Fwd: RE: Dealing with MailScanner overloads
Julian Field
mailscanner at ecs.soton.ac.uk
Sun Sep 14 09:38:31 IST 2003
What do you all think of this suggestion? Any ideas for improvements or
useful ways to implement it?
I'm thinking along the lines of adding entries to the sendmail access db. I
can't remember if I need to restart sendmail after changing the access db,
but a way of avoiding having to do that would be good.
I would probably implement it as a Custom Function, as it's a side issue
from the main point of scanning messages.
> > > I've been successfully using MailScanner on a Linux server, until this
> > > weekend, when it was overwhelmed with Sobig.F messages. The mqueue.in
> > > directory was growing at 90 files/minute, and contained a backlog of over
> > > 10,000 messages by the time I noticed the problem. This was on a lightly
> > > loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
> > > emails per day.
> > >
> > > To get things back under control, I looked through the maillog file for the
> > > relays that were sending the most messages, and blocked them with iptables.
> > > There were a lot of them, so my plans for Sunday were trashed. However, it
> > > made me think of a way to automate it, but post-processing the mail log is
> > > not the best point to tackle this problem. Ideally, it should be done as
> > > the mail arrives, possibly by simply refusing the SMTP connection, which is
> > > where I'm out of my depth. Here's what I think is required:
> > >
> > > Initialise an empty hash table, keyed by IP and containing a timestamp, a
> > > usage count and a blocked flag.
> > >
> > > For each message:
> > >     Get the IP of its relay.
> > >     If not already in the hash table Then
> > >         Create a new entry for the IP with usage count 1 and current timestamp.
> > >     Else
> > >         Increment the usage counter and update the timestamp.
> > >
> > >         If usage > MAX_PER_HOUR and not already blocked Then
> > >             Block the IP using:
> > >                 iptables -I INPUT -s $ip -j DROP
> > >                 iptables -I OUTPUT -d $ip -j DROP
> > >             Mark the hash table entry as blocked.
> > >             Append the IP and timestamp to the log file.
> > >         Endif
> > >     Endif
> > > EndFor
> > >
> > > Every hour, scan the table and remove any entries older than 1 hour.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support