Phishing detector apparently slogged up my server

Greg Deputy greg at BLASTZONE.COM
Thu Nov 18 08:02:01 GMT 2004



Fedora Core 2, MailScanner 4.35.9, Postfix 2.1.5.  Phishing detection
turned on.  Currently acting as a gateway (no mail on server, all gets
scanned and passed on to another server for delivery) for about 500 mail
boxes on 100 hosted domains.

Today I was looking at my mailscanner-mrtg page
(http://mx.blastzone.com/mailscanner-mrtg) and noticed that at around
1:30 am the CPU pegged on the box.  I spent some time trying to figure
out why, looking at the logs for a DoS attack or some evidence that the
box had been compromised, but found nothing.

What I eventually figured out was that MailScanner seemed to be hitting
the same mail in the Postfix hold queue over and over again.  It would
hit the mail, and apparently restart.  It would seem to hit the queue,
process a few messages, hit one, and then choke, restart.  It also
caused the CPU to be a lot more active (85% +) than it normally is
(~25%).

I believe it was dying in the phishing detector logic for 2 reasons.
One, I kept seeing the same phishing detection over and over again in
the logs.  Two, I turned off the phishing detection in MailScanner.conf,
restarted MailScanner, and the queue cleared out and CPU dropped back to
normal.  

I can provide the entire logs if needed, but they're big.  Probably
around 20 megs worth, as I have the verbosity turned up pretty high at
the moment on both MailScanner and Postfix for troubleshooting.

Here's a snippet of the log where you see MailScanner quoting part of
the same Phishing email over and over again.  Note the 'Big year
expected in 2005' and some HTML about 3 times below:

Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: <br><br>
Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for Motion DNA<br>
Nov 17 09:01:05 mx MailScanner[32483]:   <br>
Nov 17 09:01:05 mx MailScanner[32483]: Trading Symbol MTDN<br>
Nov 17 09:01:05 mx MailScanner[32483]: Current Price (est.) $0.025<br>
Nov 17 09:01:05 mx MailScanner[32483]: Valued Price (est.) $1.00<br><br>

Nov 17 09:01:07 mx postfix/smtpd[32344]: NOQUEUE: reject: RCPT from pool-68-239-72-146.res.east.verizon.net[68.239.72.146]: 554 Service unavailable; Client host [68.239.72.146] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=68.239.72.146; from=<subplr at verizon.net> to=<marquez at northwestrocketry.com> proto=SMTP helo=<pool-68-239-72-146.res.east.verizon.net>
Nov 17 09:01:07 mx MailScanner[32525]: Using locktype = flock
Nov 17 09:01:07 mx MailScanner[32525]: New Batch: Scanning 4 messages, 404119 bytes
Nov 17 09:01:07 mx MailScanner[32525]: MCP Checks completed at 404119 bytes per second
Nov 17 09:01:07 mx MailScanner[32525]: Spam Checks: Starting
Nov 17 09:01:07 mx MailScanner[32525]: Spam Checks completed at 404119 bytes per second
Nov 17 09:01:08 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<bragg at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:09 mx MailScanner[32525]: Virus and Content Scanning: Starting
Nov 17 09:01:09 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<byrne at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:09 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<ali at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:10 mx MailScanner[32525]: Virus Scanning completed at 134706 bytes per second
Nov 17 09:01:10 mx MailScanner[32525]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:10 mx MailScanner[32525]: <br><br>
Nov 17 09:01:10 mx MailScanner[32525]: Big year expected in 2005 for Motion DNA<br>
Nov 17 09:01:10 mx MailScanner[32525]:   <br>
Nov 17 09:01:10 mx MailScanner[32525]: Trading Symbol MTDN<br>
Nov 17 09:01:10 mx MailScanner[32525]: Current Price (est.) $0.025<br>
Nov 17 09:01:10 mx MailScanner[32525]: Valued Price (est.) $1.00<br><br>

Nov 17 09:01:10 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<abraham at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:10 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<arrington at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:11 mx postfix/smtpd[32344]: disconnect from pool-68-239-72-146.res.east.verizon.net[68.239.72.146]
Nov 17 09:01:11 mx MailScanner[32562]: MailScanner E-Mail Virus Scanner version 4.35.9 starting...
Nov 17 09:01:11 mx MailScanner[32562]: Config: calling custom init function ByDomainSpamBlacklist
Nov 17 09:01:11 mx MailScanner[32562]: Starting up by-domain spam blacklist, reading from /etc/MailScanner/spam.bydomain/blacklist
Nov 17 09:01:11 mx MailScanner[32562]: Read blacklist for 2 domains
Nov 17 09:01:11 mx MailScanner[32562]: Config: calling custom init function ByDomainSpamWhitelist
Nov 17 09:01:11 mx MailScanner[32562]: Starting up by-domain spam whitelist, reading from /etc/MailScanner/spam.bydomain/whitelist
Nov 17 09:01:11 mx MailScanner[32562]: Read whitelist for 5 domains
Nov 17 09:01:14 mx MailScanner[32267]: New Batch: Scanning 4 messages, 404119 bytes
Nov 17 09:01:14 mx MailScanner[32267]: MCP Checks completed at 404119 bytes per second
Nov 17 09:01:14 mx MailScanner[32267]: Spam Checks: Starting
Nov 17 09:01:14 mx MailScanner[32267]: Spam Checks completed at 404119 bytes per second
Nov 17 09:01:15 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<brantley at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:15 mx MailScanner[32562]: Using locktype = flock
Nov 17 09:01:15 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<cassidy at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:16 mx MailScanner[32267]: Virus and Content Scanning: Starting
Nov 17 09:01:16 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<benoit at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:17 mx postfix/smtpd[32353]: NOQUEUE: reject: RCPT from YahooBB219176178079.bbtec.net[219.176.178.79]: 554 Service unavailable; Client host [219.176.178.79] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=219.176.178.79; from=<ldtxmzhlsmui at bbtec.net> to=<andrade at paratech-parachutes.com> proto=SMTP helo=<yahoobb219176178079.bbtec.net>
Nov 17 09:01:17 mx MailScanner[32267]: Virus Scanning completed at 134706 bytes per second
Nov 17 09:01:17 mx MailScanner[32267]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:17 mx MailScanner[32267]: <br><br>
Nov 17 09:01:17 mx MailScanner[32267]: Big year expected in 2005 for Motion DNA<br>
Nov 17 09:01:17 mx MailScanner[32267]:   <br>
Nov 17 09:01:17 mx MailScanner[32267]: Trading Symbol MTDN<br>
Nov 17 09:01:17 mx MailScanner[32267]: Current Price (est.) $0.025<br>
Nov 17 09:01:17 mx MailScanner[32267]: Valued Price (est.) $1.00<br><br>

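The pattern in the log above (the same "Found phishing fraud attack from <url>" line logged by one MailScanner child after another, with a fresh "version 4.35.9 starting..." child and an identical "New Batch: Scanning 4 messages, 404119 bytes" line in between) is the signature of a batch being re-scanned instead of delivered. The script below, an added example and not code from MailScanner or from the poster, pulls that signature out of syslog: it groups phishing detections by the quoted URL and flags any URL reported by more than one child PID, counts identical batch lines seen by different PIDs, and counts child start-ups. It assumes standard syslog line layout as shown in the post; the sample log is constructed from the lines quoted above, plus one made-up single-PID detection (phish.example.invalid) to show the non-loop case.

```python
"""Spot a MailScanner scan/restart loop in syslog output (added example)."""
import re
from collections import defaultdict

# Standard syslog prefix, e.g. "Nov 17 09:01:05 mx MailScanner[32483]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
PHISH_RE = re.compile(r'^Found phishing fraud attack from (?P<url>\S+)')
START_RE = re.compile(r'Virus Scanner version \S+ starting')
BATCH_RE = re.compile(r'^New Batch: Scanning (?P<n>\d+) messages, (?P<size>\d+) bytes')

# Constructed sample: trimmed from the post's log, plus one made-up
# single-PID detection so the "not a loop" path is exercised too.
SAMPLE_LOG = """\
Nov 17 09:01:05 mx MailScanner[32483]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:05 mx MailScanner[32483]: Big year expected in 2005 for Motion DNA<br>
Nov 17 09:01:07 mx postfix/smtpd[32344]: NOQUEUE: reject: RCPT from pool-68-239-72-146.res.east.verizon.net[68.239.72.146]: 554 Service unavailable
Nov 17 09:01:07 mx MailScanner[32525]: New Batch: Scanning 4 messages, 404119 bytes
Nov 17 09:01:10 mx MailScanner[32525]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:11 mx MailScanner[32562]: MailScanner E-Mail Virus Scanner version 4.35.9 starting...
Nov 17 09:01:14 mx MailScanner[32267]: New Batch: Scanning 4 messages, 404119 bytes
Nov 17 09:01:17 mx MailScanner[32267]: Found phishing fraud attack from http://www.otcbb.com/asp/quote_module.asp?symbol=MTDN</a>
Nov 17 09:01:20 mx MailScanner[32267]: Found phishing fraud attack from http://phish.example.invalid/login
"""


def mailscanner_records(lines):
    """Yield parsed syslog records emitted by MailScanner children only."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and m.group('prog') == 'MailScanner':
            yield m.groupdict()


def analyse(lines, min_pids=2):
    """Return loop indicators for a window of syslog lines.

    A healthy scan handles each message once, so one detection per URL and
    one "New Batch" line per batch is normal. The same detection, or an
    identical batch, reported by at least `min_pids` distinct child PIDs
    means the batch is being picked up again after a child died.
    """
    detections = defaultdict(list)   # url -> [(ts, pid), ...]
    batches = defaultdict(list)      # (n_msgs, bytes) -> [pid, ...]
    starts = []                      # child start-ups seen in the window
    for rec in mailscanner_records(lines):
        msg = rec['msg']
        pm = PHISH_RE.match(msg)
        if pm:
            # MailScanner quotes the raw HTML fragment, so drop a trailing "</a>"
            url = re.sub(r'</a>$', '', pm.group('url'))
            detections[url].append((rec['ts'], rec['pid']))
            continue
        if START_RE.search(msg):
            starts.append((rec['ts'], rec['pid']))
            continue
        bm = BATCH_RE.match(msg)
        if bm:
            batches[(int(bm.group('n')), int(bm.group('size')))].append(rec['pid'])

    loops = {}
    for url, hits in detections.items():
        pids = sorted({pid for _, pid in hits})
        if len(pids) >= min_pids:
            loops[url] = {'hits': len(hits), 'pids': pids,
                          'first': hits[0][0], 'last': hits[-1][0]}
    repeated = {key: sorted(set(pids)) for key, pids in batches.items()
                if len(set(pids)) >= min_pids}
    return {'loops': loops, 'repeated_batches': repeated,
            'child_starts': len(starts)}


def report(result):
    """Render the analysis as one line per finding."""
    out = []
    for url, info in result['loops'].items():
        out.append(f"LOOP? {info['hits']} detections of {url} from "
                   f"{len(info['pids'])} child PIDs {info['pids']} "
                   f"between {info['first']} and {info['last']}")
    for (n, size), pids in result['repeated_batches'].items():
        out.append(f"same batch ({n} msgs, {size} bytes) scanned by PIDs {pids}")
    out.append(f"{result['child_starts']} MailScanner child start-up(s) in window")
    return out


if __name__ == '__main__':
    for line in report(analyse(SAMPLE_LOG.splitlines())):
        print(line)
```

Run it against the real file with `analyse(open('/var/log/maillog'))` for a quick check, or restrict the window with grep first; the point is that the distinct-PID count, not the raw number of "Found phishing" lines, is what separates a busy gateway from a child that keeps dying on the same batch.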