To whom it concerns,

I'm seeing a 100+ messages spooled for middleman.

It looks like it started sometime yesterday after Dizum fixed DNS.

--
Grant. . . .

In article <ul4kj3$r0i$1@tncsrv09.home.tnetconsulting.net>
>
> To whom it concerns,
>
> I'm seeing a 100+ messages spooled for middleman.
>
> It looks like it started sometime yesterday after Dizum fixed DNS.

Yep. Dizum has gone steadily downhill ever since.

mixmaster history latency uptime
--------------------------------------------
banana ******** 21:00 100.00%
beaufusil ************ 13:00 100.00%
ipsum *****#****** 11:00 100.00%
shalo ************ 12:00 100.00%
tncmm ##*####***** 5:00 100.00%
frell --+-+-++--++ 4:38:59 99.01%
frell2 ----------++ 5:23:59 98.84%
paranoia ********+*** 33:00 96.21%
middleman ********** 9:30 85.18%
slow ________.--- 82:27:00 74.60%
dizum **++*** 36:30 39.75%

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/10/23 10:13 AM, Grant Taylor wrote:
> To whom it concerns,
>
> I'm seeing a 100+ messages spooled for middleman.
>
> It looks like it started sometime yesterday after Dizum fixed DNS.

My pfSense setup is running Suricata with a whole bunch of newly-enabled
rules, and it's set to block for 24 hours the source address of any
communication that triggers an alert. So far, the vast majority of
alerts have been classified by Suricata as miscellaneous attacks. I've
suppressed a lot of rules that triggered blocks for protocol related
errors and software that I use on a regular basis.

I have the IP addresses of remailers in a pass list:

2a01:4f8:200:60a6::2
2a03:4000:3f:24b:14a1:1eff:fe82:32d1
5.181.51.40
45.33.28.24
45.66.35.221
77.1.130.120
84.173.194.212
88.80.28.20
91.228.53.8
107.161.26.232
144.76.182.167
2600:3c00:e000:1e9::8849

This list may very well be out of date, which is probably why there is
a lot of mail queued up on your remailer for middleman, and also why
middleman is dropping in the reliability stats. I've been monitoring
the stats, and I'm continuing to adjust Suricata so that it doesn't
block the IP addresses that are sending stuff that needs to get through.

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQT1kQVuxVq5rUrWjocRLhFEVzoxhQUCZXamcAAKCRARLhFEVzox
hRb5AQCIOpXroofRjEl09njipbjqnaPaRaZ9badIS7NtdLrbGAEAzzs7Z8IKjAPv
GEMSBIIq8tbe3ySlJBc0mD3yzBBKuQY=
=tFwa
-----END PGP SIGNATURE-----

On 12/11/23 00:08, Middleman Remailer Administrator wrote:
> My pfSense setup is running Suricata with a whole bunch of newly-enabled
> rules, and it's set to block for 24 hours the source address of any
> communication that triggers an alert. So far, the vast majority of
> alerts have been classified by Suricata as miscellaneous attacks. I've
> suppressed a lot of rules that triggered blocks for protocol related
> errors and software that I use on a regular basis.

I can understand and appreciate that.

I've run into similar with my security systems.

> I have the IP addresses of remailers in a pass list:

I'm getting the impression that something may not be working as desired
/ configured.

> 45.33.28.24

I say that because tncmm (45.33.28.24) is unable to establish a
connection with middleman (108.196.79.212) on TCP port 25, nor is tncmm
able to ping (ICMP) middleman.

% tcpdump -nni eth0 host 45.33.28.24 and host 108.196.79.212 and proto
TCP and port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:46:36.859849 IP 45.33.28.24.51266 > 108.196.79.212.25: Flags [S], seq
1305365682, win 64240, options [mss 1460,sackOK,TS val 1096625498 ecr
0,nop,wscale 7], length 0
08:46:37.863288 IP 45.33.28.24.51266 > 108.196.79.212.25: Flags [S], seq
1305365682, win 64240, options [mss 1460,sackOK,TS val 1096626502 ecr
0,nop,wscale 7], length 0
08:46:39.916627 IP 45.33.28.24.51266 > 108.196.79.212.25: Flags [S], seq
1305365682, win 64240, options [mss 1460,sackOK,TS val 1096628555 ecr
0,nop,wscale 7], length 0
08:46:43.969933 IP 45.33.28.24.51266 > 108.196.79.212.25: Flags [S], seq
1305365682, win 64240, options [mss 1460,sackOK,TS val 1096632608 ecr
0,nop,wscale 7], length 0
08:46:52.076682 IP 45.33.28.24.51266 > 108.196.79.212.25: Flags [S], seq
1305365682, win 64240, options [mss 1460,sackOK,TS val 1096640715 ecr
0,nop,wscale 7], length 0

Here's a trace route:

