When I looked at bandwidth utilization at the SMTP server end with bwmon, I saw that almost all the available bandwidth was being consumed. When I checked to see what type of traffic was involved using IPTraf and pkstat, I saw that email traffic, i.e. connections to port 25 on the server, was consuming the bandwidth. A netstat -a | grep smtp command showed a lot of connections to the SMTP port, which is port 25. When I counted them with netstat -a | grep smtp | wc -l, I found there were 51 connections, which is far more than I would normally see to the server.

To try to get more information on that traffic, I installed ngrep. The author's description of the tool is listed below:

ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

To see the "from" and "to" addresses being used in the transmissions, I used the command ngrep -i 'rcpt to|mail from' tcp port smtp, The -i option tells ngrep to ignore the case of characters when looking for pattern matches. The 'rcpt to|mail from' tells it to look for either rcpt to or mail from, which are the commands sent to an email server to specify the recipient and the sender of an email message. SMTP transmissions use the TCP, so the tcp parameter specifies that protocol and the smtp specifies that the SMTP port, port 25 is the one to monitor. Note: you will need to run the command as root or you will get the message "no suitable device found: Operation not permitted".

The command showed the followng output:

# ngrep -i 'rcpt to|mail from' tcp port smtp
interface: eth0 (66.22.186.48/255.255.255.240)
filter: (ip) and ( tcp port smtp )
match: rcpt to|mail from
###############
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  MAIL FROM: <kvocqcbrxzqxqs@fdvwiqrprdewt.logicbest.com>..
####
T 59.172.123.117:1625 -> 66.22.186.53:25 [AP]
  RCPT TO:<janesmith@moonpoint.com>..
###########################
T 216.188.126.165:57486 -> 66.22.186.53:25 [AP]
  MAIL FROM:<175419_VMTA12778-angel=MOONPOINT.COM@DPCTECHNOLOGIES.NET> BODY=8
  BITMIME..RCPT TO:<angelica1@MOONPOINT.COM>..DATA..
#############################
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  MAIL FROM:<>..
##
T 66.115.129.69:4852 -> 66.22.186.53:25 [AP]
  RCPT TO:<moonpointm@moonpoint.com>..

Most of the traffic had invalid "rcpt to" addresses, i.e. there was no such email address on the server. Many of the messages had no "mail from" address. The "mail from" and "rcpt to" addresses are for the "envelope" of the message, i.e., they aren't necessarily the same as the "from" and "to" addresses a recipient would see when viewing the message in an email client. Instead, they are part of the SMTP transmission protocol. An email server will use the "rcpt to" value to route a message to the appropriate mailbox.

While I was checking on the issue, the bandwidth utilization dropped back down to normal and I didn't take any further action.

References:

1. Bandwidth Monitoring on a Linux System
   Date: September 15, 2004
   MoonPoint Support


2. Using pktstat to Monitor Network Traffic
   Date: December 13, 2006
   MoonPoint Support


3. ngrep - network grep
   By: Jordan Ritter
   Date: November 18, 2006
   SourceForge.net


4. The MAIL, RCPT, and DATA verbs
   By D. J. Bernstein
   D.J. Bernstein - Mathematics and compuer science


5. ngrep RPM for Red Hat, CentOS, and Fedora
   By: Dag Wiiers
   DAG: Field Commander Wieers

[/network/tools/ngrep] permanent link

I'm not surprised that the Pentagon sees hundreds of attacks a day, but It is hard for me to believe that taking 1,500 systems offline had no impact on department operations. Sure employees could still deal with email via their BlackBerry's, but, even if the systems were used solely for administrative purposes, I would expect the employees would be hampered by a lack of access to spreadsheets, presenations, and other documents normally used in an office environment. Hopefully, the attackers didn't glean sensitive data from any of those systems.

I was surprised by Mr. Gates response when he was asked if his own e-mail account was affected. He responded "I don't do e-mail. I'm a very low-tech person." I understand that for his generation (he's 63 years old) email may not be as much a part of the fabric of business life as for younger Americans, but I was surprised to hear him state he doesn't use it at all, especially since his prior position was president of Texas A&M University.

