On 4/13/2010 3:30 PM, Jean-Paul Natola wrote:
> --
> > var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19]
> > refused: too many connections
>
> /Jason Ideally, correct me if I'm wrong, wouldn't I want SA to drop
> the connection after doing a lookup on the IP, or are you saying I
> should do that on the gateway?

Those log messages have nothing to do with SpamAssassin or DNSBLs. That is exim refusing a connection during the initial connection attempt, prior to any commands being sent.

SpamAssassin can't get involved so early because it is a message content scanner, thus it needs content to scan. SA has no clue what your MTA (in this case exim) is doing with connections. SpamAssassin's only input is a whole, complete message, and it cannot be called without one. Its only outputs are a marked-up message, or a numeric score (in the case of spamc -c).

Here, 110.139.156.19 is trying to bombard your mailserver with a large number of simultaneous connections for delivering mail, something well-behaved hosts generally won't do. Exim (which is your MTA, thus the agent accepting mail) has started refusing additional connections from this IP address, because there are already a large number open and it looks like an attack.

Odds are very good that this host is doing one (or more) of the following:

1) performing a dictionary attack to scan for valid email addresses.
2) bombing you with spam.
3) attempting to exploit your MTA and install a rootkit/backdoor or some other malware.

Either way, it is good that it is getting slowed down. It is probably case 1), if I had to guess, but you'd have to look at whether there are a lot of "unknown address" errors being generated by that host in your mail logs.
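The log check suggested at the end of the reply, as an added example that is not part of the thread: it parses exim mainlog lines, counts per source IP both the "refused: too many connections" events and rejected RCPT commands, and applies the reply's heuristic (many unknown-address rejections from the same host point to a dictionary attack). The sample lines are constructed; the "Unrouteable address" text is exim's default recipient-verify failure wording, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in exim mainlog format. Only the "too many connections"
# line is quoted from the thread; the rest is made up for the example.
SAMPLE_MAINLOG = """\
2010-04-13 14:20:01 H=(mx) [110.139.156.19] F=<a@example.net> rejected RCPT <bob@example.com>: Unrouteable address
2010-04-13 14:20:02 H=(mx) [110.139.156.19] F=<a@example.net> rejected RCPT <carol@example.com>: Unrouteable address
2010-04-13 14:20:03 H=(mx) [110.139.156.19] F=<a@example.net> rejected RCPT <dave@example.com>: Unrouteable address
2010-04-13 14:21:10 1O1a2b-0001Ab-Cd <= friend@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234
2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
"""

# Connection-level refusal logged by exim before any SMTP command is seen.
REFUSED_RE = re.compile(r"Connection from \[([\d.]+)\] refused: too many connections")
# Recipient rejected because the address does not exist (assumed default wording).
RCPT_REJECT_RE = re.compile(r"\[([\d.]+)\] .*rejected RCPT <[^>]+>: Unrouteable address")


def summarize(log_text):
    """Return {ip: {"refused": n, "bad_rcpt": n}} for every IP seen in either event."""
    stats = defaultdict(lambda: {"refused": 0, "bad_rcpt": 0})
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            stats[m.group(1)]["refused"] += 1
            continue
        m = RCPT_REJECT_RE.search(line)
        if m:
            stats[m.group(1)]["bad_rcpt"] += 1
    return dict(stats)


def classify(ip_stats, rcpt_threshold=3):
    """Heuristic from the reply: unknown-address rejections at or above the (assumed)
    threshold suggest address harvesting; refusals alone are a flood whose purpose
    the MTA log cannot tell you on its own."""
    if ip_stats["bad_rcpt"] >= rcpt_threshold:
        return "likely dictionary attack"
    if ip_stats["refused"]:
        return "connection flood (inspect further)"
    return "no connection-level abuse seen"


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_MAINLOG).items():
        print(ip, s, classify(s))
```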