Dealing with MailScanner overloads

Rose, Bobby brose at MED.WAYNE.EDU
Sun Sep 14 15:17:28 IST 2003


Oh yeah, what about my earlier question of moving the virus check routine
before the spam checks in MessageBatch?  Wouldn't that reduce the load?
Because if it's a virus, it goes through the spam checks first, which is a
slower process, and then is checked for viruses.  If it's checked for
viruses first and is infected, then it's removed from the list for spam
checks.



-----Original Message-----
From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
Sent: Sunday, September 14, 2003 4:39 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Fwd: RE: Dealing with MailScanner overloads


What do you all think of this suggestion? Any ideas for improvements or
useful ways to implement it?

I'm thinking along the lines of adding entries to the sendmail access db.
I can't remember if I need to restart sendmail after changing the access
db, but a way of avoiding having to do that would be good.

I would probably implement it as a Custom Function, as it's a side issue
from the main point of scanning messages.

> > >I've been successfully using MailScanner on a Linux server, until this
> > >weekend, when it was overwhelmed with Sobig.F messages.  The mqueue.in
> > >directory was growing at 90 files/minute, and contained a backlog of over
> > >10,000 messages by the time I noticed the problem.  This was on a lightly
> > >loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
> > >emails per day.
> > >
> > >To get things back under control, I looked through the maillog file for the
> > >relays that were sending the most messages, and blocked them with iptables.
> > >There were a lot of them, so my plans for Sunday were trashed.  However, it
> > >made me think of a way to automate it, but post-processing the mail log is
> > >not the best point to tackle this problem.  Ideally, it should be done as
> > >the mail arrives, possibly by simply refusing the SMTP connection, which is
> > >where I'm out of my depth.  Here's what I think is required:
> > >
> > >Initialise an empty hash table, keyed by IP and containing a timestamp, a
> > >usage count and a blocked flag.
> > >
> > >For each message:
> > >     Get the IP of its relay.
> > >     If not already in the hash table Then
> > >         Create a new entry for the IP with usage count 1 and
> > >         current timestamp.
> > >     Else
> > >         Increment the usage counter and update the timestamp.
> > >
> > >         If usage > MAX_PER_HOUR and not already blocked Then
> > >             Block the IP using:
> > >                  iptables -I INPUT -s $ip -j DROP
> > >                  iptables -I OUTPUT -d $ip -j DROP
> > >             Mark the hash table entry as blocked.
> > >             Append the IP and timestamp to the log file.
> > >         Endif
> > >     Endif
> > >EndFor
> > >
> > >Every hour, scan the table and remove any entries older than 1 hour.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz MailScanner thanks
transtec Computers for their support
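The per-relay rate limiter sketched in the quoted pseudocode, written out as an added example (this is not MailScanner code, nor the original poster's or Julian's). It keeps a sliding one-hour window of message timestamps per relay IP, and once a relay exceeds MAX_PER_HOUR it records the two iptables rules from the pseudocode and, as the alternative Julian raised, can emit sendmail access-db lines instead. Commands are collected rather than executed so the block runs offline; the threshold value, the log regex for the sendmail `relay=` field, the allow-list and the sample log lines are all assumptions constructed for the example. It also goes one step beyond the pseudocode: the hourly sweep lifts expired blocks as well as forgetting the counters, since deleting only the table entry would leave the DROP rules in place forever.

```python
"""Per-relay rate limiter with iptables / sendmail access-db output.

Added example; assumptions: MAX_PER_HOUR value, the maillog `relay=`
format matched by RELAY_RE, and the constructed SAMPLE_LOG below.
"""
import re
import time
from collections import deque

MAX_PER_HOUR = 100      # assumed threshold; tune to your legitimate peak
WINDOW = 3600           # seconds in the sliding window

# sendmail maillog lines carry "relay=name [a.b.c.d]"; format is assumed.
RELAY_RE = re.compile(r"relay=[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class RelayLimiter:
    def __init__(self, max_per_window=MAX_PER_HOUR, window=WINDOW, allow=()):
        self.max_per_window = max_per_window
        self.window = window
        self.allow = set(allow)   # relays never blocked, e.g. your own MX
        self.seen = {}            # ip -> deque of message timestamps
        self.blocked = {}         # ip -> time it was blocked
        self.commands = []        # iptables argv lists, in order, not run
        self.log = []             # (ip, timestamp, "block"|"unblock")

    def _prune(self, ip, now):
        q = self.seen[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def message_from(self, ip, now=None):
        """Count one message from ip; return True if ip is blocked."""
        now = time.time() if now is None else now
        if ip in self.allow:
            return False
        if ip in self.blocked:
            return True
        q = self.seen.setdefault(ip, deque())
        q.append(now)
        self._prune(ip, now)
        if len(q) > self.max_per_window:
            self._block(ip, now)
            return True
        return False

    def _block(self, ip, now):
        self.blocked[ip] = now
        # Same two rules as the pseudocode: drop both directions.
        self.commands.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.commands.append(["iptables", "-I", "OUTPUT", "-d", ip, "-j", "DROP"])
        self.log.append((ip, now, "block"))

    def expire(self, now=None):
        """Hourly sweep: drop stale counters and lift blocks older than WINDOW."""
        now = time.time() if now is None else now
        for ip in list(self.seen):
            self._prune(ip, now)
            if not self.seen[ip]:
                del self.seen[ip]
        for ip, t in list(self.blocked.items()):
            if now - t > self.window:
                del self.blocked[ip]
                self.commands.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
                self.commands.append(["iptables", "-D", "OUTPUT", "-d", ip, "-j", "DROP"])
                self.log.append((ip, now, "unblock"))

    def access_db_lines(self):
        """Alternative backend: entries for /etc/mail/access, then rebuild
        the map with `makemap hash /etc/mail/access < /etc/mail/access`."""
        return ["Connect:%s\tREJECT" % ip for ip in sorted(self.blocked)]


def relay_ip(line):
    """Extract the relay IP from a maillog line, or None."""
    m = RELAY_RE.search(line)
    return m.group(1) if m else None


def scan_log(lines, limiter, now):
    """Feed maillog lines to the limiter; return IPs newly blocked."""
    newly = []
    for line in lines:
        ip = relay_ip(line)
        if ip is None:
            continue
        was_blocked = ip in limiter.blocked
        if limiter.message_from(ip, now) and not was_blocked:
            newly.append(ip)
    return newly


# Constructed sample, not a real maillog: one relay floods, one is normal.
SAMPLE_LOG = ["Sep 14 03:00:%02d mx sendmail[1%02d]: from=<w@x>, size=80000,"
              " relay=pc%d.example [192.0.2.10]" % (i, i, i) for i in range(5)] + [
              "Sep 14 03:00:09 mx sendmail[200]: from=<a@b>, size=900,"
              " relay=mail.example.net [198.51.100.5]"]

if __name__ == "__main__":
    lim = RelayLimiter(max_per_window=3)
    print("blocked:", scan_log(SAMPLE_LOG, lim, now=1000))
    for argv in lim.commands:
        print(" ".join(argv))
    print("\n".join(lim.access_db_lines()))
```

To enforce, hand each argv list to `subprocess.run` from a process that can call iptables, and keep the allow-list populated with upstream relays you must never cut off: a sliding window counts every message a relay sends, so a busy but legitimate upstream MX would otherwise be blocked exactly like an infected PC.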