[/security/attacks] permanent link

I also found information from Symantec at "Italy Under Attack: Mpack Gang Strikes Again!, after reading the eWeek article. There is another Symantec article titled MPack, Packed Full of Badness. I also located an ars technica article posted earlier today at " Security researchers uncover massive attack on Italian web sites, which had much more detail than the eWeek article.

According to that article the MPack software being used on compromised web servers "provides would-be malware installers with a complete package that can be installed on any web server that runs PHP with an SQL database." So that sounds like it can be used against both Apache web server software running on a variety of platforms, including Linux and Windows, as well as Microsoft's IIS web server software, since PHP along with MySQL or Microsoft's own SQL server software may be running on such systems. The article further states "The compromised web sites attempt to use exploits in unpatched versions of Internet Explorer, QuickTime, Windows 2000, Firefox, WinZip, and Opera, in order to install malware packages on end users' computers."

[/security/attacks] permanent link

[ More Info ]

[/network/email/exchange] permanent link

For instance, sometimes I use superscripts in a document to link to a reference. Normally a link will be underlined, which will look slightly odd. E.g., if I link back to the reference ¹, I used for this blog entry, the number "1" has an underline below it. If I don't want it to appear I can use the HTML code below.

<a href="http://www.pageresource.com/html/link3.htm" style="text-decoration:none"><sup>1</sup></a>

Using that code the reference ¹ superscrpt is not underlined.

If you don't want any URLs in the webpage underlined, you can add the following code to the head section of the HTML for the webpage.

<STYLE type="text/css">
<!--
A { text-decoration:none }
-->
</STYLE>

With the above code placed between your <HEAD> and </HEAD> tags, you can code your links as you normally would, but none of them will be underlined. The style sheet in the head section will make them all non-underlined.

[/network/web/html] permanent link

[ More Info ]

[/network/email/exchange] permanent link

I found that message tracking was not enabled on the Exchange server, so I needed to turn it on to try to figure out what was happening.

[ More Info ]

[/network/email/exchange] permanent link

[/network/email/mailing_list] permanent link

$ tcpdump
tcpdump: (no devices found) /dev/bpf0: Permission denied

I don't know the root password for the system, but my account has administrator privileges on the system. Without knowing the root password, though, I could not su to the root account. Fortunately, I found a solution at Ethereal "Turbo Charged", where Olivier Biot posted a solution, which I qoute below:

Do a "sudo chown Gurue /dev/bpf*" (or whatever your login name is on your Mac). Once you've done that, you can (at least until the machine is rebooted) run Ethereal or Tethereal or tcpdump or... as yourself, rather than as root. (Mac OS X's "/dev" is implemented with devfs, so the special files aren't persistent across reboots, and it's an older devfs so it can't be configured to set up particular devices with particular owners and permissions, so any ownership or permission changes you make don't survive across reboots.)

I checked the existing permissions on /dev/bpf* files first.

$ ls -l /dev/bpf*
crw-------  1 root  wheel   23,   0 12 Jun 18:32 /dev/bpf0
crw-------  1 root  wheel   23,   1 12 Jun 15:30 /dev/bpf1
crw-------  1 root  wheel   23,   2 12 Jun 15:30 /dev/bpf2
crw-------  1 root  wheel   23,   3 12 Jun 15:30 /dev/bpf3

I then used changed the permissions on just /dev/bpf0. I was prompted for a password when I used sudo chown myacct /dev/bpf0 and was able to change the permissions when I entered my password.

$ sudo chown jdoe /dev/bpf0

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:

I was then able to run tcpdump. When I disconnected and reconnected, I received the message tcpdump: (no devices found) /dev/bpf1: Permission denied when I tried running tcpdump again, so I changed the permission on /dev/bpf1 as well. I could have used sudo chown jdoe /dev/bpf* initially to change the permissions on all the /dev/bpf* files. Since I very infrequently need to run tcpdump on this system, it doesn't matter to me that I will have to reset the permissions on the files again whenever the system is rebooted.

[/os/os-x] permanent link

# ./find-recipients.pl wendyvi21@alltel.net /var/log/maillog
Found 2 messages from wendyvi21@alltel.net in /var/log/maillog

Message recipients

Time            Message ID     Status        Recipient
----------------------------------------------------------------
Jun 10 07:58:02 l5ABupmb001042 Rejected      kittycat321@moonpoint.com
Jun 10 08:05:03 l5AC3omb001081 Sent          kittycat321@moonpoint.com

When I checked the /var/log/maillog file for those two message IDs, I found that the first message had been blocked by the Spam and Open-Relay Blocking System (SORBS) blocklist. SORBS is a DNS Blacklist (DNSBL).

