spambot attack & max incoming reached
Pierre
Newbie Joined: 24 August 2010 Status: Offline Points: 5
Posted: 14 October 2010 at 10:31am
We have 3 relay servers we use for incoming and outgoing mail. From time to time one of them is under attack by spambots and then the max number of concurrent incoming SMTP connections (currently set at 50) is reached. What then happens is that new connection attempts are accepted but dropped immediately, and therefore legitimate new connection attempts get an "smtp connection error" NDR. I would think that once the max concurrent incoming connections are reached, LogSat would refuse any new connection and that legitimate connection attempts would then fail over to a secondary relay server based on the MX config. Is there a way to configure LogSat to stop handling incoming requests once the max is reached, or is there another way to solve this issue?
Edited by Pierre - 15 October 2010 at 11:42am
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Pierre,
That is odd (the NDR). When the max connection limit is reached, SpamFilter abruptly terminates the connection, sending a "421 Too many connections on the server" error first. This should cause the remote SMTP server to retry sending the email a reasonable number of times, absolutely not to send back an NDR to the sender right away. If they send an NDR without retrying at least a few times (RFC 5321 does not specify a minimum threshold), they're violating the RFC. Furthermore, in the retry, they should be attempting to connect to your secondary MX records if present. If you have a specific sender for which you experience this behavior, you may want to let them know of the problem. If there are multiple such cases with multiple senders, are you certain that they are indeed not trying to connect to the secondaries (or retrying to send the email through SpamFilter at a later time)? We'd be happy to examine SpamFilter's activity logfile for you if you'd like to look for abnormalities.
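A simplified model of the sender-side behaviour described in the reply above, added here as an illustration (it is not part of the thread and not SpamFilter code): a 421 is a transient failure, so a sender that walks the MX list delivers through a secondary, while one that only ever retries the primary eventually gives up and sends an NDR. The host names, the retry count and the `failover` switch are constructed assumptions.

```python
# Added example: simplified model of a sending MTA, not SpamFilter code.
# Host names, reply strings and max_attempts are constructed assumptions.
MX_RECORDS = [(10, "relay1.example.com"), (20, "relay2.example.com")]


def classify(reply):
    """Classify the final SMTP reply of a session; None = connection dropped."""
    if reply is None:
        return "transient"
    code = int(reply[:3])
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "transient"   # 421 lands here: retry, do not bounce
    return "permanent"       # 5yz: the only case that bounces right away


def attempt(mx_records, replies, failover=True):
    """One delivery attempt. Returns (outcome, hosts_tried)."""
    hosts = [h for _, h in sorted(mx_records)]   # lowest preference first
    if not failover:
        hosts = hosts[:1]    # misbehaving sender: only ever tries the first MX
    tried = []
    for host in hosts:
        tried.append(host)
        result = classify(replies[host])
        if result == "accepted":
            return "delivered", tried
        if result == "permanent":
            return "bounce", tried
    return "queued", tried   # every host failed transiently: retry later


def deliver(mx_records, replies, max_attempts, failover=True):
    """Repeat attempts until delivered, bounced, or the sender gives up."""
    for n in range(1, max_attempts + 1):
        outcome, tried = attempt(mx_records, replies, failover)
        if outcome != "queued":
            return outcome, n, tried
    return "ndr-after-giving-up", max_attempts, tried


# Constructed scenario: relay1 is at its connection limit, relay2 is idle.
UNDER_ATTACK = {
    "relay1.example.com": "421 Too many connections on the server",
    "relay2.example.com": "250 OK",
}

if __name__ == "__main__":
    print(deliver(MX_RECORDS, UNDER_ATTACK, max_attempts=5))
    print(deliver(MX_RECORDS, UNDER_ATTACK, max_attempts=5, failover=False))
```

In the relay logs, the first case shows up as a rejected connection on the busy relay followed by a delivery from the same remote IP on a secondary; the second shows repeated 421s to one remote IP and nothing on the secondaries.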
Pierre
Newbie Joined: 24 August 2010 Status: Offline Points: 5
I have been monitoring a bit more and I can see that the spambot attacks are more frequent and also last longer. So I assume that legitimate mail does not get an NDR on the first connection attempt, but later on, when it gives up. But strange that they never fail over to one of the other MX servers. Those are not busy at all at that time. It would be great if you could take a look at e.g. yesterday's log file. How do I send it over?
Edited by Pierre - 15 October 2010 at 11:49am
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
If the zipped logfile is smaller than 8MB, you can simply email it to us at support at logsat dot com. If not, I'll be sending you a PM shortly with our FTP info to upload the file. Please also let us know the to/from email addresses that are getting the NDR (a copy of the NDR would also help). If you happen to know the IP of the remote server, that will help too, of course.