On 2026-06-01 at 12:37:40 UTC-0400 (Mon, 01 Jun 2026 09:37:40 -0700)
Ricardo Anguiano <[email protected]> said:

> Hello SpamAssassin Sysadmins,
>
> I noticed that your sa-vm host was unresponsive this morning.
> I rebooted it,

Thank you.

> but the console immediately shows a lot of errors of the
> form:
>
> "[TIMESTAMP] Out of memory: Killed process PID (ruleqa.cgi)..."
>
> This may be an active DDoS similar to what was described here:
> https://lists.apache.org/thread/5nfj8xmb86lcjqbn34y1x38jc44b5yr4

Yes, it is an ongoing problem which has been variable but unceasing for
over a year. As that message notes, we have been addressing the issue by
blocking the worst sources of trouble.
The DDoS has been coming from the networks of VPS providers and
residential/mobile providers, largely in Asia and Latin America. As I
can see in the iptables rules from the "Blocky" tool, these are the same
source networks hitting everything ASF. The traffic we get mostly is web
requests for deep historical data without any "Referer" header, which
I've made httpd stop trying to answer with a rewrite rule. This week,
that tactic started to weaken because many sources of the DDoS have
started to add various bogus Referer values, so I have added more
matches and am going to examine the practicality of requiring
specifically valid values.

> Please let me know if you are aware of another possible cause for what
> is going on with this host.

I'm not sure that it is having any effect, but the fact that the version
of Ubuntu is over a year past upstream support makes me uneasy. It may
not mean the machine is actually vulnerable but as it is possible for
miscreants to sniff out an old version, we may be getting more attack
traffic than a system which didn't look so old and unmaintained.

> I did eventually manage to login to sa-vm over ssh but I expect the
> problem to come back if no changes are made.

I've been logged in for the past hour adding back many of the iptables
blocked networks blown out by the reboot and reviewing the logs for
clues on what else to deem a bad hit. No trouble since 16:11 UTC that
I've noticed.

> Thanks,
> --
> Ricardo Anguiano
> ASF Infrastructure Team

--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire
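As an added illustration of the log review described in this thread (example code, not from the thread or from ASF Infrastructure): a Python triage script that classifies Apache combined-log hits on ruleqa.cgi by their Referer value, the two patterns discussed above (no Referer at all, and a Referer that is not the site's own), and ranks the source networks so the worst ones can be reviewed for blocking. The site hostname and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" log format: client, identd, user, [time], "request", status, bytes, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the only Referer a genuine browser session would carry into a
# ruleqa.cgi report is the site's own host. Hypothetical value, not the real host.
OWN_HOST = "ruleqa.example.org"

def classify(line, own_host=OWN_HOST):
    """Return (client_ip, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if "ruleqa.cgi" not in m["path"]:
        return m["ip"], "other"          # not the endpoint under pressure
    ref = m["referer"]
    if ref in ("", "-"):
        return m["ip"], "no-referer"     # the pattern the rewrite rule already refuses
    if not re.match(r"^https?://" + re.escape(own_host) + r"(/|$)", ref):
        return m["ip"], "bogus-referer"  # the newer evasion: a Referer, but not ours
    return m["ip"], "ok"

def worst_sources(lines, own_host=OWN_HOST):
    """Aggregate suspicious ruleqa.cgi hits per /24 (IPv4) or /48 (IPv6), worst first."""
    counts = Counter()
    for line in lines:
        result = classify(line, own_host)
        if result and result[1] in ("no-referer", "bogus-referer"):
            ip = ip_address(result[0])
            net = ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:13:02:11 +0000] "GET /ruleqa.cgi?q=old HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2026:13:02:12 +0000] "GET /ruleqa.cgi?q=old HTTP/1.1" 200 51234 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jun/2026:13:02:13 +0000] "GET /ruleqa.cgi?q=old HTTP/1.1" 200 51234 "https://ruleqa.example.org/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jun/2026:13:02:14 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [01/Jun/2026:13:02:15 +0000] "GET /ruleqa.cgi?q=old HTTP/1.1" 200 51234 "" "curl/8.0"',
    '203.0.113.20 - - [01/Jun/2026:13:02:16 +0000] "GET /ruleqa.cgi?q=old HTTP/1.1" 200 51234 "https://search.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for net, n in worst_sources(SAMPLE_LOG):
        print(f"{net}\t{n} suspicious ruleqa.cgi hits")
```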