% traceroute -4 middleman.remailer.online
traceroute to middleman.remailer.online (108.196.79.212), 30 hops max,
60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 lo0-0.gw1.rin1.us.linode.com (45.79.12.101) 0.485 ms
lo0-0.gw2.rin1.us.linode.com (45.79.12.102) 0.403 ms
lo0-0.gw1.rin1.us.linode.com (45.79.12.101) 0.389 ms
6 ae60.r11.dfw01.ien.netarch.akamai.com (23.203.147.38) 1.286 ms
ae62.r12.dfw01.ien.netarch.akamai.com (23.203.147.40) 1.260 ms
ae60.r11.dfw01.ien.netarch.akamai.com (23.203.147.38) 1.290 ms
7 12.127.60.13 (12.127.60.13) 1.967 ms 12.127.229.25 (12.127.229.25)
1.603 ms 12.244.76.17 (12.244.76.17) 1.639 ms
8 * * *
9 * * *
10 * * *
11 * 32.130.17.83 (32.130.17.83) 35.670 ms 35.123 ms
12 12.123.241.213 (12.123.241.213) 33.520 ms 32.130.17.83
(32.130.17.83) 39.654 ms 12.123.241.213 (12.123.241.213) 37.459 ms
13 12.123.241.213 (12.123.241.213) 33.509 ms * 33.444 ms
14 * * *
15 75.26.64.202 (75.26.64.202) 32.932 ms 31.424 ms 32.952 ms
16 71.151.199.75 (71.151.199.75) 32.515 ms * 32.465 ms
17 71.151.199.75 (71.151.199.75) 33.658 ms 31.877 ms *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

> This list may very well be out of date,

Possibly. I know that I have to spend a little bit of time caring for
and feeding similar filters on tncmm.

> which is probably why there is a lot of mail queued up on your remailer
> for middleman,

Given that you have a correct IP for tncmm, I don't think that's the
problem this time.

> and also why
> middleman is dropping in the reliability stats. I've been monitoring
> the stats, and I'm continuing to adjust Suricata so that it doesn't
> block the IP addresses that are sending stuff that needs to get through.

I trust that you will get it figured out.

Please let me know if you need any additional data from tncmm or if
there is something I can do to help diagnose, extra tests, etc.

--
Grant. . . .

On 12/11/23 01:08, Middleman Remailer Administrator wrote:

> I have the IP addresses of remailers in a pass list:
>
> 2a01:4f8:200:60a6::2
> 2a03:4000:3f:24b:14a1:1eff:fe82:32d1
> 5.181.51.40
> 45.33.28.24
> 45.66.35.221
> 77.1.130.120
> 84.173.194.212
> 88.80.28.20
> 91.228.53.8
> 107.161.26.232
> 144.76.182.167
> 2600:3c00:e000:1e9::8849
>
> This list may very well be out of date, which is probably why there is
> a lot of mail queued up on your remailer for middleman, and also why
> middleman is dropping in the reliability stats. I've been monitoring
> the stats, and I'm continuing to adjust Suricata so that it doesn't
> block the IP addresses that are sending stuff that needs to get through.

Please whitelist my Shalo mixmaster remailer:
2.58.15.73
2a07:efc0:1001:a213::91

And my SEC3 pinger:
168.235.85.79
2604:180:f4::12b

--
SEC3

YAMN Help Tutorial - https://www.sec3.net/yamnhelp/

On 12/12/23 11:11, SEC3 wrote:
> On 12/11/23 01:08, Middleman Remailer Administrator wrote:
>
> > I have the IP addresses of remailers in a pass list:
> >
> > 2a01:4f8:200:60a6::2
> > 2a03:4000:3f:24b:14a1:1eff:fe82:32d1
> > 5.181.51.40
> > 45.33.28.24
> > 45.66.35.221
> > 77.1.130.120
> > 84.173.194.212
> > 88.80.28.20
> > 91.228.53.8
> > 107.161.26.232
> > 144.76.182.167
> > 2600:3c00:e000:1e9::8849

Also missing from this list is Beaufusil, a fairly new mixmaster remailer:

45.86.163.116
2001:1608:1b:7b5::18

--
SEC3

YAMN Help Tutorial - https://www.sec3.net/yamnhelp/

>
> On 12/12/23 11:11, SEC3 wrote:
>> On 12/11/23 01:08, Middleman Remailer Administrator wrote:
>>
>> > I have the IP addresses of remailers in a pass list:
>> >
>> > 2a01:4f8:200:60a6::2
>> > 2a03:4000:3f:24b:14a1:1eff:fe82:32d1
>> > 5.181.51.40
>> > 45.33.28.24
>> > 45.66.35.221
>> > 77.1.130.120
>> > 84.173.194.212
>> > 88.80.28.20
>> > 91.228.53.8
>> > 107.161.26.232
>> > 144.76.182.167
>> > 2600:3c00:e000:1e9::8849
>
> Also missing from this list is Beaufusil, a fairly new mixmaster
remailer:
>
> 45.86.163.116
> 2001:1608:1b:7b5::18
>
> --
> SEC3
>
> YAMN Help Tutorial - https://www.sec3.net/yamnhelp/
>

trial 2