DOS attacked :(
rcooper at DWFORD.COM
Thu Mar 4 12:18:25 GMT 2004
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Thursday, March 04, 2004 6:56 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
> Rick Cooper wrote:
> >>-----Original Message-----
> >>From: MailScanner mailing list
> >>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 11:29 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: DOS attacked :(
> >>Rick Cooper wrote:
> >>>Sorry to top post, but
> >>>Are you sure that Net::CIDR is installed ( I think that
> >>>requirement came after your original install
> version), and are
> >>>you using a local caching name server? Slow downs in
> >>the network
> >>>test arena are many times caused by resolver problems.
> >>Have not got internal DNS, all external, and net::cidr is
> >>installed/updated with rpm mailscanner installation.
> >>But this got me thinking, i tried to ping all the
> >>servers listed in
> >>spam.lists.conf and i cannot resolve any, me think its
> >>is not good.
> >>Although i can ping almost any other domain name i can
> >>think of, but not
> >>any of the spamlist ones. I can ping the
> >>dcc#.dcc-servers.net found when
> >>doing cdcc info.
> >>CPAN shell doesn't work cos it cannot resolve the perl sites.
> >>I have changed nothing regarding DNS or networks. I
> >>assume this is the
> >>cause/symptom of my problems?
> >>Having spamassassin off is a nightmare and we are
> >>getting heaps of spam.
> >Makes you wonder if your ISP changed name servers on
> you, or you
> >have a firewall problem.
> >Change /etc/resolv.conf
> >options ndots:1
> >nameserver 127.0.0.1
> >nameserver put current ns1 address here
> >nameserver put current ns2 address here
> >multi on
> >then /etc/init.d/named start
> >then /etc/init.d/network restart
> >and try your test again. If your resolver isn't
> working you will
> >have *very* slow network tests as you will be waiting for each
> >outbound to timeout.. with a caching name server
> running you will
> >see improvements in many things with your mail service.
> Enabled the named and changed the resolv and restart, turned on
> spamassassin and sent through some bagles and netskys
> and all was good,
> they were detected and processed properly. (while
> writing this i
> noticed quite a few bagles-gen2 getting detected)
> Maybe a combination of the DOS attack message in the
> maillog (does this
> mean zip of death?), slow as network connection and
> therefore big
> hassles with RBLs, sa or ms runs MUCH slower than
> previous versions,
> probably due to all the extra message handling needed
> to combat these
> new nasties?
> Although just looking through the stats now, we don't
> have anywhere near
> (hundreds of times less) virus stats as when mydoom
> was going hard, and
> we don't anymore email volume in total than usual; and
> we detected half
> as spam as we did yesterday (cos SA was off almost all
> day?), so i guess
> it was something to do with some of these nasties we
> haven't previously seen?
You're welcome.. I think the DOS stuff you were seeing had to do
the network problems not ZipOfDeath problems. I assume you have
backup and running, but I don't think I would say 100% solved as
you still don't know why your ISP's name servers disappeared.
make sure you did the chkconfig things or the next reboot and
DNS goes away. You're not on a dynamic IP are you? I have seen this
of thing happen when a host on a dynamic IP (like cable) sets
IP static and the ISP does some network reconfigurations and
the name servers don't work, network slows down because they are
supposed to be on a different gateway (even though the current gw
etc... That name server thing would make me nervous even if I
their name servers.
> Boss has given permission to buy a cheapo 2nd hand old
> fashioned server,
> so hopefully will be able to double the specs on this
> and have some more
> luck with that...
Ebay... there is always Ebay :->
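
An added example, not part of the original thread and not MailScanner code: a small Python check of the /etc/resolv.conf layout discussed above. It confirms that the local caching resolver is listed first, flags lines the glibc resolver does not recognise, and gives a rough worst-case stall for one lookup when every server times out. The function name, the sample file and the 192.0.2.x addresses are constructed for illustration; the stall figure is a simplified upper bound using the glibc defaults (timeout 5, attempts 2).

```python
import ipaddress

# resolv.conf(5) keywords on Linux/glibc; other lines are ignored by the resolver.
KNOWN = {"nameserver", "domain", "search", "sortlist", "options"}

def audit_resolv_conf(text):
    """Report nameserver order, local-cache placement and problems found."""
    servers, problems = [], []
    opts = {"timeout": 5, "attempts": 2}  # glibc defaults per resolv.conf(5)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key not in KNOWN:
            problems.append(f"line {lineno}: '{key}' is not a resolv.conf keyword")
        elif key == "nameserver":
            try:
                servers.append(ipaddress.ip_address(args[0]))
            except (IndexError, ValueError):
                problems.append(f"line {lineno}: nameserver needs an IP address")
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name in opts and val.isdigit():
                    opts[name] = int(val)
    if not servers:
        problems.append("no usable nameserver entries")
    elif not servers[0].is_loopback:
        problems.append("first nameserver is not the local caching resolver")
    if len(servers) > 3:
        problems.append("glibc uses only the first 3 nameservers")
    used = servers[:3]
    # Simplified upper bound (assumption): every try against every server times out.
    stall = opts["timeout"] * opts["attempts"] * len(used)
    return {"servers": [str(s) for s in used],
            "local_first": bool(used) and used[0].is_loopback,
            "worst_case_stall_s": stall, "problems": problems}

# Constructed sample modelled on the file quoted in the thread; the 192.0.2.x
# documentation addresses stand in for the ISP's name servers.
SAMPLE = """options ndots:1
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 192.0.2.54
multi on
"""

if __name__ == "__main__":
    for key, value in audit_resolv_conf(SAMPLE).items():
        print(key, "=", value)
```
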