At 11:05 -0500 11-01-2006, George Chrisbacher wrote:
Salvatore,
Thanks for the suggestion - I've considered blocking the IP in case
it's an attack, but that would only be a temporary fix. I checked
the IP and it looks pretty clean, and belongs to an attorney, so I'm
pretty sure that if this is an attack, the attacking server is a
zombie, and the attacker could switch to another zombie if I block the
IP.
What about limiting the amount of time that qmail-scanner can run?
Could I use something like timelimit?
(http://devel.ringlet.net/sysutils/timelimit/)
Well, I don't think it is qmail-scanner that has to quit the
connection; the connection is managed by qmail-smtpd, so that remote
server opens the connection but doesn't send anything after the DATA
command.
Check the man page of qmail-smtpd; I think you can change the timeout
somehow, but it won't be a definitive solution for the issue...
ST
Salvatore Toribio wrote:
At 10:34 -0500 10-01-2006, George Chrisbacher wrote:
Hi,
I'm using qmail-scanner version "1.25 - st - patch" quite
successfully for a few months now, but suddenly running into
problems with working_copy hanging. With debugging, these are the
log entries just prior to process hanging:
Sat, 07 Jan 2006 12:25:54 EST:17266/17265: w_c: mkdir /var/spool/qmailscan/tmp/sv1113665475472217266
Sat, 07 Jan 2006 12:25:54 EST:17266/17265: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/sv1113665475472217266 [0.000995]
The working copy files get created with zero length.
I haven't verified 100%, but these problem mails that hang the
process seem to come from one particular server. Everybody else's
incomings are processed successfully. Eventually all 20 of my
allowable tcpserver listeners are hung, and all email comes to a
halt.
I haven't dug into the code yet, but I was hoping that perhaps a
more experienced scanner could point me in the right direction.
Hi George
That looks like a DoS attack... if all the 20 connections came from
the same IP. Check it with netstat; in that case you can blacklist
the IP in the tcp.smtp rules, before the rule for qmail-scanner.
ST
_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
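
The netstat check and tcp.smtp blacklist suggested in the thread, as an added example that is not part of the original messages: it counts established inbound SMTP connections per remote IP and prints tcprules `deny` lines for peers holding many tcpserver slots. The function names, the threshold, the Linux net-tools `netstat -tn` column layout and the sample addresses are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find remote hosts that are tying up
# tcpserver's SMTP slots and produce tcp.smtp deny lines for them.

# smtp_conn_counts: reads `netstat -tn` text on stdin and prints
# "count ip" for each peer with ESTABLISHED connections to local port 25,
# busiest first.
smtp_conn_counts() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # $4 = local addr:port, $5 = remote addr:port (assumed layout)
            n = split($4, l, ":")
            if (l[n] != "25") next
            remote = $5
            sub(/:[0-9]+$/, "", remote)   # strip the remote port
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr
}

# deny_rules THRESHOLD: reads the same netstat text and prints one
# "ip:deny" line (tcprules syntax) per peer at or above THRESHOLD.
deny_rules() {
    smtp_conn_counts | awk -v t="$1" '$1 >= t { print $2 ":deny" }'
}

# Constructed sample using documentation address ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:25         192.0.2.55:41022        ESTABLISHED
tcp        0      0 203.0.113.10:25         192.0.2.55:41023        ESTABLISHED
tcp        0      0 203.0.113.10:25         192.0.2.55:41030        ESTABLISHED
tcp        0      0 203.0.113.10:25         198.51.100.7:52311      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.9:50022      ESTABLISHED
tcp        0      0 203.0.113.10:25         198.51.100.8:33100      TIME_WAIT
EOF
}

sample_netstat | smtp_conn_counts   # per-peer slot usage
sample_netstat | deny_rules 3       # candidate lines for tcp.smtp
```

On a live server, pipe `netstat -tn` into `deny_rules` instead of the sample, place the resulting lines in tcp.smtp before the rule for qmail-scanner, and rebuild the cdb with tcprules.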