Bob,
The CPU was spiking to 100% 1-2 times/per second at about a 50%-70% duty
cycle rate (real rough estimate) and completely shut down SMTP to my users.
Multiple instances of smtp(d) were running, each adding to this spiking. I
actually saw the CPU flatline at 100% when I tried to duplicate this and
sent 10 messages in a row to a mail list I had set up.
It's real fun to remotely administer a server in which your response time is
click, wait, wait, wait, wait, get a soda, wait, OK. :-)
Roger
----- Original Message -----
From: Robert Stull <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 08, 1999 4:34 AM
Subject: Re: [IMail Forum] iMail DOS attack
> IMailSrv was running 100%?
>
> Bob
>
> ---------- Original Message ----------------------------------
> From: "Roger Weiss" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 8 Oct 1999 00:53:25 -0700
>
> >Found that iMail was running 100% duty cycles today, the first time for a
> >long time!
> >
> >After shutting down iMail and killing smpt32d.exe I think I finally
figured
> >this out. If anyone has seen this before please let me know. The only way
I
> >found to stop this was to deny access to smtp32d.exe for execution by the
> >system.
> >
> >1. Add a user called john
> >2. Create a mail list called john
> >3. Make [EMAIL PROTECTED] the list administrator
> >4. Add john as the only member of the list
> >5. Set up the list so that it requires that posts to the list be approved
by
> >the list administrator, who happens to be [EMAIL PROTECTED]
> >6. Now send email to [EMAIL PROTECTED] with large (1 MB + ) binary
> >attachments.
> >Goto 6
> >
> > Watch the CPU grind to a halt as it sends this message to john
numerous
> >times, copying around this large binary file. The queue file shows that
john
> >sent the message numerous times.
> >Also watch your disk space wither away as the log file grows.
> >
> >Here is what one of the files that was being sent looks like. Note the
> >X-Sender is [EMAIL PROTECTED]
> >which is repeated 1100+ times.
> >
> ><< REGULAR MAIL HEADER APPEARS HERE>>
> >From: "[EMAIL PROTECTED]"
> >Subject: This will make you laugh your ass off ...
> >To: [EMAIL PROTECTED]
> >MIME-Version: 1.0
> >Content-Type: multipart/mixed; boundary="0-846930886-939256781=:17526"
> >X-Sender: [EMAIL PROTECTED]
> >
> > <<< AN ADDITIONAL 1100+ lines exactly like above go here >>>
> >
> >X-Sender: [EMAIL PROTECTED]
> >Precedence: bulk
> >Sender: [EMAIL PROTECTED]
> >
> >--0-846930886-939256781=:17526
> >Content-Type: text/plain; charset=us-ascii
> >Content-Disposition: inline
> >
> >=====
> >
> >__________________________________________________
> >Do You Yahoo!?
> >Bid and sell for free at http://auctions.yahoo.com
> >--0-846930886-939256781=:17526
> >Content-Type: audio/wav; name="Delta.wav"
> >Content-Transfer-Encoding: base64
> >Content-Description: Delta.wav
> >Content-Disposition: attachment; filename="Delta.wav"
> >
> >UklGRvDQDABXQVZFZm10IBAAAAABAAEAESsAABErAAABAAgAZGF0YXnQDACC
> ><<< REST OF BINARY DATA GOES HERE, all 1MB of it >>>
> >34OEhYOAgYKAfn+ChIODg4GCg4OCgX+AgoGBgoSHhYSFh4iHiY2LiYiGiIiF
> >
> >
> >
> >
> >
> >
> >
> >
> >Please visit http://www.ipswitch.com/support/mailing-lists.html
> >to be removed from this list.
> >
>
> --
> R. Stull
> Programmer and
> C++ code demolitions expert
> Ipswitch, Inc.
> http://www.ipswitch.com/
> --
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
