Dealing with MailScanner overloads {Scanned by HJMS}
Clas Net Newsletter
ispmgr at clas.net
Mon Sep 15 18:55:20 IST 2003
Just so we don't re-invent the wheel, you can throttle using tcp wrappers
and there is already some code out there (http://www.spamshield.org/) that
parses maillogs and can update iptables, access, etc. with very little
modification. I also believe someone mentioned mailstats having some of
this type of functionality as well.
Youn Gonzales
System Administrator
Comptia A+, Network+, INET+,
Cisco CCNA/CCDA Certified Technician
Microsoft Certified Professional
I have an existential map; it has you are here written all over it.
- Steven Wright
----- Original Message -----
From: "Furnish, Trever G" <TGFurnish at HERFF-JONES.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Monday, September 15, 2003 11:32 AM
Subject: Re: Dealing with MailScanner overloads {Scanned by HJMS}
> It seems like the MTA would be a more appropriate place, but if this were
> going to be offered by MS, then I would rather be able to easily tailor the
> action it takes to match my site - perhaps MS could have a configurable "max
> message rate per relay" and do all the hashing, but then just call a
> user-defined function or script to make the actual changes to the system.
> In my case I'd probably update a table in a database, then periodically
> update iptables rather than the sendmail access system - I doubt that would
> be the approach many others would take, given that iptables is
> linux-specific and others may prefer to use the access file or a mailer
> other than sendmail.
>
> I'm definitely not a sendmail guru - are we sure this ability (refusing
> connections from a relay when the rate is too high for that specific relay)
> isn't already present in the MTA (whether sendmail or others)?
>
> You'd also want to be able to exclude some addresses from such restrictions
> (or set different limit levels) to be sure you don't block, for example,
> your own relay.
>
> -t.
>
>
> > -----Original Message-----
> > From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> > Sent: Sunday, September 14, 2003 3:39 AM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Fwd: RE: Dealing with MailScanner overloads {Scanned by HJMS}
> >
> >
> > What do you all think of this suggestion? Any ideas for improvements or
> > useful ways to implement it?
> >
> > I'm thinking along the lines of adding entries to the sendmail access db. I
> > can't remember if I need to restart sendmail after changing the access db,
> > but a way of avoiding having to do that would be good.
> >
> > I would probably implement it as a Custom Function, as it's a side issue
> > from the main point of scanning messages.
> >
> > > > >I've been successfully using MailScanner on a Linux server, until this
> > > > >weekend, when it was overwhelmed with Sobig.F messages. The mqueue.in
> > > > >directory was growing at 90 files/minute, and contained a backlog of over
> > > > >10,000 messages by the time I noticed the problem. This was on a lightly
> > > > >loaded 1.5GB, 2GHz P4 server, which never gets more than 1000 legitimate
> > > > >emails per day.
> > > > >
> > > > >To get things back under control, I looked through the maillog file for the
> > > > >relays that were sending the most messages, and blocked them with iptables.
> > > > >There were a lot of them, so my plans for Sunday were trashed. However, it
> > > > >made me think of a way to automate it, but post-processing the mail log is
> > > > >not the best point to tackle this problem. Ideally, it should be done as
> > > > >the mail arrives, possibly by simply refusing the SMTP connection, which is
> > > > >where I'm out of my depth. Here's what I think is required:
> > > > >
> > > > >Initialise an empty hash table, keyed by IP and containing a timestamp, a
> > > > >usage count and a blocked flag.
> > > > >
> > > > >For each message:
> > > > >  Get the IP of its relay.
> > > > >  If not already in the hash table Then
> > > > >    Create a new entry for the IP with usage count 1 and current timestamp.
> > > > >  Else
> > > > >    Increment the usage counter and update the timestamp.
> > > > >
> > > > >    If usage > MAX_PER_HOUR and not already blocked Then
> > > > >      Block the IP using:
> > > > >        iptables -I INPUT -s $ip -j DROP
> > > > >        iptables -I OUTPUT -d $ip -j DROP
> > > > >      Mark the hash table entry as blocked.
> > > > >      Append the IP and timestamp to the log file.
> > > > >    Endif
> > > > >  Endif
> > > > >EndFor
> > > > >
> > > > >Every hour, scan the table and remove any entries older than 1 hour.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >
>
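As an added example (not code from the thread, and not MailScanner's Custom Function API or spamshield's code), here is the per-relay limiter sketched in the quoted pseudocode, written in Python and run over a few constructed sendmail-style maillog lines. It adds the exemption list Trever asked for, so your own relay is never blocked, and emits the iptables rules (or an access-map entry) as text for a site-specific hook rather than executing them. It goes slightly beyond the pseudocode by using a sliding one-hour window per IP instead of an hourly sweep. The sample addresses, the year assumed for syslog timestamps, and the 3-per-hour limit are assumptions for the demo.

```python
"""Per-relay message-rate limiter over a sendmail maillog, with exemptions.
Added example; assumed: sendmail-style maillog lines, year 2003 (syslog
carries no year), and that block actions are returned as text, not run."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

LOG_YEAR = 2003  # assumption: syslog timestamps omit the year

# Constructed maillog lines (not real traffic). 192.0.2.10 sends one message
# at 01:00 and five more after 03:10; 198.51.100.5 sends one; 10.0.0.2 is our
# own relay and sends four. One "to=" delivery line shows that it is skipped.
SAMPLE_LOG = """\
Sep 14 01:00:07 mx sendmail[2001]: h8E107xx002001: from=<x@example.net>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 03:10:01 mx sendmail[2311]: h8E3A1Ab002311: from=<x@example.net>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Sep 14 03:10:02 mx sendmail[2312]: h8E3A2Ab002312: from=<y@example.com>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=smtp.example.com [198.51.100.5]
Sep 14 03:10:03 mx sendmail[2313]: h8E3A1Ab002311: to=<bob@example.org>, delay=00:00:02, xdelay=00:00:00, mailer=local, pri=31024, dsn=2.0.0, stat=Sent
Sep 14 03:11:15 mx sendmail[2320]: h8E3BFAb002320: from=<x@example.net>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 03:12:40 mx sendmail[2331]: h8E3CeAb002331: from=<x@example.net>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 03:13:05 mx sendmail[2340]: h8E3D5Ab002340: from=<x@example.net>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 03:13:06 mx sendmail[2341]: h8E3D6Ab002341: from=<x@example.net>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Sep 14 03:14:00 mx sendmail[2350]: h8E3E0Ab002350: from=<me@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw.example.org [10.0.0.2]
Sep 14 03:14:01 mx sendmail[2351]: h8E3E1Ab002351: from=<me@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw.example.org [10.0.0.2]
Sep 14 03:14:02 mx sendmail[2352]: h8E3E2Ab002352: from=<me@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw.example.org [10.0.0.2]
Sep 14 03:14:03 mx sendmail[2353]: h8E3E3Ab002353: from=<me@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=gw.example.org [10.0.0.2]
"""

# Inbound "from=" lines end in relay=hostname [ip] or just relay=[ip].
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: from=.*'
    r'relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_line(line):
    """Return (epoch_seconds, relay_ip) for an inbound line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
    ts = ts.replace(year=LOG_YEAR, tzinfo=timezone.utc)
    return ts.timestamp(), m['ip']


class RelayRateLimiter:
    """Sliding one-hour window per relay IP: the pseudocode's count plus
    expiry, without waiting for an hourly sweep to drop stale entries."""

    def __init__(self, max_per_hour, exempt=(), window=3600):
        self.max_per_hour = max_per_hour
        self.window = window
        self.exempt = [ip_network(n) for n in exempt]  # never block these
        self.seen = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}               # ip -> time it was blocked

    def is_exempt(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.exempt)

    def record(self, ip, now):
        """Count one message; return True exactly once, the first time ip
        goes over the limit and should be blocked."""
        if ip in self.blocked or self.is_exempt(ip):
            return False
        q = self.seen[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # expire entries older than 1h
            q.popleft()
        if len(q) > self.max_per_hour:
            self.blocked[ip] = now
            return True
        return False


def block_commands(ip):
    """The two iptables rules from the original post, for the site's hook."""
    return [f"iptables -I INPUT -s {ip} -j DROP",
            f"iptables -I OUTPUT -d {ip} -j DROP"]


def access_db_entry(ip):
    """Equivalent sendmail access-map line for sites that prefer the access db."""
    return f"Connect:{ip}\tREJECT"


def process_log(text, max_per_hour, exempt=()):
    """Feed maillog text through the limiter. Returns the block events as
    (ip, 'Mon DD HH:MM:SS') in order, plus the limiter for inspection."""
    limiter = RelayRateLimiter(max_per_hour, exempt)
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if limiter.record(ip, ts):
            when = datetime.fromtimestamp(ts, timezone.utc).strftime('%b %d %H:%M:%S')
            events.append((ip, when))
    return events, limiter


if __name__ == "__main__":
    events, limiter = process_log(SAMPLE_LOG, max_per_hour=3, exempt=["10.0.0.0/8"])
    for ip, when in events:
        print(f"{when} block {ip}: " + "; ".join(block_commands(ip)))
        print("  access db:", access_db_entry(ip))
```

With the demo limit of 3, 192.0.2.10 is blocked on its fourth message inside the window (03:13:05); its 01:00 message has already expired, and the fifth message is not counted again. The own relay exceeds the limit but is exempt, and the "to=" delivery line is ignored. In production the hook would run the commands via a privileged helper or rebuild the access map with makemap; sendmail reopens the map's .db file per connection, so the access-db route needs no restart.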