Re: [OT] Seeing increase in smtp concurrency ?
Quoting Rajkumar S [EMAIL PROTECTED]:

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

On 06.09.07 11:09, Jeff Chan wrote:

Some botnets are starting to hold mail connections open for much longer after getting a 5xxx blacklist response. Reason is unknown; could be coding errors or deliberate.

Many people are changing their smtpd timeouts from the RFC 300 seconds down to 45 seconds:

Some people are even using 10 seconds, which seems short to me. The RFC requires 300 seconds.

It requires 300 seconds this way:

An SMTP server SHOULD have a timeout of at least 5 minutes while it is awaiting the next command from the sender. (RFC 2821, section 4.5.3.2).

SHOULD means unless you have good reason (RFC 2119). Preventing being DoSed is a good reason. I think lowering maybe to 60 seconds is not a problem.

btw maybe someone could gather a list of those IPs and create a blacklist...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: [OT] Seeing increase in smtp concurrency ?
Henrik Krohns writes:

On Fri, Sep 07, 2007 at 02:20:21AM -0500, Jeff Chan wrote:

Quoting Henrik Krohns [EMAIL PROTECTED]:

On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:

I knew things like this would eventually happen. Spammers basically have infinite resources, they can deliver us a LOT of hurt when they wish to. I can think of a lot worse things they could do - and probably will :-(

You are mixing things up. Spammers want to send as much stuff as possible. Evil hackers/kiddies/whatever are the ones that want to shut you down.

Spam gangs, virus writers, phishers, bot herders, etc., tend to be many of the same criminals. The Storm malware can send spam, do ddos, infect other machines, etc. Some of the authors of spamware were found to also be authors of viruses and malware.

Ok, they may be some of the same people, but when they are operating as Spammers, I doubt they have delaying mail in mind. They don't particularly care what happens to your MTA -- they just want to push out as many messages as possible, to as many addresses as possible. If this overwhelms some smaller sites, c'est la vie, I'd guess.

--j.
Re: [OT] Seeing increase in smtp concurrency ?
On Fri, 7 Sep 2007, Jason Haar wrote:

| What if SMTP servers report a 5XX and then drop the connection? I know
| that's not compliant, but a real mail server would have got the 5XX and
| so (mainly) wouldn't retry, and a spammer would have their connection
| terminated.

In exim-speak this is drop instead of deny.

drop: This verb behaves like deny, except that an SMTP connection is forcibly closed after the 5xx error message has been sent.

--
Chris Edwards, Glasgow University Computing Service
Re: [OT] Seeing increase in smtp concurrency ?
Quoting Henrik Krohns [EMAIL PROTECTED]:

On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:

I knew things like this would eventually happen. Spammers basically have infinite resources, they can deliver us a LOT of hurt when they wish to. I can think of a lot worse things they could do - and probably will :-(

You are mixing things up. Spammers want to send as much stuff as possible. Evil hackers/kiddies/whatever are the ones that want to shut you down.

Spam gangs, virus writers, phishers, bot herders, etc., tend to be many of the same criminals. The Storm malware can send spam, do ddos, infect other machines, etc. Some of the authors of spamware were found to also be authors of viruses and malware.

http://www.theregister.co.uk/2007/06/11/anti-spam_ddos/
Anti-spam sites weather DDoS assault | The Register

Jeff C.
Re: [OT] Seeing increase in smtp concurrency ?
Hi all,

probably more a sendmail question, and I googled around, but maybe someone can give me a short input.

For 5xx I have

$#error $@ 5.7.1 $: 550 Mail from [ ${client_addr} ] Rejected.

in my sendmail.cf. Does anybody know how I have to change it to 421?

$#error $@ 4.2.1 $: 421 Mail from [ ${client_addr} ] Rejected.

??

Reducing the timeout didn't really help, so I would like to give 421 a try.

Matthias
[OT] Seeing increase in smtp concurrency ?
Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj
Re: [OT] Seeing increase in smtp concurrency ?
Quoting Rajkumar S [EMAIL PROTECTED]:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Some botnets are starting to hold mail connections open for much longer after getting a 5xxx blacklist response. Reason is unknown; could be coding errors or deliberate.

Many people are changing their smtpd timeouts from the RFC 300 seconds down to 45 seconds:

http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:

## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s

Some people are even using 10 seconds, which seems short to me. The RFC requires 300 seconds.

Jeff C.
Re: [OT] Seeing increase in smtp concurrency ?
Rajkumar S wrote:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Hi,

Yup, I've seen that across all the mail servers I manage. Seems the latest crop of Zombies don't disconnect correctly.

For qmail I added the file timeoutsmtpd in /var/qmail/control with a value of 180 inside it (default is 7200) and it seems to have fixed the problem without causing any new problems.

Mind you these are external MX servers and there are no dialup users connecting to them, if there were end users connecting I'd probably raise that 180 to 300 or maybe even 600.

Regards,

Rick
RE: [OT] Seeing increase in smtp concurrency ?
It's interesting you say that I don't give a response (most of the time they're not there to receive it anyway and it clogs up my server with undeliverable email - especially in BIG spam attacks). I have not experienced this with my servers at all. Last week, a friend of mine that owns a very large spam filtering/relay company got hit hard with this issue. With all this, my graphs have not budged. I'm thinking it was deliberate.

-----Original Message-----
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 06, 2007 11:10 AM
To: Rajkumar S
Cc: users@spamassassin.apache.org
Subject: Re: [OT] Seeing increase in smtp concurrency ?

Quoting Rajkumar S [EMAIL PROTECTED]:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Some botnets are starting to hold mail connections open for much longer after getting a 5xxx blacklist response. Reason is unknown; could be coding errors or deliberate.

Many people are changing their smtpd timeouts from the RFC 300 seconds down to 45 seconds:

http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:

## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s

Some people are even using 10 seconds, which seems short to me. The RFC requires 300 seconds.

Jeff C.
Re: [OT] Seeing increase in smtp concurrency ?
Rajkumar S wrote:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

Yeah, two weekends ago our mail servers got absolutely slammed with connections that were left open. They'd get rejected, and then leave the connection open for a while, then try again, and so on. Our count of exim processes per server went up from our already higher-than-it-recently-used-to-be 500 to around 1,000.

This continued on Monday, climbing to around 1300. Restarting exim and killing off these old connections would only relieve it for ten minutes or less. When it hit 1500, we moved a few of our rbls to the connect phase, which brought it down to about 150 exim procs.

Yeesh...

--
Gus
Re: [OT] Seeing increase in smtp concurrency ?
Johnson, S wrote:

It's interesting you say that I don't give a response (most of the time they're not there to receive it anyway and it clogs up my server with undeliverable email - especially in BIG spam attacks). I have not experienced this with my servers at all. Last week, a friend of mine that owns a very large spam filtering/relay company got hit hard with this issue.

I think Jeff was talking about a 5xx response in the SMTP transaction, not generating a bounce message after the fact.

When you say your friend was hit with this issue, do you mean the server was clogged with undeliverable bounces, or do you mean they saw spammers hanging onto open connections longer than reasonable in a sort of reverse-tarpit?

--
Kelson Vibber
SpeedGate Communications www.speed.net
Re: [OT] Seeing increase in smtp concurrency ?
On 9/6/07, Jeff Chan [EMAIL PROTECTED] wrote:

Quoting Rajkumar S [EMAIL PROTECTED]:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Some botnets are starting to hold mail connections open for much longer after getting a 5xxx blacklist response. Reason is unknown; could be coding errors or deliberate.

Many people are changing their smtpd timeouts from the RFC 300 seconds down to 45 seconds:

http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:

## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s

Some people are even using 10 seconds, which seems short to me. The RFC requires 300 seconds.

Jeff C.

Same problem here on several servers. Reducing the timeout helps, but violates RFC and is simply reducing the effects rather than fixing the issue. Is there any RFC valid way for a server to hang up on a client, especially after a 5xx?

-Aaron
Re: [OT] Seeing increase in smtp concurrency ?
Aaron Wolfe wrote:

Same problem here on several servers. Reducing the timeout helps, but violates RFC and is simply reducing the effects rather than fixing the issue. Is there any RFC valid way for a server to hang up on a client, especially after a 5xx?

What if SMTP servers report a 5XX and then drop the connection? I know that's not compliant, but a real mail server would have got the 5XX and so (mainly) wouldn't retry, and a spammer would have their connection terminated.

Is there any real downside to this? (one I can think of: mailing-list broadcasts would be slowed down due to retries if invalid addresses were present...)

I knew things like this would eventually happen. Spammers basically have infinite resources, they can deliver us a LOT of hurt when they wish to. I can think of a lot worse things they could do - and probably will :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [OT] Seeing increase in smtp concurrency ?
Aaron Wolfe wrote:

On 9/6/07, Jeff Chan [EMAIL PROTECTED] wrote:

Quoting Rajkumar S [EMAIL PROTECTED]:

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and all experience the same problem. The spam does not increase, but this is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mtrg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Some botnets are starting to hold mail connections open for much longer after getting a 5xxx blacklist response. Reason is unknown; could be coding errors or deliberate.

Many people are changing their smtpd timeouts from the RFC 300 seconds down to 45 seconds:

http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:

## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s

Some people are even using 10 seconds, which seems short to me. The RFC requires 300 seconds.

Jeff C.

Same problem here on several servers. Reducing the timeout helps, but violates RFC and is simply reducing the effects rather than fixing the issue. Is there any RFC valid way for a server to hang up on a client, especially after a 5xx?

If you suspect this is a zombie (pbl.spamhaus.org, generic rDNS, faraway, completely broken smtp client...), then return 421 and close the connection instead of returning 5xx.
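A minimal sketch of the two server-side behaviours discussed in this thread: a connect-phase 5xx followed by an immediate close, and a short idle timeout that ends with 421. It is added here as an illustration and is not code from any poster or MTA; the function names, the blocklist set standing in for an RBL lookup, the reply texts and the sub-second timeouts are assumptions chosen so it runs quickly on localhost.

```python
import asyncio
import time


def make_handler(blocklist, idle_timeout):
    """Build a connection handler; `blocklist` stands in for an RBL lookup."""
    async def handle(reader, writer):
        ip = writer.get_extra_info("peername")[0]
        try:
            if ip in blocklist:
                # Connect-phase reject, then hang up ("drop" rather than "deny").
                writer.write(b"554 5.7.1 Rejected by policy\r\n")
                return
            writer.write(b"220 mx.example.test ESMTP\r\n")
            while True:
                try:
                    line = await asyncio.wait_for(reader.readline(), idle_timeout)
                except asyncio.TimeoutError:
                    # Idle client: say 421 and close instead of holding the slot.
                    writer.write(b"421 4.4.2 Idle timeout, closing connection\r\n")
                    return
                if not line:
                    return  # client hung up first
                if line.strip().upper() == b"QUIT":
                    writer.write(b"221 2.0.0 Bye\r\n")
                    return
                writer.write(b"502 5.5.1 Command not implemented in this sketch\r\n")
        finally:
            try:
                await writer.drain()
            except ConnectionError:
                pass
            writer.close()
    return handle


async def silent_client(blocklist, idle_timeout):
    """Connect, send nothing, and return (server output, seconds the slot was held)."""
    server = await asyncio.start_server(
        make_handler(blocklist, idle_timeout), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    start = time.monotonic()
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    data = await reader.read()  # returns at EOF, i.e. when the server hangs up
    held = time.monotonic() - start
    writer.close()
    server.close()
    return data.decode(), held
```

Running `asyncio.run(silent_client({"127.0.0.1"}, 5.0))` shows a listed client released right after its 554, while `asyncio.run(silent_client(set(), 0.3))` shows a silent client holding a slot only for the idle timeout.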
Re: [OT] Seeing increase in smtp concurrency ?
On 9/6/07, Rick Macdougall [EMAIL PROTECTED] wrote:

For qmail I added the file timeoutsmtpd in /var/qmail/control with a value of 180 inside it (default is 7200) and it seems to have fixed the problem without causing any new problems.

Thanks, I have changed timeoutsmtpd to 60 and the server is now breathing easy :) The effect is pretty dramatic in the graph.

http://img464.imageshack.us/img464/4921/smtpdaysr7.png

raj