Stephen S. Kelley writes:
A client's courieresmtp service stopped accepting connections until restarted. Examination of the logs show a storm of spam email connections from an address with a pattern [EMAIL PROTECTED] where
The email itself was typical spam of size 3KB. The unusual thing was
that the connections were from about 15 different IP addresses scattered
all over the place.
Logs also show the usual regular "Started ./courieresmtp, pid=xxx,
That's outgoing esmtp, has nothing to do with incoming esmtp.
esmtpd is designed to refuse additional connections when any upper limit is reached. The way you've set up your parameters is that an attacker needs only eight different IP addresses, or two different /24s, to completely use up all available incoming connections.maxdels=40, maxhost=4, maxrcpt=100" messages after the spam storm stopped though the server refused connections port 25 connections until restarted about 36 hours later. Esmpt appears to be the only service that had problems: local mail and pop continued to function. The only abnormal thing I noticed in the sar log for the 10min period containing the spam storm was a bufpg/s=-7 which was unusually low and a plist-sz=185 which was unusually high. /etc/esmtpd contains (among other things): MAXDAEMONS=75 MAXPERC=50 MAXPERIP=10 Other than coming from many IP addresses at the same time, this looks like a typical, though more intense, spam pattern. The amount of incoming emails was probably the highest the server (dual 300Mhz, 500MB RAM RedHat 8.0 on 1/4 T1 DSL) ever had, but I don't think close to overwhelming the hardware or OS. Is there anything I can do to prevent the esmptd service from refusing connections if similar circumstances occur in the future? Why didn't the courieresmtp restart clear the problem?
You accept a maximum of 75 incoming ESMTP connections, but allow up to ten connections from the same IP address, or 50 connections from the same /24. The math just doesn't add up.
There's no reason to accept more than four concurrent ESMTP connections from the same IP address. Reduce MAXPERC to 10, and MAXPERIP to 4.
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
