Hi,

I read in the mailing list archive that users of the previous major version (3)
of spamdyke had experienced this behavior.

I sometimes find zombie processes (qmail-smtpd) whose parent process is
spamdyke.
Lately the frequency with which I'm experiencing this is increasing, and now I
have at least 2-3 zombie processes per day.
Normally this happens during the night, but today it happened between 12-13 pm.
Checking the logs, I found that there was a huge number of connections, which
saturated all the channels.

Most of the logs are of this kind:

CHKUSER accepted sender: from <[email protected]::All> remote <do.not.use.this.dns.server.anymore.123.in-addr.arpa:unknown:123.22.59.216> rcpt <> : sender accepted

with an empty or nonexistent recipient, and the signature
"do.not.use.this.dns.server.anymore.XXX.in-addr.arpa"
in what should be (if I'm not wrong) the HELO parameter.

(BTW, which DNS could reply with that signature?  OpenDNS?)

I read in the changelog that HELO filtering is planned for the next release.
I suppose nothing can be done at the moment with version 4.0.10, right?

Do you think that the frequency of zombie processes could be related to the
number of connections per second? In that case, could terminating connections
which have blacklisted keywords in the HELO parameter cure the problem?

I do not have FULL logs.  I guess I could keep it monitored and enable full
logging for a short period of time (because this happens on a production
machine which is normally moderately-to-heavily loaded) during these attacks,
if it can be useful.

Open to all suggestions.

regards,
Mirko

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
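
An added example, not part of the original post and not spamdyke or CHKUSER code: one way to measure how much of the connection load described in the message comes from clients presenting that HELO signature, by parsing CHKUSER lines and counting matches per client IP. The field order inside remote <...> (HELO, host name, IP), the digits standing in for XXX, and all sample lines are assumptions constructed from the single log line quoted in the message.

```python
import re
from collections import Counter

# Layout taken from the single line quoted in the post; the meaning of the
# three colon-separated "remote" fields (HELO, host name, IP) is an assumption.
LINE_RE = re.compile(
    r"CHKUSER (?P<brief>[^:]+): from <(?P<sender>[^>]*)> "
    r"remote <(?P<remote>[^>]*)> rcpt <(?P<rcpt>[^>]*)> : (?P<detail>.*)"
)
# "XXX" in the post is assumed to stand for a run of digits.
HELO_SIG = re.compile(r"^do\.not\.use\.this\.dns\.server\.anymore\.\d+\.in-addr\.arpa$")

def parse_line(line):
    """Return the CHKUSER fields of one log line, or None if it is not one."""
    m = LINE_RE.search(line)  # search() tolerates a timestamp/syslog prefix
    if not m:
        return None
    parts = m.group("remote").rsplit(":", 2)
    if len(parts) != 3:
        return None
    helo, host, ip = parts
    return {"brief": m.group("brief"), "helo": helo, "host": host,
            "ip": ip, "rcpt": m.group("rcpt")}

def summarize(lines):
    """Return (CHKUSER line count, per-IP count of signature HELO with empty rcpt)."""
    total, per_ip = 0, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if HELO_SIG.match(rec["helo"]) and rec["rcpt"] == "":
            per_ip[rec["ip"]] += 1
    return total, per_ip

# Constructed sample input: addresses and documentation-range IPs are made up.
SAMPLE = [
    "CHKUSER accepted sender: from <a@example.com::All> remote <do.not.use.this.dns.server.anymore.123.in-addr.arpa:unknown:192.0.2.10> rcpt <> : sender accepted",
    "CHKUSER accepted sender: from <b@example.com::All> remote <do.not.use.this.dns.server.anymore.58.in-addr.arpa:unknown:192.0.2.10> rcpt <> : sender accepted",
    "CHKUSER accepted sender: from <c@example.com::All> remote <do.not.use.this.dns.server.anymore.200.in-addr.arpa:unknown:198.51.100.7> rcpt <> : sender accepted",
    "Jan  1 12:00:01 mx smtpd: CHKUSER accepted rcpt: from <d@example.org::> remote <mail.example.org:mail.example.org:203.0.113.5> rcpt <user@example.net> : found existing recipient",
    "tcpserver: status: 40/40",
]

if __name__ == "__main__":
    total, per_ip = summarize(SAMPLE)
    print(f"{sum(per_ip.values())} of {total} CHKUSER lines carry the signature")
    print(per_ip.most_common())
```

Run against the real smtpd log for the window in which the zombies appear, the per-IP counts show whether a handful of clients or many distinct ones account for the saturation.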
