Dealing with MailScanner overloads

David While David.While at UCE.AC.UK
Sun Sep 14 09:44:22 IST 2003


My stats script does this and I add the IPs to the access table. No, you don't need to restart sendmail; you just need to rebuild the access db using makemap.
 
David While

	-----Original Message----- 
	From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
	Sent: Sun 14/09/2003 09:38 
	To: MAILSCANNER at JISCMAIL.AC.UK 
	Cc: 
	Subject: Fwd: RE: Dealing with MailScanner overloads
	
	

	What do you all think of this suggestion? Any ideas for improvements or
	useful ways to implement it?
	
	I'm thinking along the lines of adding entries to the sendmail access db. I
	can't remember if I need to restart sendmail after changing the access db,
	but a way of avoiding having to do that would be good.
	
	I would probably implement it as a Custom Function, as it's a side issue
	from the main point of scanning messages.
	
	> > >I've been successfully using MailScanner on a Linux server, until this
	> > >weekend, when it was overwhelmed with Sobig.F messages.  The mqueue.in
	> > >directory was growing at 90 files/minute, and contained a backlog of over
	> > >10,000 messages by the time I noticed the problem.  This was on a lightly
	> > >loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
	> > >emails per day.
	> > >
	> > >To get things back under control, I looked through the maillog file for the
	> > >relays that were sending the most messages, and blocked them with iptables.
	> > >There were a lot of them, so my plans for Sunday were trashed.  However, it
	> > >made me think of a way to automate it, but post-processing the mail log is
	> > >not the best point to tackle this problem.  Ideally, it should be done as
	> > >the mail arrives, possibly by simply refusing the SMTP connection, which is
	> > >where I'm out of my depth.  Here's what I think is required:
	> > >
	> > >Initialise an empty hash table, keyed by IP and containing a timestamp, a
	> > >usage count and a blocked flag.
	> > >
	> > >For each message:
	> > >     Get the IP of its relay.
	> > >     If not already in the hash table Then
	> > >         Create a new entry for the IP with usage count 1 and current
	> > >timestamp.
	> > >     Else
	> > >         Increment the usage counter and update the timestamp.
	> > >
	> > >         If usage > MAX_PER_HOUR and not already blocked Then
	> > >             Block the IP using:
	> > >                  iptables -I INPUT -s $ip -j DROP
	> > >                  iptables -I OUTPUT -d $ip -j DROP
	> > >             Mark the hash table entry as blocked.
	> > >             Append the IP and timestamp to the log file.
	> > >         Endif
	> > >     Endif
	> > >EndFor
	> > >
	> > >Every hour, scan the table and remove any entries older than 1 hour.
	
	--
	Julian Field
	www.MailScanner.info
	Professional Support Services at www.MailScanner.biz
	MailScanner thanks transtec Computers for their support
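As an added worked example (not code from MailScanner, from Julian, David or the original poster), here is the per-relay hash table from the quoted pseudocode written out in Python, combined with David's suggestion of feeding the sendmail access db instead of calling iptables. The threshold (MAX_PER_HOUR = 5), the one-hour window, the `Connect:` tag form of the access-db entries, and the traffic events fed in at the bottom are all assumptions constructed for the example; nothing here touches the firewall or the real access map.

```python
"""Per-relay rate limiter in the shape of the quoted pseudocode.

Added example, not MailScanner or list-member code. Rather than running
iptables it emits sendmail access-db source lines (David While's approach);
the threshold, the window and the sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_PER_HOUR = 5        # assumed threshold; tune to the site's legitimate traffic
WINDOW_SECONDS = 3600   # "remove any entries older than 1 hour"


@dataclass
class RelayEntry:
    last_seen: float        # timestamp of the most recent message from this relay
    count: int = 1          # messages counted since the entry was created
    blocked: bool = False   # the pseudocode's "blocked flag"


class RelayRateLimiter:
    def __init__(self, max_per_hour: int = MAX_PER_HOUR, window: int = WINDOW_SECONDS):
        self.max_per_hour = max_per_hour
        self.window = window
        self.table: dict[str, RelayEntry] = {}          # keyed by relay IP
        self.block_log: list[tuple[str, float]] = []    # "append the IP and timestamp"

    def record(self, ip: str, now: float) -> bool:
        """Account for one message from `ip` at time `now`.

        Returns True only for the message that pushes the relay over the
        limit, so the caller can act (log, rebuild the access db) exactly once.
        """
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = RelayEntry(last_seen=now)   # usage count 1
            return False
        entry.count += 1
        entry.last_seen = now
        if entry.count > self.max_per_hour and not entry.blocked:
            entry.blocked = True
            self.block_log.append((ip, now))
            return True
        return False

    def expire(self, now: float) -> list[str]:
        """Hourly sweep: drop entries quiet for longer than the window.

        Returns the IPs removed. Because the access-db lines are derived from
        the live table, a blocked relay that stays quiet for an hour is
        unblocked at the next rebuild (a deliberate choice of this example).
        """
        stale = [ip for ip, e in self.table.items() if now - e.last_seen > self.window]
        for ip in stale:
            del self.table[ip]
        return stale

    def blocked_ips(self) -> list[str]:
        return sorted(ip for ip, e in self.table.items() if e.blocked)

    def access_db_lines(self) -> list[str]:
        """sendmail access-db source lines for the blocked relays.

        After writing these to /etc/mail/access, rebuild the map with
        `makemap hash /etc/mail/access < /etc/mail/access`; no sendmail restart.
        """
        return [f"Connect:{ip}\tREJECT" for ip in self.blocked_ips()]


def run_sample() -> dict:
    """Constructed traffic: one relay floods, one relay sends normally."""
    limiter = RelayRateLimiter(max_per_hour=5)
    events = [("192.0.2.10", i * 10.0) for i in range(8)]          # 8 msgs in 80 s
    events += [("198.51.100.7", 5.0), ("198.51.100.7", 1200.0)]     # 2 msgs, benign
    new_blocks = [ip for ip, t in events if limiter.record(ip, t)]
    lines_before = limiter.access_db_lines()
    expired = limiter.expire(now=70.0 + 3601)   # sweep after the flood has gone quiet > 1 h
    return {
        "new_blocks": new_blocks,                # ["192.0.2.10"], reported once
        "lines_before": lines_before,            # ["Connect:192.0.2.10\tREJECT"]
        "expired": expired,                      # ["192.0.2.10"]
        "lines_after": limiter.access_db_lines(),  # []
        "log": limiter.block_log,
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Note that counting restarts only when an entry expires, so a relay that trickles one message every 59 minutes is never reset and will eventually cross the threshold; a true sliding window would keep per-message timestamps instead of one counter, at the cost of memory during exactly the kind of flood described above.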
	