The message that was rejected was from ispmxmta05-srv.windstream.net [166.102.165.166], while the one that was accepted was from ispmxmta09-srv.windstream.net [166.102.165.170].

When I checked the SORBS list, it appeared that the 166.102.165.166 had been there for at least a week due to SORBS detecting spam orginating from the email server at that address.

But when I looked up the other IP address, 166.102.165.170, it appeared it was also in the SORBS blocklist.

When I queried the SORBS database through the SORBS Database Lookup webpage, it appeared both addresses were present in the SORBS blocklist, yet when I used blq to query the SORBS blocklist, I found only the first .166 address listed and not the .170 address, which was consistent with Sendmail's rejection of the first message, but not the second one.

# ./blq sorbs 166.102.165.166
166.102.165.166 ispmxmta05-srv.windstream.net : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 166.102.165.170
166.102.165.170 ispmxmta09-srv.windstream.net : dnsbl.sorbs.net : ok

I received another report from a Hotmail sender that she was finding email rejected as well. I went through the same process as above. Again the SORBS website database query seemed to indicate that both addresses would be blocked, but using blq showed only one was blocked, which matched the entries I found in today's maillog file with the first message from the sender being rejected and the second accepted. The first was from bay0-omc2-s36.bay0.hotmail.com [65.54.246.172] and the second from bay0-omc2-s37.bay0.hotmail.com [65.54.246.173].

When performing a database check via the website, I saw the following for the IP address from which a message was rejected:

But I also saw the following for the IP address of the server from which a message was accepted:

Again, the information returned didn't seem to be consisttent with what a blq query returned:

# ./blq sorbs 65.54.246.172
65.54.246.172 bay0-omc2-s36.bay0.hotmail.com : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 65.54.246.173
65.54.246.173 bay0-omc2-s37.bay0.hotmail.com : dnsbl.sorbs.net : ok

So the results I obtained through the website query don't seem to accurately reflect what will be blocked, if I interpret seeing "Currently active and flagged to be published in DNS" appearing in a red block as an indication the address is in the blocklist as one to be blocked.

[/network/email/spam/blocklists] permanent link

A comparison of Drupal and Mambo can also be found at Leading Open Source CMS: Mambo versus Drupal - A Comprehensive Comparison. That article references a more comprehensive comparison of Drupal and Mambo, Drupal VS. Mambo written for Xaneon Development, a company which developed Mambo extensions.

References:

1. The CMS Matrix
2. Leading Open Source CMS: Mambo versus Drupal - A Comprehensive Comparison
   By Angsuman Chakraborty
   September 13, 2005
   Simple Thoughts - Simple solutions for complex problems
3. Drupal VS. Mambo
   Originally written for Xaneon Development by Arto Bendiken
   Submitted: January 12, 2006
   Xaneon Development

[/network/web/cms] permanent link

[/os/os-x] permanent link

[/os/os-x] permanent link

To prevent the addition of a footer to messages, from the main mailman administration page for the list, I clicked on [Non-digest options] The text below appeared in the "Footer added to mail sent to regular list members" field.

_______________________________________________
%(real_name)s mailing list
%(real_name)s@%(host_name)s
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

The information listed has the following meaning.

msg_footer (nondigest): Footer added to mail sent to regular list members

Text appended to the bottom of every immediately-delivery message. This text can include Python format strings which are resolved against list attributes. The list of substitutions allowed are:

• real_name - The `pretty' name of the list; usually the list name with capitalization.
• list_name - The name by which the list is identified in URLs, where case is significant. (For backwards compability, _internal_name is equivalent.)
• host_name - The fully qualified domain name that the list server runs on.
• web_page_url - The base URL for Mailman. This can be appended with, e.g. listinfo/%(internal_name)s to yield the listinfo page for the mailing list.
• description - The brief description of the mailing list.
• info - The full description of the mailing list.
• cgiext - The extension added to CGI scripts.

Since the list owner did not want any footer being sent with messages, I removed all of the text from that field.

