[Mimedefang] Strange activity

Jan Pieter Cornet johnpc at xs4all.nl
Thu Jan 5 10:04:29 EST 2006


On Wed, Jan 04, 2006 at 03:31:53PM -0500, David F. Skoll wrote:
> Has anyone noticed some strange activity lately?  Specifically, one of our
> customers has been hit by hundreds or thousands of machines that open SMTP
> connections to his boxes and then just sit there, leaving the connection
> idle.  This wreaks havoc by creating tons and tons of Sendmail processes.

Are you sure they just sit there after the initial connect? If so, you should
also see the "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA"
message logged at the same time as the timeout.
 
> We fixed it by setting confTO_COMMAND to 3 minutes instead of the default one
> hour; we're seeing about one connection every few seconds timing out (and
> new ones coming into the start of the pipe, of course.)  This is for a
> smallish ISP.

Our logs don't go back very far, but I haven't seen a recent huge increase,
at least not since December 30th. I see in our logs about 1000 - 2000
per hour of these, which I consider background noise on our mail volume.
Most of these seem to be "lost input channel from ... to MTA after rcpt",
so that seems more like (dictionary) scanning.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
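
The two Sendmail log messages quoted in the message above separate idle connections from sessions dropped after RCPT. As an added example (not part of the original post), this Python script tallies both per hour and per distinct source address; the log lines, host names and addresses are constructed, and the syslog prefix layout is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread); syslog prefix layout is assumed.
SAMPLE_LOG = """\
Jan  5 09:12:01 mx1 sendmail[2101]: k05EC1aa002101: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan  5 09:12:40 mx1 sendmail[2102]: k05ECeab002102: [192.0.2.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan  5 09:48:03 mx1 sendmail[2140]: k05Em3ac002140: lost input channel from [198.51.100.7] to MTA after rcpt
Jan  5 10:02:17 mx1 sendmail[2188]: k05F2Had002188: lost input channel from [198.51.100.7] to MTA after rcpt
Jan  5 10:05:59 mx1 sendmail[2190]: k05F5xae002190: lost input channel from dsl.example.net [203.0.113.5] to MTA after mail
Jan  5 10:06:30 mx1 sendmail[2191]: k05F6Uaf002191: from=<a@example.org>, size=812, nrcpts=1, relay=[192.0.2.99]
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ sendmail\[\d+\]: \w+: (.*)$")
IDLE = re.compile(r"\[([^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN "
                  r"during connection to MTA")
LOST = re.compile(r"lost input channel from .*?\[([^\]]+)\] to MTA after (\S+)")


def classify(line):
    """Return (hour, kind, source_ip) for the two messages of interest, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    hour, rest = m.groups()
    idle = IDLE.search(rest)
    if idle:
        return hour, "idle", idle.group(1)
    lost = LOST.search(rest)
    if lost:
        # Keep the SMTP state so "after rcpt" can be told apart from other drops.
        return hour, "lost:" + lost.group(2), lost.group(1)
    return None


def summarize(lines):
    """Count events per hour and collect distinct source addresses per kind."""
    per_hour = defaultdict(Counter)
    sources = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            hour, kind, ip = hit
            per_hour[hour][kind] += 1
            sources[kind].add(ip)
    return per_hour, sources


if __name__ == "__main__":
    per_hour, sources = summarize(SAMPLE_LOG.splitlines())
    for hour in sorted(per_hour):
        print(hour, dict(per_hour[hour]))
    for kind in sorted(sources):
        print(kind, "distinct sources:", len(sources[kind]))
```

A high "idle" count spread over many distinct sources matches the idle-connection pattern described in the quoted report, while a high "lost:rcpt" count points to the scanning pattern described in the reply.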
