Chronophage's Blog

Administration

LOL SPAM!

by on Sep.23, 2013, under Administration, E-Mail, Security

I think this one wins an award for crappy spam. It hit spam filters ON THE WAY OUT.

(Top is my spam filter’s scoring breakdown)

3.807 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
3.699 MONEY_FROM_MISSP Lots of money and misspaced From
3.625 FROM_MISSP_USER From misspaced, from “User”
3.624 AXB_XMAILER_MIMEOLE_OL_024C2 (No description provided)
3.575 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
3.500 BAYES_99 Bayesian spam probability is 99 to 100%
3.286 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
3.247 MILLION_USD Talks about millions of dollars
3.191 NSL_RCVD_FROM_USER Received from User
2.584 MSOE_MID_WRONG_CASE (No description provided)
2.095 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
1.999 FROM_MISSPACED From: missing whitespace
1.995 FROM_MISSP_EH_MATCH From misspaced, matches envelope
1.974 FSL_MISSP_REPLYTO Mis-spaced from and Reply-to
1.927 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
1.861 MONEY_FROM_41 (No description provided)
1.852 FROM_MISSP_REPLYTO From misspaced, has Reply-To
1.630 FORGED_YAHOO_RCVD ‘From’ yahoo.com does not match ‘Received’ headers
1.552 REPLYTO_WITHOUT_TO_CC (No description provided)
1.449 RCVD_IN_BRBL_LASTEXT (No description provided)
1.409 MONEY_FORM_SHORT (No description provided)
1.021 MISSING_HEADERS Missing To: header
0.900 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list
0.770 RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
0.334 FILL_THIS_FORM_FRAUD_PHISH (No description provided)
0.137 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
0.010 T_FROM_MISSP_DKIM (No description provided)
0.001 LOTS_OF_MONEY (No description provided)
0.001 FILL_THIS_FORM_SHORT (No description provided)
0.001 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED
-0.001 SPF_HELO_PASS SPF: HELO matches SPF record

X-Greylist: delayed 00:02:48 by SQLgrey-1.8.0
Received: from mailgw3.hk2china.com (mailgw3.hk2china.com
[203.169.131.164])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by gaia.chronophage.net (Postfix) with ESMTPS id 340384562F
for <nick@chronophage.net>; Sun, 22 Sep 2013 20:32:07 -0500 (CDT)
Received: from User ([41.203.69.1])
(authenticated bits=0)
by mailgw3.hk2china.com (8.13.8/8.13.8) with ESMTP id r8MNp58w008601;
Mon, 23 Sep 2013 07:51:09 +0800
Message-Id: <201309222351.r8MNp58w008601@mailgw3.hk2china.com>
Reply-To: <chinafudiciaryclaimsdesk@yahoo.com.hk>
From: "China Shenhua Energy Company Limited"<info@yahoo.com>
Subject: = /etc/MailScanner/rules/spam.subject.rules Your Email ID!!
Date: Mon, 23 Sep 2013 00:51:44 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus: avast! (VPS 130922-0, 09/22/2013), Outbound message
X-Antivirus-Status: Clean
X-HK2CHINA-MailScanner-Information: Please contact the ISP for more
information
X-MailScanner-ID: r8MNp58w008601
X-HK2CHINA-MailScanner: Found to be clean
X-HK2CHINA-MailScanner-MCPCheck: MCP-Clean, MCP-Checker (score=0,
required 1)
X-HK2CHINA-MailScanner-SpamCheck: spam, barracudacentral.org, CBL,
spamhaus-ZEN, SpamAssassin (cached, score=-45.078, required 999,
autolearn=not spam, ALL_TRUSTED -1.00, AWL 0.00,
AXB_XMAILER_MIMEOLE_OL_024C2 3.74, BAYES_00 -1.90,
FILL_THIS_FORM_FRAUD_PHISH 0.33, FORGED_MUA_OUTLOOK 1.93,
FORGED_YAHOO_RCVD 5.00, FREEMAIL_FORGED_REPLYTO 2.10,
FROM_MISSPACED 2.00, FROM_MISSP_EH_MATCH 0.25, FROM_MISSP_MSFT 3.10,
FROM_MISSP_USER 3.08, FSL_CTYPE_WIN1251 2.67, FSL_MISSP_REPLYTO 3.70,
LOTS_OF_MONEY 0.00, MILLION_USD 3.25, MISSING_HEADERS 5.00,
MONEY_FORM_SHORT 2.62, MONEY_FROM_MISSP 1.38,
MSOE_MID_WRONG_CASE 2.58, NSL_RCVD_FROM_USER 3.30,
REPLYTO_WITHOUT_TO_CC 10.00, TO_NO_BRKTS_FROM_MSSP 1.78,
T_FILL_THIS_FORM_SHORT 0.01, hk2china_authsmtp3 -100.00)
X-HK2CHINA-MailScanner-SpamScore: -45.08
X-MailScanner-From: info@yahoo.com
X-HK2CHINA-MailScanner-Watermark:
1380498774.31192@SEE1RhapbHdjQ7LWKIHSdQ
X-Spam-Status: Yes

Your Email ID has won a cash prize of 1.5million USD and a BMW X6
MODEL in
China Shenhua Energy Company. Send your details for claims. Full Name,
Add, Age, Occupation, Telephone Number: to Name: Mr. Li Jun Chan
E-mail: chinafudiciaryclaimsdesk@yahoo.com.hk

Signed,
Mrs. Li Haicang
(China Shenhua Secretary)


CVEs and YOU!

by on Jun.04, 2013, under Administration, Security, UNIX 101

I recently had a client who has a client that does arbitrary PCI scans. Unfortunately, the service that does the PCI scans does not understand Ubuntu version numbers. So I had the joy of wrangling all of the CVE data from Ubuntu and comparing it to their actual releases.

Being of a lazy temperament, I obviously didn’t want to do this by hand. Being of a curious temperament, I wondered if I could do this all from the command line.

The first thing I had to do was take their PDF and convert it to a format from which I could extract the CVE strings. I’ve previously used pdftohtml; it works well enough. Next I needed to grab the CVE strings themselves without grabbing the rest of the line. The strings are in the format CVE-{year}-{4 digit number}.

SED to the rescue:

# sed -n 's/.*\(CVE-[0-9]\{4\}-[0-9]\{4\}\).*/\1/p' report_pdf.html > cve_strings.txt

Now I needed to grab all of the CVE reports from Ubuntu and save them locally:

Enter Awk:

# awk -F- '{ system("curl -O http://people.canonical.com/~ubuntu-security/cve/" $2 "/" $1 "-" $2 "-" $3 ".html") }' cve_strings.txt

Next, I converted all of the .html files to text, again with a tool I’ve used in the past: html2text. However, one thing that gave me fits was the odd text format it outputs to render underlines and bold characters using only ASCII characters.

Underline text looked like this: _U_n_d_e_r_l_i_n_e_d T_e_x_t_
Bold text looked like this: BBoolldd TTeexxtt

less and cat interpreted it properly, but not grep (grrr…). So I had to use the -nobs option.

Here’s a little for loop to create the text files from the HTML files:

# for i in *.html; do html2text -nobs < "$i" > "${i%.html}.txt"; done

Finally, I had to parse the CVE text files. Each vulnerability can affect one or more packages, so I wanted to generate a report that had the CVE number, and then the status of 10.04 under each package.

There are easier ways to do this, but nested for loops on the command line are much, much more fun:

# for i in CVE-20*.txt; do printf '\n%s\n' "${i%.txt}"; grep 'Source: ' "$i" | while IFS= read -r k; do echo "$k"; grep -a -A4 -F "$k" "$i" | sed 's/_/ /g' | grep '10\.04'; echo; done; done > report.txt

As you can see, the version string for Ubuntu was inconsistent: it was either Ubuntu_10.04_LTS or Ubuntu 10.04 LTS. Hence the extra sed command.
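The same pipeline as shell functions, added here as an example rather than the post's own commands: a strict CVE pattern (it also accepts the 5-or-more-digit ids that appear in later years, so it goes a little beyond the 4-digit case above), the tracker URL layout the post uses, and whole-line matching of the "Source:" header so that "Source: openssl" does not also pull in a package such as "openssl098". The sample text in sample_cve_text is constructed to mimic html2text output with the mixed "Ubuntu_10.04_LTS"/"Ubuntu 10.04 LTS" spellings; the package names and versions in it are made up.

```shell
#!/bin/sh
# Added example: extract CVE ids, fetch the Ubuntu tracker page,
# and report the 10.04 status per package. The URL layout is the one
# the post uses; the sample text below is constructed, not real data.

# Unique CVE identifiers found anywhere in a file (HTML, text, ...)
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$1" | sort -u
}

# Ubuntu CVE tracker page for one identifier (/cve/<year>/<id>.html)
cve_url() {
    rest=${1#CVE-}
    printf 'http://people.canonical.com/~ubuntu-security/cve/%s/%s.html' "${rest%%-*}" "$1"
}

# Fetch one tracker page into the current directory (needs network)
fetch_cve() {
    curl -sSf -O "$(cve_url "$1")"
}

# Per-package Ubuntu 10.04 status for one converted (html2text -nobs) page.
# -x -F matches the whole "Source:" line, so similar package names do not
# bleed into each other; sed normalises the underscore spelling.
report_1004() {
    file=$1
    name=${file##*/}
    printf '%s\n' "${name%.txt}"
    grep 'Source: ' "$file" | while IFS= read -r src; do
        printf '  %s\n' "$src"
        grep -a -x -F -A4 "$src" "$file" | sed 's/_/ /g' | grep '10\.04' | sed 's/^/    /'
    done
}

# Constructed stand-in for a converted tracker page
sample_cve_text() {
    cat <<'EOF'
CVE-2013-0001

Source: openssl
Ubuntu_10.04_LTS: released (0.9.8k-7ubuntu8.14)
Ubuntu 12.04 LTS: released (1.0.1-4ubuntu5.5)

Source: openssl098
Ubuntu 10.04 LTS: DNE
Ubuntu 12.04 LTS: needed
EOF
}
```

The html2text conversion step is unchanged from the post's loop; run report_1004 over each CVE-20*.txt file to build report.txt.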

Was this the most efficient way? Well, probably not. But it took me a lot less time than scripting the process outright.

Wee!


Webcluster Active Statistics

by on Nov.23, 2011, under Administration, Software, UNIX 101

So, I decided I needed a bit of a landing page for web.chronophage.net. I wanted to show certain active statistics, but I didn’t like the format, or information leakage that mod_status showed.

So I did some googling, and found this: http://www.phpclasses.org/package/3613-PHP-Retrieve-and-parse-Apache-server-status.html

Unfortunately, the examples were set to just show the stats of one server, and I had four.

Well, an array, a for loop and some PHP rejiggering, and voila! Active server stats!

Now I can see all the worms attempting to XSS my websites.

Wee!


New Chronophage Mail Settings

by on Nov.11, 2011, under Administration, E-Mail, Software, UNIX 101

So, I reorganized mail, splitting mail.chronophage.net into a 3-host mail cluster and a shell server.

Unfortunately, I have shell users who were using mail.chronophage.net as their POP/IMAP server name. This also broke their ability to log in to the antispam area and change their spam settings. I have fixed both of these issues.

Dovecot has a passwd-file facility, which uses passwd-formatted files for authentication. I simply added such a file to my mail cluster, containing the shell usernames and {CRYPT} hashes (taken from master.passwd), and added a proxy=y field and host=(shell server’s IP) to each entry.

So now, when they log in, it authenticates them and then passes the login over to the shell server’s POP3 or IMAP server. Since they authenticate locally first, SASL works for sending mail.

This gives them one endpoint for external clients, and still lets them log in via the shell server, or use procmail (via a .forward) if they so choose.

Unfortunately, this means that I have to keep passwords in sync in two places by hand. But my users don’t change their passwords often, and there aren’t too many of them.
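One way to generate that passwd-file from master.passwd, added here as an example and not the setup script from the post: the script emits the user, the {CRYPT} hash and the proxy=y host= fields, and skips locked or system accounts so that locking a shell account also locks its mail login. The shell server address 192.0.2.10, the field layouts stated in the comments, and the sample entries in the test are assumptions or constructed data.

```shell
#!/bin/sh
# Added example: build the Dovecot passwd-file the post describes from
# BSD master.passwd. Assumed layouts:
#   master.passwd  name:hash:uid:gid:class:change:expire:gecos:home:shell
#   passwd-file    user:password:uid:gid:gecos:home:shell:extra_fields
# The shell server address is a constructed placeholder.

SHELL_HOST=192.0.2.10

# Emit one proxy line per real user (uid >= 1000) with a usable hash.
# Locked ("*", "!...") and empty hashes are skipped, so locking a shell
# account also locks its mail login, which a blind copy would not do.
master_to_dovecot() {
    awk -F: -v host="$SHELL_HOST" '
        $3 >= 1000 && $2 != "" && $2 != "*" && substr($2, 1, 1) != "!" {
            printf "%s:{CRYPT}%s::::::proxy=y host=%s\n", $1, $2, host
        }' "$1"
}

# passdb stanza (Dovecot 2.x syntax) pointing at the generated file; the
# {CRYPT} prefix on each line tells Dovecot the hash scheme. Keep the
# file mode 0600 and owned by the dovecot auth user: it holds password hashes.
dovecot_passdb_conf() {
    cat <<'EOF'
passdb {
  driver = passwd-file
  args = /etc/dovecot/proxy-users
}
EOF
}
```

Regenerating the file from master.passwd after each password change is the "keep them in sync by hand" step from the post, reduced to one command.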

So, for posterity:

mail.chronophage.net (POP3, IMAP, SMTP)
https://mail.chronophage.net (webmail via roundcube)
https://mail.chronophage.net/squirrelmail (webmail via squirrelmail)
https://mail.chronophage.net/antispam (for antispam services)
gaia.chronophage.net (shell server)


Work Blogging

by on Nov.10, 2011, under Administration, Cloud, Software, UNIX 101, Virtualization

Working on a post for work. Part 1 is pending edits and approval. Here’s a chart I’ve made for Part 2:

Made with LucidChart, because I'm cheap.

*UPDATE* Post approved: http://blogs.iphouse.net/2011/11/10/infrastructure-and-other-games/


Clusterin’ clusterin’ Yeah!

by on Oct.21, 2011, under Administration, Cloud, E-Mail, News, Software, Virtualization

So I did a little bit of load testing on my new web cluster.

Not bad for not having a real load balancer…


Cloudy With a Chance of Productivity…

by on Oct.11, 2011, under Administration, Cloud, E-Mail, Hardware, News, Software, UNIX 101, Virtualization

I’ve been waiting, and working.

I’ve been waiting for my work to release its new product. I’ve been waiting, politely, for my boss to blog about it. I’ve been waiting to show off this new product.

I’ve been working on provisioning, and working with customers on beta testing the new product. I’ve been working on templates, and auto install media, to make everyone’s life easier. I’ve been working on documentation for customers.

I’ve been waiting for, and working on, a VMware vCloud Director based product known as vmForge VDC.

This is cool stuff!


IPv6 Day Silliness :)

by on Jun.03, 2011, under Administration, Frivolous, News

Well, in honor of IPv6 day, I decided to spur people along. I created an IPv6 validation badge of my own, and a few other things to prod people to get their providers to switch.

I’ve also updated http://ipv6.chronophage.net with a new look. It also shows you a video that warns you of the real and present dangers of not switching to IPv6, or celebrates your IPv6 achievement with an INTERNET classic ;)

Making the pages was fun, especially using PHP to spit out the various dynamic graphics. In one spot I use a validator lifted from here. On the main page I simply have SetEnvIfNoCase REMOTE_ADDR "^[0-9a-f:]+$" IPV6_USER=1 in my Apache config, and check for that variable in my SHTML index. I use a PHP filter elsewhere. This is to test various ways of IPv6 validation. If you see an error, please comment.

Making dynamic graphics was straight out of the PHP documentation. That language has a function for everything!

No one will accuse me of being a website designer, I hope it’s ugly enough for you.

Anyways, have fun! Happy (pending) IPv6 day!


IPv6

by on Mar.30, 2011, under Administration, E-Mail, Hardware, Security, Software, UNIX 101, Virtualization

So…

It’s been a while.

Recently, I’ve decided to make sure that all of my servers were IPv6 addressable. This was made infinitely easier by working at a forward thinking ISP. So a quick email to our network admin and bam! IPv6 routed to my vlan!
Now, what to do with it?


RHEL

by on Jan.18, 2011, under Administration, E-Mail, Software, UNIX 101

(..sigh) There’s a lot I like about RedHat. I like the fact that they’re worth more than a billion dollars as an OpenSource company. I like how they’ve been in the Linux game for a long time, and keep finding new ways to innovate and expand. I like how they have a competitive, yet accessible application stack, that runs on a wide variety of hardware. Their partner program, and resources are outstanding, especially when compared to other software vendors. I like a lot about RedHat. I just don’t like their operating system.

