A client's courieresmtp service stopped accepting connections until restarted. Examination of the logs shows a storm of spam email connections from an address with a pattern [EMAIL PROTECTED] where the X's are various letters and numbers. The to addresses were all sorts of names, almost none of which corresponded to actual accounts. Logs show up to 10 esmtp connections/second for about 4 minutes, which spilled over to secondary and tertiary mail servers.
The email itself was typical spam of size 3KB. The unusual thing was that the connections were from about 15 different IP addresses scattered all over the place. Logs also show the usual regular "Started ./courieresmtp, pid=xxx, maxdels=40, maxhost=4, maxrcpt=100" messages after the spam storm stopped, though the server refused port 25 connections until restarted about 36 hours later. Esmtp appears to be the only service that had problems: local mail and pop continued to function.

The only abnormal thing I noticed in the sar log for the 10min period containing the spam storm was a bufpg/s=-7, which was unusually low, and a plist-sz=185, which was unusually high.

/etc/esmtpd contains (among other things):

    MAXDAEMONS=75
    MAXPERC=50
    MAXPERIP=10

Other than coming from many IP addresses at the same time, this looks like a typical, though more intense, spam pattern. The amount of incoming emails was probably the highest the server (dual 300MHz, 500MB RAM, RedHat 8.0 on 1/4 T1 DSL) ever had, but I don't think it was close to overwhelming the hardware or OS.

Is there anything I can do to prevent the esmtpd service from refusing connections if similar circumstances occur in the future? Why didn't the courieresmtp restart clear the problem?

Thanks!

P.S. Courier rocks! The feature set is immense and I love the range of authentication methods. Thanks and congratulations to the heroes who maintain and provide this great (and I think better) alternative to sendmail or exchange.

Stephen S. Kelley, President
VirtuState, Inc.
[EMAIL PROTECTED]
http://www.virtustate.com
