
brightmail / spam&ham / outlook rules

Manually submitting Spam to Symantec Response Center

http://service1.symantec.com/support/ent-gate.nsf/docid/2005012415180263

Messages which have not been blocked by the anti-spam filters and which match the definition of spam above can be submitted to Symantec for analysis and possible filter creation.

send SPAM to

mailto:eurosubmit@submit-23.brightmail.com

send HAM to

mailto:eurofeedback@feedback-23.brightmail.com

Manually check Symantec IP-OpenProxyList (OPL)

Use this URL to check IP addresses

http://ipremoval.sms.symantec.com

Brightmail checks all IP addresses listed in the Received lines!
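Since every Received hop is evaluated, it helps to list exactly which addresses a message exposes before looking them up on the OPL page. The following is an added example, not part of the original post and not Symantec code; the function name received_ips and the sample message are constructed for illustration.

```sh
#!/bin/sh
# received_ips: print each unique IPv4 address that appears in the
# Received: headers of a message read from stdin (header section only).
received_ips() {
    awk '
    # Emit every dotted quad with octets <= 255 found in one unfolded header.
    function emit(h,    tok, o, i, ok) {
        while (match(h, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            tok = substr(h, RSTART, RLENGTH)
            h = substr(h, RSTART + RLENGTH)
            split(tok, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok && !(tok in seen)) { seen[tok] = 1; print tok }
        }
    }
    function finish_header() {
        if (tolower(hdr) ~ /^received:/) emit(hdr)
        hdr = ""
    }
    { sub(/\r$/, "") }                     # tolerate CRLF line endings
    /^$/     { finish_header(); exit }     # blank line ends the header section
    /^[ \t]/ { hdr = hdr " " $0; next }    # folded continuation line
    { finish_header(); hdr = $0 }
    END { finish_header() }
    '
}

# Constructed sample message (documentation addresses, not real traffic).
sample_message() {
    cat <<'EOF'
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by scanner.example.org with ESMTP id abc123;
    Thu, 22 Oct 2009 10:00:00 +0200
Received: from [10.1.1.5] (dsl-198-51-100-7.example.com [198.51.100.7])
    by mx.example.net with ESMTP; Thu, 22 Oct 2009 09:59:58 +0200
Received: from relay (unknown [192.0.2.10]) by localhost
X-Originating-IP: 203.0.113.99
From: a@example.com
Subject: test

Body mentions 203.0.113.50, which is not a Received hop.
EOF
}

sample_message | received_ips
```

Internal hops such as 10.1.1.5 show up as well, which is the point: an address several hops back can be the one that matters.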

Built-in Microsoft Outlook JunkMail rules

http://office.microsoft.com/en-us/help/HA010450051033.aspx

The Junk and Adult Content filters work by looking for key words. This file is a description of exactly which words the filter looks for and where the filter looks for them.

Junk E-mail Filter

First 8 characters of From are digits
Subject contains “advertisement”
Body contains “money back ”
Body contains “cards accepted”
Body contains “removal instructions”
Body contains “extra income”
Subject contains “!” AND Subject contains “$”
Subject contains “!” AND Subject contains “free”
Body contains “,000” AND Body contains “!!” AND Body contains “$”
Body contains “Dear friend”
Body contains “for free?”
Body contains “for free!”
Body contains “Guarantee” AND (Body contains “satisfaction” OR Body contains “absolute”)
Body contains “more info ” AND Body contains “visit ” AND Body contains “$”
Body contains “SPECIAL PROMOTION”
Body contains “one-time mail”
Subject contains “$$”
Body contains ”
Body contains “order today”
Body contains “order now!”
Body contains “money-back guarantee”
Body contains “100% satisfied”
To contains “friend@”
To contains “public@”
To contains “success@”
From contains “sales@”
From contains “success.”
From contains “success@”
From contains “mail@”
From contains “@public”
From contains “@savvy”
From contains “profits@”
From contains “hello@”
Body contains “ mlm”
Body contains “@mlm”
Body contains “///////////////”
Body contains “check or money order”

Adult Content Filter

Subject contains “ xxx”
Subject contains “over 18”
Subject contains “over 21”
Subject contains “adult s”
Subject contains “adults only”
Subject contains “be 18”
Subject contains “18+”
Body contains “over 18”
Body contains “over 21”
Body contains “must be 18”
Body contains “adults only”
Body contains “adult web”
Body contains “must be 21”
Body contains “adult en”
Body contains “18+”
Subject contains “erotic”
Subject contains “adult en”
Subject contains “ sex”
Body contains “ xxx ”
Body contains “ xxx!”
Subject contains “free” AND Subject contains “adult”
Subject contains “free” AND Subject contains “sex”

HPUX 11.31 lun resize

Create new volume

First, create and assign new disks on IPstor and rescan your hpux-hardware paths (new style)

ioscan -N -fnk > io.lis

ioscan -N -fnC disk # disk numbers may differ between cluster nodes!

Remember all serial_numbers for later identification

scsimgr get_attr -D /dev/rdisk/disk??? -a serial_number

Create VG and leave space for a lun-extension (max DiskSize = 32MB*16384)

mkdir /dev/vgXXX
mknod /dev/vgXXX/group c 64 0x??0000 # must be unique in the cluster-env.
pvcreate /dev/rdisk/disk???
vgcreate -s 32 -p 64 -e 16384 vgXXX /dev/disk/disk???
vgextend vgXXX /dev/disk/disk???

manually define your PV-Groups

vi /etc/lvmpvg # there may be different disk devices on each host!

VG      /dev/vgXXX
PVG     ipstor1
/dev/disk/disk?01
PVG     ipstor2
/dev/disk/disk?02
VG      /dev/vgYYY
PVG     ipstor1
/dev/disk/disk?05
PVG     ipstor2
/dev/disk/disk?08

Create a FileSystem on a Logical Volume

lvcreate -s g -l 1 -m 1 vgXXX
lvextend -l <SIZE> /dev/vgXXX/lvol1
newfs -F vxfs /dev/vgXXX/rlvol1

# Import your VG on all other ClusterNodes and beware of different disk device files
# btw: if you use custom lvol names or different numbering schemes, use a mapfile:
# "vgexport -p -v -m <mapfile> vgXXX > vgXXX.mapfile", then copy and import.

vgimport vgXXX /dev/disk/disk?02 /dev/disk/disk?07 # use mapfile if necessary

Extend FileSystem / dynamic Disk

Expand your Lun on the IPStor

vgdisplay -v vgXXX # note your pv sizes
vgmodify -E -a vgXXX # do not use “-a -E”
vgdisplay -v vgXXX # PV size should be greater now

lvextend -l <SIZE> /dev/vgXXX/lvolYYY

fsadm -b $((PE_SIZE*LV_SIZE*1024)) /mountpoint

Useful Commands

See multipaths per Lun

scsimgr lun_map -D /dev/rdisk/disk?23

Get WWID or serial_number for a disk

scsimgr get_attr -D /dev/rdisk/disk?04 -a wwid
scsimgr get_attr -D /dev/rdisk/disk?03 -a serial_number

echo "selclass type disk;info;wait;infolog" | cstm

Lun Multipath Overview (see dead paths)

ioscan -N -fnC lunpath

Remove VG / Disks

Get all disk serial_numbers for later identification on IPStor

for i in `vgdisplay -v vgXXX|grep "PV Name"|awk '{print $3}'|cut -d "/" -f 4`;do
     scsimgr get_attr -D /dev/rdisk/${i} -a serial_number
done

Remove VG

lvremove /dev/vgXXX/lvolYYY # delete all lvols
vgreduce vgXXX # remove all disks except one
vgremove vgXXX
rm /dev/vgXXX/group
rmdir /dev/vgXXX

Unassign and delete the Luns (check your serial_numbers!) and rescan the hpux-hardware path for deletion of special files.

ioscan -N -fnC disk

disk     24  64000/0xfa00/0x10  esdisk   CLAIMED     DEVICE       FALCON  IPSTOR DISK
/dev/disk/disk24   /dev/rdisk/disk24
disk     28  64000/0xfa00/0x11  esdisk   CLAIMED     DEVICE       FALCON  IPSTOR DISK
/dev/disk/disk28   /dev/rdisk/disk28
disk     30  64000/0xfa00/0x12  esdisk   NO_HW       DEVICE       FALCON  IPSTOR DISK
/dev/disk/disk30   /dev/rdisk/disk30

rmsf -H 64000/0xfa00/0x12

LACP Bonding

cisco nexus

interface Ethernet128/1/40
description APAMGM01 [eth0]
switchport access vlan 222
channel-group 305 mode active

interface port-channel305
description VPC APAMGM01
switchport access vlan 222
vpc 305

cisco ios

interface FastEthernet1/17
description APAMGM01 [eth0]
switchport access vlan 222
channel-group 305 mode active

interface FastEthernet1/18
description APAMGM01 [eth1]
switchport access vlan 222
channel-group 305 mode active

interface port-channel305
description PoC APAMGM01
switchport access vlan 222

ubuntu

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eth0
#iface eth0 inet static
auto bond0
iface bond0 inet static
slaves eth0 eth2
bond-mode 4
bond-miimon 100
address 194.232.133.55
netmask 255.255.255.192
network 194.232.133.0
broadcast 194.232.133.63
gateway 194.232.133.62
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 194.232.133.2
dns-search apa.at

redhat es4

EMC Clariion CLI cheat sheet

(c) http://www.datadisk.co.uk/html_docs/emc/emc_navisphere_cs.html

Raid Groups

Creating a raid group: navicli -h <san> createrg rgID disks <options>

example: navicli -h fc4700 createrg 16 0_0_0 0_0_1 0_0_2 -rm yes -pri high

rgID = decimal raid group id
0_0_0 = bus_enclosure_disk
rm = delete raid group when last LUN is unbound
pri = expansion / defragmentation priority

expanding a raid group: navicli -h <san> chgrg rgID <options>

example: navicli -h fc4700 chgrg 16 -expand 0_0_4 0_0_5 -lex yes -pri high

lex = is LUN expansion also allowed

destroying a raid group: navicli -h <san> destroyrg rgID disks <options>

example: navicli -h fc4700 destroyrg 16 0_0_0 0_0_1 0_0_3 -rm yes -pri high

modifying a raid group parameters (priority etc): navicli -h fc4700 chgrg 16 -pri high
display status of a raid group: navicli -h fc4700 getrg 16 -lunlist

LUN and Meta LUN configuration

Binding a LUN: navicli -h <san> bind raid-type <lun #> -rg rgID <options>

example: navicli -h fc4700 bind r5 3 -rg 0 -rc 1 -wc 1 -sq mb -cap 250

r5 = raid 5
rc = read cache (0=disable, 1=enable)
wc = write cache (0=disable, 1=enable)
sq = size qualifier (MB, GB)
cap = size of the raid

unbinding a LUN: navicli -h fc4700 unbind 3
display LUN properties: navicli -h fc4700 getlun 3 -element
expanding a meta LUN: navicli -h fc4700 metalun -expand -base <number> -lun <numbers> -type [c|s] <options>

c = concatenate
s = stripe

destroying a meta LUN: navicli -h fc4700 metalun -destroy -metalun <number>
displaying meta LUN status: navicli -h fc4700 metalun -info <options> (general information)
                            navicli -h fc4700 metalun -list metalun <number> (specific info on a meta LUN)
Modifying a meta lun: navicli -h fc4700 metalun -modify -metalun <number>

Storage Groups

create a storage group: navicli -h fc4700 storagegroup -create -gname storage_1

gname = group name

add LUNS to a storage group: navicli -h fc4700 storagegroup -addhlu -gname storage_1 -hlu 19 -alu 16

hlu = LUN number display to hosts i.e c0t0d19
alu = LUN 16 as per the san storage

register a host: navicli -h fc4700 uksap01 register
connect host to storage group: navicli -h fc4700 storagegroup -connecthost -host uksap01 -gname storage_1
display storage group information: navicli -h fc4700 storagegroup -list -gname storage_1
destroy a storage group: navicli -h fc4700 storagegroup -destroy -gname storage_1

(all hosts must be removed from the group first)

Cache Configuration

get cache information: navicli -h fc4700 getcache
Configure the cache: navicli -h fc4700 setcache -wsza 550 -rsza 100 -wszb 100 -rszb 100

wsza = SPA write cache in MB
rsza = SPA read cache in MB
wszb = SPB write cache in MB
rszb = SPB read cache in MB
p = page size (2, 4, 8 or 16)
l = low watermark
h = high watermark
wc/rc = disable/enable read/write cache
wca/rca = disable/enable read/write SPA cache

Brightmail@vmware / arp problem

After installing SBG9.0.20 via OS_restore, I had the problem that a ping to the default gateway only worked for 5 sec.
We run two layer-3 subnets on one layer-2 net, so it could be an ARP broadcast problem.

(so it was time to get root-access to the sbg-instance -> see other article)

After playing around with the kernel.arp values, I found out that these settings would fix our problem:

vi /etc/sysctl.conf
# Enable configuration of arp_ignore option
net.ipv4.conf.all.arp_ignore = 1

# When an arp request is received on eth0, only respond if that address is
# configured on eth0. In particular, do not respond if the address is
# configured on lo
net.ipv4.conf.eth0.arp_ignore = 1

=;) But this did not work; it was set back to a value of “2”. After some searching I found that someone had a similar problem and Symantec had already patched this, and a file /data/os/etc/eth_arp_ignore.conf.readme was created.

echo 1 > /data/os/etc/eth_arp_ignore.conf

;)

Redhat5 FibreChannel Stuff

(c) http://kbase.redhat.com/faq/docs/DOC-19446

Problem

When a system is connected to multiple SANs of the same type it is hard to tell what disk is on what SAN, or what disk is on what storage processor port it’s connected to.

Resolution

On Red Hat Enterprise Linux 5 all the data is stored in /sys and can be found independently of the Fibre Channel driver in use.

1) To find the Fibre Channel addresses of the HBAs on the machine, run the following:

# systool -c fc_host -v

(output trimmed for clarity)

  Class Device path = "/sys/class/fc_host/host8"
    port_name           = "0x10000000c9802436"
    node_name           = "0x20000000c9802436"

  Class Device path = "/sys/class/fc_host/host9"
    port_name           = "0x10000000c9802437"
    node_name           = "0x20000000c9802437"

On this particular machine, we have two HBAs acting currently as host8 and host9 (please notice that these numbers can change, they change every time the fibre channel driver is unloaded, reloaded, and can change across reboots). This host number is the H-value on HBTL SCSI addressing.

2) With the following command we can determine the fibre channel target WWN for the triplet HBT from HBTL SCSI addressing.

# systool -c fc_transport -v

(output trimmed for clarity)

Class = "fc_transport"

  Class Device path = "/sys/class/fc_transport/target8:0:0"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601683a601693"

  Class Device path = "/sys/class/fc_transport/target9:0:0"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601683a601693"

  Class Device path = "/sys/class/fc_transport/target8:0:1"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601603a601693"

  Class Device path = "/sys/class/fc_transport/target9:0:1"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601603a601693"

Where node_name is the FC WWN of the Storage System, and port_name is the FC WWID of the Storage Processor Port.

3) With the following command, we can determine the mapping between SCSI HBTL addresses and the disks:

(sg_map is part of sg3_utils, and before running sg_map, it is necessary to have the sg module loaded on the system)

# sg_map -x

(output trimmed for clarity)

/dev/sg4  8 0 0 0  0  /dev/sdd
/dev/sg5  8 0 0 1  0  /dev/sde
/dev/sg6  8 0 0 2  0  /dev/sdf
/dev/sg7  8 0 1 0  0  /dev/sdg
/dev/sg8  8 0 1 1  0  /dev/sdh
/dev/sg9  8 0 1 2  0  /dev/sdi
/dev/sg10  9 0 0 0  0  /dev/sdj
/dev/sg11  9 0 0 1  0  /dev/sdk
/dev/sg12  9 0 0 2  0  /dev/sdl
/dev/sg13  9 0 1 0  0  /dev/sdm
/dev/sg14  9 0 1 1  0  /dev/sdn
/dev/sg15  9 0 1 2  0  /dev/sdo

4) From commands on (1), (2) and (3) we have the mapping from disk to HBTL SCSI addresses, and the mapping of SCSI address to fibre channel address. If, for instance, we want to see where the following multipath device is hosted, we do:

disc01 (3600601608e661a01486cd3c7f53ede11) dm-1 DGC,RAID 5
[size=10G][features=0][hwhandler=1 emc][rw]
\_ round-robin 0 [prio=2][active]
 \_ 8:0:1:0 sdg 8:96  [active][ready]
 \_ 9:0:1:0 sdm 8:192 [active][ready]
\_ round-robin 0 [prio=0][enabled]
 \_ 8:0:0:0 sdd 8:48  [active][ready]
 \_ 9:0:0:0 sdj 8:144 [active][ready]

5) We know already that it’s an EMC Clariion because the vendor is DGC, but I could have LUNs from more than one Clariion on this system, so let’s pick /dev/sdj as an example:

/dev/sg10  9 0 0 0  0  /dev/sdj

/dev/sdj = H:B:T:L = 9:0:0:0

Therefore for sdj we have, H=9 and HBT=9:0:0. From (1) and (2) we have:

Host HBA WWN:           0x20000000c9802437
Host HBA WWP:           0x10000000c9802437
Storage System WWN:     0x50060160ba601693
Storage Processor WWP:  0x500601683a601693

6) Doing this for all disks:

               Local Port          Remote port          STORAGE
8:0:1:0 sdg    0x10000000c9802436  0x500601603a601693   0x50060160ba601693
9:0:1:0 sdm    0x10000000c9802437  0x500601603a601693   0x50060160ba601693
8:0:0:0 sdd    0x10000000c9802436  0x500601683a601693   0x50060160ba601693
9:0:0:0 sdj    0x10000000c9802437  0x500601683a601693   0x50060160ba601693

ATTENTION: look carefully at the ‘Remote port’ values, they normally differ only in a few bits.

In this particular case, we see that both sdd and sdj are on the same remote port, and sdg and sdm are on the same ports as well.

7) A storage system can have many ports. In most cases 2 or 4, but the Storage ID should remain the same. In sysfs we have 0x50060160ba601693, which maps perfectly to the storage WWN from the storage admin interface.

Current Storage System Name:      AX150
Storage System World Wide Name:      50:06:01:60:BA:60:16:93
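Steps (1) to (6) can be done in one pass by joining the three command outputs on the host number and the H:B:T triplet. This is an added example, not part of the Red Hat article or the original post; the names fc_map, write_samples and fc_demo are hypothetical, and it assumes the command outputs were saved to files.

```sh
#!/bin/sh
# fc_map <fc_host.txt> <fc_transport.txt> <sg_map.txt>
# Joins saved output of "systool -c fc_host -v", "systool -c fc_transport -v"
# and "sg_map -x" into: H:B:T:L device local-port remote-port storage-node
fc_map() {
    awk '
    # A "Class Device path" line names the object the next attributes belong to.
    /Class Device path/ {
        n = split($0, p, "/"); key = p[n]; gsub(/"/, "", key)
        sub(/^(host|target)/, "", key)          # leaves "8" or "8:0:1"
        next
    }
    $1 ~ /^(port|node)_name$/ && $2 == "=" {
        val = $3; gsub(/"/, "", val)
        if (FILENAME == ARGV[1] && $1 == "port_name") hba[key] = val
        if (FILENAME == ARGV[2] && $1 == "port_name") rport[key] = val
        if (FILENAME == ARGV[2] && $1 == "node_name") node[key] = val
        next
    }
    # sg_map -x: /dev/sgN  H B T L  type  /dev/sdX (no 7th field: no block device)
    FILENAME == ARGV[3] && $1 ~ /^\/dev\/sg/ && NF >= 7 {
        hbt = $2 ":" $3 ":" $4; dev = $7; sub(/^\/dev\//, "", dev)
        if (hbt in rport)
            print hbt ":" $5, dev, hba[$2], rport[hbt], node[hbt]
        else
            print hbt ":" $5, dev, "no-fc-target"   # e.g. a local SCSI disk
    }
    ' "$1" "$2" "$3"
}

# Constructed sample files; WWNs and H:B:T:L values are the ones shown above,
# the local disk sda is added to show the non-FC case.
write_samples() {
    cat > "$1/fc_host.txt" <<'EOF'
  Class Device path = "/sys/class/fc_host/host8"
    port_name           = "0x10000000c9802436"
    node_name           = "0x20000000c9802436"
  Class Device path = "/sys/class/fc_host/host9"
    port_name           = "0x10000000c9802437"
    node_name           = "0x20000000c9802437"
EOF
    cat > "$1/fc_transport.txt" <<'EOF'
  Class Device path = "/sys/class/fc_transport/target8:0:0"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601683a601693"
  Class Device path = "/sys/class/fc_transport/target9:0:0"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601683a601693"
  Class Device path = "/sys/class/fc_transport/target8:0:1"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601603a601693"
  Class Device path = "/sys/class/fc_transport/target9:0:1"
    node_name           = "0x50060160ba601693"
    port_name           = "0x500601603a601693"
EOF
    cat > "$1/sg_map.txt" <<'EOF'
/dev/sg0  0 0 0 0  0  /dev/sda
/dev/sg4  8 0 0 0  0  /dev/sdd
/dev/sg7  8 0 1 0  0  /dev/sdg
/dev/sg10  9 0 0 0  0  /dev/sdj
/dev/sg13  9 0 1 0  0  /dev/sdm
EOF
}

fc_demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    fc_map "$d/fc_host.txt" "$d/fc_transport.txt" "$d/sg_map.txt"
    rm -rf "$d"
}

fc_demo
```

Because the host numbers can change across driver reloads and reboots, capture all three outputs in the same session before joining them.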

Stuff 4 VMware ESX(i)

Enable SSH on VMware ESXi4

alt-f1
unsupported
root pw
vi /etc/inetd.conf
delete the “#” from ssh
services.sh restart

View the active multipath config of an ESX host

ssh $esx "esxcfg-mpath -l"

Symantec Brightmail SMSSMTP Bug x-audit

If the outbound daemon receives a forwarded mail that contains the header field "x-auditid", the mail is parsed incorrectly, and the internal hand-over to the delivery component fails with "MAIL FROM:<> XAUDITID=xauditid 34533ab74.." (it should be "MAIL FROM: <> XAUDITID=23478abe763..").

The workaround filters the header line "x-auditid" out in the outbound postfix.

Details

This can be checked with: ngrep -td lo port 41012 | grep "MAIL FROM:"

Good

MAIL FROM: <aansmeet1999@example.com> XAUDITID=c2e885dc-a1e6aba00000708f-2d-4ae01dae6a6c..

Bad

MAIL FROM: <Sachbearbeiter@example.com> XAUDITID=x-auditid: c2e885d5-a8bf1bb000001505-8a-4ae00d4bd8a2….

Sending the following test mail to the outbound is enough to reproduce the error:

HELO o
MAIL FROM:<_e_f_@apa.at>
RCPT TO: <Sachbearbeiter@example.com>
DATA
From: Test Test <a11708@example.com>
To: E F <ef@example.com>
Subject: apatest
x-auditid: c2e885db-a5d9dba00000525f-80-4adefa87f71b

TEST

.
QUIT

Workaround, to be applied on every scanner:

cat >> /opt/Symantec/SMSSMTP/mta/etc/outbound.header-checks.pcre.template << EOF
#
# remove foreign x-auditid flags (filterhub-to-delivery MAIL FROM: BUG)
# by .Fa 20091022
#
/^x-auditid: .*/ IGNORE

EOF

# verify the workaround & restart the Brightmail scanner
cat /opt/Symantec/SMSSMTP/mta/outbound/header-checks.pcre

/opt/scripts/restart_smssmtp.sh
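To confirm the workaround holds, the captured MAIL FROM lines can be classified automatically, and the effect of the header rule can be reproduced on a test message. This is an added example, not part of the original post and not Symantec code; the function names and both samples are constructed (the capture lines reuse the Good/Bad values shown above), and the "well-formed" pattern is an assumption derived from the Good sample.

```sh
#!/bin/sh
# classify_mailfrom: label each "MAIL FROM:" line read from stdin
# (for example the output of the ngrep | grep pipeline).
classify_mailfrom() {
    awk '
    toupper($0) !~ /MAIL FROM:/ { next }
    !match($0, /XAUDITID=/)     { print "NOAUDIT " $0; next }
    {
        val = substr($0, RSTART + RLENGTH)
        # Well-formed (assumption): one token of hex digits and dashes; ngrep
        # prints the trailing CRLF as dots. A header name, colon or space in
        # the value means header text leaked into the envelope command.
        if (val ~ /^[0-9A-Fa-f-]+\.*$/) print "GOOD " $0
        else                            print "BAD " $0
    }'
}

# strip_auditid: drop x-auditid headers (any case, folded lines included)
# from the header section of a message on stdin; the body passes unchanged.
strip_auditid() {
    awk '
    inbody   { print; next }
    /^$/     { inbody = 1; print; next }        # end of header section
    /^[ \t]/ { if (!skip) print; next }         # continuation of previous header
    { skip = (tolower($0) ~ /^x-auditid:/); if (!skip) print }
    '
}

# Constructed capture: one good and one bad line as seen on port 41012.
sample_capture() {
    cat <<'EOF'
MAIL FROM: <aansmeet1999@example.com> XAUDITID=c2e885dc-a1e6aba00000708f-2d-4ae01dae6a6c..
MAIL FROM: <Sachbearbeiter@example.com> XAUDITID=x-auditid: c2e885d5-a8bf1bb000001505-8a-4ae00d4bd8a2..
EOF
}

# Constructed test mail with a foreign, folded X-AuditID header.
sample_mail() {
    cat <<'EOF'
From: Test Test <a11708@example.com>
To: E F <ef@example.com>
Subject: apatest
X-AuditID: c2e885db-a5d9dba00000525f-80-4adefa87f71b
 folded-continuation

x-auditid: this body line is not a header and must stay
EOF
}

sample_capture | classify_mailfrom
sample_mail | strip_auditid
```

Any BAD line after the restart means a scanner is still running without the header rule.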

if something goes wrong (HPUX & HardwarePaths)

Since it can happen that the instance numbers get reordered under HP-UX after a change in the SAN ;) only one thing helps: manually rewiring the hardware paths (/etc/ioinit).

Create a list of the current HW paths and correct it where necessary

ioscan -kfn | grep -e INTERFACE -e DEVICE | grep -v target | awk '{printf "%-40s %-20s %5s\n", $3, $1, $2}' > /stand/infile

Change the mappings of the ext_bus instances (change only these!)

vi /stand/infile

Example:
8/0  ext_bus  0
8/4  ext_bus  3

==> Modify as :

8/0  ext_bus  3
8/4  ext_bus  0

Save ioconfig files :

mv /stand/ioconfig /stand/ioconfig.sav
mv /etc/ioconfig /etc/ioconfig.sav
shutdown -ry 0

5. From the console, stop boot process and boot in single mode :

Loading.: HP-UX Primary Boot: 0/2/1/0.0.0.0.0
Starting: HP-UX Primary Boot: 0/2/1/0.0.0.0.0

(C) Copyright 1999-2006 Hewlett-Packard Development Company, L.P.
All rights reserved

HP-UX Boot Loader for IPF  --  Revision 2.029

Press Any Key to interrupt Autoboot
\EFI\HPUX\AUTO ==> boot -is vmunix
Seconds left till autoboot -   1

hpux -is (under PA-RISC)
boot vmunix -is (under Itanium)

This was not necessary in our case, because the ioconfig was missing and HP-UX therefore stopped for recovery on its own.

6. The system starts with an "ioinitrc" prompt. Create the ioconfig file:

cd /stand
/sbin/ioinit -c

7. update it with infile (This command will also reboot the system) :

/sbin/ioinit -f infile -r

ioconfig files will be cleaned.

Mini how-to from the last incident:

# save the current state
ioscan -fnk > /stand/io.lis
powermt display paths > /stand/pp_paths.lis
powermt display dev=all > /stand/pp_dev.lis
mv /etc/powermt.custom /etc/powermt.custom.sav
cp /etc/powermt.custom.sav /etc/powermt.custom
# create the hw-path source file
ioscan -kfn | grep -e INTERFACE -e DEVICE | grep -v target | awk '{printf "%-40s %-20s %5s\n", $3, $1, $2}' > /stand/infile
# initialise the new hardware in the kernel and create the device files
ioscan -fn >/stand/io1.lis
insf -e
powermt config
# prepare the data for the infile changes
grep ext_bus /stand/io.lis|grep 239 # <- 239 was the new bus number
# compare the hardware path with "powermt display paths" and replace the controller in the infile
grep ext_bus /stand/io.lis|grep NO_HW
# delete all of these, including their sub-numbers
vi /stand/infile
# delete the numbers
# replace the 239 controller
# save and "delete" the ioconfig
mv /etc/ioconfig /etc/ioconfig.sav
mv /stand/ioconfig /stand/ioconfig.sav
# reboot and do not go into single-user mode; the io-init shell comes up automatically
shutdown -ry 0
# create the new ioconfig; this can take a while and then reboots after ~2-5 min
cd /stand
/sbin/ioinit -c
/sbin/ioinit -f infile -r
# after the reboot, let PowerPath reconfigure itself
powermt display paths
powermt config
powermt save

phion scripts

Because we often had failures caused by defective hard disks in the phion-heavengates boxes, the following script checks the kernel's mounts for the read_only attribute (which indicates a hard disk that is starting to fail).

Monitoring the hp-dl360 firewalls requires the cciss_vol_status tool.

#!/bin/sh
#
# check_disk.sh
# ===
# executed via Box-Scheduler-Service
# install via copy/paste in localbox 10.1.1.100 /opt/check_disk.sh
#
mail_rcpt="user1@example.com admin@example.com"
mail_from=fw-check@example.com
#
for server in `/opt/phion/bin/boxtool list`;do
    ip=`/opt/phion/bin/boxtool get ${server} ip`
    echo -e "${server} ${ip}\t\t\c"
    ping -c1 -w1 ${ip} >/dev/null 2>&1
    retval=$?
    if [ "${retval}" = "0" ]; then
        echo -e "mount_rw=\c"
        # match "ro" as a mount option in field 4 of /proc/mounts (also "ro,noatime" etc.)
        if [ "`ssh ${ip} cat /proc/mounts | awk '$4 ~ /(^|,)ro(,|$)/'`" ]; then
            echo "ERROR: FS read only (HD failure)"
            for email in ${mail_rcpt};do
                /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/DiskFailure ${server}" "Filesystem / read_only (/proc/mounts) on \n \n${server} ${ip}"
            done
        else
            echo -e "ok   \c"
        fi
        if [ "`ssh ${ip} /sbin/lsmod|grep cciss `" ]; then
            echo -e "cciss=\c"
            # run the whole test on the remote side; copy the tool over if it is missing
            if [ "`ssh ${ip} '[ -f /root/cciss_vol_status ] && echo OK'`" != "OK" ]; then
                echo -e "\ntransfer cciss begin\n"
                scp /opt/fw/cciss_vol_status ${ip}:/root/cciss_vol_status
                echo -e "\ntransfer cciss done\n"
                echo -e "${server} ${ip}\t\t cciss=\c"
            fi
            # quote the remote command so that the c*d0 glob is expanded on the firewall
            if [ "`ssh ${ip} '/root/cciss_vol_status /dev/cciss/c*d0' | awk '{print $10}'`" != "OK." ]; then
                echo "ERROR: CCISS Status problem"
                info="`ssh ${ip} '/root/cciss_vol_status /dev/cciss/c*d0'`"
                for email in ${mail_rcpt};do
                    /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/DiskFailure ${server}" "Bitte Disken auf Firewall überprüfen\n===\n$info\n===\n${server} ${ip}"
                done
            else
                echo -e "ok\c"
            fi
        fi
        echo
    else
        echo "timed out (icmp_unreachable)"
    fi
done

If the phion MC is not clustered, all PAR files should be stored off-box. The script creates a ".par" file for every firewall and copies it to a backup host.

#!/bin/sh
#
# make_par.sh
# ===
# executed via Box-Scheduler-Service
# install via copy/paste in Box (phion-MC) /opt/make_par.sh
#
mail_rcpt="email@example.com"
mail_from=fw-check@example.com
#
[ ! -d /opt/fw/backup-par ] && mkdir /opt/fw/backup-par
#
# back up the MC
#
echo -e "MC-Archive     make_par=\c"
cd /opt/phion/rangetree/configroot/
/opt/phion/bin/phionar cdl /opt/fw/backup-par/archive.par *
if [ "$?" != "0" ]; then
        echo "failure"
        for email in ${mail_rcpt};do
                /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/BackupPAR MC(local)" "Backup PAR-File failed."
        done
else
        echo "ok"
fi
#
# loop over all servers
#
for server in `/opt/phion/bin/boxtool list`;do
    ip=`/opt/phion/bin/boxtool get ${server} ip`
    echo -e "${server} ${ip}\t\t\c"
    ping -c1 -w1 ${ip} >/dev/null 2>&1
    retval=$?
    if [ "${retval}" = "0" ]; then
        echo -e "make par=\c"
        ssh ${ip} "cd /opt/phion/config/configroot/;/opt/phion/bin/phionar cdl /tmp/${server}.par *"
        # the marker is printed only when the remote .par file exists; empty output means failure
        if [ ! "`ssh ${ip} test -f /tmp/${server}.par && echo PRESENT`" ]; then
            echo "error"
            for email in ${mail_rcpt};do
                /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/BackupPAR ${server}" "Backup PAR-File failed on \n \n${server} ${ip}"
            done
        else
            echo "ok    transfering..."
            scp ${ip}:/tmp/${server}.par /opt/fw/backup-par/
            if [ "$?" != "0" ]; then
                echo "failure"
                    for email in ${mail_rcpt};do
                        /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/BackupPAR ${server} scp-error" "scp-Transfer PAR-File failed on \n \n${server} ${ip}"
                    done
            fi
        fi
    else
        echo "timed out (icmp_unreachable)"
    fi
done

echo -e "\nBackup PAR-Archive /opt/fw/backup-par/*     tgz-scp=\c"
partgz=backup-par-`date +"%Y%m%d"`.tgz
cd /opt/fw
tar cvfz ${partgz} backup-par/* && scp ${partgz} backup-host.example.com:/opt/fw
if [ "$?" != "0" ]; then
        echo "failure"
        for email in ${mail_rcpt};do
                /opt/phion/bin/mailclt -f ${mail_from} -r ${email} -s "phionFW/Backup PAR backup-host scp-error" "scp-Transfer PAR-File ${partgz} to backup-host.example.com:/opt/fw failed."
        done
else
        echo "ok"
fi
echo "ready."
