[Mimedefang] Intermittent Problems

Joseph Brennan brennan at columbia.edu
Fri Oct 27 15:11:00 EDT 2006



--On Friday, October 27, 2006 11:34 -0700 "An.H.Nguyen" 
<annguyen251 at hotmail.com> wrote:

> Both of my Solaris sendmail gateways started to have some problems since
> Oct.14 when the "Possible SMTP attack: command=HELO/EHLO, count=3"
> appeared.
>
> - Sendmail stops responding for a short time, then comes back; this
> happens several times a day



We've had occasional load problems yesterday and today.  We had the
Yahoo craziness where they keep tempfailing, but I am wondering now
whether it is the HELO attack.  We have 55,000 a day spread over five
servers.  Each one of the connections takes a few minutes to handle
because of sendmail's slowdown when it happens.

I very briefly tried MAXHELOCOMMANDS 1 on one server (instead of 3),
but that catches legit servers, so it's not useful at all.

Possibly a better approach would be setting MAXHELOCOMMANDS high, so
there is no slowdown.  The messages themselves get rejected as
recipient unknown, host in Spamhaus, and other reasons, so maybe we
should just handle them as fast as we can.  The 55,000 came from
29,000 different IP addresses, so slowing down the sender may not
be significant in discouraging this.

Note, changing MAXHELOCOMMANDS means recompiling sendmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
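
An added example, not part of the original message: a small log tally that measures how many distinct client addresses trigger the HELO/EHLO warning, the ratio the message reasons from when it questions per-sender slowdown. The log line layout and the sample lines are constructed assumptions; adjust the pattern to the local syslog format.

```python
import re
import sys
from collections import Counter

# Constructed sample lines. The layout (syslog prefix, queue id, client
# "name [ip]", then the warning text) is an assumption about the local format.
SAMPLE_LOG = """\
Oct 27 11:02:13 mx1 sendmail[2101]: k9RF2CaA002101: [192.0.2.10]: Possible SMTP attack: command=HELO/EHLO, count=3
Oct 27 11:02:40 mx1 sendmail[2107]: k9RF2eaA002107: dsl-7.example.net [198.51.100.7]: Possible SMTP attack: command=HELO/EHLO, count=3
Oct 27 11:03:05 mx1 sendmail[2113]: k9RF35aA002113: [192.0.2.10]: Possible SMTP attack: command=HELO/EHLO, count=4
Oct 27 11:03:09 mx1 sendmail[2114]: k9RF39aA002114: from=<a@example.org>, size=1204, nrcpts=1, relay=mail.example.org [203.0.113.5]
Oct 27 11:04:51 mx1 sendmail[2120]: k9RF4paA002120: [203.0.113.99]: Possible SMTP attack: command=NOOP, count=21
"""

# Client address in brackets, immediately followed by the warning text.
ATTACK_RE = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)",
    re.IGNORECASE,
)


def summarize(lines, command="HELO/EHLO"):
    """Tally warnings for one SMTP command, grouped by client IP."""
    per_ip = Counter()
    for line in lines:
        m = ATTACK_RE.search(line)
        if m and m.group("cmd") == command:
            per_ip[m.group("ip")] += 1
    total = sum(per_ip.values())
    return {
        "events": total,
        "distinct_ips": len(per_ip),
        # A value near 1 means throttling each sender slows almost nobody twice.
        "events_per_ip": total / len(per_ip) if per_ip else 0.0,
        "top": per_ip.most_common(5),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report = summarize(fh)
    else:
        report = summarize(SAMPLE_LOG.splitlines())
    print(report)
```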






