DoS Attack on our Server |
johndpatriot1
Newbie Joined: 03 November 2006 Location: Canada Status: Offline Points: 18
Posted: 10 May 2010 at 9:45am
Over the past 7 days we have been bombarded with some sort of Denial of Service attack coming in on our SMTP port. The Spam Filter is running at 100% utilization. Our daily logs have grown from 6k per day to 57K.
The server is so busy handling these requests that legitimate emails are not getting through.
Here is a sample from our logs:

05/09/10 23:59:59:101 -- (7144) Connection from: 62.57.61.107 - Originating country : Spain
05/09/10 23:59:59:101 -- (7144) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/09/10 23:59:59:163 -- (7144) No Data Received
05/09/10 23:59:59:163 -- (7144) Disconnect
05/10/10 00:00:00:163 -- (2904) Connection from: 62.57.61.107 - Originating country : Spain
05/10/10 00:00:00:163 -- (2904) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/10/10 00:00:00:226 -- (2904) No Data Received
05/10/10 00:00:00:226 -- (2904) Disconnect
05/10/10 00:00:08:304 -- (5128) Connection from: 112.158.247.64 - Originating country : N/A
05/10/10 00:00:08:304 -- (5128) IP is in local blacklist cache. Disconnecting: 112.158.247.64
05/10/10 00:00:08:366 -- (5128) No Data Received
05/10/10 00:00:08:366 -- (5128) Disconnect
05/10/10 00:00:08:694 -- (6140) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:08:694 -- (6140) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:08:757 -- (6140) No Data Received
05/10/10 00:00:08:757 -- (6140) Disconnect
05/10/10 00:00:09:085 -- (9400) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:09:085 -- (9400) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:148 -- (9400) No Data Received
05/10/10 00:00:09:148 -- (9400) Disconnect
05/10/10 00:00:09:273 -- (7216) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:09:273 -- (7216) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:335 -- (7216) No Data Received
05/10/10 00:00:09:335 -- (7216) Disconnect
05/10/10 00:00:09:476 -- (8264) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:09:491 -- (8264) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:554 -- (8264) No Data Received
05/10/10 00:00:09:554 -- (8264) Disconnect
05/10/10 00:00:09:663 -- (4236) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:09:663 -- (4236) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:726 -- (4236) No Data Received
05/10/10 00:00:09:726 -- (4236) Disconnect
05/10/10 00:00:11:085 -- (3696) Connection from: 72.27.7.111 - Originating country : Jamaica
05/10/10 00:00:11:085 -- (3696) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:148 -- (3696) No Data Received
05/10/10 00:00:11:148 -- (3696) Disconnect
05/10/10 00:00:11:523 -- (4472) Connection from: 72.27.7.111 - Originating country : Jamaica
05/10/10 00:00:11:523 -- (4472) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:585 -- (4472) No Data Received
05/10/10 00:00:11:585 -- (4472) Disconnect
05/10/10 00:00:11:819 -- (8424) Connection from: 72.27.7.111 - Originating country : Jamaica
05/10/10 00:00:11:819 -- (8424) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:882 -- (8424) No Data Received
05/10/10 00:00:11:882 -- (8424) Disconnect

Is there anything we can do to reduce the amount of traffic coming through?
We are currently on Version 4.0.1.786
I am hoping to upgrade to the current version today. Perhaps this will fix the issue.
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297
Hi John,
Did you remove a bunch of lines from the log or anything? You have included about 11 seconds worth of logs; if that is all the traffic your server saw in 11 seconds, then the problem must be something else and not the volume of traffic hitting the server. Obviously it depends on the hardware, but SpamFilter can process hundreds of connections at the same time; during 11 seconds a server could see hundreds or thousands of connections without an issue. I assume you are looking at the Windows performance monitor and see SpamFilter using all the CPU? