Has anyone noticed some strange activity lately? Specifically, one of our customers has been hit by hundreds or thousands of machines that open SMTP connections to his boxes and then just sit there, leaving the connection idle. This wreaks havoc by creating tons and tons of Sendmail processes.
We fixed it by setting confTO_COMMAND to 3 minutes instead of the default one hour; we're seeing about one connection every few seconds timing out (and new ones coming into the start of the pipe, of course.) This is for a smallish ISP. I'm wondering if it's an attack specifically on our customer, or if there's a DDoS botnet (or a buggy spam-sending botnet) around?

Typical Sendmail log excerpt (trimmed somewhat):

15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
15:27:36 k04KOWAD016072: timeout waiting for input from 80.178.87.220.adsl.012.net.il during server cmd read
15:27:38 k04KOEAD015968: timeout waiting for input from abfh249.neoplus.adsl.tpnet.pl during server cmd read
15:28:00 k04KOoAD016164: timeout waiting for input from [200.55.54.94] during server cmd read
15:28:09 k04KP7AD016293: timeout waiting for input from 12-208-169-86.client.insightBB.com during server cmd read
15:28:13 k04KP5AD016263: timeout waiting for input from 213-238-114-168.adsl.inetia.pl during server cmd read
15:28:19 k04KPHAD016353: timeout waiting for input from f151173.upc-f.chello.nl during server cmd read
15:28:31 k04KPSAD016412: timeout waiting for input from 82-46-163-134.stb.ubr02.chwo.blueyonder.co.uk during server cmd read
15:28:31 k04KPUAD016422: timeout waiting for input from djz211.neoplus.adsl.tpnet.pl during server cmd read
15:28:35 k04KP1AD016270: timeout waiting for input from 200164210160.user.veloxzone.com.br during server cmd read
15:28:42 k04KPeAD016473: timeout waiting for input from xdsl-2217.elblag.dialog.net.pl during server cmd read
15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:45 k04KQiAD016923: timeout waiting for input from 20150212040.user.veloxzone.com.br during server cmd read
15:29:51 k04KQoAD016953: timeout waiting for input from 82-170-159-208.dsl.ip.tiscali.nl during server cmd read

Regards,

David.
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
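
Added example, not part of the original post: a small Python summary of "timeout waiting for input ... during server cmd read" lines, showing how many distinct sources are involved, which ones repeat, and the mean gap between timeouts. The sample log is constructed in the format of the excerpt above (documentation addresses and example.net hosts); the function names are hypothetical, and the timestamps are assumed not to cross midnight.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the trimmed format shown in the post; not real traffic.
SAMPLE = """\
15:27:32 k04AAAAD000001: timeout waiting for input from [192.0.2.54] during server cmd read
15:27:35 k04AABAD000002: timeout waiting for input from adsl-1.example.net during server cmd read
15:27:40 k04AACAD000003: from=<a@example.org>, size=120, nrcpts=1
15:27:44 k04AADAD000004: timeout waiting for input from adsl-2.example.net during server cmd read
15:28:02 k04AAEAD000005: timeout waiting for input from [198.51.100.7] during server cmd read
15:28:20 k04AAFAD000006: timeout waiting for input from adsl-1.example.net during server cmd read
"""

# Matches only the command-read timeout lines; other Sendmail log lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<qid>\w+): timeout waiting for input from "
    r"(?P<src>\S+) during server cmd read$"
)

def parse_timeouts(log_text):
    """Return (time, queue id, source) tuples for each command-read timeout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%H:%M:%S")
            # Sendmail logs unresolved peers as [a.b.c.d]; drop the brackets.
            events.append((when, m["qid"], m["src"].strip("[]")))
    return events

def summarize(events):
    """Count sources and compute the mean gap between timeouts in seconds."""
    per_source = Counter(src for _, _, src in events)
    mean_gap = None
    if len(events) > 1:
        span = (events[-1][0] - events[0][0]).total_seconds()
        mean_gap = span / (len(events) - 1)
    return {
        "timeouts": len(events),
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(s for s, n in per_source.items() if n > 1),
        "mean_gap_seconds": mean_gap,
    }

if __name__ == "__main__":
    print(summarize(parse_timeouts(SAMPLE)))
```

Many distinct sources with few repeats points to widely distributed clients, while a short list of repeat sources can be handled per host.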

