DOS attacked :(

Mark Nienberg mark at TIPPINGMAR.COM
Thu Mar 4 00:36:29 GMT 2004


On 4 Mar 2004 at 11:05, Pete wrote:

> Stephen Swaney wrote:
>
> >I'm top posting so this won't get lost. This was written by one of our
> >clients to handle a really severe Joe-job. His name shall be revealed if he
> >lets me, but I don't know if he wants the credit for breaking RFC 1123
> >(this certainly does). This deletes any incoming email that has a return
> >address of "<>".
> >
> >BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the
> >left-hand side from the right-hand side rules and comments. They have been
> >lost in the email transmission. You'll know if you've missed a tab because
> >sendmail will croak when you try and start it.
> >
> >I can't verify that this works but he insisted it saved his axx. He was so
> >upset by the attack he stayed up for 30 hours straight and learned to write
> >sendmail.cf files from scratch. No small feat.
> >
> >Possibly some sendmail guru who's not battling the bagel will be kind enough
> >to put the hack into a sendmail.mc format.
> >
> >------------------ snip -----------------------------
> >######################################################################
> >######################################################################
> >#####
> >#####   REWRITING RULES
> >#####
> >######################################################################
> >######################################################################
> >#Added by XXX to handle joe job on 020404
> >
> >HSubject: $>Check_Subject1
> >D{MPat}Returned
> >SCheck_Subject1
> >R${MPat} $* $#discard
> >
> >
> >######################################################################
> >###  check_mail -- check SMTP `MAIL FROM:' command argument
> >######################################################################
> >
> >SLocal_check_mail
> >Scheck_mail
> >R$*   $: $1 $| $>"Local_check_mail" $1
> >R$* $| $#$*  $#$2
> >R$* $| $*  $@ $>"Basic_check_mail" $1
> >
> >SBasic_check_mail
> ># check for deferred delivery mode
> >R$*   $: < $&{deliveryMode} > $1
> >R< d > $*  $@ deferred
> >R< $* > $*  $: $2
> >
> ># authenticated?
> >R$*   $: $1 $| $>"tls_client" $&{verify} $| MAIL
> >R$* $| $#$+  $#$2
> >R$* $| $*  $: $1
> >
> >#modified by XXX to handle joe job on 020404 Note: org line above
> >#R<>   $@ <OK>   we MUST accept <> (RFC 1123)
> >R<>   $@ $#discard   we MUST accept <> (RFC 1123)
> >R$+   $: <?> $1
> >R<?><$+>  $: <@> <$1>
> >R<?>$+   $: <@> <$1>
> >R$*   $: $&{daemon_flags} $| $1
> >R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
> >R$* u $* $| <@> < $* > $: <?> < $3 >
> >R$* $| $*  $: $2
> ># handle case of @localhost on address
> >------------------ snip -----------------------------
> >
> >
> >Steve
> >
> >Stephen Swaney
> >President
> >Fortress Systems Ltd.
> >Steve.Swaney at FSL.com
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 6:08 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: DOS attacked :(
> >>
> >>What should I do to rectify or prevent this? Nothing, leave it to MS?
> >>
> >>Load average is stuck on 7 and almost nothing is working on this
> >>machine, even ssh commands have a 10sec delay.
> >>
> >>Will deleting the offending email be the entire solution?
> >>
> >>
> >>Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>,
> >>size=3477, nrcpt=1 (queue active)
> >>Mar  4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from
> >>adl0133.systems.sa.gov.au[143.216.236.20]
> >>Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27:
> >>to=<lwelch at mteliza.com.au>, relay=none, delay=0, status=deferred
> >>(deferred transport)
> >>Mar  4 10:10:20 mail01 update.virus.scanners: Found clamav installed
> >>Mar  4 10:10:20 mail01 update.virus.scanners: Running autoupdate for
> >>clamav
> >>Mar  4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 12 of 20
> >>Mar  4 10:10:50 mail01 MailScanner[14171]: Commercial scanner
> >>clamavmodule timed out!
> >>Mar  4 10:10:50 mail01 MailScanner[14182]: Commercial scanner
> >>clamavmodule timed out!
> >>Mar  4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of
> >>Service attack is in message A086133CDD
> >>Mar  4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need
> >>updating
> >>Mar  4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of
> >>Service attack detected!
> >>Mar  4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 13 of 20
> >>Mar  4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
> >>hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
> >>Host not found
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
> >>being delivered
> >>Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
> >>being delivered
> >>Mar  4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 14 of 20
> >>Mar  4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
> >>was killed, consecutive failure 15 of 20
> >>
> >>--
> >>This message has been scanned for viruses and
> >>dangerous content by MailScanner, and is
> >>believed to be clean.
> >>
> >>Fortress Systems Ltd.
> >>www.fsl.com
> >
> >--
> >This message has been scanned for viruses and
> >dangerous content by Fortress Secure Mail Gateway
> >and was found to be clean.
> >
> >Fortress Systems Ltd. - http://www.fsl.com
> Sorry, I wasn't clear enough - this is a postfix 2.016 - working
> perfectly until this morning, even after upgrade yesterday and added DCC
> and pyzor, although pyzor never worked and I didn't get a chance to look
> at it yet. I have tried changing the accelerated scanning mode to 40 (I
> assume this means when the queue is 40+ deep it will accelerate the
> scanning mode?)
>
> Can someone tell me how to use postfix to display the amount of
> messages in the queue from command line, or any other useful postfix
> commands? I did mailq -v but this displays nothing.
>
> The latest change I made was to clamavmodule from regular clamav, tried
> changing it back but no luck. Attached is my debug, nothing seems really
> obviously broken?
>
> Attached also is a log sample, complete, from immediately after a service
> MailScanner restart.
>
> It's getting worse and all I see is 100+ messages in the queue, changed
> the batch mode to only do 10 at once but still all I get in the maillog is
> Mar  4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and
> killed, consecutive failure 8 of 20
>
> Thanks in advance for ANY help I can get on this, it's a big problem and
> it's getting worse by the minute :(
>

Your problem is the SpamAssassin timeouts.  You could disable SpamAssassin in
your MailScanner.conf until your machine catches up, or you could debug the
timeouts.  Here is a suggested method from a recent posting by Julian Field:

Kill all the MailScanner processes (some of them will take several seconds
to die, let them get on with it).

Edit /etc/MailScanner/MailScanner.conf.
Set Debug = yes
Set Debug SpamAssassin = yes

Wait until you have a few messages collected in /var/spool/mqueue.in.
Then run "check_MailScanner". It should spew output about SpamAssassin,
during which it will hopefully pause, waiting for something to happen. The
output when it pauses should hopefully give you some clue about why it is
timing out.

It will run 1 batch of messages and then quit.
--
Mark W. Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave, Berkeley, CA  94704
visit our website at http://www.tippingmar.com
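The debug procedure Mark relays above (stop MailScanner, set the two Debug keys, wait for a few queued messages, run one batch with check_MailScanner), written out as a POSIX shell script. This is an added example, not code from the thread or from the MailScanner project; the config and queue paths are the ones named in the reply, while the function names, the MIN_MSGS default and the MS_DEBUG_RUN guard are this script's own assumptions.

```shell
#!/bin/sh
# set_conf_key FILE KEY VALUE: rewrite "KEY = ..." in a MailScanner.conf-style
# file, or append it if absent. The key is matched as a whole name, so
# setting "Debug" does not also rewrite "Debug SpamAssassin".
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -qi "^$key *=" "$file"; then
        awk -v k="$key" -v v="$value" '
            BEGIN { re = "^" tolower(k) " *=" }
            tolower($0) ~ re { print k " = " v; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: print the value currently set for KEY (empty if unset).
get_conf_key() {
    awk -F'=' -v k="$2" '
        BEGIN { re = "^" tolower(k) " *$" }
        tolower($1) ~ re { v = $2; sub(/^ */, "", v); print v; exit }' "$1"
}

# queued_messages DIR: number of files waiting in the incoming queue
# (assumption: one file per queued message is a good enough estimate here).
queued_messages() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# debug_run [CONF] [QUEUE] [MIN_MSGS]: the procedure from the reply, end to end.
debug_run() {
    conf=${1:-/etc/MailScanner/MailScanner.conf}
    queue=${2:-/var/spool/mqueue.in}
    min=${3:-5}
    pkill MailScanner || true               # some take several seconds to die
    while pgrep MailScanner >/dev/null; do sleep 2; done
    set_conf_key "$conf" "Debug" yes
    set_conf_key "$conf" "Debug SpamAssassin" yes
    while [ "$(queued_messages "$queue")" -lt "$min" ]; do sleep 5; done
    check_MailScanner                       # runs one batch, then quits
}

# Only touch the live system when explicitly asked: MS_DEBUG_RUN=1 ./debug.sh
if [ "${MS_DEBUG_RUN:-0}" = 1 ]; then
    debug_run "$@"
fi
```

Watch where the output stalls; that pause is the SpamAssassin call that is timing out, and the lines just before it are the clue.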


