Archive for January 2017

Blocking bots from the Cutwail botnet

Recently I’ve seen an increase in mail spambots identifying with the EHLO string EHLO ylmf-pc. These belong to (or at least stem from) the Cutwail botnet, originally observed as early as 2007. The following table shows the number of attempts over the last two weeks. The numbers are not overwhelming for a private mail server, […]

Enabling SNMP support in Amavisd-new

If there’s a short and sweet installation document for enabling SNMP support in Amavisd-new, I seem to have failed searching for it today. Instead I made my own, partially for documenting my own setup and partially for the benefit of others. This brief installation document assumes you’re running an Ubuntu or Debian system. It will […]

Icinga/Nagios check for Sophos antivirus signature freshness

I’ve been running Amavisd-new with scanner components like ClamAV and SpamAssassin on the mail relay for my personal mail for several years. Lately I’ve been thinking that since Amavis supports multiple content scanners I should add another antivirus product. Unfortunately there’s a limited number of free (for home/individual use) antivirus products running on Linux, and […]

How to produce AfterGlow diagrams from Cowrie

I’ve been receiving a few questions on how to produce the AfterGlow diagrams from Cowrie logs, described in an earlier blog post. Instead of repeating myself through email requests, an explanation here will be better. First of all, you will need to decide what you want to visualize. Showing the different attackers targeting a Cowrie […]

Probes towards TCP/37777

Seems a new bot, possibly a strain of Mirai, is in the wild, targeting TCP port 37777. In the last 24 hours I’ve seen close to 200 different IP addresses trying to connect to this port. DShield is also registering an increase. At the moment I can only guess what kind of product they’re probing for, […]