Mike Vanecek,
>I think I am under a DOS attack on port 25. I have received 2172 smtp packets
>from the same location yesterday. Due to this activity I have set my firewall
>to reject all incoming packets from Japan. I notified [EMAIL PROTECTED],
>[EMAIL PROTECTED], and [EMAIL PROTECTED] of the problem.
Firstly, I'm going to say that you obviously did some lookup on the IP
address to determine it was in Japan. It would have been appropriate to do a
reverse lookup of the IP address and a whois on the domain to get contact
information to inform me of the problem (certainly before informing
nic.ad.jp).
Secondly, I'd like to apologize for the inconvenience. I'm not entirely
sure what was causing it, but it looks like it was caused by connection
timeouts to your system. I've never experienced these symptoms in the past,
and haven't made any changes to my sendmail configuration in quite some
time. I've included some output from misc. commands to show you what I've
found. I can assure you that this was NOT a DOS attack, nor a malicious
attack of any sort.
I've flushed the queue so the messages won't be retried any longer.
I'd also like to apologize to everyone else on the list for having to send
this here in order to correspond with Mike; however, it's quite obvious that
I can't do it directly.
Should anyone have any suggestions as to why this might have happened, I'd
be very interested in making sure it doesn't happen again.
Thanks
alan
----------------------------------------------------------------------------
from ps -ef
root 27878 27773 0 23:51 ? 00:00:00 sendmail: ./h680dbR5006146 mail.mm-vanecek.cc.: user open
root 27880 27773 0 23:52 ? 00:00:00 sendmail: ./h69EjOR5026661 mail.mm-vanecek.cc.: user open
from netstat -an
tcp 0 1 61.121.253.8:53442 66.76.121.5:25 SYN_SENT
tcp 0 1 61.121.253.8:53441 66.76.121.5:25 SYN_SENT
mailq
/var/spool/mqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
h69EjOR5026661* 4691 Wed Jul 9 23:45 <[EMAIL PROTECTED]>
(Deferred: Connection timed out with mail.mm-vanecek.cc.)
<[EMAIL PROTECTED]>
h680dbR5006146 2840 Tue Jul 8 09:39 <[EMAIL PROTECTED]>
(Deferred: Connection timed out with mail.mm-vanecek.cc.)
<[EMAIL PROTECTED]>
Total requests: 2
/var/log/maillog:
grep vanecek /var/log/maillog | more
Jul 8 08:21:02 uchuu sendmail[5349]: h67NL1R6005349: from=<[EMAIL PROTECTED]>, size=3379, class=-60, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=lists.sourceforge.net [66.35.250.206]
Jul 8 09:39:37 uchuu mimedefang.pl[27787]: MDLOG,h680dbR5006146,FileScan virus scan check,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Re: [SAtalk] Reject based on SA score
Jul 8 09:39:38 uchuu mimedefang.pl[27787]: MDLOG,h680dbR5006146,mail_in,2,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Re: [SAtalk] Reject based on SA score
Jul 8 09:39:41 uchuu mimedefang.pl[27787]: MDLOG,h680dbR5006146,SA_RESULTS,hits=-106.7, required=4, tests=USER_AGENT_ENTOURAGE(0.0),REPLY_WITH_QUOTES(0.0),IN_REP_TO(-0.4),QUOTED_EMAIL_TEXT(-0.4),EMAIL_ATTRIBUTION(-0.5),BAYES_01(-5.4),USER_IN_WHITELIST(-100.0),,<a[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Re: [SAtalk] Reject based on SA score
Jul 8 09:39:41 uchuu mimedefang.pl[27787]: MDLOG,h680dbR5006146,non_spam,,,<[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>,Re: [SAtalk] Reject based on SA score
Jul 8 09:42:55 uchuu sendmail[6151]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:03:18, xdelay=00:03:09, mailer=esmtp, pri=60471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul 8 09:46:49 uchuu sendmail[6198]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:07:12, xdelay=00:03:09, mailer=esmtp, pri=150471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul 8 09:50:49 uchuu sendmail[6233]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:11:12, xdelay=00:03:09, mailer=esmtp, pri=240471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul 8 09:54:49 uchuu sendmail[6276]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:15:12, xdelay=00:03:09, mailer=esmtp, pri=330471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul 8 09:58:49 uchuu sendmail[6301]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:19:12, xdelay=00:03:09, mailer=esmtp, pri=420471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul 8 10:02:49 uchuu sendmail[6331]: h680dbR5006146: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (500/500), delay=00:23:12, xdelay=00:03:09, mailer=esmtp, pri=510471, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
This appears to continue at 4-minute intervals. I've NEVER seen this happen
before.
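As an added illustration (not part of Alan's post or of sendmail itself), the following Python triage helper parses maillog lines of the kind shown above, groups the deferred delivery attempts by queue id and relay IP, and checks whether they recur at a regular interval. A single queue id retried on a fixed schedule against one host is the signature of an MTA queue runner, not of a flood; each timed-out attempt also emits SYN retransmissions, which is why a packet counter on the receiving side inflates. The log lines below are constructed to mirror the post's excerpt (addresses are placeholders; the year is assumed since syslog lines carry none).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modeled on the maillog excerpt in the post.
SAMPLE_LOG = """\
Jul  8 09:42:55 uchuu sendmail[6151]: h680dbR5006146: to=<user@example.invalid>, delay=00:03:18, xdelay=00:03:09, mailer=esmtp, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul  8 09:46:49 uchuu sendmail[6198]: h680dbR5006146: to=<user@example.invalid>, delay=00:07:12, xdelay=00:03:09, mailer=esmtp, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul  8 09:50:49 uchuu sendmail[6233]: h680dbR5006146: to=<user@example.invalid>, delay=00:11:12, xdelay=00:03:09, mailer=esmtp, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
Jul  8 09:54:49 uchuu sendmail[6276]: h680dbR5006146: to=<user@example.invalid>, delay=00:15:12, xdelay=00:03:09, mailer=esmtp, relay=mail.mm-vanecek.cc. [66.76.121.5], dsn=4.0.0, stat=Deferred: Connection timed out with mail.mm-vanecek.cc.
"""

# Matches a sendmail delivery-attempt line: syslog timestamp, queue id,
# the relay it tried (hostname and bracketed IP) and the stat= keyword.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r".*?relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\].*?stat=(?P<stat>\w+)"
)


def parse_deferrals(text, year=2003):
    """Group deferred attempts as {(queue id, relay ip): [datetime, ...]}.
    The year is an assumption: syslog timestamps do not include one."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("stat") != "Deferred":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        attempts[(m.group("qid"), m.group("ip"))].append(ts)
    return dict(attempts)


def classify(times, tolerance_s=30):
    """Label a sequence of attempt times. Returns (label, median gap seconds).
    'mta-retry': every gap is within tolerance of the median, i.e. a queue
    runner re-trying on its fixed schedule. 'irregular': anything else."""
    if len(times) < 3:
        return "insufficient", None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(g - median) <= tolerance_s for g in gaps):
        return "mta-retry", median
    return "irregular", median


if __name__ == "__main__":
    for (qid, ip), times in parse_deferrals(SAMPLE_LOG).items():
        label, gap = classify(times)
        print(f"{qid} -> {ip}: {len(times)} deferred attempts, {label}, ~{gap}s apart")
```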
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk