It isn't supported by BitFolk, but at least it works (tested on my own VPS).
regards, Tim