I've mentioned this before but only heard from one other person who has experienced this, but it's becoming a pretty serious issue.

The situation:
A spammer sets a bot on a fishing attempt to gain email addresses, causing numerous login processes to spawn and suck up all available resources.

The problem:
Obviously this can act like a DoS attack, but the real issue is after the spammer stops (by virtue of being added to our firewall blacklist, being caught and shut down by their ISP, or otherwise), dovecot doesn't seem to relinquish the resources, causing "too many files open" errors for normal usage.

The master process usually hangs around 40-50 files open at any given time, with about 10,000 logins a day (I use: lsof -p `cat /var/run/dovecot/master.pid` | wc -l), after the attempt is over I always see the files open shoot up to near 3,000 without it able to go down until a dovecot restart.

This usually happens about once a month, though we can get unlucky and have it happen a few days apart. I have some log excerpts below.

Wondering if this is happening through my own fault or at least within my ability to alleviate the issue. Is there a way to limit the number of connections from an IP address? Has anyone used login_executable to first hit their own solution to keep track of, and implement connection restrictions similar to what I'm aiming for?

Thanks for any insight
Patrick

dovecot -n
# 1.0.8: /usr/local/mail/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/local/mail/ssl/certs/dovecot.pem
ssl_key_file: /usr/local/mail/ssl/private/dovecot.pem
ssl_cipher_list: ALL:!LOW
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/mail/dovecot/libexec/dovecot/imap-login
login_executable(imap): /usr/local/mail/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/mail/dovecot/libexec/dovecot/pop3-login
first_valid_uid: 500
mail_location: maildir:/Volumes/data/mail/%Ld/%Ln
mail_executable(default): /usr/local/mail/dovecot/libexec/dovecot/imap-before
mail_executable(imap): /usr/local/mail/dovecot/libexec/dovecot/imap-before
mail_executable(pop3): /usr/local/mail/dovecot/libexec/dovecot/pop3-before
mail_plugin_dir(default): /usr/local/mail/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/mail/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/mail/dovecot/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
  mechanisms: plain digest-md5 login
  passdb:
    driver: sql
    args: /usr/local/mail/dovecot/etc/dovecot-sql.conf
  userdb:
    driver: static
    args: uid=exim gid=exim
plugin:
  quota: maildir


From the logs, first entries showing the problem:
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>

A little later on:
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<pwitest>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<tsinternetuser>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<bill>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<web>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<barbara>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<www>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<user>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<nathan>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=207.245.39.90, lip=<lip>

etc. etc.
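
An added example, not part of the original post: one way to spot this pattern from the log itself is to count pre-authentication events per `rip` in a sliding window and track how many distinct usernames each source tries, producing candidates for the firewall blacklist. The thresholds, the `year` argument (the log lines carry no year) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the pop3-login / imap-login lines in the format quoted in the post.
LINE_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Info: (?:pop3|imap)-login: "
    r"(?:Disconnected|Aborted login): "
    r"(?:user=<(?P<user>[^>]*)>, method=\S+, )?rip=(?P<rip>[0-9A-Fa-f.:]+),"
)

def parse(line, year):
    """Return (timestamp, remote_ip, user_or_None), or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rip"], m["user"]

def flag_sources(lines, year, max_events=5, max_users=3,
                 window=timedelta(seconds=60)):
    """Map each offending rip to the time it first crossed a threshold."""
    recent = defaultdict(deque)   # rip -> event timestamps inside the window
    users = defaultdict(set)      # rip -> distinct usernames attempted
    flagged = {}
    for line in lines:
        rec = parse(line, year)
        if rec is None:
            continue
        ts, rip, user = rec
        q = recent[rip]
        q.append(ts)
        while ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if user:
            users[rip].add(user)
        if len(q) > max_events or len(users[rip]) > max_users:
            flagged.setdefault(rip, ts)
    return flagged

# Constructed sample input (documentation addresses, not taken from the post).
SAMPLE = """\
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<bill>, method=PLAIN, rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<web>, method=PLAIN, rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<www>, method=PLAIN, rip=203.0.113.7, lip=<lip>
dovecot: Dec 10 16:20:00 Info: imap-login: Aborted login: user=<alice>, method=PLAIN, rip=198.51.100.20, lip=<lip>
""".splitlines()
```

Calling `flag_sources(SAMPLE, year=2007)` flags only the source that produced six events in ten seconds; the single aborted login from the second address stays under both thresholds.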
