Dealing with MailScanner overloads {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Mon Sep 15 17:32:35 IST 2003


It seems like the MTA would be a more appropriate place, but if this were
going to be offered by MS, then I would rather be able to easily tailor the
action it takes to match my site - perhaps MS could have a configurable "max
message rate per relay" and do all the hashing, but then just call a
user-defined function or script to make the actual changes to the system.
In my case I'd probably update a table in a database, then periodically
update iptables rather than the sendmail access system - I doubt that would
be the approach many others would take, given that iptables is
linux-specific and others may prefer to use the access file or a mailer
other than sendmail.

I'm definitely not a sendmail guru - are we sure this ability (refusing
connections from a relay when the rate is too high for that specific relay)
isn't already present in the MTA (whether sendmail or others)?

You'd also want to be able to exclude some addresses from such restrictions
(or set different limit levels) to be sure you don't block, for example,
your own relay.

-t.


> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: Sunday, September 14, 2003 3:39 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Fwd: RE: Dealing with MailScanner overloads {Scanned by HJMS}
>
> What do you all think of this suggestion? Any ideas for improvements or
> useful ways to implement it?
>
> I'm thinking along the lines of adding entries to the sendmail access db. I
> can't remember if I need to restart sendmail after changing the access db,
> but a way of avoiding having to do that would be good.
>
> I would probably implement it as a Custom Function, as it's a side issue
> from the main point of scanning messages.
>
> > > >I've been successfully using MailScanner on a Linux server, until this
> > > >weekend, when it was overwhelmed with Sobig.F messages.  The mqueue.in
> > > >directory was growing at 90 files/minute, and contained a backlog of over
> > > >10,000 messages by the time I noticed the problem.  This was on a lightly
> > > >loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
> > > >emails per day.
> > > >
> > > >To get things back under control, I looked through the maillog file for the
> > > >relays that were sending the most messages, and blocked them with iptables.
> > > >There were a lot of them, so my plans for Sunday were trashed.  However, it
> > > >made me think of a way to automate it, but post-processing the mail log is
> > > >not the best point to tackle this problem.  Ideally, it should be done as
> > > >the mail arrives, possibly by simply refusing the SMTP connection, which is
> > > >where I'm out of my depth.  Here's what I think is required:
> > > >
> > > >Initialise an empty hash table, keyed by IP and containing a timestamp, a
> > > >usage count and a blocked flag.
> > > >
> > > >For each message:
> > > >     Get the IP of its relay.
> > > >     If not already in the hash table Then
> > > >         Create a new entry for the IP with usage count 1 and current
> > > >timestamp.
> > > >     Else
> > > >         Increment the usage counter and update the timestamp.
> > > >
> > > >         If usage > MAX_PER_HOUR and not already blocked Then
> > > >             Block the IP using:
> > > >                  iptables -I INPUT -s $ip -j DROP
> > > >                  iptables -I OUTPUT -d $ip -j DROP
> > > >             Mark the hash table entry as blocked.
> > > >             Append the IP and timestamp to the log file.
> > > >         Endif
> > > >     Endif
> > > >EndFor
> > > >
> > > >Every hour, scan the table and remove any entries older than 1 hour.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
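The hash-table sketch quoted above, combined with the two refinements from the reply (a site-defined action instead of a hard-wired iptables call, and an exemption list so your own relay is never blocked), as an added Python example; it is not code from the thread or from MailScanner. The threshold value, the relay addresses and the clock are constructed for the demonstration; the block and unblock hooks are assumed callbacks that a site would point at iptables, the sendmail access db, or a database table. The iptables rules are only rendered as strings, never executed.

```python
import time

# Constructed threshold: the quoted sketch names MAX_PER_HOUR but gives no value.
MAX_PER_HOUR = 500
WINDOW_SECONDS = 3600


def iptables_block_commands(ip):
    """Return the two DROP rules from the quoted sketch as strings (not executed)."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP",
        f"iptables -I OUTPUT -d {ip} -j DROP",
    ]


def iptables_unblock_commands(ip):
    """The matching rule deletions, so an expired block can actually be lifted."""
    return [
        f"iptables -D INPUT -s {ip} -j DROP",
        f"iptables -D OUTPUT -d {ip} -j DROP",
    ]


class RelayRateLimiter:
    """Hash table keyed by relay IP: usage count, last-seen timestamp, blocked flag."""

    def __init__(self, max_per_hour=MAX_PER_HOUR, window=WINDOW_SECONDS,
                 exempt=(), block_action=None, unblock_action=None, clock=time.time):
        self.max_per_hour = max_per_hour
        self.window = window
        # Relays that must never be blocked (e.g. your own outbound relay).
        self.exempt = set(exempt)
        # Assumed site-specific hooks: the policy decision stays here, the
        # mechanism (iptables, access db, database row) lives in the callback.
        self.block_action = block_action or (lambda ip: None)
        self.unblock_action = unblock_action or (lambda ip: None)
        self.clock = clock  # injectable so the demo is deterministic
        self.table = {}     # ip -> {"count", "last_seen", "blocked"}
        self.log = []       # (ip, timestamp) appended on every block decision

    def record(self, ip):
        """Account for one message from `ip`; return True if `ip` is now blocked."""
        now = self.clock()
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = {"count": 1, "last_seen": now, "blocked": False}
            return False
        entry["count"] += 1
        entry["last_seen"] = now
        if ip in self.exempt:
            return False
        if entry["count"] > self.max_per_hour and not entry["blocked"]:
            entry["blocked"] = True
            self.log.append((ip, now))
            self.block_action(ip)
        return entry["blocked"]

    def expire(self):
        """Hourly sweep: drop entries idle longer than the window and lift their blocks."""
        now = self.clock()
        stale = [ip for ip, e in self.table.items() if now - e["last_seen"] > self.window]
        for ip in stale:
            if self.table[ip]["blocked"]:
                self.unblock_action(ip)
            del self.table[ip]
        return sorted(stale)


def demo():
    """Drive the limiter with constructed traffic and a fake clock."""
    clock = [1_000_000.0]
    blocked, unblocked = [], []
    limiter = RelayRateLimiter(max_per_hour=3, exempt={"10.0.0.1"},
                               block_action=blocked.append,
                               unblock_action=unblocked.append,
                               clock=lambda: clock[0])
    for _ in range(5):
        limiter.record("192.0.2.7")   # constructed noisy relay: crosses the limit
    for _ in range(5):
        limiter.record("10.0.0.1")    # constructed exempt relay: counted, never blocked
    clock[0] += WINDOW_SECONDS + 1    # jump past the hourly window
    expired = limiter.expire()
    return blocked, unblocked, expired, len(limiter.log)


if __name__ == "__main__":
    print(demo())
    print("\n".join(iptables_block_commands("192.0.2.7")))
```

One caveat worth keeping in mind when adopting the sketch as written: the sweep removes entries by last-seen time, so a relay that keeps sending never ages out and its count keeps growing across hours. For a true per-hour limit, store the time the current window opened and reset the count when that is older than the window, rather than keying expiry on the last message.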


