Salvatore,

Thanks for the suggestion - I've considered blocking the IP in case it's
an attack, but that would only be a temporary fix. I checked the IP and
it looks pretty clean, and belongs to an attorney, so I'm pretty sure
that if this is an attack, the attacking server is a zombie, and the
attacker could switch to another zombie if I block the IP.

What about limiting the amount of time that qmail-scanner can run? Could
I use something like timelimit?
(http://devel.ringlet.net/sysutils/timelimit/)

Salvatore Toribio wrote:
> At 10:34 -0500 10-01-2006, George Chrisbacher wrote:
> > Hi,
> >
> > I'm using qmail-scanner version "1.25 - st - patch" quite successfully
> > for a few months now, but suddenly running into problems with
> > working_copy hanging. With debugging, these are the log entries just
> > prior to process hanging:
> >
> > Sat, 07 Jan 2006 12:25:54 EST:17266/17265: w_c: mkdir /var/spool/qmailscan/tmp/sv1113665475472217266
> > Sat, 07 Jan 2006 12:25:54 EST:17266/17265: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/sv1113665475472217266 [0.000995]
> >
> > The working copy files get created with zero length.
> >
> > I haven't verified 100%, but these problem mails that hang the process
> > seem to come from one particular server. Everybody else's incomings
> > are processed successfully. Eventually all 20 of my allowable
> > tcpserver listeners are hung, and all email comes to a halt.
> >
> > I haven't dug into the code yet, but I was hoping that perhaps a more
> > experienced scanner could point me in the right direction.
>
> Hi George
>
> That looks like a DoS attack... if all the 20 connections came from the
> same IP. Check it with netstat; in that case you can blacklist the IP in
> the tcp.smtp rules, before the rule for qmail-scanner.
>
> ST
_______________________________________________
Qmail-scanner-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
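
The netstat check suggested in the thread, as an added example that is not part of the original messages or of qmail-scanner: it counts ESTABLISHED connections to local port 25 per remote address and reports any address holding at least a given number of the 20 tcpserver slots. The function names, the addresses (documentation ranges) and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Count ESTABLISHED inbound SMTP connections per remote address.
# Reads `netstat -tn` style output on stdin, prints "count ip", busiest first.
smtp_conns_per_ip() {
    awk '
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ /:25$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the remote port
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print every remote address holding at least $1 SMTP connections.
# With a tcpserver concurrency limit of 20 (the figure from the thread),
# `hogs 20` answers "did all 20 connections come from the same IP?".
hogs() {
    limit=$1
    smtp_conns_per_ip | awk -v limit="$limit" '$1 >= limit { print $2 }'
}

# Constructed sample: 20 hung SMTP sessions from one host, plus two
# connections that must not be counted (TIME_WAIT, and a non-SMTP port).
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    i=0
    while [ "$i" -lt 20 ]; do
        echo "tcp        0      0 192.0.2.10:25           203.0.113.5:$((40000 + i))       ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp        0      0 192.0.2.10:25           198.51.100.7:51515      TIME_WAIT"
    echo "tcp        0      0 192.0.2.10:22           198.51.100.7:51600      ESTABLISHED"
}

# On a live server: netstat -tn | hogs 20
sample_netstat | hogs 20
```

An address printed here is the candidate for the tcp.smtp blacklist rule mentioned in the reply; an empty result means the hung listeners are spread across several sources.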