Check the logging from your tcpserver on port 25. If
you see a lot of status 256's over and over, like one
to ten per second, then it could be a broken Microsoft
SMTP Service server trying to deliver mail to you.  MS's
SMTP Service tries to send emails without the
qmail-required carriage return line feed (\r\n) on the
end of the lines so the connection is rejected with a
442 (number may be wrong) error, a code to tell the
server to retry again later.  Sometimes these stupid
servers will instead start retrying as often as they
can make connections given the available bandwidth.  One
of my qmail servers is on an OC3 and I was seeing about
10 connections per second from one of these machines
which took up quite a bit of bandwidth.

Here's the MS article:

http://support.microsoft.com/support/kb/articles/Q224/9/83.ASP

Dave

> -----Original Message-----
> From: Jack Thomas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 21, 2001 6:24 PM
> To: Krzysztof Wychowalek
> Cc: [EMAIL PROTECTED]
> Subject: Re: heavy traffic on port 25
> Importance: High
> 
> 
> ----- Original Message -----
> From: Krzysztof Wychowalek <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 21, 2001 2:30 PM
> Subject: heavy traffic on port 25
> 
> 
> > Dear friends,
> > I have a server running Qmail as an MTA and about 300 mail
> > accounts. I realized that I'm experiencing a huge amount of incoming
> > traffic to port 25, it's like 1 MB per minute, so it slows down my
> > Internet connection dramatically. This is only incoming traffic, both
> > outgoing SMTP and POP3 is not more than 10-20 kB per minute.
> > But this big amount of data doesn't go to the users' mailboxes. It
> > goes... nowhere? I have no idea what it is actually. Even if
> > someone would use my server as an open relay, the amount of
> > incoming and outgoing SMTP packages would be more or less the
> > same.
> > If someone has any idea, I would be very grateful for sending them
> > to me (priv). Thanks in advance.
> 
> > Krzysztof Wychowalek
> 
> 
> Is the incoming traffic from a specific IP address? Or Block of IP's?
> Are you "sure" it's incoming only?
> What do the server logs say?
> It could mean a number of things.
> Possible DOS attack, someone trying to relay, etc... etc... etc...
> 
> Please post the relevant sections of your logs to the list so that the
> community can take a look at what's going on for you.
> 
> Thanks
> 
> Jack Thomas
> [EMAIL PROTECTED]
> http://www.portlandmedia.com
> 
> 
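
Added example, not part of the original messages: one way to run the log check described at the top of this thread, by pairing each tcpserver "pid N from IP" line with its "end N status 256" line and reporting clients that fail repeatedly. It assumes tcpserver runs with -v and logs through multilog with TAI64N timestamps; the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in tcpserver -v / multilog TAI64N format (not from the thread).
SAMPLE_LOG = """\
@400000003ab93a0000000000 tcpserver: status: 1/40
@400000003ab93a0000000000 tcpserver: pid 2001 from 192.0.2.10
@400000003ab93a0000000000 tcpserver: ok 2001 mx.example.net:198.51.100.1:25 :192.0.2.10::4312
@400000003ab93a0000000000 tcpserver: end 2001 status 256
@400000003ab93a0000000000 tcpserver: pid 2002 from 192.0.2.10
@400000003ab93a0000000000 tcpserver: end 2002 status 256
@400000003ab93a0100000000 tcpserver: pid 2003 from 198.51.100.7
@400000003ab93a0100000000 tcpserver: pid 2004 from 192.0.2.10
@400000003ab93a0100000000 tcpserver: end 2004 status 256
@400000003ab93a0100000000 tcpserver: end 2003 status 0
@400000003ab93a0200000000 tcpserver: pid 2005 from 203.0.113.5
@400000003ab93a0200000000 tcpserver: end 2005 status 256
@400000003ab93a0200000000 tcpserver: pid 2006 from 192.0.2.10
@400000003ab93a0200000000 tcpserver: end 2006 status 256
"""

# TAI64N label: '@', 16 hex digits of seconds (offset by 2**62), 8 hex digits of nanoseconds.
LINE = re.compile(r"^@([0-9a-f]{16})[0-9a-f]{8} tcpserver: "
                  r"(pid|end) (\d+) (?:from (\S+)|status (\d+))")

def failing_clients(log_text, fail_status="256", min_count=3, min_rate=1.0):
    """Return {ip: (failures, failures_per_second)} for clients whose
    connections keep ending with fail_status at min_rate or faster."""
    pid_ip = {}                 # live tcpserver child pid -> remote IP
    hits = defaultdict(list)    # remote IP -> timestamps of failed sessions
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue            # "status:" and "ok" lines are not needed here
        secs, kind, pid, ip, status = m.groups()
        if kind == "pid":
            pid_ip[pid] = ip
        else:
            ip = pid_ip.pop(pid, None)   # pids are reused, so forget finished ones
            if ip and status == fail_status:
                hits[ip].append(int(secs, 16) - 2**62)
    report = {}
    for ip, times in hits.items():
        span = max(max(times) - min(times), 1)   # avoid dividing by zero
        rate = len(times) / span
        if len(times) >= min_count and rate >= min_rate:
            report[ip] = (len(times), rate)
    return report

if __name__ == "__main__":
    for ip, (count, rate) in failing_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} sessions ended with status 256, {rate:.1f}/s")
```
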
