This blog is a place used for notes and writing about various technical problems and projects worked on. Quite often the posts will be incomplete and some are likely to remain incomplete forever.

Hopefully some of it may be of passing interest, or maybe provide some assistance.

Please leave a comment. Or if you feel generous, click on an ad or two

Oct 18

One of my clients started having their emails to certain known recipients bounce with

"550 Recipient unknown"

After a bit of digging, it turned out that all recipients were with 3 organisations who were using the same mail server and antispam system from a local ISP.

My client uses an in-house mail server with a fixed IP and proper host name.

We contacted the local ISP and they finally informed us that the IP was listed with DroneBL.org.

DroneBL had us listed for the following reason:

Automatically determined botnet IPs (experimental)

I have no idea who, when or why this happened, or more importantly what happened. There was no facility to drill down for more details. But it was simple enough to de-list it. In fact it looks like it would be simple enough to sign up and blacklist anyone we had a grudge against.
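A quick way to find out whether your own mail server's IP is listed before the bounces start is to query the DNSBL yourself. The script below is an added example, not part of the original post: it builds the reversed-octet query name and interprets a 127.0.0.x answer as "listed". It assumes DroneBL's query zone is dnsbl.dronebl.org and that getent is available; 192.0.2.25 is a constructed documentation-range address, not a real mail server.

```shell
#!/bin/sh
# Added example: check whether an IPv4 address is listed on a DNSBL.
# Assumptions (not from the post): DroneBL's query zone is dnsbl.dronebl.org,
# and the host running this has getent (glibc) available.

# Reverse the octets of a dotted-quad IPv4 address (a.b.c.d -> d.c.b.a).
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Build the DNSBL query name: reversed IP followed by the zone.
dnsbl_query_name() {
    ip="$1"; zone="$2"
    echo "$(reverse_ip "$ip").$zone"
}

# Interpret a DNSBL answer: an A record in 127.0.0.0/8 means "listed".
# Returns 0 for listed, 1 for not listed. Does no network I/O itself.
dnsbl_is_listed() {
    case "$1" in
        127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Perform the actual lookup (network I/O) and report. getent exits non-zero
# when the name does not resolve, which is the "not listed" case.
dnsbl_check() {
    ip="$1"; zone="${2:-dnsbl.dronebl.org}"
    name=$(dnsbl_query_name "$ip" "$zone")
    answer=$(getent hosts "$name" 2>/dev/null | awk '{ print $1; exit }')
    if dnsbl_is_listed "${answer:-none}"; then
        echo "$ip is LISTED on $zone (answer $answer)"
        return 0
    fi
    echo "$ip is not listed on $zone"
    return 1
}

# Usage (only when an address is passed on the command line):
#   sh dnsbl_check.sh 192.0.2.25
# 192.0.2.25 is a constructed documentation-range address.
if [ "${1:-}" != "" ]; then
    dnsbl_check "$1"
fi
```

The return code of dnsbl_check makes it easy to drop into a cron job that alerts when the server's outbound IP shows up on a list, which is far earlier than waiting for a client to report bounces.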

But getting back to the original bounce message. What is the point in sending incorrect bounce error messages? Spammers do not give a s*** about error messages, they are more concerned about sending out the remaining 500,000 mails they have before dawn.

My Spam Policy

  • Do not bounce spam, only bounce proper errors.
  • Anything you do bounce, you must provide a proper meaningful reason or message. If you don’t, it makes absolutely no sense to bounce.
  • Let spam through but filter it into a separate folder. Preferably on the intended user's desktop so they can search it easily.
  • If messages are getting put into spam erroneously then the recipient can search for it and bring it to the attention of some techie who can then examine the headers to determine exactly why it was marked as spam.


Oct 16

I was given a client’s laptop which, although it could get connected to the internet, and I could even remote access it, it could not browse or collect emails. I could not find anything wrong, I ran multiple scans with Norton, MS Security Essentials and MalWareBytes but found nothing. The only thing I noticed was that when trying to run putty, it gave some kind of out of buffers or quota error.

This laptop was running Windows XP and it was time to upgrade to Windows 7 anyway, so I just wiped it and reinstalled.

A few weeks later my own desktop started showing the same problem. After running for a while, I could not browse or collect email, and putty was showing this quota/buffer thingy error again.  (shoulda wrote the damn thing down.)

I suspected that Firefox was causing the problem, so I disabled all add-ons etc., and even stopped using Firefox.

Later, I installed a new version of MalWareBytes to run its scan, and chose to install a trial of the pro version. The scan found nothing, but the resident MalWareBytes started picking up attempts to connect to a suspect IP address: 199.80.55.13.

I googled malwarebytes 199.80.55.13, and found this:

http://forums.malwarebytes.org/index.php?showtopic=92872

In this discussion, TDSSKiller seemed to find the rootkit, but not clean it. TDSSKiller did not find anything wrong on my computer. At the end of that discussion, after running an ESET scan, a Java update and Adobe Reader are removed and all’s well again.

So I went straight to Add/Remove Programs, removed any Java updates and Adobe Reader. My computer seems to be behaving better now. No more pop ups from MWB about dodgy IP addresses.

I am now running the ESET Scan. I’ll post back here when it’s done.


Some helpful cleanup tools:

http://download.bleepingcomputer.com/sUBs/dds.scr

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Oct 14

I just did my first CentOS 6 minimum install.

The first thing you notice is that the usual network config tools are not available, so you need to temporarily do it by hand, until you can yum in the tools you want.

ifconfig eth0 192.168.1.2
echo "nameserver 192.168.1.254" >> /etc/resolv.conf
route add default gw 192.168.1.254 eth0

These 3 commands will get you going.
If you are on a DHCP network, there’s an even quicker way:

dhclient eth0

After getting connected, you can then install the text based network configurator.

yum install system-config-network-tui

The minimal install only includes vi as a text editor, so I installed nano.

yum install nano

Now you will need to edit the configuration file to make it active on boot.

nano /etc/sysconfig/network-scripts/ifcfg-eth0

and set ONBOOT="YES"
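The whole procedure, gathered into one script, as an added example that is not part of the original post. The addresses are the post's own (192.168.1.2 with 192.168.1.254 as gateway and nameserver); the helper names, the NETMASK and BOOTPROTO lines, and the check function are mine. It renders the ifcfg file to stdout first so you can inspect it before it replaces anything under /etc/sysconfig/network-scripts/.

```shell
#!/bin/sh
# Added example: temporary bring-up by hand (as in the post) followed by a
# persistent ifcfg-<iface> so the interface comes up on boot.
# Assumptions: classful /24 for the 192.168.1.x address (which is what a bare
# "ifconfig eth0 192.168.1.2" gives you); BOOTPROTO=none for a static address.

IFACE="${IFACE:-eth0}"

# Temporary configuration, exactly the three commands from the post.
# Everything here is lost on reboot.
bring_up_temporary() {
    ip="$1"; gw="$2"
    ifconfig "$IFACE" "$ip"
    echo "nameserver $gw" >> /etc/resolv.conf
    route add default gw "$gw" "$IFACE"
}

# Render a static ifcfg-<iface> file to stdout. Arguments: iface ip gw dns.
render_ifcfg() {
    iface="$1"; ip="$2"; gw="$3"; dns="$4"
    cat <<EOF
DEVICE=$iface
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
NETMASK=255.255.255.0
GATEWAY=$gw
DNS1=$dns
EOF
}

# Read ONBOOT from an ifcfg file, tolerating quotes and any case.
# Returns 0 when the interface will come up on boot, 1 otherwise.
onboot_enabled() {
    val=$(sed -n 's/^ONBOOT=//p' "$1" | tr -d '"' | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the rendered file into place and verify it.
persist_config() {
    target="/etc/sysconfig/network-scripts/ifcfg-$IFACE"
    render_ifcfg "$IFACE" "$1" "$2" "$3" > "$target"
    onboot_enabled "$target" && echo "$target written, ONBOOT is yes"
}

# Usage (only when arguments are given): sh netsetup.sh 192.168.1.2 192.168.1.254
if [ "${2:-}" != "" ]; then
    bring_up_temporary "$1" "$2"
    persist_config "$1" "$2" "$2"
    yum -y install system-config-network-tui nano
fi
```

After the persistent file is in place, "service network restart" (or a reboot) brings eth0 up without the by-hand commands; onboot_enabled is the check to run before you log out of a remote box, since a typo in ONBOOT leaves the machine unreachable after the next restart.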


I’ve tried this on a VirtualBox VM with the network interface in bridge mode, and on a bare metal installation.