Do people still fall for WinPopUP?

Tonight I happened to be looking through one of my server’s logs for something and found my ability to do so was being seriously hampered by the amount of crap being logged by iptables logging dropped packets (even though that is rate-limited). I was mildly surprised to note that most of it was like this:

Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1028 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1028 LEN=492

It’s been so long that I had even forgotten what UDP 1026-1028 was all about. It’s WinPopUP — the mechanism by which spammers (used to?) put up dialog boxes on the screens of unfirewalled Windows machines.

At first I thought “stupid spammers,” but if they’re doing it then it must still be working to some degree. This should have been dead and buried since 2002. Sad state of affairs!
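As an added illustration of the triage described above (example code written for this page, not the blog author's own tooling): a small Python parser that reads iptables LOG lines of the form quoted in this post, counts dropped packets per source address, and separates the UDP 1026-1028 Messenger popup traffic from everything else so it stops drowning out the rest of the log. The sample input reuses the six lines quoted above plus one constructed TCP line (source 198.51.100.7, an RFC 5737 documentation address) for contrast; the field names matched by the regex are the standard keys the iptables LOG target emits.

```python
"""Triage iptables DENY log lines and flag Windows Messenger popup spam
(UDP to destination ports 1026-1028).

Added example for this page; not the blog author's code.
"""
import re
from collections import Counter

# Only the key=value fields we need from an iptables LOG line.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Destination ports used by the Windows Messenger service popup spam.
MESSENGER_PORTS = range(1026, 1029)

# Sample input: the six lines quoted in the post plus one constructed
# TCP line (an SSH probe from a documentation address) for contrast.
SAMPLE_LOG = """\
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1028 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1028 LEN=492
Mar 23 16:27:01 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=198.51.100.7 DST=192.168.194.1 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict of the interesting fields from one iptables LOG line,
    or None if the line is not a firewall DENY entry with a port."""
    if "DENY:" not in line:
        return None
    fields = dict(_FIELD.findall(line))
    if "PROTO" not in fields or "DPT" not in fields:
        return None  # e.g. ICMP lines carry no DPT
    fields["DPT"] = int(fields["DPT"])
    return fields


def is_messenger_popup(fields):
    """True for the UDP 1026-1028 pattern the post describes."""
    return fields["PROTO"] == "UDP" and fields["DPT"] in MESSENGER_PORTS


def summarise(log_text):
    """Count dropped packets per source, split into Messenger popup
    traffic and everything else. Returns (popup_counter, other_counter)."""
    popup, other = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        bucket = popup if is_messenger_popup(fields) else other
        bucket[fields["SRC"]] += 1
    return popup, other


if __name__ == "__main__":
    popup, other = summarise(SAMPLE_LOG)
    print("Messenger popup spam (UDP 1026-1028) by source:")
    for src, n in popup.most_common():
        print(f"  {src:>16}  {n} packets")
    print("Other dropped traffic by source:")
    for src, n in other.most_common():
        print(f"  {src:>16}  {n} packets")
```

Piping a real log through summarise() (for example, `grep DENY: /var/log/messages`) gives a per-source count that makes it obvious which sources are noise to be filtered or rate-limited separately and which remain worth a look.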

Two mirrors for Ubuntu UK Podcast

BitFolk is providing additional mirrors in London and San Francisco for the Ubuntu UK Podcast.

I think my end is sorted out so hopefully the Ubuntu UK side of things will be ready in time for episode 2’s release early next week.

Obviously as it’s only on episode 2 it’s rather new so I’m not exactly expecting a deluge of requests, but it will be interesting to see actually what bandwidth is used.

(click images for more detail; if image is broken then the graph is currently updating)

Boosted up the spamd service in London

BitFolk's spamd service in London has been a little overloaded in recent times. A lot of the time the backend servers have been complaining that they're full and some connections were being delayed. As a free service it is challenging to keep it performing perfectly and I only attempt to do so on a "best effort" basis, but hopefully things will be better for a while now as I have finally got around to starting up a new backend server on the most recently installed hardware. I gave it a decent amount of RAM to begin with so hopefully I won't be facing problems trying to squeeze it in later.

I haven’t yet really considered trying to enforce any sort of “fair usage” policies although that may be an idea, since the top few users tend to use the majority of the resources. I’m pretty sure that they could avoid sending quite so many connections directly through the relatively expensive spamd stage if they were to try other antispam things first, such as insisting on greater RFC compliance, greetpausing, greylisting, stricter use of DNSBLs etc. etc.

I have also noticed that some users are going direct to the backend spamds as opposed to using the load balancer’s service IP. This is bad because the load balancer has an overview of how busy each backend is and tries to direct new connections to the least-used backend. If it then finds that backend is busier than it thought, or worse still, if it’s actually too full to take a new connection, then things get even less efficient. I may have to crack down on this by firewalling off the backends except from the load balancer. Of course I’ll need to make sure that use of the load balancer’s service IP is fully documented, and properly warn people.

I should also investigate dspam at some point.