[Mimedefang] Strange activity

David F. Skoll dfs at roaringpenguin.com
Wed Jan 4 15:31:53 EST 2006


Has anyone noticed some strange activity lately?  Specifically, one of our
customers has been hit by hundreds or thousands of machines that open SMTP
connections to his boxes and then just sit there, leaving the connection
idle.  This wreaks havoc by creating tons and tons of Sendmail processes.

We fixed it by setting confTO_COMMAND to 3 minutes instead of the default one
hour; we're seeing about one connection every few seconds timing out (and
new ones coming into the start of the pipe, of course.)  This is for a
smallish ISP.

I'm wondering if it's an attack specifically on our customer, or if there's
a DDoS botnet (or a buggy spam-sending botnet) around?

Typical Sendmail log excerpt (trimmed somewhat):

15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
15:27:36 k04KOWAD016072: timeout waiting for input from 80.178.87.220.adsl.012.net.il during server cmd read
15:27:38 k04KOEAD015968: timeout waiting for input from abfh249.neoplus.adsl.tpnet.pl during server cmd read
15:28:00 k04KOoAD016164: timeout waiting for input from [200.55.54.94] during server cmd read
15:28:09 k04KP7AD016293: timeout waiting for input from 12-208-169-86.client.insightBB.com during server cmd read
15:28:13 k04KP5AD016263: timeout waiting for input from 213-238-114-168.adsl.inetia.pl during server cmd read
15:28:19 k04KPHAD016353: timeout waiting for input from f151173.upc-f.chello.nl during server cmd read
15:28:31 k04KPSAD016412: timeout waiting for input from 82-46-163-134.stb.ubr02.chwo.blueyonder.co.uk during server cmd read
15:28:31 k04KPUAD016422: timeout waiting for input from djz211.neoplus.adsl.tpnet.pl during server cmd read
15:28:35 k04KP1AD016270: timeout waiting for input from 200164210160.user.veloxzone.com.br during server cmd read
15:28:42 k04KPeAD016473: timeout waiting for input from xdsl-2217.elblag.dialog.net.pl during server cmd read
15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:45 k04KQiAD016923: timeout waiting for input from 20150212040.user.veloxzone.com.br during server cmd read
15:29:51 k04KQoAD016953: timeout waiting for input from 82-170-159-208.dsl.ip.tiscali.nl during server cmd read

Regards,

David.
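
An added example, not part of the original post: a short Python summariser for the "timeout waiting for input ... during server cmd read" lines in the excerpt above, reporting how many distinct clients are involved, which ones return, and how quickly the timeouts arrive. The sample lines are copied from that excerpt; the function names, the trimmed line layout and the assumption that all lines fall on one day are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Five lines copied from the excerpt in the post (time, queue id, message).
SAMPLE = """\
15:27:32 k04KOVAD016073: timeout waiting for input from [200.193.225.54] during server cmd read
15:27:35 k04KOXAD016096: timeout waiting for input from adsl-153-140-231.cha.bellsouth.net during server cmd read
15:28:57 k04KPnAD016543: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:24 k04KQHAD016773: timeout waiting for input from 80.178.139.180.adsl.012.net.il during server cmd read
15:29:51 k04KQoAD016953: timeout waiting for input from 82-170-159-208.dsl.ip.tiscali.nl during server cmd read
"""

# Matches the trimmed layout above; any text between the time and the
# queue id (for example a syslog host/process prefix) is skipped.
TIMEOUT_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\b.*?\b(?P<qid>\w+): timeout waiting for input "
    r"from (?P<host>\S+) during server cmd read"
)

def parse_timeouts(text):
    """Return a (time, queue_id, host) tuple for each command-read timeout line."""
    events = []
    for line in text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S")  # assumption: same day
            events.append((t, m["qid"], m["host"].strip("[]")))
    return events

def summarize(events):
    """Count timeouts, distinct and repeat hosts, and the mean gap in seconds."""
    hosts = Counter(host for _, _, host in events)
    times = sorted(t for t, _, _ in events)
    gaps = len(times) - 1
    span = (times[-1] - times[0]).total_seconds() if gaps > 0 else 0.0
    return {
        "timeouts": len(events),
        "distinct_hosts": len(hosts),
        "repeat_hosts": sorted(h for h, n in hosts.items() if n > 1),
        "mean_gap_s": span / gaps if gaps > 0 else None,
    }

if __name__ == "__main__":
    print(summarize(parse_timeouts(SAMPLE)))
```

Many distinct hosts with few repeats and a short mean gap is the pattern the post describes; a handful of hosts repeating heavily would instead point at a few misbehaving clients.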