I also went to the digest options page and for the "Header added to every digest" field, I removed all of the text in that field.

References:

1. [Mailman-Users] Why are footers sent as attachments?
   Posted: January 29, 2006
   The Mailman-Users Archives
2. 4.39. HELP! Mailman is munging HTML & MIME-formatted messages before they are sent out? (problems with Mailman 2.1.x footers)
   Mailman FAQ Wizard

[/network/email/mailing_list/mailman] permanent link

By default, most email clients don't display the message headers, but if you view the message headers for a message, you will see the "sender" header that Mailman adds. Viewing Message Headers in Outlook 2002 explains how to view those headers in Outlook

References:

1. Why do posts appear to be from listname-bounces@mailman.u.washington.edu?
   Author: R. Skiver Thompson
   August 2004
   Frequently Asked Questions About Mailman
2. Viewing Message Headers in Outlook 2002
   December 16, 2004
   MoonPoint Support

[/network/email/mailing_list/mailman] permanent link

I've been using SORBS as a blocklist for quite awhile, but I have encountered problems many times due to the fact that AOL, Hotmail, EarthLink, and email servers from some other large Internet Service Providers (ISPs) tend to get on the SORBS list frequently and stay there for a long time. I've contacted AOL and EarthLink support previously when I found one or more of their email servers were on the SORBS blocklist. I've found that, though the support personnel with which I communicated understand that their company employs blocklists or other means of blocking spam, they never seem to understand that other email providers may employ similar means. I've never been successful in getting the support personnel I've communicated with at AOL or EarthLink to take any action and usually it doesn't appear that they even understand the problem; I usually just get canned responses about how to stop their service from blocking email rather than any response indicating that they understand the problem is with email going from their systems to other systems (See SORBS Blocking AOL and EarthLink Servers and Report of SORBS listing to EarthLink).

I've found reports by others using SORBS of similar problems with email from Hotmail addresses (see Hotmail on sorbs?!?).

I understand that SORBS policy charging server owners to remove systems does drastically lessen the chances that systems will be removed quickly. I've considered removing the SORBS list from the blocklists I employ to reduce the deluge of spam in users' mailboxes, but it does block thousands of spam messages daily on my server, so I haven't taken that step yet. Usually, I add the sender's email address to the /etc/mail/access list used by Sendmail to keep email from particular senders being checked against the blocklists I employ.

In this case, though, I don't want any email addressed to the mailing list to be checked against a blocklist to preclude this problem. The Mailman mailing list software won't allow any email to the mailing list unless the "from" address is for a member of the mailing list, so I don't need the additional blocklist check.

Fortunately Sendmail, which is the software that handles email on the server, does allow you to specify that email to particular "to" addresses will always be accepted and won't be checked against DNSBL's. You can allow email to a particular address to bypass the blocklist checks by editing /etc/mail/access. Place a line similar to the following in that file:

To:jsmith@example.com         OK

The line above would ensure that email addressed to jsmith@example.com would not be checked against any blocklists employed on the email server.

After editing /etc/mail/access, you need to recreate the access database with a command similar to the following:

makemap hash /etc/mail/access </etc/mail/access

Once I added the mailing list address, I was able to send email to that address from the Hotmail account without worrying that the Hotmail email server used to transmit the messages might be on the SORBS blocklist or another blocklist I'm employing to limit spam.

References:

1. Spam and Open-Relay Blocking System
2. DNSBL
   Wikipedia, the free encyclopedia
3. SORBS Blocking AOL and EarthLink Servers
   April 23, 2006
   MoonPoint Support
4. Report of SORBS listing to EarthLink
   April 23, 2006
   MoonPoint Support
5. Hotmail on sorbs?!?
   Posted: September 21, 2005
   ReadList.com - Threaded Mailing List Reader
6. Sendmail cf/README - Anti-Spam Configuration Control
   sendmail.org

[/network/email/mailing_list] permanent link

# rpm -qa | grep -i yum

The Yum Download webpage listed the requirements for the latest version of Yum, version 3.2.0, as python 2.4+ and rpm 4.3 and above. I checked the version of the python and rpm packages on the system, but found they were not at the required versions.

