--On Friday, October 27, 2006 11:34 -0700 "An.H.Nguyen" <[EMAIL PROTECTED]> wrote:
> Both of my Solaris sendmail gateways started to have some problems since Oct.14 when the "Possible SMTP attack: command=HELO/EHLO, count=3" appeared.
> - Sendmail stops responding for a short time then came back, this happens several times a day
We've had occasional load problems yesterday and today. We had the Yahoo craziness where they keep tempfailing, but I am wondering now whether it is the HELO attack. We have 55,000 a day spread over five servers. Each one of the connections takes a few minutes to handle because of sendmail's slowdown when it happens.

I very briefly tried MAXHELOCOMMANDS 1 on one server (instead of 3), but that catches legit servers, so it's not useful at all.

Possibly a better approach would be setting MAXHELOCOMMANDS high, so there is no slowdown. The messages themselves get rejected as recipient unknown, host in Spamhaus, and other reasons, so maybe we should just handle them as fast as we can. The 55,000 came from 29,000 different IP addresses, so slowing down the sender may not be significant in discouraging this.

Note, changing MAXHELOCOMMANDS means recompiling sendmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology

_______________________________________________
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
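Added example, not part of the original message and not sendmail or MIMEDefang code: a tally of "possible SMTP attack" log entries per client IP, which gives the events-to-distinct-IPs ratio the reply reasons from (55,000 events across 29,000 addresses) when judging whether slowing individual senders helps. The log line layout in the regex is an assumption, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Assumed log layout: "<client name> [<ip>]: possible SMTP attack: command=<cmd>, count=<n>"
ATTACK_RE = re.compile(
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)",
    re.IGNORECASE,
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = [
    "Oct 27 11:02:13 mx1 sendmail[20411]: k9RI2Dxx020411: host-a.example.net [192.0.2.10]: "
    "possible SMTP attack: command=HELO/EHLO, count=3",
    "Oct 27 11:02:15 mx1 sendmail[20415]: k9RI2Fxx020415: [198.51.100.7]: "
    "Possible SMTP attack: command=HELO/EHLO, count=3",
    "Oct 27 11:04:40 mx1 sendmail[20502]: k9RI4exx020502: host-a.example.net [192.0.2.10]: "
    "possible SMTP attack: command=HELO/EHLO, count=3",
    "Oct 27 11:05:01 mx1 sendmail[20510]: k9RI51xx020510: [203.0.113.5]: "
    "possible SMTP attack: command=NOOP, count=20",
    "Oct 27 11:05:09 mx1 sendmail[20512]: k9RI59xx020512: from=<a@example.org>, size=1204, "
    "relay=host-c.example.org [203.0.113.9]",
    "Oct 27 11:06:30 mx1 sendmail[20530]: k9RI6Uxx020530: [IPv6:2001:db8::25]: "
    "possible SMTP attack: command=HELO/EHLO, count=3",
]

def tally(lines, command="HELO/EHLO"):
    """Count attack log entries per client IP for one SMTP command."""
    per_ip = Counter()
    for line in lines:
        m = ATTACK_RE.search(line)
        if m and m.group("cmd") == command:
            per_ip[m.group("ip")] += 1
    return per_ip

def summarize(per_ip, repeat_threshold=2):
    """Report how concentrated the events are among repeat sources."""
    events = sum(per_ip.values())
    repeat_events = sum(n for n in per_ip.values() if n >= repeat_threshold)
    return {
        "events": events,
        "distinct_ips": len(per_ip),
        "repeat_ips": sum(1 for n in per_ip.values() if n >= repeat_threshold),
        "repeat_share": repeat_events / events if events else 0.0,
    }

if __name__ == "__main__":
    print(summarize(tally(SAMPLE_LOG)))
```

A low `repeat_share` means most events come from addresses seen only once, the situation the reply describes, where per-sender slowdown has little to act on.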

