On 8/31/07 11:24 PM, "Mark Rigby-Jones" <[EMAIL PROTECTED]> wrote:
> On 31 Aug 2007, at 13:44, Chris Edwards wrote:
>> Do you find the same zombie IPs re-connecting sufficiently often to
>> make this worthwhile ? Or is there an effectively infinite pool of
>> zombies, each only connecting once ?
>
> In this particular case, they were - in fact they were even opening
> multiple simultaneous connections (until I dropped
> smtp_accept_max_per_host from 4 to 1 for off-net hosts) and
> re-connecting quite aggressively each time a connection was timed out.
> This, from numerous (dozens, certainly) different IP addresses to
> multiple mail servers on our side. After I made those changes, the
> number of concurrent connections began to drop down from being nailed
> up to the limit as it had been since the attack started, allowing
> legitimate emails to get through.
>

I notice that iptables is blocking and logging packets for "invalid TCP state" from the same hosts that are pushing up the connection counts. This has increased greatly over the past 5 days (up by a factor of 5 or so per the logs on one server).

--John
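The question raised in the thread, whether the same IPs reconnect often enough for per-host limits or blocks to pay off, can be measured from the connection log. The sketch below is an added example, not code from either poster or from the Exim project; the log lines are constructed and their format (modelled on Exim's connection logging) is an assumption.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges); the line format is an
# assumption modelled on Exim's SMTP connection logging.
SAMPLE_LOG = """\
2007-08-31 13:40:01 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
2007-08-31 13:40:02 SMTP connection from [192.0.2.10] (TCP/IP connection count = 2)
2007-08-31 13:40:03 SMTP connection from [198.51.100.7] (TCP/IP connection count = 3)
2007-08-31 13:40:04 SMTP connection from [203.0.113.5] (TCP/IP connection count = 4)
2007-08-31 13:40:09 SMTP connection from [192.0.2.10] lost
2007-08-31 13:40:10 SMTP connection from [192.0.2.10] (TCP/IP connection count = 4)
2007-08-31 13:40:11 SMTP connection from [198.51.100.7] (TCP/IP connection count = 5)
2007-08-31 13:40:12 SMTP connection from [203.0.113.9] (TCP/IP connection count = 6)
2007-08-31 13:40:15 SMTP connection from [198.51.100.7] (TCP/IP connection count = 6)
2007-08-31 13:40:16 SMTP connection from [192.0.2.10] (TCP/IP connection count = 7)
"""

# Match only connection-open lines; "lost"/"closed" lines for the same
# host must not be counted as new connections.
CONN_RE = re.compile(
    r"SMTP connection from [^\[]*\[([^\]]+)\](?::\d+)? \(TCP/IP connection count"
)

def connection_counts(log_text):
    """Return a Counter of new SMTP connections per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def repeat_stats(counts, threshold=2):
    """Summarise how much of the load comes from hosts seen >= threshold times."""
    total = sum(counts.values())
    repeaters = {ip: n for ip, n in counts.items() if n >= threshold}
    return {
        "hosts": len(counts),
        "repeat_hosts": len(repeaters),
        "connections": total,
        # Share of all connections that a per-host limit or block would touch
        "repeat_share": sum(repeaters.values()) / total if total else 0.0,
    }

if __name__ == "__main__":
    print(repeat_stats(connection_counts(SAMPLE_LOG)))
```

A high `repeat_share` matches the situation described in the reply (the same hosts reconnecting aggressively); a share near zero would indicate a pool of hosts that each connect once.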