# rpm -q --last rpm python
rpm-4.2-0.69                                  Sat 08 Nov 2003 02:37:24 PM EST
python-2.2.2-26                               Sat 08 Nov 2003 02:37:22 PM EST

Instead I needed to get a much earlier version, 2.0.8, which only required python 2.1+ and rpm 4.1.1-4.3.1. After downloading the rpm file, I installed it with rpm --install yum-2.0.8-1.noarch.rpm. I then checked for updates for the system with yum check-update.

An update was available for tcpdump among other utilities. An rpm -q --last tcpdump command showed the following information for the version already installed on the system:

tcpdump-3.7.2-1.9.1                           Sat 08 Nov 2003 08:39:55 PM EST

# yum install tcpdump
Gathering header information file(s) from server(s)
Server: Red Hat Linux 9 - i386 - Base
Server: Red Hat Linux 9 - Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[update: tcpdump 14:3.7.2-7.9.1.i386]
Is this ok [y/N]: y
Downloading Packages
Getting tcpdump-3.7.2-7.9.1.i386.rpm
retrygrab() failed for:
  http://mirror.dulug.duke.edu/pub/yum-repository/redhat/updates/9//x86/i386/tcpdump-3.7.2-7.9.1.i386.rpm
  Executing failover method
failover: out of servers to try
Error getting file http://mirror.dulug.duke.edu/pub/yum-repository/redhat/updates/9//x86/i386/tcpdump-3.7.2-7.9.1.i386.rpm
[Errno 4] IOError: HTTP Error 404: Not Found

When I checked the Duke University wepage at http://mirror.dulug.duke.edu/pub/yum-repository/redhat/updates/9/x86/, I found it had only one file in that directory. So I needed to add another repository for updates to software for RedHat 9 systems. I found a list of such sites at http://fedoralegacy.org/download/fedoralegacy-mirrors.php. Many of those I checked in the US also no longer had the files available for download. But the DataPipe one at http://mirror.datapipe.net/fedoralegacy/ did still have files available.

I added the following line to the updates section of /etc/yum.conf

baseurl=http://mirror.datapipe.net/fedoralegacy/redhat/9/updates/i386/

The yum.conf file now has the following information in it:

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
distroverpkg=redhat-release
tolerant=1
exactarch=1

[base]
name=Red Hat Linux $releasever - $basearch - Base
baseurl=http://mirror.dulug.duke.edu/pub/yum-repository/redhat/$releasever/$basearch/


[updates]
name=Red Hat Linux $releasever - Updates
baseurl=http://mirror.dulug.duke.edu/pub/yum-repository/redhat/updates/$releasever/
baseurl=http://mirror.datapipe.net/fedoralegacy/redhat/9/updates/i386/

I then ran yum install tcpdump again and this time was able to update tcpdump. Checking the version of the rpm installed afterwards, I saw the following:

# rpm -q --last tcpdump
tcpdump-3.7.2-7.9.4.legacy                    Sat 09 Jun 2007 05:08:22 PM EDT

References:

1. Yellow Dog Updater (YUM)
   Linux@DUKE
2. RPM Package Manager
   Wikipedia, the free encyclopedia
3. RedHat 9 Updates - Using Fedora Legacy
4. Mirror sites by country
   The Fedora Legacy Project

[/os/unix/linux/sysmgmt] permanent link

On an Apple system running the OS-X operating system, you can configure the Mail program to prompt before downloading messages that are above a specified size. To do so, take the following steps:

1. Open the Mail program.
2. Click on Mail on the program's menubar.
3. Select Preferences.
4. Click on the Advanced tab.
5. Place a value in the "Prompt me to skip messages over [   ] KB" field. E.g. to skip messages over 50 MB in size you could put 51200 in the field (50 megabytes x 1024 kilobytes/megabyte = 51,200 KB).
6. You can then close the Preferences window choosing Save when prompted as to whether you wish to save the changes you have made.

[/os/os-x] permanent link

tar -cvf example.tar $(find . -name "*.php")

The find command will find all of the PHP files and pass them to the tar command. You can see that all of the PHP files are in the tar backup file, example.tar with the command below:

tar -tvf example.tar

You can add HTML files to the backup using the -u option for tar to update the archive file as below:

tar -uvf example.tar $(find . -name "*.html")

References:

1. tar find ssh
   May 2004
   Computing.Net

[/os/unix/commands] permanent link