How an online payment company handles a virus infection
By Jeroen van Nieuwenhuizen
The company
The company in this story belongs to the select group of certified
payment service providers for MasterCard and Visa in the Netherlands.
To quote their website: "Security is a key priority".
29 November 2004
18:30 - The detection
I see a rise in the incoming Sober.I messages on one of my domains, all coming
from the mail server of $company. This host is quickly added to
blacklist.jeroen.se. But that does not help much, as the same host is also
sending the viruses to the backup MXs of the domain in question (I cannot
filter on those).
30 November
4:00
The rate of incoming viruses reaches 20 viruses per minute.
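The detection above is a rate threshold: one source host pushing infected mail at tens of messages per minute. Below is an added example (my own code, not from this post) that applies that logic to scanner log lines. The log format, the Sober.I signature name and the hosts are constructed for the example; the regex would need adjusting for a real MTA's log lines.

```python
import re
from collections import Counter, defaultdict

# Assumed log line shape (syslog timestamp, host, process, then an
# "INFECTED (signature) from host[ip]" message). Adjust for your scanner.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"\S+ \S+: INFECTED \((?P<sig>[^)]+)\) from \S*\[(?P<ip>[\d.]+)\]"
)


def per_minute_counts(lines):
    """Return {source_ip: Counter{minute_key: hits}} for infected-message lines.
    Lines that are not scanner hits (connects, deliveries, ...) are skipped."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        minute = (m["mon"], int(m["day"]), m["hh"], m["mm"])
        counts[m["ip"]][minute] += 1
    return counts


def flag_sources(lines, threshold=20):
    """Sources whose peak per-minute virus rate reaches the threshold,
    as (ip, peak_count, minute) tuples, busiest first."""
    flagged = []
    for ip, minutes in per_minute_counts(lines).items():
        peak_minute, peak = minutes.most_common(1)[0]
        if peak >= threshold:
            flagged.append((ip, peak, "%s %d %s:%s" % peak_minute))
    return sorted(flagged, key=lambda t: -t[1])


def _constructed_sample():
    # Constructed test data, not a real log: 25 hits from one host inside a
    # single minute, 3 from another, plus one unrelated line to be ignored.
    lines = []
    for i in range(25):
        lines.append("Nov 30 04:00:%02d mx1 amavis[900]: INFECTED (Worm.Sober.I) "
                     "from smtp.example.net[192.0.2.10] to <me@example.org>" % (i * 2))
    for i in range(3):
        lines.append("Nov 30 04:00:%02d mx1 amavis[900]: INFECTED (Worm.Sober.I) "
                     "from mail.example.com[198.51.100.7] to <me@example.org>" % (10 + i))
    lines.append("Nov 30 04:00:30 mx1 postfix/smtpd[2211]: connect from unknown[203.0.113.5]")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for ip, peak, when in flag_sources(SAMPLE_LINES):
        print("%s: %d infected messages in the minute starting %s" % (ip, peak, when))
```

Keying on the connecting IP rather than the envelope sender matters here: Sober forges its From addresses, so only the source host is a stable thing to block. Note that a rate like this is only visible on hosts that receive the traffic; the backup MXs in the story were run by someone else, which is why a threshold on the primary alone could not stop the flood.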
8:30 - Warning them
I phone $company about the problem and ask for the person responsible for
their mail server. He is not present, so I ask them to pass the message on
to him. They assure me that I will be called back about the problem.
Trusting that they will probably take action soon, I go to work.
15:15 - No solution
They are still sending high volumes of mail to my mail server, so I send
an abuse message to the hosting provider of $company. $hostingprovider does
not respond.
20:15 - Disabling my backup MX
Around 20:15 on the evening of 30 November the incoming mail reaches 40
viruses per minute, effectively DoSing my ADSL line. I contact my provider
to remove the backup MXs from the DNS to stop the flooding. At this time
neither $company nor its $hostingprovider has taken any noticeable action.
1 December
9:30 - They call back
Unfortunately I am in a business meeting at the time. After the meeting I call
them back and reach someone who is more or less responsible for the
server. The phone call went more or less like this:
Me: You called me, probably because of my phone call of yesterday.
$person: Yes
Me: Your mail server is spreading viruses at a fast rate.
$person: What?
Me: Your mail server is spreading viruses. Sober.I. x.x.x.x is
your mail server is it not?
$person: Yes, x.x.x.x is our mailserver. What is the problem with
it?
Me: It is sending viruses to my mailserver. Virus infected emails.
$person: What is in the mail?
Me: Viruses!
$person: Yes, I understand. But what does the mail say?
Me: I do not care at all, I do not open virus mail.
$person: Oh, of course.
Me: I also tried to warn you by sending email to abuse@
$person: abuse@?
Me: Yes, that address is required so that people can report
this kind of thing.
$person: Why did you not mail to info@?
Me: As I already told you, you are required to have
an abuse address.
$person: Ah, ok. But we do not manage x.x.x.x ourselves. We
have outsourced the system management. But I will contact them.
Me: Thanks.
$person: Sorry for the annoyance.
16:00 - Solved?
I am still rejecting incoming virus mail from them, so the problem seems unsolved.
4 December - Some action
On 4 December the virus delivery is still continuing, so I send
an email to them and CC their provider. This time the provider responds,
and claims IP spoofing because they do not see anything in their customer's
traffic.
6 December - $company responds
On 6 December $company responds that they are working very hard to resolve the problem.
They also claim IP spoofing. That is not impossible, but IMHO unlikely: every
delivery needs a completed TCP handshake followed by a multi-step SMTP dialogue,
so a spoofer would have to predict the sequence numbers of each of those many
sessions.
7 December - firewall
On the 7th of December the viruses are still coming in. Tired of trying to convince
$company to solve the issue, I block them in the firewall of mx1.jeroen.se.
11 December - Just checking
At least they seem to have fixed one thing: they now accept mail for abuse@.
[jnieuwen]$ telnet smtp.buckaroo.nl 25
Trying 62.212.70.136...
Connected to smtp.buckaroo.nl.
Escape character is '^]'.
220 220 Welcome to ESMTP server at Sat, 11 Dec 2004 14:53:57 +0100.
HELO vanaheim.demon.nl
250 smtp.buckaroo.nl. Hello vanaheim.demon.nl (82.161.130.45)
MAIL FROM: <postmaster [at] jeroen.se>
250 Command MAIL OK
RCPT TO: <abuse [at] buckaroo.nl>
250 Command RCPT User found OK
RSET
250 Command RSET OK
QUIT
...Stunning...
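The telnet session above is a manual RCPT TO probe: open the SMTP dialogue, name the mailbox, read the reply code, then RSET and QUIT so nothing is actually delivered. As an added example (my code, not from this post), the script below parses a captured session of that kind and pairs each command with its reply, and also performs the same probe live with smtplib. The session text is the one from the page with telnet's own lines dropped and the "[at]" obfuscation undone; the rejecting session, and the helo and mail_from placeholders, are constructed for the example.

```python
import re
import smtplib

# The SMTP part of the telnet session shown above, used as offline input.
PAGE_SESSION = """\
220 220 Welcome to ESMTP server at Sat, 11 Dec 2004 14:53:57 +0100.
HELO vanaheim.demon.nl
250 smtp.buckaroo.nl. Hello vanaheim.demon.nl (82.161.130.45)
MAIL FROM: <postmaster@jeroen.se>
250 Command MAIL OK
RCPT TO: <abuse@buckaroo.nl>
250 Command RCPT User found OK
RSET
250 Command RSET OK
QUIT
"""

# Constructed counter-example: a server that has no abuse mailbox.
REJECTED_SESSION = """\
220 mx.example.net ESMTP
HELO probe.example.org
250 mx.example.net
MAIL FROM: <postmaster@example.org>
250 OK
RCPT TO: <abuse@example.net>
550 5.1.1 User unknown
RSET
250 OK
QUIT
221 Bye
"""

# An SMTP reply line: three-digit code, then " " for the last line of the
# reply or "-" for a continuation line (RFC 5321 section 4.2).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_smtp_dialogue(text):
    """Pair each client command in a captured session with the server's
    reply. Returns [(command, code, message)]; the banner is paired with the
    pseudo-command 'GREETING'. Multi-line replies are joined into one."""
    dialogue = []
    pending_cmd = "GREETING"
    reply_lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m:
            code, sep, msg = m.groups()
            reply_lines.append(msg)
            if sep == " ":  # final line of this reply
                dialogue.append((pending_cmd, int(code), " ".join(reply_lines)))
                reply_lines = []
        else:
            pending_cmd = line  # a client command
    return dialogue


def rcpt_accepted(dialogue, address):
    """True if the server answered 2xx to RCPT TO for the given address."""
    for cmd, code, _ in dialogue:
        if cmd.upper().startswith("RCPT TO") and address.lower() in cmd.lower():
            return 200 <= code < 300
    return False


def probe_mailbox(host, address, helo="probe.example.org",
                  mail_from="postmaster@example.org", timeout=15):
    """Live version of the same check: HELO, MAIL FROM, RCPT TO, then RSET
    and QUIT so no message is delivered. Returns the RCPT (code, message).
    helo and mail_from are placeholders; use your own host and address."""
    with smtplib.SMTP(host, 25, timeout=timeout) as s:
        s.helo(helo)
        code, msg = s.mail(mail_from)
        if code != 250:
            raise smtplib.SMTPSenderRefused(code, msg, mail_from)
        code, msg = s.rcpt(address)
        s.rset()
        return code, msg.decode(errors="replace")


if __name__ == "__main__":
    session = parse_smtp_dialogue(PAGE_SESSION)
    for cmd, code, msg in session:
        print("%-36s -> %d %s" % (cmd, code, msg))
    print("abuse@ accepted:", rcpt_accepted(session, "abuse@buckaroo.nl"))
```

A 250 at RCPT time is evidence that the mailbox exists, not that anyone reads it: catch-all servers answer 250 for any local part, and some MTAs only reject at DATA. Probing postmaster@ alongside abuse@ is worthwhile, since RFC 2142 names both as the standard contact mailboxes, and the transient 4xx replies of greylisting should be retried rather than read as a refusal.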
© 2002 - 2008
Ir. Jeroen van Nieuwenhuizen