[Mimedefang] Strange activity

Jan Pieter Cornet johnpc at xs4all.nl
Thu Jan 5 18:05:21 EST 2006


On Thu, Jan 05, 2006 at 02:50:09PM -0500, David F. Skoll wrote:
> All I can check is the MTU of the Ethernet interface, which is 1500.
> I doubt it's an MTU issue, because lots of normal mail (including
> large messages) is flowing through perfectly well.  Also, *all* of the
> machines (well, at least all of the ones I can tell from a PTR record)
> that are timing out are DSL, dial-up or cable modem machines.  If it
> were an MTU issue, I'd expect to see the occasional "legitimate" mail
> server having problems.

No, not necessarily. In fact, the MTU suggestion is a very good one.
Usually it's not the MTU on the mail server that's the problem. It's
the MTU on the other side.

A lot of DSL solutions use some form of tunneling, thereby limiting the
max MTU to something like 1480. Now if you somewhere have a stupid
firewall that blocks all ICMP (including the "fragmentation needed" ICMP
subtype, which is used for path MTU discovery), then when the server
sends a packet over 1480 bytes long, it will need fragmentation by the
receiving DSL modem, which will send back an ICMP fragmentation needed,
which will get discarded by the silly firewall before the mailserver,
and communication will hang.

However, this situation is kind of hard to trigger when receiving mail
on the mailserver (which will only send out short replies after each
command received), and it's easy to spot using tcpdump, because you'll
see a normal tcp-exponential-backoff-repeat-the-last-packet without
seeing a reply (repeats the last packet with intervals of 3, 6, 12, 24...
etc seconds).

The only way I can see it triggering max MTU and then hanging in cmd read
is if the sending side sent a large amount of SMTP commands in one packet.
Which would be very indicative of a spambot or scanbot.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
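The tcpdump symptom described in the post (the same segment repeated at 3, 6, 12, 24... second intervals with no reply) turned into a small detector, as an added example that is not code from the post or from MIMEDefang. It assumes tcpdump's default IP line format, a 1480-byte path MTU with 20-byte IP and TCP headers, and the capture lines below are constructed, not real traffic.

```python
import re

# Constructed tcpdump-style lines (not a real capture): the mail server sends a
# 1460-byte segment, retransmits it with doubling intervals and is never ACKed.
SAMPLE_TCPDUMP = """\
10:00:00.000000 IP 192.0.2.10.25 > 198.51.100.7.4321: Flags [P.], seq 1:1461, ack 900, length 1460
10:00:03.000000 IP 192.0.2.10.25 > 198.51.100.7.4321: Flags [P.], seq 1:1461, ack 900, length 1460
10:00:09.000000 IP 192.0.2.10.25 > 198.51.100.7.4321: Flags [P.], seq 1:1461, ack 900, length 1460
10:00:21.000000 IP 192.0.2.10.25 > 198.51.100.7.4321: Flags [P.], seq 1:1461, ack 900, length 1460
10:00:45.000000 IP 192.0.2.10.25 > 198.51.100.7.4321: Flags [P.], seq 1:1461, ack 900, length 1460
10:00:46.000000 IP 198.51.100.7.4321 > 192.0.2.10.25: Flags [.], ack 1, length 0
"""

# Matches tcpdump's default format for a TCP segment that carries data ("seq a:b").
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\], seq (\d+):(\d+),.*length (\d+)$"
)

def parse_tcpdump(text):
    """Return (time_in_seconds, src, dst, (seq_lo, seq_hi), payload_len) per data segment."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # pure ACKs have no "seq a:b" field and are skipped
        h, mi, s = int(m.group(1)), int(m.group(2)), float(m.group(3))
        segments.append((h * 3600 + mi * 60 + s, m.group(4), m.group(5),
                         (int(m.group(7)), int(m.group(8))), int(m.group(9))))
    return segments

def find_pmtu_blackholes(text, path_mtu=1480, min_repeats=3, tolerance=0.5):
    """Flag segments retransmitted with exponential backoff and report whether
    their payload is too big for path_mtu (assumed 40 bytes of IP+TCP headers)."""
    by_segment = {}
    for t, src, dst, seq, length in parse_tcpdump(text):
        by_segment.setdefault((src, dst, seq), []).append((t, length))
    max_payload = path_mtu - 40
    findings = []
    for (src, dst, seq), sends in by_segment.items():
        if len(sends) < min_repeats:
            continue
        times = [t for t, _ in sends]
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        # Each retransmit interval should be roughly double the previous one.
        doubling = all(abs(b / a - 2.0) <= tolerance for a, b in zip(gaps, gaps[1:]))
        length = sends[0][1]
        findings.append({"flow": f"{src} > {dst}", "seq": seq, "repeats": len(sends),
                         "intervals": gaps, "exponential_backoff": doubling,
                         "payload": length, "exceeds_path_mtu": length > max_payload})
    return findings
```

A flow that is flagged with exponential_backoff and exceeds_path_mtu both true, and whose large segment is the server's reply, is the pattern the post says points at a peer sending many SMTP commands in one packet rather than at the local MTU.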
