DOS attacked :(

Pete pete at eatathome.com.au
Thu Mar 4 12:32:43 GMT 2004


Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Pete
>>Sent: Thursday, March 04, 2004 6:56 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Rick Cooper wrote:
>>
>>>>-----Original Message-----
>>>>From: MailScanner mailing list
>>>>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Pete
>>>>Sent: Wednesday, March 03, 2004 11:29 PM
>>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>>Subject: Re: DOS attacked :(
>>>>
>>>>Rick Cooper wrote:
>>>>
>>>>>Sorry to top post, but
>>>>>
>>>>>Are you sure that Net::CIDR is installed ( I think that
>>>>>requirement came after your original install version), and are
>>>>>you using a local caching name server? Slow downs in the network
>>>>>test arena are many times caused by resolver problems.
>>>>>
>>>>Have not got internal DNS, all external, and net::cidr is
>>>>installed/updated with rpm mailscanner installation.
>>>>
>>>>But this got me thinking, i tried to ping all the servers listed in
>>>>spam.lists.conf and i cannot resolve any, me thinks it is not good.
>>>>Although i can ping almost any other domain name i can think of, but not
>>>>any of the spamlist ones. I can ping the dcc#.dcc-servers.net found when
>>>>doing cdcc info.
>>>>
>>>>CPAN shell doesn't work cos it cannot resolve the perl sites.
>>>>
>>>>I have changed nothing regarding DNS or networks. I assume this is the
>>>>cause/symptom of my problems?
>>>>
>>>>Having spamassassin off is a nightmare and we are getting heaps of spam.
>>>>
>>>>--
>>>>
>>>Run
>>>Makes you wonder if your ISP changed name servers on you, or you
>>>have a firewall problem.
>>>
>>>Change /etc/resolv.conf
>>>options ndots:1
>>>nameserver 127.0.0.1
>>>nameserver put current ns1 address here
>>>nameserver put current ns2 address here
>>>multi on
>>>
>>>then /etc/init.d/named start
>>>then /etc/init.d/network restart
>>>
>>>and try your test again. If your resolver isn't working you will
>>>have *very* slow network tests as you will be waiting for each
>>>outbound to timeout.. with a caching name server running you will
>>>see improvements in many things with your mail service.
>>>
>>>Rick
>>>
>>Thanks.
>>
>>Enabled the named and changed the resolv and restart, turned on
>>spamassassin and sent through some bagles and netskys and all was good,
>>they were detected and processed properly. (while writing this i
>>noticed quite a few bagles-gen2 getting detected)
>>
>>Maybe a combination of the DOS attack message in the maillog (does this
>>mean zip of death?), slow as network connection and therefore big
>>hassles with RBLs, sa or ms runs MUCH slower than previous versions,
>>probably due to all the extra message handling needed to combat these
>>new nasties?
>>
>>Although just looking through the stats now, we dont have anywhere near
>>(hundreds of times less) virus stats as when mydoom was going hard, and
>>we dont have any more email volume in total than usual; and we detected half
>>as much spam as we did yesterday (cos SA was off almost all day?), so i guess
>>it was something to do with some of these nasties we havent previously seen?
>>
>
>You're welcome.. I think the DOS stuff you were seeing had to do with
>the network problems not ZipOfDeath problems. I assume you have SA
>back up and running, but I don't think I would say 100% solved as
>you still don't know why your ISP's name servers disappeared. Also,
>make sure you did the chkconfig things or the next reboot and your
>DNS goes away. You're not on a dynamic IP are you? I have seen this type
>of thing happen when a host on a dynamic IP (like cable) sets their
>IP static and the ISP does some network reconfigurations and suddenly
>the name servers don't work, network slows down because they are
>supposed to be on a different gateway (even though the current gw
>works), etc... That name server thing would make me nervous even if I
>don't use their name servers.
>
>Good luck.
>
>>Boss has given permission to buy a cheapo 2nd hand old fashioned server,
>>so hopefully will be able to double the specs on this and have some more
>>luck with that...
>>
>
>Ebay... there is always Ebay :->
>
Not on dyn IP, sa ISN'T working with RBLs, this appears to be the cause
of all my woes, although i am not really sure, but it seems that way. I
have posted already with my logs, but i notice i can ping spamcop.net
but NOT bl.spamcop.net as it appears in spam.lists.conf, this is the
same from XP machine, so assume its meant to be this way - but none the
less all the rbls fail every time when run by SA.
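A way to test the symptom in this thread (the zone name from spam.lists.conf does not ping, yet SpamAssassin's RBL checks still fail), as an added example that is not part of this thread or of MailScanner: it parses a constructed excerpt in spam.lists.conf's two-column name/zone format, builds the reversed-octet query name a DNSBL actually answers for, and sorts each answer into listed, clean NXDOMAIN, or resolver failure. The 127.0.0.2 test entry is the usual DNSBL convention, and fake_resolve is a constructed offline stand-in for the real resolver.

```python
import socket
# Constructed excerpt in spam.lists.conf format: list name, whitespace, DNS zone.
SPAM_LISTS_CONF = """\
# Name          Domain
spamcop.net     bl.spamcop.net
spamhaus-SBL    sbl.spamhaus.org
"""

def parse_spam_lists(text):
    """Return [(name, zone), ...], ignoring comments and blank lines."""
    lists = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, zone = line.split()[:2]
            lists.append((name, zone))
    return lists

def dnsbl_query_name(ip, zone):
    """A DNSBL is queried as <reversed octets>.<zone>, e.g. 2.0.0.127.bl.spamcop.net.
    The zone apex (bl.spamcop.net) need not have an A record, so failing to ping
    it is normal and says nothing about whether the resolver works."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_lists(lists, resolve=socket.gethostbyname, test_ip="127.0.0.2"):
    """Look up the conventional test entry 127.0.0.2 in every zone.
    'listed': the zone answered; 'not-listed': clean NXDOMAIN (zone reachable);
    'resolver-failure': the timeout case SpamAssassin waits out per RBL."""
    results = {}
    for name, zone in lists:
        try:
            resolve(dnsbl_query_name(test_ip, zone))
            results[name] = "listed"
        except socket.gaierror as err:
            nxdomain = err.errno == socket.EAI_NONAME
            results[name] = "not-listed" if nxdomain else "resolver-failure"
    return results

# Constructed offline stand-in for the resolver: one zone answers, one is dead.
FAKE_DNS = {"2.0.0.127.bl.spamcop.net": "127.0.0.2"}
def fake_resolve(qname):
    if qname in FAKE_DNS:
        return FAKE_DNS[qname]
    if qname.endswith("sbl.spamhaus.org"):
        raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    for name, state in check_lists(parse_spam_lists(SPAM_LISTS_CONF), fake_resolve).items():
        print(f"{name:15} {state}")
```

Drop the fake_resolve argument to run it against the host's real resolver; every zone reporting resolver-failure points at the nameserver setup rather than at SpamAssassin.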
