That's what it seems like, and I do watch netstat, but there does not
seem to be a single attacker ip, just whenever we restart james,
within a few minutes we've got 10, 20, 30, 50, 100, 200, 300 smtp
connections coming from 50 different ips, and they're different ips
every time. And it only happens when we restart james (which on
average has been about once every two weeks)! Like right now at 12:40
AM, we just restarted james and are patiently waiting the prescribed
30-50 mins. Before we restarted james, everything was just fine and
dandy, handling about 200 legit user emails per hour (and
spam-blocking about 50 trillion), no connection problems, nice and
speedy... Then the second we restart, we get things like this:
[EMAIL PROTECTED] root]# netstat -a | grep smtp | grep dhcp-66-244-127-6 | wc -l
189
[EMAIL PROTECTED] root]# netstat -a | grep smtp | grep 210.211.172.27 | wc -l
34
etc.
We just used iptables to block all smtp. That stopped the connection
log from growing at 10mb/3 mins, but now what? So we unblocked smtp
again, and the connection log went back to its phenomenal growth. And
so we just have to wait another 20 mins for our email server to come
back up.
If it's a DoS, how do the attackers know the exact moment we decide to
restart our server? Could they really be polling us to find out? And
why do they stop after 40 mins every time (lately)? And are they
really using a network of computers to attack us? This just doesn't
make sense to me.
What does make sense to me is that we deadletter about 10,000 spam
emails a day and they usually come from about 9,000 different ip
addresses. So it does make sense to me that at all hours of the day
we're getting flooded with email. But apparently there is something
that james does during its start-up process that makes it unable to
properly cope with this kind of "faucet on" flood of emails, but once
it completes some serendipitous series of timeouts, it finds its
groove and gets to work. But it's taking 40 minutes for it to find its
groove and that's killing us.
If there is any super james developer with magical powers who would
like to restart our email server some night and observe this
phenomenon for themselves, please let me know and I will arrange it.
Thanks,
Nathan
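The per-IP `netstat | grep smtp | grep <ip> | wc -l` counting above, done for every remote host in one pass so the heaviest connection sources after a restart stand out. This is an added example, not code from this thread or from James; the netstat lines, hostnames and addresses in it are constructed, and the threshold is an assumption.

```python
import shutil
import subprocess
from collections import Counter

# Constructed sample of `netstat -a` output (placeholder hosts, not the
# poster's data). Format matches the Linux net-tools netstat layout.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
tcp        0      0 mail.example.org:smtp   dhcp-66-244-127-6:4011  ESTABLISHED
tcp        0      0 mail.example.org:smtp   dhcp-66-244-127-6:4012  ESTABLISHED
tcp        0      0 mail.example.org:smtp   dhcp-66-244-127-6:4013  SYN_RECV
tcp        0      0 mail.example.org:smtp   210.211.172.27:2211     ESTABLISHED
tcp        0      0 mail.example.org:smtp   198.51.100.7:51000      TIME_WAIT
tcp        0      0 mail.example.org:ssh    203.0.113.9:40000       ESTABLISHED
"""


def smtp_peers(netstat_text, port_label="smtp"):
    """Count SMTP connections per remote host.

    Only tcp/tcp6 rows whose local side is the SMTP port are counted, and
    LISTEN (the server socket) and TIME_WAIT (already closed) are skipped,
    so the numbers reflect connections James is actually handling.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if not local.endswith(":" + port_label) or state in ("LISTEN", "TIME_WAIT"):
            continue
        host = remote.rsplit(":", 1)[0]  # strip the remote port
        counts[host] += 1
    return counts


def flag_peers(counts, threshold):
    """Hosts holding at least `threshold` connections, busiest first."""
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Run against the live system when netstat is available, else the sample.
    text = SAMPLE_NETSTAT
    if shutil.which("netstat"):
        text = subprocess.run(["netstat", "-a"], capture_output=True, text=True).stdout
    for host, n in flag_peers(smtp_peers(text), threshold=10):  # assumed threshold
        print(f"{n:5d}  {host}")
```

Per-source counts like these are the input for a per-IP connection limit or a firewall rule for the worst offenders, rather than blocking all SMTP.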
Stefano Bagnara wrote:
Could it be that you are under attack (Denial of Service)?
You should check your network statistics (netstat) and eventually filter
the attacker ip from your firewall.
Stefano