Heavy increase in spam influx this week?

Gareth list-mailscanner at linguaphone.com
Fri Aug 31 09:34:24 IST 2007


For me the number of spams received has dropped a little this week. Last
week zen was rejecting about 7000 per day and this week it is just over
6000.

However last night our postfix mta did reach the maximum concurrent
connections (50) from one particular IP address and we hit the maximum
process count (100) once for a very brief time.

It wasn't a DOS attack but seemed to be a spam bot having problems as
the connection rate was not that high.

I have dropped the maximum concurrent connections significantly which
should stop the process count going so high again in future.

On Fri, 2007-08-31 at 09:18, Kai Schaetzl wrote:
> Matt Kettler wrote on Thu, 30 Aug 2007 16:48:46 -0400:
> 
> > My guess is this is the botnet resulting from the storm worm variants going into 
> > action.
> 
> Ah, that's it. I figured as well it might be some new botnet, but I'm not well 
> informed about what's currently du jour in that world. I barely saw any of 
> that postcard spam, but now they come back at me from a different angle.
> 
> > I've been noticing a lot of activity too. For the first time ever my sendmail 
> > actually hit my confMAX_DAEMON_CHILDREN limit.
> 
> Same here. I get SMS when my servers reach certain thresholds and the night before 
> last night I got one almost every hour before I took measures to up the processes 
> and reduce the backlog of hanging bots. It's the worst onslaught of spam I have 
> seen yet, with the exception of backscatter on some single servers.
> 
> > A lot of them seem to be "hanging around" in the command read state, so I added 
> > a confTO_COMMAND limit of 10 minutes (default is 1 hour). Yes, I know you have 
> > to be careful shortening this, but 10 minutes between SMTP commands is still 
> > pretty reasonable, and hopefully will help my server shed these dead connections.
> 
> I think that's still very reasonable. I'm running with 1m on some newer servers, 
> (also for most other TO_ values) and haven't seen any problems with this for 
> months. After all, if commands or data sending take that long there's something wrong 
> with the connection, anyway. After I changed those values on the most hit older 
> servers the figures of steadily connected bots plunged. It makes a huge difference. 
> My Postfix machines still suffer from the backlog of bots, as I haven't checked yet 
> if Postfix provides similar time-out options. Does anyone know?
> 
> These bots send about 5 or ten mails to the same single address, but all with a 
> different sender. And they keep coming back quickly even when they were rejected. 
> It looks as if they want to brute-force the mail delivery by overwhelming the spam 
> protection.
> 
> Kai
> 
> -- 
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
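The thread above turns on two numbers read off a busy MTA: the per-client concurrent-connection count (Gareth's Postfix hit its limit of 50 from a single IP) and sessions that sit idle between SMTP commands (Matt's confTO_COMMAND change). The script below is an added example, not code from the thread or from any of the posters: it replays the "connect from" / "disconnect from" / "timeout after ... from" lines that postfix/smtpd writes to syslog and reports, per client IP, the peak number of simultaneous sessions and how many of them ended in an smtpd timeout. The log lines embedded in it are constructed, with addresses from the TEST-NET documentation ranges; the threshold of 50 is assumed from the figure Gareth quotes.

```python
"""Peak concurrent SMTP sessions per client, from Postfix smtpd logs.

Added example (not from the mailing-list thread). The sample log is
constructed; its addresses are TEST-NET documentation addresses.
"""
import re
from collections import defaultdict

# postfix/smtpd[pid]: connect from host[ip]
# postfix/smtpd[pid]: disconnect from host[ip]
# postfix/smtpd[pid]: timeout after CMD from host[ip]   (smtpd_timeout fired)
EVENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: "
    r"(?P<event>connect|disconnect|timeout after \S+) from "
    r"(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Constructed sample: three sessions from 192.0.2.10 open at once, two of
# which idle until the command/data timeout; one well-behaved session from
# 198.51.100.7 that connects, delivers and disconnects.
SAMPLE_LOG = """\
Aug 30 23:41:10 mx1 postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Aug 30 23:41:11 mx1 postfix/smtpd[4102]: connect from unknown[192.0.2.10]
Aug 30 23:41:12 mx1 postfix/smtpd[4103]: connect from mail.example.net[198.51.100.7]
Aug 30 23:41:13 mx1 postfix/smtpd[4104]: connect from unknown[192.0.2.10]
Aug 30 23:41:20 mx1 postfix/smtpd[4103]: disconnect from mail.example.net[198.51.100.7]
Aug 30 23:46:11 mx1 postfix/smtpd[4102]: timeout after RCPT from unknown[192.0.2.10]
Aug 30 23:46:11 mx1 postfix/smtpd[4102]: disconnect from unknown[192.0.2.10]
Aug 30 23:46:13 mx1 postfix/smtpd[4104]: timeout after DATA from unknown[192.0.2.10]
Aug 30 23:46:13 mx1 postfix/smtpd[4104]: disconnect from unknown[192.0.2.10]
Aug 30 23:47:00 mx1 postfix/smtpd[4101]: disconnect from unknown[192.0.2.10]
"""


def analyse(lines):
    """Return (peak_per_ip, timeouts_per_ip, overall_peak).

    peak_per_ip[ip]     highest number of open sessions from ip at any moment
    timeouts_per_ip[ip] sessions from ip that hit the SMTP command/data timeout
    overall_peak        highest number of open smtpd sessions across all clients
                        (a proxy for the smtpd process count the thread mentions)
    """
    open_now = defaultdict(int)
    peak = defaultdict(int)
    timeouts = defaultdict(int)
    total_open = 0
    overall_peak = 0
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an smtpd connection event (cleanup, qmgr, ...)
        ip, event = m.group("ip"), m.group("event")
        if event == "connect":
            open_now[ip] += 1
            total_open += 1
            peak[ip] = max(peak[ip], open_now[ip])
            overall_peak = max(overall_peak, total_open)
        elif event == "disconnect":
            # A disconnect whose connect fell before the start of the log
            # (rotation) is ignored rather than driving the count negative.
            if open_now[ip] > 0:
                open_now[ip] -= 1
                total_open -= 1
        else:
            # "timeout after CMD": Postfix still logs the disconnect afterwards,
            # so only the counter is touched here.
            timeouts[ip] += 1
    return dict(peak), dict(timeouts), overall_peak


def over_limit(peak_per_ip, limit=50):
    """Client IPs whose peak reached the per-client connection limit."""
    return sorted(ip for ip, n in peak_per_ip.items() if n >= limit)


if __name__ == "__main__":
    peak, timeouts, overall = analyse(SAMPLE_LOG.splitlines())
    print("overall peak sessions:", overall)
    for ip in sorted(peak):
        print(f"{ip:16} peak={peak[ip]:3} timeouts={timeouts.get(ip, 0)}")
    print("at or above limit:", over_limit(peak, limit=3))
```

Run it against a real mail log with `analyse(open("/var/log/mail.log"))`. The knobs the thread is circling are, on the Postfix side, `smtpd_client_connection_count_limit` (default 50, the per-client ceiling Gareth hit), `default_process_limit` (default 100, the process count he mentions) and, answering Kai's question, `smtpd_timeout` (default 300s), which is the time smtpd waits for the next command or for data and is the Postfix counterpart of sendmail's confTO_COMMAND; the "timeout after ..." lines this script counts are exactly the sessions that parameter ends.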

