Hi,
I've added some sendmail rules to catch mail hammering but strangely they are not fired:
<rule id="103107" level="7">
  <if_sid>3101</if_sid>
  <regex>reject=421 4.3.2 Connection rate limit exceeded|reject=421 4.3.2 Too many open connections|due to pre-greeting traffic</regex>
  <description>Anti-flood warning</description>
</rule>
<rule id="103157" level="10" frequency="6" timeframe="120">
  <if_matched_sid>103107</if_matched_sid>
  <same_source_ip />
  <description>Multiple Anti-flood warnings - Hammering ?</description>
</rule>
Rule id 103107 is sometimes fired but 103157 is never fired.
For example, these entries:
Oct 11 09:33:57 shax sm-mta[14188]: ruleset=check_relay, arg1=[58.50.242.169], arg2=58.50.242.169, relay=[58.50.242.169], reject=421 4.3.2 Too many open connections.
Oct 11 09:34:02 shax sm-mta[14191]: ruleset=check_relay, arg1=[58.50.242.169], arg2=58.50.242.169, relay=[58.50.242.169], reject=421 4.3.2 Too many open connections.
fired rule 103107 and of course it didn't fire 103157 because of too low a frequency.
Strangely, this:
Oct 9 15:40:39 shax sm-mta[18848]: ruleset=check_relay, arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197], reject=553 5.3.0 Mail from 203.114.112.197 rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197
Oct 9 15:40:59 shax sm-mta[18975]: ruleset=check_relay, arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197], reject=553 5.3.0 Mail from 203.114.112.197 rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197
Oct 9 15:41:39 shax sm-mta[19043]: ruleset=check_relay, arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197], reject=553 5.3.0 Mail from 203.114.112.197 rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197
Oct 9 15:41:45 shax sm-mta[19044]: ruleset=check_relay, arg1=[203.114.112.197], arg2=127.0.0.4, relay=[203.114.112.197], reject=553 5.3.0 Mail from 203.114.112.197 rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197
Oct 9 15:42:20 shax sm-mta[19546]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:20 shax sm-mta[19547]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:21 shax sm-mta[19548]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:22 shax sm-mta[19550]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:23 shax sm-mta[19551]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:42 shax sm-mta[19810]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:43 shax sm-mta[19811]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:44 shax sm-mta[19812]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:45 shax sm-mta[19813]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:48 shax sm-mta[19816]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Too many open connections.
Oct 9 15:42:49 shax sm-mta[19817]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Connection rate limit exceeded.
Oct 9 15:42:53 shax sm-mta[19818]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Connection rate limit exceeded.
Oct 9 15:43:22 shax sm-mta[19906]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Connection rate limit exceeded.
Oct 9 15:43:23 shax sm-mta[19907]: ruleset=check_relay, arg1=[203.114.112.197], arg2=203.114.112.197, relay=[203.114.112.197], reject=421 4.3.2 Connection rate limit exceeded.
should have fired at least 3 alerts:
- 3103 (reject=553 5.3.0)
- 103107 (reject=421 4.3.2)
- 103157 (multiple 103107)
Can you point me to where I'm wrong?
Thanks.
Bye
Sioban
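The question above is about a composite rule (frequency + timeframe + same_source_ip) that never fires. As an added example (editor's code, not part of Sioban's post and not OSSEC's own implementation), here is a small Python model of what those two rules express, run over constructed copies of the log lines quoted in the post. It assumes the source IP comes from the relay=[...] field; the real rule depends on the decoder having populated srcip for each event, which is the first thing to verify with ossec-logtest, because an event with no decoded source IP can never be counted by <same_source_ip />. The model applies the configured frequency literally; OSSEC's documentation notes that the real trigger count is higher than the configured value, so treat the threshold here as illustrative rather than exact.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rule 103107 as posted: OSSEC's "|" alternation maps directly onto Python's.
RULE_103107 = re.compile(
    r"reject=421 4\.3\.2 Connection rate limit exceeded"
    r"|reject=421 4\.3\.2 Too many open connections"
    r"|due to pre-greeting traffic"
)
# Rule 103157 as posted: frequency="6" timeframe="120" with <same_source_ip />.
FREQUENCY = 6
TIMEFRAME = 120  # seconds

# Assumption: the source IP is taken from the relay=[a.b.c.d] field. This stands in
# for the decoder's srcip, without which <same_source_ip /> has nothing to compare.
RELAY_IP = re.compile(r"relay=\[(\d+\.\d+\.\d+\.\d+)\]")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")


def parse(line):
    """Return (timestamp, srcip) for a sendmail syslog line, or None if it cannot be decoded."""
    m = TIMESTAMP.match(line)
    ip = RELAY_IP.search(line)
    if not m or not ip:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900 and only deltas matter here.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), ip.group(1)


def correlate(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Model of the two rules: returns (rule_id, srcip, timestamp) alerts in event order.

    Each 103107 match is added to a per-source-IP sliding window; once that window
    holds `frequency` matches within `timeframe` seconds, 103157 fires and the window
    is cleared so that one burst yields one composite alert.
    """
    alerts = []
    window = defaultdict(list)
    for line in lines:
        decoded = parse(line)
        if decoded is None or not RULE_103107.search(line):
            continue  # undecodable, or not an anti-flood reject: neither rule applies
        ts, ip = decoded
        alerts.append((103107, ip, ts))
        hits = [t for t in window[ip] if (ts - t).total_seconds() <= timeframe] + [ts]
        if len(hits) >= frequency:
            alerts.append((103157, ip, ts))
            hits = []
        window[ip] = hits
    return alerts


def sm_line(ts, pid, ip, reject):
    """Build a constructed sendmail check_relay line in the shape quoted in the post."""
    return (f"{ts} shax sm-mta[{pid}]: ruleset=check_relay, arg1=[{ip}], "
            f"arg2={ip}, relay=[{ip}], reject={reject}")


# Constructed samples mirroring the post's two excerpts (same IPs, times and messages).
TOO_MANY = "421 4.3.2 Too many open connections."
RATE = "421 4.3.2 Connection rate limit exceeded."
IP9 = "203.114.112.197"
OCT9 = [sm_line("Oct 9 15:40:39", 18848, IP9, "553 5.3.0 Mail from 203.114.112.197 "
                "rejected;see:http://www.spamhaus.org/query/bl?ip=203.114.112.197")]
OCT9 += [sm_line("Oct 9 15:" + t, pid, IP9, msg) for t, pid, msg in [
    ("42:20", 19546, TOO_MANY), ("42:20", 19547, TOO_MANY), ("42:21", 19548, TOO_MANY),
    ("42:22", 19550, TOO_MANY), ("42:23", 19551, TOO_MANY), ("42:42", 19810, TOO_MANY),
    ("42:43", 19811, TOO_MANY), ("42:44", 19812, TOO_MANY), ("42:45", 19813, TOO_MANY),
    ("42:48", 19816, TOO_MANY), ("42:49", 19817, RATE), ("42:53", 19818, RATE),
    ("43:22", 19906, RATE), ("43:23", 19907, RATE),
]]
IP11 = "58.50.242.169"
OCT11 = [sm_line("Oct 11 09:33:57", 14188, IP11, TOO_MANY),
         sm_line("Oct 11 09:34:02", 14191, IP11, TOO_MANY)]

if __name__ == "__main__":
    for label, sample in (("Oct 9", OCT9), ("Oct 11", OCT11)):
        print(label)
        for rule_id, ip, ts in correlate(sample):
            print(f"  {ts:%H:%M:%S} rule {rule_id} srcip={ip}")
```

On the Oct 9 sample the model raises fourteen 103107 alerts and two 103157 alerts (at 15:42:42 and 15:42:53), while the Oct 11 pair stays below the threshold, which is the behaviour the post expects. Where a deployed ruleset diverges from this, the gap is usually in what the decoder extracts rather than in the regex, so comparing the decoded fields from ossec-logtest against the ones this model assumes is the practical next check.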