DOS Attack on Mail Server
Julian Field
mailscanner at ecs.soton.ac.uk
Fri Sep 20 09:23:17 IST 2002
At 05:30 20/09/2002, you wrote:
>We received about 15,000 messages in about 30 minutes today from a
>single source. It turned out to be a bug in a website that sent us message
>after message after message. I was able to quickly find the source IP
>and block it at the firewall but this could have been very bad. It took
>me about 20 minutes to realize mail wasn't flowing, and by the time I
>logged into the Sendmail gateway, and checked the number of files in
>mqueue.in it was somewhere in the 25,000 range. If my cell phone
>service was off (I got a page on my cell phone because of the large
>queue) it wouldn't have stopped until the user's mailbox was full and
>started bouncing messages. (She was at about 10 MB of 250. They were
>5 KB messages, I believe, so (check my math) it would have taken 50,000
>messages to fill her up.)
>
>Anyways, my point. Could MailScanner somehow detect this and stop
>sendmail from accepting the messages? I'm not sure if it's practical.
>Maybe if it breaks a certain number of messages in 10 minutes overall,
>by from or to address, from IP, or similar messages. Any thoughts?
In your sendmail.cf, set
# minimum number of free blocks on filesystem
O MinFreeBlocks=500
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
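
The per-source rate check asked about in the quoted message, as an added example (not part of the original post, and not MailScanner or sendmail code): it scans sendmail's syslog "from=" records and reports any relay IP that exceeds a message limit within a 10-minute window. The log lines, host names, the 1000-message limit and the function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sendmail "from=" syslog record: capture the timestamp and the relay's IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
    r"from=.*relay=[^\[]*\[(?P<ip>[^\]]+)\]"
)

def find_floods(lines, limit=1000, window=timedelta(minutes=10), year=2002):
    """Return {relay_ip: time it first exceeded `limit` messages in `window`}."""
    recent = defaultdict(deque)  # relay IP -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # "to=" delivery records and other daemons are ignored
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) > limit:
            flagged.setdefault(m["ip"], ts)
    return flagged

def sample_log():
    """Constructed log: 15,000 messages in 30 minutes from one relay, 3 from another."""
    start = datetime(2002, 9, 20, 5, 0, 0)
    rec = ("{t:%b %d %H:%M:%S} mx1 sendmail[{n}]: g8K{n:06d}: from=<{f}>, size=5120, "
           "class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay={h} [{ip}]")
    out = []
    for n in range(15000):
        t = start + timedelta(milliseconds=120 * n)
        out.append(rec.format(t=t, n=n, f="form@web.example", h="web.example", ip="192.0.2.10"))
        if n % 5000 == 0:  # occasional ordinary mail plus its delivery record
            out.append(rec.format(t=t, n=n, f="a@b.example", h="mx.b.example", ip="198.51.100.7"))
            out.append(f"{t:%b %d %H:%M:%S} mx1 sendmail[{n}]: g8K{n:06d}: "
                       "to=<user@example.org>, mailer=local, stat=Sent")
    return out

if __name__ == "__main__":
    for ip, when in find_floods(sample_log()).items():
        print(f"{ip} exceeded 1000 messages in 10 minutes at {when}")
```

At the constructed rate the flooding relay crosses the limit two minutes into the burst, which is the point at which an alert or a firewall block could be raised.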