Hi Tobias,

I don't think that quitting qmail-smtpd is the best action.

When you enable these thresholds settings and enable delay, chkuser simply aborts further "rcpt to:" with the message you see, and for each new rcpt waits for CHKUSER_ERROR_DELAY (default 1000) milliseconds, increased, for each aborted rcpt, of a value of CHKUSER_ERROR_DELAY_INCREASE (default 100) milliseconds. So, based on standard settings, if you have 100 aborted recipients,  you have a delay of 11 seconds for the 101th rcpt (N.B.: all that happens only if you have defined the variables needed to enable this check).

So, you can decrease these values, or define CHKUSER_ERROR_DELAY_INCREASE to zero, or disable these controls.

As conseguence, chkuser cannot waste any resource, as the most used instruction in such conditions is "delay".

I feel this is the most suitable way to fight intruders, making them lose time and/or resources without giving them valuable informations.

If you just quit the process after the initial threshold, they will start a qmail-smtpd process and gain real information for the initial rcpts of the new process.

I've been attacked a lot of times. First times intruders did not note the "you are violating..." message, and wasted some days. After that, they made the same job, with a unique rcpt to for each session. So, when I saw a lot of "CHKUSER rejected" messages from the same IP, and watched the strange sequence of rcpt looked for, I denied that IP in my tcp.smtp.

I was asked also to keep trace automatically of these intruders between sessions, but I feel this is out of chkuser scopes and very dangerous to perform. I've controlled my logs, and sometimes I see remote senders (i.e. mailing lists or systems answering back to viruses) that look hundreds of  times for the same broken addresses, and I feel I cannot automatically create a black list for those remote IP.

You can make a simple script checking for CHKUSER logs, alerting you when "numbers" are strange (see http://www.interazioni.it/opensource/chkuser/documentation/logging_summary.html for a very simple example).

Ciao,

Tonino

At 17.53 29/03/2005, you wrote:
Am Dienstag, 29. März 2005 18:37 schrieb Jeremy Kitchen:
> On Tuesday 29 March 2005 10:31 am, Tobias Orlamuende wrote:
> > After intensive logging I found out, that chkuser sends something like
> > "You are violating my security policy" when CHKUSERRCPTLIMIT and / or
> > CHKUSER_WRONGRCPTLIMIT is reached.
> > That's fine so far, but the other side is still sending masses of "rcpt
> > to". This causes qmail-smtpd to stay open for a very long time until the
> > sender finishes sending his spam.
>
> so?  the resources consumed by a single copy of qmail-smtpd hanging around
> for some spammer to give up are minimal.

IMHO not :-(
qmail-smtpd is running for 40 minutes and counts up (until now) to 105
processes where the oldest one dates from one minute after startup of
qmail-smtpd. Load of this Dueal-Opteron (240) is about 100.
Timeoutsmtpd is set in control...
Most of the started qmail-smtpd's are closed correctly, but some stay open
which gives this amount...

I am not 100% sure if this problem is caused by chkuser, but for me it looks
like. The strange thing is, that most of these open sessions are using
STARTTLS.
Btw: Anybody made bad experiences with this patch ?
http://www.arda.homeunix.net/store/qmail/starttls-2way-auth-20050307.patch

I started with Bill Shupp's tls-auth-patch but the loead was even going much
higher than now.

>
> > Wouldn't it make sense to let chkuser terminatie this specific
> > qmail-smtpd instance if one of the above limits is reached?
>
> perhaps, but why?

See above.

>
> > If yes, how could it be implemented?
>
> just edit the code.  Find the place where it flips on the "ok, we're not
> accepting anymore" limit... and have it exit.

Nice. But for me as somebody who has nearly no knowledge of C it is quite
difficult.

Maybe you, Jeremy, or somebody else on this list has any hints for the above
situation...

Greetings
Tobias

Reply via email to