DOS attacked :(

Rick Cooper rcooper at DWFORD.COM
Thu Mar 4 12:18:25 GMT 2004


> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Thursday, March 04, 2004 6:56 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Rick Cooper wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list
> >>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 11:29 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: DOS attacked :(
> >>
> >>
> >>Rick Cooper wrote:
> >>
> >>
> >>
> >>>Sorry to top post, but
> >>>
> >>>Are you sure that Net::CIDR is installed (I think that requirement
> >>>came after your original install version), and are you using a local
> >>>caching name server? Slowdowns in the network test arena are many
> >>>times caused by resolver problems.
> >>>
> >>Have not got internal DNS, all external, and net::cidr is
> >>installed/updated with rpm mailscanner installation.
> >>
> >>But this got me thinking, i tried to ping all the servers listed in
> >>spam.lists.conf and i cannot resolve any, me think its is not good.
> >>Although i can ping almost any other domain name i can think of, but
> >>not any of the spamlist ones. I can ping the dcc#.dcc-servers.net
> >>found when doing cdcc info.
> >>
> >>CPAN shell doesn't work cos it cannot resolve the perl sites.
> >>
> >>I have changed nothing regarding DNS or networks. I assume this is
> >>the cause/symptom of my problems?
> >>
> >>Having spamassassin off is a nightmare and we are getting heaps of
> >>spam.
> >>
> >>--
> >>
> >>
> >
> >Run
> >Makes you wonder if your ISP changed name servers on you, or you
> >have a firewall problem.
> >
> >Change /etc/resolv.conf
> >options ndots:1
> >nameserver 127.0.0.1
> >nameserver put current ns1 address here
> >nameserver put current ns2 address here
> >multi on
> >
> >then /etc/init.d/named start
> >then /etc/init.d/network restart
> >
> >and try your test again. If your resolver isn't working you will
> >have *very* slow network tests as you will be waiting for each
> >outbound to timeout.. with a caching name server running you will
> >see improvements in many things with your mail service.
> >
> >Rick
> >
> >
> >
> Thanks.
>
> Enabled the named and changed the resolv and restart, turned on
> spamassassin and sent through some bagles and netskys and all was
> good, they were detected and processed properly. (while writing this
> i noticed quite a few bagles-gen2 getting detected)
>
> Maybe a combination of the DOS attack message in the maillog (does
> this mean zip of death?), slow as network connection and therefore
> big hassles with RBLs, sa or ms runs MUCH slower than previous
> versions, probably due to all the extra message handling needed to
> combat these new nasties?
>
> Although just looking through the stats now, we don't have anywhere
> near (hundreds of times less) virus stats as when mydoom was going
> hard, and we don't anymore email volume in total than usual; and we
> detected half as spam as we did yesterday (cos SA was off almost all
> day?), so i guess it was something to do with some of these nasties
> we haven't previously seen?

You're welcome.. I think the DOS stuff you were seeing had to do with
the network problems not ZipOfDeath problems. I assume you have SA
back up and running, but I don't think I would say 100% solved as you
still don't know why your ISP's name servers disappeared. Also, make
sure you did the chkconfig things or the next reboot and your DNS goes
away. You're not on a dynamic IP are you? I have seen this type of
thing happen when a host on a dynamic IP (like cable) sets their IP
static and the ISP does some network reconfigurations and suddenly the
name servers don't work, network slows down because they are supposed
to be on a different gateway (even though the current gw works),
etc... That name server thing would make me nervous even if I don't
use their name servers.

Good luck.



>
> Boss has given permission to buy a cheapo 2nd hand old fashioned
> server, so hopefully will be able to double the specs on this and
> have some more luck with that...

Ebay... there is always Ebay :->
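
Added example, not part of the original thread or of MailScanner: a shell check for the resolv.conf layout discussed above, with the local caching name server listed first. The function name check_resolv and the sample addresses (192.0.2.x documentation range) are assumptions; the three-nameserver limit and the keyword list follow resolv.conf(5).

```shell
#!/bin/sh
# check_resolv FILE: audit a resolv.conf for the caching-resolver setup.
# Prints one WARN line per finding; returns 0 when clean, 1 otherwise.
check_resolv() {
    awk '
    NF == 0 || $1 ~ /^[#;]/ { next }          # blank lines and comments
    $1 == "nameserver" {
        n++
        if (n == 1 && $2 != "127.0.0.1" && $2 != "::1") {
            print "WARN first nameserver " $2 " is not the local cache"
            bad = 1
        }
        if (n > 3) {                           # glibc resolver limit (MAXNS)
            print "WARN nameserver " $2 " is ignored (only 3 are used)"
            bad = 1
        }
        next
    }
    # Remaining keywords defined by resolv.conf(5)
    $1 == "options" || $1 == "search" || $1 == "domain" || $1 == "sortlist" { next }
    {
        print "WARN \"" $1 "\" is not a resolv.conf keyword"
        bad = 1
    }
    END {
        if (n == 0) { print "WARN no nameserver lines"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: upstream resolvers only, plus "multi on", which is
# an /etc/host.conf option, not a resolv.conf keyword.
sample=$(mktemp)
printf '%s\n' 'options ndots:1' 'nameserver 192.0.2.1' \
    'nameserver 192.0.2.2' 'multi on' > "$sample"
check_resolv "$sample" || echo "resolver configuration needs attention"
rm -f "$sample"
```

Run it against /etc/resolv.conf after any DHCP or ISP change, since a rewritten file that drops the 127.0.0.1 line sends every RBL lookup back to the upstream servers.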


