DOS Attack on Mail Server
Steve Evans
sevans at FOUNDATION.SDSU.EDU
Fri Sep 20 14:51:40 IST 2002
That's the problem. My MailScanner box is just an SMTP relay for my
iPlanet mail server. For it to run out of disk space would take a whole
lot. And legitimate mail is waiting in line with all the crap in the
meantime.
Steve Evans
(619) 594-0653
-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
Sent: Friday, September 20, 2002 1:23 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: DOS Attack on Mail Server
At 05:30 20/09/2002, you wrote:
>We received about 15,000 messages in about 30 minutes today from a
>single source. It turned out to be a bug in a website that sent us
>message after message after message. I was able to quickly find the
>source IP and block it at the firewall but this could have been very
>bad. It took me about 20 minutes to realize mail wasn't flowing, and
>by the time I logged into the Sendmail gateway, and checked the number
>of files in mqueue.in it was somewhere in the 25,000 range. If my cell
>phone service was off (I got a page on my cell phone because of the
>large queue) it wouldn't have stopped until the user's mailbox was full
>and started bouncing messages. (She was at about 10 MB of 250. They
>were 5 KB messages I believe so (check my math) it would have taken
>50,000 messages to fill her up.)
>
>Anyways, my point. Could MailScanner somehow detect this and stop
>sendmail from accepting the messages? I'm not sure if it's practical.
>Maybe if it breaks a certain number of messages in 10 minutes overall,
>by from or to address, from IP, or similar messages. Any thoughts?
In your sendmail.cf, set
# minimum number of free blocks on filesystem
O MinFreeBlocks=500
--
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
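
Added example, not part of the original thread and not MailScanner or sendmail code: a sliding-window count over sendmail "from=" syslog lines that flags a relay IP or envelope sender once it exceeds a message limit within 10 minutes, the kind of check asked about above. The limit of 100, the function names and the sample log (documentation addresses) are constructed assumptions; the script only reports, it does not block anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sendmail "from=" syslog line: timestamp, envelope sender, relay IPv4 in brackets
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
                     r"from=<?([^>,]*)>?,.*relay=[^\[]*\[([\d.]+)\]")

def parse(line, year=2002):
    """Return (time, sender, relay_ip), or None for any other kind of line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2).lower(), m.group(3)

def find_floods(lines, limit=100, window=timedelta(minutes=10)):
    """Map (kind, key) -> time that key first exceeded `limit` messages per `window`.
    Lines must be in chronological order, as they are in a syslog file."""
    recent = defaultdict(deque)   # (kind, key) -> timestamps still inside the window
    alerts = {}
    for rec in filter(None, map(parse, lines)):
        ts, sender, ip = rec
        for key in (("ip", ip), ("from", sender)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop entries older than the window
                q.popleft()
            if len(q) > limit:
                alerts.setdefault(key, ts)
    return alerts

def sample_log():
    """Constructed log: a web form sending every 2 s, plus normal mail once a minute."""
    base = datetime(2002, 9, 20, 5, 0, 0)
    events = [(base + timedelta(seconds=2 * n), "form@web.example", "192.0.2.10")
              for n in range(600)]
    events += [(base + timedelta(minutes=n), f"user{n}@example.org", f"198.51.100.{n + 1}")
               for n in range(20)]
    return [f"{t:%b %d %H:%M:%S} gw sendmail[4242]: g8K{i:05d}: from=<{f}>, size=5120, "
            f"class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host [{ip}]"
            for i, (t, f, ip) in enumerate(sorted(events))]

if __name__ == "__main__":
    for (kind, key), when in find_floods(sample_log()).items():
        print(f"flood by {kind} {key}: over limit at {when:%H:%M:%S}")
```

On the constructed log the flooding relay is flagged after 3 minutes 20 seconds, well before the 20 minutes described in the quoted message.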