DOS attacked :(

Thu Mar 4 11:56:20 GMT 2004

Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 11:29 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>
>>Rick Cooper wrote:
>>
>>
>>
>>>Sorry to top post, but
>>>
>>>Are you sure that Net::CIDR is installed ( I think that
>>>requirement came after your original install version), and are
>>>you using a local caching name server? Slow downs in
>>>
>>>
>>the network
>>
>>
>>>test arena are many time caused by resolver problems.
>>>
>>>
>>>
>>>
>>>
>>>
>>Have not got internal DNS, all external, and net::cidr is
>>installed/updated with rpm mailscanner installation.
>>
>>But this got me thinking, i tried to ping all the
>>servers listed in
>>spam.lists.conf and i cannot resolve any, me think its
>>is not good.
>>Although i can ping almost any other domain name i can
>>think of, but not
>>any of the spamlist ones. I can ping the
>>dcc#.dcc-servers.net found when
>>doing cdcc info.
>>
>>CPAN shell doesnt work cos it cannot resolve the perl sites.
>>
>>I have changed nothing regarding DNS or networks. I
>>assume this is the
>>cause/symptom of my problems?
>>
>>Having spamassassin off is a nightmare and we are
>>getting heaps of spam.
>>
>>--
>>
>>
>
>Run
>Makes you wonder if your ISP changed name servers on you, or you
>have a firewall problem.
>
>Change /etc/resolv.conf
>options ndots:1
>nameserver 127.0.0.1
>nameserver put current ns1 address here
>nameserver put current ns2 address here
>multi on
>
>then /etc/init.d/named start
>then /etc/init.d/network restart
>
>and try your test again. If your resolver isn't working you will
>have *very* slow network tests as you will be waiting for each
>outbound to timeout.. with a caching name server running you will
>see improvements in many things with your mail service.
>
>Rick
>
>
>
Thanks.

Enabled the named and changed the resolv and restart, turned on
spamassassin and sent through some bagles and netskys and all was good,
they were detected and and processed properly. (while writing this i
noticed quite a few bagles-gen2 getting detected)

Maybe a combination of the DOS attack message in the maillog (does this
mean zip of death?), slow as network connection and therefore big
hassles with RBLs, sa or ms runs MUCH slower than previous versions,
probably due to all the extra message handling needed to combat these
new nasties?

 Although just looking through the stats now, we dont have anywhere near
(hundreds of times less) virus stats as when mydoom was going hard, and
we dont anymore email volume in total than usual; and we detected half
as spam as we did yeterdya (cos SA was off almost all day?), so i guess
it was something to do with some of these nasties we havent previously seen?

Boss has given permission to buy a cheapo 2nd hand old fashioned server,
so hopefully will be able to double the specs on this and have some more
luck with that...