Dealing with MailScanner overloads

Rose, Bobby brose at MED.WAYNE.EDU
Sun Sep 14 15:13:37 IST 2003


Why not use DCCM (DCC's sendmail milter) and set a threshold.  You'd
have a lot less false positives than blocking a major host.  During
Sobig-F I saw DCC blocking a lot of them.  Also using easynets Dynablock
RBL in sendmail to not accept mail from all those infected home users
helped also.  I also hacked up Mailstats to do a so many spam (per SA)
messages per hour and block for said amount of hours.  With that
Mailscanner patch to log the IP address of an infected system, I can now
do the same with viruses.

-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
Sent: Sunday, September 14, 2003 4:39 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Fwd: RE: Dealing with MailScanner overloads


What do you all think of this suggestion? Any ideas for improvements or
useful ways to implement it?

I'm thinking along the lines of adding entries to the sendmail access db.
I can't remember if I need to restart sendmail after changing the access
db, but a way of avoiding having to do that would be good.

I would probably implement it as a Custom Function, as it's a side issue
from the main point of scanning messages.

> > >I've been successfully using MailScanner on a Linux server, until this
> > >weekend, when it was overwhelmed with Sobig.F messages.  The mqueue.in
> > >directory was growing at 90 files/minute, and contained a backlog of over
> > >10,000 messages by the time I noticed the problem.  This was on a lightly
> > >loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
> > >emails per day.
> > >
> > >To get things back under control, I looked through the maillog file for the
> > >relays that were sending the most messages, and blocked them with iptables.
> > >There were a lot of them, so my plans for Sunday were trashed.  However, it
> > >made me think of a way to automate it, but post-processing the mail log is
> > >not the best point to tackle this problem.  Ideally, it should be done as
> > >the mail arrives, possibly by simply refusing the SMTP connection, which is
> > >where I'm out of my depth.  Here's what I think is required:
> > >
> > >Initialise an empty hash table, keyed by IP and containing a timestamp, a
> > >usage count and a blocked flag.
> > >
> > >For each message:
> > >     Get the IP of its relay.
> > >     If not already in the hash table Then
> > >         Create a new entry for the IP with usage count 1 and current timestamp.
> > >     Else
> > >         Increment the usage counter and update the timestamp.
> > >
> > >         If usage > MAX_PER_HOUR and not already blocked Then
> > >             Block the IP using:
> > >                  iptables -I INPUT -s $ip -j DROP
> > >                  iptables -I OUTPUT -d $ip -j DROP
> > >             Mark the hash table entry as blocked.
> > >             Append the IP and timestamp to the log file.
> > >         Endif
> > >     Endif
> > >EndFor
> > >
> > >Every hour, scan the table and remove any entries older than 1 hour.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
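The per-relay rate limiter sketched in the quoted pseudocode, written out as an added Python example (this is not code from the list, from Julian Field, or from MailScanner). It parses sendmail `from=` log lines for the relay IP, keeps the hash table of timestamp, count and blocked flag, and returns the iptables commands the design would run instead of executing them, so it can be exercised offline. The threshold `MAX_PER_HOUR`, the helper names, and the log lines in `SAMPLE_LOG` are all assumptions or constructed for the example. It goes beyond the quoted design in one respect: when the hourly sweep expires an entry that was blocked, it also returns the matching `iptables -D` commands, so DROP rules do not accumulate after the table has forgotten the host.

```python
"""Per-relay message rate limiter modelled on the quoted pseudocode.

Added example, not code from the mailing list or from MailScanner.
Firewall commands are returned as strings, never executed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PER_HOUR = 5          # hypothetical threshold; the poster leaves the value open
WINDOW_SECONDS = 3600     # "older than 1 hour" in the quoted sweep

# sendmail logs the relay as 'relay=host [ip]' or 'relay=[ip]'
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# syslog timestamps carry no year; the example assumes 2003 (the thread's date)
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")


def ts_epoch(stamp: str, year: int = 2003) -> float:
    """Convert a syslog 'Mon DD HH:MM:SS' stamp to epoch seconds (UTC assumed)."""
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when.replace(tzinfo=timezone.utc).timestamp()


def parse_line(line: str):
    """Return (epoch_seconds, relay_ip) for a sendmail from= line, else None."""
    if "from=<" not in line:
        return None
    ts, relay = TS_RE.search(line), RELAY_RE.search(line)
    if not ts or not relay:
        return None
    return ts_epoch(ts.group(1)), relay.group(1)


@dataclass
class RelayEntry:
    count: int
    last_seen: float
    blocked: bool = False


class RelayLimiter:
    def __init__(self, max_per_hour: int = MAX_PER_HOUR, window: int = WINDOW_SECONDS):
        self.max_per_hour = max_per_hour
        self.window = window
        self.table: dict[str, RelayEntry] = {}          # keyed by relay IP
        self.block_log: list[tuple[str, float]] = []    # the poster's "log file"

    def record(self, ip: str, now: float) -> list[str]:
        """Count one message from ip; return firewall commands to run (usually none)."""
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = RelayEntry(count=1, last_seen=now)
            return []
        entry.count += 1
        entry.last_seen = now
        if entry.count > self.max_per_hour and not entry.blocked:
            entry.blocked = True
            self.block_log.append((ip, now))
            return [f"iptables -I INPUT -s {ip} -j DROP",
                    f"iptables -I OUTPUT -d {ip} -j DROP"]
        return []

    def sweep(self, now: float) -> list[str]:
        """Hourly sweep: drop entries idle for more than the window.

        Extension over the quoted design: blocked entries being expired also
        yield the commands that delete their DROP rules.
        """
        cmds: list[str] = []
        stale = [ip for ip, e in self.table.items() if now - e.last_seen > self.window]
        for ip in stale:
            if self.table[ip].blocked:
                cmds += [f"iptables -D INPUT -s {ip} -j DROP",
                         f"iptables -D OUTPUT -d {ip} -j DROP"]
            del self.table[ip]
        return cmds


def process_log(lines, limiter: RelayLimiter | None = None):
    """Feed log lines through a limiter; return (limiter, block commands in order)."""
    if limiter is None:
        limiter = RelayLimiter()
    cmds: list[str] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            cmds += limiter.record(parsed[1], parsed[0])
    return limiter, cmds


def _sample(minute: int, relay: str) -> str:
    # constructed sendmail-style log line, not a real capture
    return (f"Sep 14 10:{minute:02d}:00 mx sendmail[4100]: h8EA{minute:02d}000: "
            f"from=<user@example.net>, size=74000, class=0, nrcpts=1, "
            f"proto=ESMTP, daemon=MTA, relay={relay}")


# constructed sample: one relay sends 7 messages in 7 minutes, another sends 2
SAMPLE_LOG = ([_sample(m, "[192.0.2.10]") for m in range(7)]
              + [_sample(m, "home.example.org [198.51.100.7]") for m in (3, 8)]
              + ["Sep 14 10:09:00 mx sendmail[4100]: h8EA09000: to=<x@example.com>, stat=Sent"])

if __name__ == "__main__":
    lim, commands = process_log(SAMPLE_LOG)
    print("\n".join(commands))                       # block commands for 192.0.2.10
    print(lim.sweep(ts_epoch("Sep 14 11:08:01")))    # unblock commands once expired
```

Because `last_seen` is refreshed on every message, a host that never stops sending is never expired by the sweep, which is what the quoted design implies; a strict "per hour" count would instead track the start of each window.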