LinuxQuestions.org

Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
mailscanner pounding dns server (https://www.linuxquestions.org/questions/linux-software-2/mailscanner-pounding-dns-server-478086/)

neocontrol 08-28-2006 09:53 AM

mailscanner pounding dns server
 
Hi,

I just re-installed mailscanner and mailwatch. This machine's only job is to be our mail relay. It checks/scans for viruses and spam and then sends.

I've never configured anything like this before, and the person who originally set this up no longer works for us, so I'm on my own.

I installed with no problems. I'm pretty sure my configuration is good, but then again, I have nothing really to base this on except my own opinion.

I don't recall setting this machine up to check dns names of mail recipients. Obviously this machine points to our dns servers in the network card setup. I don't recall seeing my log files roll so fast with requests from this machine like they are now.

So I think I have something not set up right. The log file /var/log/messages on our dns server filled up the entire partition over the weekend. It has never done this before, and most of it is from our new mailscanner machine.

To try to take some load off our main dns server, I pointed our dns to our secondary dns machine. This I assume is helping some, because now both log files /var/log/messages are filling up with messages from this one machine. Also the main dns server is still getting requests and so is the secondary. And the secondary just started getting lots of requests from the mailscanner machine. Previously it would get one request every couple of minutes.

Can someone tell me what I may have missed on this setup? Is this really normal? I figure there has to be some sort of dns cache or something that I didn't configure?

I'm also getting about 4 requests a second on both machines, from this server.

**adding some more info**

I have about 1200 messages in my mail queue. I have a hunch that this has something to do with it. For the most part, they are junk mail going out? Most of them say deferred with a message attached. Here's an example:

To: elias@we-help-u.biz
Message: {Spam?} Delivery Status Notification (Failure) Deferred: Connection refused by we-help-u.biz.
Size:6.5Kb
Tried:41227
Time:00:00:27

I got the above from mailwatch; it says tried 41227. Does this mean it tried to send it 42000 times? What must I do to get this to stop trying like this?

ramram29 08-28-2006 02:12 PM

I think what's happening is your mail server tried to send email to a server that it is no longer able to reach. Usually when your email server is not able to reach another email server it queues the message for later delivery. Most standard configured email systems will keep the message for up to 4 days and then discard it. Recently, on most stable systems, a lot of admins are specifying to keep the message for one day and then discard it.

You need to see for how many days your server is set up to keep the messages in the queue, then maybe lower the timeout. Before that you need to check if it is one system that it's not able to send to or all systems. Try to run 'telnet mail.yahoo.com 25' to see if it is able to connect to another mail server first. You may have a network configuration problem.

neocontrol 08-28-2006 03:14 PM

A lot of the mails sitting in my outbound queue are spam, such as ones that have no "from:" address. I'd like to make a rule about not accepting nameless from: addresses, but I haven't had much luck with that. The MailWatch/MailScanner software requires a from address.

I checked MailScanner.conf and conf.php and have not found anything relating to send retries. Where else can I look?

ramram29 08-28-2006 03:23 PM

I would recommend upgrading to spamassassin and using filters for all your users. I use a combination of spamassassin and sieve and it works well for me. I also run a script that prunes SPAM messages from all mailboxes that are 3 months or older.

What mail setup are you using?

neocontrol 08-28-2006 03:54 PM

Server 2003 w/ Exchange that forwards to our relay that has mailscanner w/ spamassassin & clamav

neocontrol 08-28-2006 04:11 PM

Another question I have is how do all of these get in my queue? Is this a user's box that's infected sending out spam? How can I find out? I have a few hundred users, in different locations.

Perhaps it is some sort of problem with having a relay out on the internet where they can pass email through by messing with the email headers?

Is there a way to add a blank from: address to the blacklist folder or somehow make a rule to get rid of them as mailscanner sees them?

dambla 08-29-2006 01:42 AM

edited........

ramram29 08-29-2006 07:21 AM

It could be that you have a virus on your Windows 2003.

What mail server are you running, sendmail or postfix?

neocontrol 08-29-2006 08:05 AM

On the mailscanner machine I'm running sendmail.

neocontrol 08-30-2006 03:31 PM

Okay, things are pretty much under control.

What was happening is that our server was getting hit with a lot of false (forged) emails that didn't have return addresses. Likewise, most of that mail wasn't going anywhere either.

We finally figured out how to stop most mails without a from sender, which just about stopped all of those types of mails.

We deleted that entire outbound directory, which at its peak was at about 1200. Today I think we have about 70 new ones. Pretty good.

Those other emails are being forged as our other relay (webmail), so we can't stop it quite yet.

The problem was all of those emails sitting in the queue waiting to go out. Our server kept making requests to find out where to send this stuff, but since they didn't exist, it would be put back in the rotation and tried again later.

Multiply that by 1200 and that can lead to my dns server being bombed.

This was my first time messing with and working on a mail relay/server, so I was definitely overwhelmed all day yesterday as I tried to pick up my learning curve.

Thanks for all the suggestions and comments, I appreciated it.
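The mechanism the closing post describes, queued undeliverable mail that is retried on every queue run with each retry costing fresh MX and A lookups, is easiest to spot from the DNS server's side. The following is an added example, not code from this thread or from MailScanner, MailWatch or sendmail: a Python script that reads BIND query-log lines out of syslog and flags the client whose query rate and repeated names look like a retry loop. The log lines, the relay address 192.0.2.25, the other client addresses, and every domain except we-help-u.biz (which appears in the thread) are constructed for this example; the line shape is what BIND 9 writes to syslog with query logging enabled, and a different BIND version or logging channel may need the regular expression adjusted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: the shape BIND 9 writes to syslog with query logging on.
# The relay address 192.0.2.25, the two other clients and every domain except
# we-help-u.biz are made up for this example.
SAMPLE_LOG = """\
Aug 28 09:50:00 ns1 named[1234]: client 192.0.2.25#32771: query: we-help-u.biz IN MX +
Aug 28 09:50:00 ns1 named[1234]: client 192.0.2.25#32772: query: we-help-u.biz IN A +
Aug 28 09:50:00 ns1 named[1234]: client 192.0.2.25#32773: query: nosuchdomain.example IN MX +
Aug 28 09:50:00 ns1 named[1234]: client 192.0.2.25#32774: query: nosuchdomain.example IN A +
Aug 28 09:50:01 ns1 named[1234]: client 192.0.2.25#32775: query: we-help-u.biz IN MX +
Aug 28 09:50:01 ns1 named[1234]: client 192.0.2.25#32776: query: we-help-u.biz IN A +
Aug 28 09:50:01 ns1 named[1234]: client 192.0.2.25#32777: query: forged.example IN MX +
Aug 28 09:50:01 ns1 named[1234]: client 192.0.2.25#32778: query: forged.example IN A +
Aug 28 09:50:02 ns1 named[1234]: client 192.0.2.25#32779: query: we-help-u.biz IN MX +
Aug 28 09:50:02 ns1 named[1234]: client 192.0.2.25#32780: query: we-help-u.biz IN A +
Aug 28 09:50:02 ns1 named[1234]: client 192.0.2.25#32781: query: nosuchdomain.example IN MX +
Aug 28 09:50:02 ns1 named[1234]: client 192.0.2.25#32782: query: nosuchdomain.example IN A +
Aug 28 09:50:03 ns1 named[1234]: client 192.0.2.25#32783: query: we-help-u.biz IN MX +
Aug 28 09:50:03 ns1 named[1234]: client 192.0.2.25#32784: query: we-help-u.biz IN A +
Aug 28 09:50:03 ns1 named[1234]: client 192.0.2.25#32785: query: forged.example IN MX +
Aug 28 09:50:03 ns1 named[1234]: client 192.0.2.25#32786: query: forged.example IN A +
Aug 28 09:50:04 ns1 named[1234]: client 192.0.2.40#1025: query: intranet.example IN A +
Aug 28 09:50:04 ns1 named[1234]: client 192.0.2.41#1026: query: mail.yahoo.com IN A +
"""

# syslog prefix, then BIND's "client IP#port: query: NAME IN TYPE" record
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse(log_text, year=2006):
    """Return (timestamp, client_ip, qname, qtype) per query line; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append((ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]))
    return records


def query_rates(records):
    """Queries per second per client, measured over the whole log window."""
    if not records:
        return {}
    first = min(r[0] for r in records)
    last = max(r[0] for r in records)
    window = max((last - first).total_seconds(), 1.0)
    return {ip: n / window for ip, n in Counter(r[1] for r in records).items()}


def noisy_clients(records, qps_threshold=2.0):
    """Clients at or above the threshold; the thread reports about 4 qps from the relay."""
    return sorted(ip for ip, qps in query_rates(records).items() if qps >= qps_threshold)


def repeated_names(records, ip, min_count=2):
    """Names one client keeps asking for, most frequent first.

    A queue retry loop shows up as the same handful of sender/recipient domains
    looked up again and again (MX, then A for the MX host) on every queue run.
    """
    names = Counter(r[2] for r in records if r[1] == ip)
    return [(name, n) for name, n in names.most_common() if n >= min_count]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for ip in noisy_clients(recs):
        print(f"{ip}: {query_rates(recs)[ip]:.1f} queries/s")
        for name, n in repeated_names(recs, ip):
            print(f"  {name}: {n} lookups")
```

Against a real server, pass the contents of the log that named writes to (in this thread, /var/log/messages) to parse(). What it flags is the symptom; the fix belongs on the relay, where the closing post put it: stop accepting the forged mail so it never reaches the queue, and shorten the queue lifetime (sendmail's Timeout.queuereturn) so what is queued is bounced sooner rather than retried for days.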

