Heavy increase in spam influx this week?

Pentland G. G.Pentland at soton.ac.uk
Fri Aug 31 14:32:04 IST 2007


I've seen this as well on quite a large scale.  It would appear that one of the bots is slightly broken and is hanging around in cmd_read, as you have observed.

I am now running with the following set...

define(`confQUEUE_LA',`15')dnl
define(`confREFUSE_LA',`10')dnl
define(`confMAX_DAEMON_CHILDREN',`500')dnl
define(`confDELIVERY_MODE',`background')dnl
define(`confMCI_CACHE_SIZE',`8')dnl
undefine(`confTO_QUEUEWARN')dnl
define(`confTO_QUEUERETURN',`8d')dnl
define(`confMIN_FREE_BLOCKS',`40000')dnl
define(`confTO_INITIAL',`2m')dnl
define(`confTO_CONNECT',`2m')dnl
define(`confTO_ICONNECT',`10s')dnl
define(`confTO_HELO',`5m')dnl
define(`confTO_MAIL',`10m')dnl
define(`confTO_RCPT',`10m')dnl
define(`confTO_DATAINIT',`5m')dnl
define(`confTO_DATABLOCK',`1h')dnl
define(`confTO_DATAFINAL',`1h')dnl
define(`confTO_RSET',`2m')dnl
define(`confTO_QUIT',`2m')dnl
define(`confTO_MISC',`2m')dnl
define(`confTO_COMMAND',`10m')dnl
define(`confTO_IDENT',`0')dnl
define(`confTO_FILEOPEN',`60s')dnl
define(`confTO_CONTROL',`2m')dnl
define(`confTO_AUTH',`10m')dnl
define(`confTO_STARTTLS',`10m')dnl

And we seem to be dealing with it nicely...

14:26:22 up 2 days,  2:22,  1 user,  load average: 3.46, 2.75, 2.33
children of current sendmail listener 178

This is on a dual Xeon 3GHz, 4GB RAM.

It is almost certainly related to the rapid spread of the virus "Troj/Agent-GBX", that went round the other day.

Hope that helps,

Gary

Kai Schaetzl wrote:
> Matt Kettler wrote on Thu, 30 Aug 2007 16:48:46 -0400:
>
>> My guess is this is the botnet resulting from the storm worm
>> variants going into action.
>
> Ah, that's it. I figured as well it might be some new botnet, but I'm
> not well informed about what's currently du jour in that world. I
> barely saw any of that postcard spam, but now they come back
> at me from a different angle.
>
>> I've been noticing a lot of activity too. For the first time ever my
>> sendmail actually hit my confMAX_DAEMON_CHILDREN limit.
>
> Same here. I get SMS when my servers reach certain thresholds and the
> night before last night I got one almost every hour before I took
> measures to up the processes and reduce the backlog of hanging bots.
> It's the worst onslaught of spam I have seen yet, with the exception
> of backscatter on some single servers.
>
>> A lot of them seem to be "hanging around" in the command read state,
>> so I added a confTO_COMMAND limit of 10 minutes (default is 1 hour).
>> Yes, I know you have to be careful shortening this, but 10 minutes
>> between SMTP commands is still pretty reasonable, and hopefully will
>> help my server shed these dead connections.
>
> I think that's still very reasonable. I'm running with 1m on some
> newer servers (also for most other TO_ values) and haven't seen any
> problems with this for months. After all, if commands or data sending
> take that long there's something wrong with the connection, anyway.
> After I changed those values on the most hit older servers the
> figures of steadily connected bots plunged. It makes a huge
> difference. My Postfix machines still suffer from the backlog of
> bots, as I haven't checked yet if Postfix provides similar time-out
> options. Anyone knows?
>
> These bots send about five or ten mails to the same single address, but
> all with a different sender. And they keep coming back quickly even
> when they were rejected. It looks as if they want to brute-force the
> mail delivery by overwhelming the spam protection.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
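An added example for this archive page (not code from the list, from Gary or Kai, or from the sendmail project): once confTO_COMMAND is shortened as in the config above, sendmail logs "timeout waiting for input from ... during server cmd read" each time it drops a client that went silent, and every from= envelope line carries the relay= client address. A short pass over the maillog can therefore pull out the clients behind the two patterns the thread describes, connections parked in cmd read and bursts of envelopes with a different sender each time, and render access-map Connect: entries for them. The log lines, the thresholds and the host names are constructed assumptions for this example, not data from any real server.

```python
#!/usr/bin/env python3
"""Tally sendmail log evidence of bots parked in cmd read or churning senders.

Added example for this thread. The sample log below is constructed to match
sendmail's syslog layout; it is not taken from any real server.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# sendmail prints the peer as "host.example [192.0.2.1]" or just "[192.0.2.1]",
# sometimes followed by "(may be forged)"; the bracketed IP is what we key on.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Logged when confTO_COMMAND expires while waiting for the next SMTP command.
CMD_READ_TIMEOUT = re.compile(
    r"timeout waiting for input from (?P<client>.+?) during server cmd read"
)

# Envelope line: "from=<sender>, size=..., ..., relay=host [ip]"
ENVELOPE_FROM = re.compile(r"from=<(?P<sender>[^>]*)>.*?relay=(?P<client>[^,]+)")


@dataclass
class ClientStats:
    cmd_read_timeouts: int = 0                  # connections sendmail had to drop
    envelopes: int = 0                          # MAIL FROM transactions seen
    senders: set = field(default_factory=set)   # distinct envelope senders


def client_ip(spec):
    """Extract the bracketed IP from a sendmail relay/client specification."""
    m = IP_IN_BRACKETS.search(spec)
    return m.group(1) if m else None


def tally(lines):
    """Per-client counters from an iterable of sendmail syslog lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        m = CMD_READ_TIMEOUT.search(line)
        if m:
            ip = client_ip(m.group("client"))
            if ip:
                stats[ip].cmd_read_timeouts += 1
            continue
        m = ENVELOPE_FROM.search(line)
        if m:
            ip = client_ip(m.group("client"))
            if ip:
                stats[ip].envelopes += 1
                stats[ip].senders.add(m.group("sender").lower())
    return dict(stats)


def suspects(stats, min_timeouts=3, min_envelopes=5, min_sender_churn=0.8):
    """Clients that keep timing out in cmd read, or that push a burst of
    envelopes with a fresh MAIL FROM nearly every time.  The thresholds are
    this example's assumptions, not values from the thread; tune them."""
    flagged = []
    for ip, s in stats.items():
        churn = len(s.senders) / s.envelopes if s.envelopes else 0.0
        if s.cmd_read_timeouts >= min_timeouts or (
            s.envelopes >= min_envelopes and churn >= min_sender_churn
        ):
            flagged.append(ip)
    return sorted(flagged)


def access_map_lines(ips):
    """Access-map entries (Connect: tag) so the listener refuses them at connect."""
    return [f"Connect:{ip}\tREJECT" for ip in ips]


# Constructed sample: one bot that goes silent after HELO three times
# (192.0.2.10), one that fires five envelopes with five different senders at
# one mailbox (203.0.113.7), and a legitimate relay with two ordinary
# messages (198.51.100.5).
SAMPLE_LOG = """\
Aug 31 14:01:02 mx sendmail[2301]: l7VD12ab002301: timeout waiting for input from [192.0.2.10] during server cmd read
Aug 31 14:02:15 mx sendmail[2305]: l7VD2Fcd002305: timeout waiting for input from bot.example.net [192.0.2.10] during server cmd read
Aug 31 14:03:40 mx sendmail[2310]: l7VD3eef002310: timeout waiting for input from [192.0.2.10] (may be forged) during server cmd read
Aug 31 14:04:01 mx sendmail[2312]: l7VD41gh002312: from=<alice@example.org>, size=2048, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.5]
Aug 31 14:04:05 mx sendmail[2313]: l7VD45ij002313: from=<bob@example.org>, size=1024, class=0, nrcpts=1, msgid=<b1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.5]
Aug 31 14:05:00 mx sendmail[2320]: l7VD50kl002320: from=<jq8x@webmail.example>, size=1510, class=0, nrcpts=1, msgid=<x1@webmail.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Aug 31 14:05:03 mx sendmail[2321]: l7VD53mn002321: from=<p0rq@webmail.example>, size=1498, class=0, nrcpts=1, msgid=<x2@webmail.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Aug 31 14:05:07 mx sendmail[2322]: l7VD57op002322: from=<zz91@isp.example>, size=1522, class=0, nrcpts=1, msgid=<x3@isp.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Aug 31 14:05:11 mx sendmail[2323]: l7VD5Bqr002323: from=<k7ty@isp.example>, size=1503, class=0, nrcpts=1, msgid=<x4@isp.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Aug 31 14:05:14 mx sendmail[2324]: l7VD5Est002324: from=<m3ab@webmail.example>, size=1517, class=0, nrcpts=1, msgid=<x5@webmail.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
"""


def analyze(text):
    """Run the tally and the suspect selection over a block of log text."""
    stats = tally(text.splitlines())
    return stats, suspects(stats)


if __name__ == "__main__":
    stats, bad = analyze(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} cmd-read timeouts={s.cmd_read_timeouts} "
              f"envelopes={s.envelopes} senders={len(s.senders)}")
    print("\n".join(access_map_lines(bad)))
```

Run it against a real maillog with something like `tally(open('/var/log/maillog'))` and review the flagged list by hand before feeding the Connect: lines into the access map; a shared webmail or NAT gateway can legitimately show high sender churn, which is why the script reports counters rather than acting on them.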



More information about the MailScanner mailing list