LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-03-2009, 08:53 PM   #1
pbaumgar
Member
 
Registered: Feb 2003
Distribution: gentoo, ubuntu
Posts: 43

Rep: Reputation: 15
sendmail and spambots


I'm running 4 sendmail servers that process approximately 3 million
transactions per day. I'm running Sendmail 8.13.8-2.el5 on CentOS
5.2. I'm running powerdns-recursor on each server for DNS queries,
using RBL's from spamhaus and TrendMicro to block IP's, and ClamAV.
Using the RBL's, I'm blocking about 1.5 million SMTP connections per
day.

In recent months I've noticed a spike in the number of sendmail
processes. The spike seems to be a result of spambots slamming my
servers with connections. The IP's are getting blocked by the RBL's,
however the connections are sitting around for a short time and I
guess there are just so many. I'm using greet_pause and have it set
to 5000 (5 sec). I also have some pretty aggressive timeouts set:

define(`confTO_IDENT', `0s')
define(`confTO_CONNECT', `30s')
define(`confTO_INITIAL', `30s')
define(`confTO_ACONNECT', `1m')
define(`confTO_HELO', `30s')
define(`confTO_RCPT', `30s')
define(`confTO_RSET', `30s')
define(`confTO_QUIT', `30s')
define(`confTO_MISC', `30s')
define(`confTO_COMMAND', `30s')
define(`confTO_CONTROL', `30s')
define(`confTO_ICONNECT',`30s')
define(`confTO_MAIL',`30s')
define(`confTO_DATAINIT',`30s')
define(`confTO_DATABLOCK',`1m')
define(`confTO_DATAFINAL',`1m')
define(`confTO_STARTTLS',`1m')
define(`confTO_AUTH',`1m')
define(`confCONNECTION_RATE_THROTTLE', `30')
define(`confMAX_MESSAGE_SIZE',`12485760')
define(`confLOG_LEVEL', `12')
define(`confTO_QUEUERETURN',`2d')
define(`confREFUSE_LA',`12')
define(`confQUEUE_LA',`100')
FEATURE(`greet_pause',5000)dnl

Normally, each server is running about 20-30 sendmail processes.
Usually twice per day, for about 2 hours each time the process count
for sendmail will spike to around 200.

If I do a 'ps aux | grep sendmail' I see a lot of processes sitting
in cmd read state. Here's a sample:

root 9248 0.0 0.0 73976 4424 ? S 12:23 0:00
sendmail: server [212.57.148.218] cmd read
root 9302 0.0 0.0 73712 3464 ? S 12:23 0:00
sendmail: server 201-88-214-86.cbace700.dsl.brasiltelecom.net.br
[201.88.214.86] cmd read
root 9303 0.0 0.0 73704 3452 ? S 12:23 0:00
sendmail: server 189104163027.user.veloxzone.com.br [189.104.163.27]
(may be forged) cmd read
root 9335 0.0 0.0 73704 3464 ? S 12:23 0:00
sendmail: server 200-96-168-116.bsace705.dsl.brasiltelecom.net.br
[200.96.168.116] cmd read
root 9350 0.0 0.0 73708 3452 ? S 12:23 0:00
sendmail: server abs-static-188.8.68.58.aircel.co.in [58.68.8.188]
(may be forged) cmd read

I also see lots of entries like this in my maillog:

Oct 1 07:41:51 mailserver1 sendmail[777]: n91CfEkK000777: timeout
waiting for input from [119.152.57.66] during server cmd read

and

Oct 1 16:07:35 mailserver1 sendmail[22315]: deferring connections on
daemon MTA: 30 per second

Oct 1 07:41:51 mailserver1 sendmail[777]: n91CfEkK000777: timeout
waiting for input from [119.152.57.66] during server cmd read

Sep 9 10:22:19 mailserver1 sendmail[30162]: n89FMJNV030162: rejecting
commands from 201-40-148-66.paemt701.dsl.brasiltelecom.net.br
[201.40.148.66] due to pre-greeting traffic


Which I know is a result of having set CONNECTION_RATE_THROTTLE to 30.

I also notice that when these spikes happen, I have a lot of
connections sitting in SYN_RECV state on each server, there's usually
hundreds. Here's a few:

netstat -tn | grep SYN_RECV

tcp 0 0 10.10.1.1:25 189.105.231.63:63034
SYN_RECV
tcp 0 0 10.10.1.1:25 189.74.16.49:42481
SYN_RECV
tcp 0 0 10.10.1.1:25 201.15.66.43:27890
SYN_RECV


Can anyone offer some advice or suggestion on troubleshooting and dealing with these connectgions?

Something else I should be looking at or doing?
 
Old 10-04-2009, 06:26 AM   #2
carltm
Member
 
Registered: Jan 2007
Location: Canton, MI
Distribution: CentOS, SuSE, Red Hat, Debian, etc.
Posts: 703

Rep: Reputation: 99
Have you looked at ASSP, the Anti-Spam SMTP Proxy? It does a lot
more than what you're asking for, so I realize this may not be the
answer you're looking for.

The latest version of ASSP is very good at detecting and dealing
with spambots.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Sendmail ignores aliases with sendmail daemon stopped phavn Solaris / OpenSolaris 1 12-01-2008 02:50 PM
m4 sendmail.mc > sendmail.cf generate unwanted result on OpenSolaris johncsl82 Solaris / OpenSolaris 1 09-08-2008 11:25 PM
Tweaking to prevent spambots at my site Whitestar General 5 07-19-2007 03:32 AM
sendmail is not working & on $prompt the cmd sendmail hangs Pavan mahoorker Linux - Software 1 04-04-2006 03:57 PM
Sendmail - RunAsUser=sendmail:mail/What files to i have to change ForumKid Linux - Security 45 01-18-2002 11:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 02:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration