DOS attacked :(

Pete pete at eatathome.com.au
Thu Mar 4 11:05:06 GMT 2004


Pete wrote:

> Stephen Swaney wrote:
>
>> I'm top posting so this won't get lost. This was written by one of our
>> clients to handle a really severe Joe-job. His name shall be revealed if he
>> lets me, but I don't know if he wants the credit for breaking RFC 1123
>> (this certainly does). This deletes any incoming email that has a return
>> address of "<>".
>>
>> BE CAREFUL WITH THE TABS. Don't cut 'n paste this; tabs must separate the
>> left-hand side of the rules from the right-hand side and comments. They have
>> been lost in the email transmission. You'll know if you've missed a tab
>> because sendmail will croak when you try and start it.
>>
>> I can't verify that this works but he insisted it saved his axx. He was so
>> upset by the attack he stayed up for 30 hours straight and learned to write
>> sendmail.cf files from scratch. No small feat.
>>
>> Possibly some sendmail guru who's not battling the Bagle will be kind enough
>> to put the hack into a sendmail.mc format.
>>
>> ------------------ snip -----------------------------
>> ######################################################################
>> ######################################################################
>> #####
>> #####   REWRITING RULES
>> #####
>> ######################################################################
>> ######################################################################
>> #Added by XXX to handle joe job on 020404
>>
>> HSubject: $>Check_Subject1
>> D{MPat}Returned
>> SCheck_Subject1
>> R${MPat} $* $#discard
>>
>>
>> ######################################################################
>> ###  check_mail -- check SMTP `MAIL FROM:' command argument
>> ######################################################################
>>
>> SLocal_check_mail
>> Scheck_mail
>> R$*   $: $1 $| $>"Local_check_mail" $1
>> R$* $| $#$*  $#$2
>> R$* $| $*  $@ $>"Basic_check_mail" $1
>>
>> SBasic_check_mail
>> # check for deferred delivery mode
>> R$*   $: < $&{deliveryMode} > $1
>> R< d > $*  $@ deferred
>> R< $* > $*  $: $2
>>
>> # authenticated?
>> R$*   $: $1 $| $>"tls_client" $&{verify} $| MAIL
>> R$* $| $#$+  $#$2
>> R$* $| $*  $: $1
>>
>> #modified by XXX to handle joe job on 020404 Note: org line above
>> #R<>   $@ <OK>   we MUST accept <> (RFC 1123)
>> R<>   $@ $#discard   we MUST accept <> (RFC 1123)
>> R$+   $: <?> $1
>> R<?><$+>  $: <@> <$1>
>> R<?>$+   $: <@> <$1>
>> R$*   $: $&{daemon_flags} $| $1
>> R$* f $* $| <@> < $* @ $- > $: < ? $&{client_name} > < $3 @ $4 >
>> R$* u $* $| <@> < $* > $: <?> < $3 >
>> R$* $| $*  $: $2
>> # handle case of @localhost on address
>> ------------------ snip -----------------------------
>>
>>
>> Steve
>>
>> Stephen Swaney
>> President
>> Fortress Systems Ltd.
>> Steve.Swaney at FSL.com
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>> Behalf Of Pete
>>> Sent: Wednesday, March 03, 2004 6:08 PM
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: DOS attacked :(
>>>
>>> What should I do to rectify or prevent this? Nothing, leave it to MS?
>>>
>>> Load average is stuck on 7 and almost nothing is working on this
>>> machine, even ssh commands have a 10sec delay.
>>>
>>> Will deleting the offending email be the entire solution?
>>>
>>>
>>> Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>,
>>> size=3477, nrcpt=1 (queue active)
>>> Mar  4 10:09:56 mail01 postfix/smtpd[15859]: disconnect from
>>> adl0133.systems.sa.gov.au[143.216.236.20]
>>> Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27:
>>> to=<lwelch at mteliza.com.au>, relay=none, delay=0, status=deferred
>>> (deferred transport)
>>> Mar  4 10:10:20 mail01 update.virus.scanners: Found clamav installed
>>> Mar  4 10:10:20 mail01 update.virus.scanners: Running autoupdate for
>>> clamav
>>> Mar  4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 12 of 20
>>> Mar  4 10:10:50 mail01 MailScanner[14171]: Commercial scanner
>>> clamavmodule timed out!
>>> Mar  4 10:10:50 mail01 MailScanner[14182]: Commercial scanner
>>> clamavmodule timed out!
>>> Mar  4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of
>>> Service attack is in message A086133CDD
>>> Mar  4 10:10:52 mail01 ClamAV-autoupdate[16032]: ClamAV did not need
>>> updating
>>> Mar  4 10:10:53 mail01 MailScanner[14182]: Virus Scanning: Denial Of
>>> Service attack detected!
>>> Mar  4 10:11:12 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 13 of 20
>>> Mar  4 10:11:35 mail01 postfix/smtpd[15859]: warning: 144.134.105.149:
>>> hostname glpp-p-144-134-105-149.prem.tmns.net.au verification failed:
>>> Host not found
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 81A6B33CF8: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 319FC33CF6: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7AB0F33CE7: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7144633CEF: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 7BB5933CF5: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: B023533CFB: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: A086133CDD: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: A101F33CF9: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 632A833CE0: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 67E9533CE2: skipped, still
>>> being delivered
>>> Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 593BD33984: skipped, still
>>> being delivered
>>> Mar  4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 14 of 20
>>> Mar  4 10:12:37 mail01 MailScanner[14186]: SpamAssassin timed out and
>>> was killed, consecutive failure 15 of 20
>>>
>>
> Sorry, I wasn't clear enough - this is a Postfix 2.016 - working
> perfectly until this morning, even after upgrade yesterday and added DCC
> and pyzor, although pyzor never worked and I didn't get a chance to look
> at it yet. I have tried changing the accelerated scanning mode to 40 (I
> assume this means when the queue is 40+ deep it will accelerate the
> scanning mode?)
>
> Can someone tell me how to use postfix to display the amount of
> messages in the queue from command line, or any other useful postfix
> commands? I did mailq -v but this displays nothing.
>
> The latest change I made was to clamavmodule from regular clamav, tried
> changing it back but no luck. Attached is my debug, nothing seems really
> obviously broken?
>
> Attached also is a log sample, complete, from immediately after a service
> MailScanner restart
>
> It's getting worse and all I see is 100+ messages in the queue, changed
> the batch mode to only do 10 at once but still all I get in the
> maillog is
> Mar  4 11:00:32 mail01 MailScanner[3461]: SpamAssassin timed out and was
> killed, consecutive failure 8 of 20
>
> thanks in advance for ANY help I can get on this, it's a big problem and
> it's getting worse by the minute :(
>
I am convinced this isn't entirely a SpamAssassin problem. I have had SA
switched off for 6+ hours now and still see messages having to be
requeued (this happens when they are too old I believe?) and the queue
building up to 10, at least it's not 100, but it's a slow time of day here
(evening).

Anyone got any suggestions on this problem? It doesn't appear as though
it's going away by itself, as I absolutely cannot have SpamAssassin
running or no messages are ever scanned. Is it possible/necessary to
uninstall the SA source install and install from CPAN, would this help?
If not, how do I downgrade? I would like to go back to my original
versions that worked; it's a long weekend here after tomorrow and I
can't leave it for 3 days not scanning any spam. :(

Appreciate any suggestions or pointers to get this resolved, am really
getting desperate.
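A triage script for the symptoms quoted in this thread (null-sender from=<> queue entries, the SpamAssassin "consecutive failure N of 20" watchdog streak, MailScanner's "Denial Of Service attack is in message" report and qmgr ids "skipped, still being delivered"), written as an added example that is not code from the thread or from MailScanner; the sample log lines are constructed to match the quoted format.

```python
"""Added example: one-pass triage of the postfix/MailScanner log symptoms quoted in this thread."""
import re
from collections import Counter

# Constructed sample lines, modelled on the log excerpts quoted above (not real traffic).
SAMPLE_LOG = """\
Mar  4 10:09:56 mail01 postfix/qmgr[14167]: 6D35733D27: from=<>, size=3477, nrcpt=1 (queue active)
Mar  4 10:09:57 mail01 postfix/qmgr[14167]: 7AB0F33CE7: from=<alice@example.invalid>, size=1200, nrcpt=1 (queue active)
Mar  4 10:10:27 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 12 of 20
Mar  4 10:10:52 mail01 MailScanner[14171]: Virus Scanning: Denial Of Service attack is in message A086133CDD
Mar  4 10:11:46 mail01 postfix/qmgr[14167]: 802E233CF1: skipped, still being delivered
Mar  4 10:11:53 mail01 MailScanner[14186]: SpamAssassin timed out and was killed, consecutive failure 14 of 20
Mar  4 10:12:01 mail01 postfix/qmgr[14167]: 593BD33984: from=<>, size=3477, nrcpt=1 (queue active)
"""

# Patterns for the four line shapes quoted in the thread; sender is empty for from=<> bounces.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
SA_TIMEOUT = re.compile(r"MailScanner\[(?P<pid>\d+)\]: SpamAssassin timed out .*? failure (?P<n>\d+) of (?P<max>\d+)")
DOS_MSG = re.compile(r"Denial Of Service attack is in message (?P<qid>\w+)")
STUCK = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): skipped, still being delivered")

def triage(log_text):
    """Summarise bounce-flood and scanner-health indicators found in log_text."""
    null_sender, dos_ids, stuck = [], [], set()
    senders, sa_worst, sa_limit = Counter(), {}, None
    for line in log_text.splitlines():
        if m := QMGR_FROM.search(line):
            senders[m["sender"]] += 1
            if m["sender"] == "":          # from=<>: bounce / joe-job backscatter
                null_sender.append(m["qid"])
        elif m := SA_TIMEOUT.search(line):
            sa_limit = int(m["max"])       # MailScanner gives up on SA at "N of N"
            sa_worst[m["pid"]] = max(sa_worst.get(m["pid"], 0), int(m["n"]))
        elif m := DOS_MSG.search(line):
            dos_ids.append(m["qid"])
        elif m := STUCK.search(line):
            stuck.add(m["qid"])
    queued = sum(senders.values())
    worst = max(sa_worst.values(), default=0)
    return {
        "queued": queued,
        "null_sender": null_sender,
        "sa_worst_streak": worst,
        "sa_failures_remaining": (sa_limit - worst) if sa_limit else None,
        "dos_messages": dos_ids,
        "stuck": sorted(stuck),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

On a live box the same function can be fed /var/log/maillog; the current Postfix queue itself is listed with `postqueue -p` (equivalently `mailq`).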


