Spam flood

Yesterday (April 23rd), just after 18:00 Finnish time, I noticed a few reports on IRC channels regarding a large increase in the amout of spam. I then checked the statistics of our customer spamfilter (I work for an ISP, remember?), and sure enough, a flood of spam was coming in. In a matter of minutes, the amout of spam had increased by a factor of 4 with spikes going twice as high. To give you an idea of the figures, the number of emails blocked on average was about 2,5 times as much as it was just before McColo was blocked from the internet. Five hours later the flood came to a sudden halt. It stopped just as abruptly as it begun.

We didn't look that closely on what was the content of these messages, but apparently most of them were faked Western Union recruitment emails. They were aimed at Europe, so that might explain why SpamCop didn't see any increase in spam volume. I haven't found as detailed realtime statistics on other sources, so I can't really say how widespread this incident was outside Finland. Also, I haven't seen any reports of it on the NANOG mailinglist, so quite likely it's been a usual day on the other side of the Atlantic.

The day before yesterday, Marshal8e6 released a report on their botnet analysis, including some numbers on spambot capabilities. So just a day after a botnet research lab reports on their spambot findings, we see a sudden shitstorm hitting our filters. Coincidence? I don't think so.

  • Data communications, Security

SSH hammering

It's nothing new that there are several botnets scouring the Internet for poorly protected SSH servers. Their members are mostly compromized hosts, such as home computers hijacked with trojans and worms. Some "real" servers end up on these botnets as well. Sometimes hired for the purpose, sometimes cracked by the same backdoors as the home computers, or simply compromized via the services they run, usually vulnerable dynamic websites.

These botnets scan vast IP-address ranges trying to find hosts which are running SSH server software on the default port (tcp 22). When they find one, they start trying to log in using brute force. Usually the method of choice is to login as root and use a dictionary for guessing the password. Sometimes they try to login as other users, such as test, staff or use someones first name as the login.

Full story »


Interesting 24 hours

I'm currently working as a network engineer for a medium-sized Internet service provider Nebula in Finland. The interesting 24 hours I'm referring to, started yesterday at 16:10 Finnish time when one of the core routers on our network started acting up. Due to confidentiality issues I can't go into technical details on what happened, but this is the official announcement we gave out to customers during the incident. It was updated this morning and we might provide some further details later on. The translation from Finnish to English is my own.

Problems with network connectivity

Due to a software related issue on a core router, some network connections have experienced problems and interruptions since 16:10 local time. The issue is still under repair.

Update: the fault has been limited and connectivity restored at 20:30. The fault had been resolved already before 17:00, but the effects of it resulted in new issues in connectivity after 18:00.

The overload caused by the fault resulted in connectivity issues between the routers of the internal core network at Nebula. When the original issue had been located and resolved, the level of service started to normalize in stages. Latency in certain connections may have been higher than usual during recovery.

We are sorry for the inconvenience and will be peforming upgrades to minimize similar incidents in the future.

Full story »


Keeping in sync, part 2

Keeping in sync, part 2

Some changes have occured since I wrote the first part of Keeping in sync. Some of these changes have been dictated by glitches in the technologies, and others by the increase in number of devices involved. I needed to buy a second smartphone as I now have two mobile subscriptions, which made things a bit more complicated than before. Not much really, just a bit.

In the end, the mobile version of OggSync didn't work for some reason. The support people couldn't replicate the error, so it still remains a mystery. The version I was using is still beta, so the issue might be resoved in future releases. This is why I opted to install the desktop version off OggSync on the server running Kerio MailServer and perform the sync between Google Calendar and Kerio there. So far it's been working like a charm.

As for Facebook, I found out that it's possible to use the Export Events -functionality directly from Google Calendar, so I left the FBCal out of the equation. This way the events seem to appear in Google Calendar faster than with FBCal, but I never really timed this, so it's just a hunch.

I gave up using Remember The Milk, as synchronizing it with the rest didn't quite work like I wanted it to work. As said, pushing tasks through Google Calendar resulted in just calendar events. Instead, I opted to use the Tasks-functionality of Outlook. This way the tasks are synchronized natively via Kerio and ActiveSync, while still being accessable with a browser via Kerio Webmail.


Server naming schemes

Always an interesting topic among nerds :)


I myself use the names of the islands in Tonga.

1 2 4 ...6 7

September 2017
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  
 << <   > >>
Random musings on even more random subjects.
You might also like to take a look at my Twitter feed.


  XML Feeds

powered by b2evolution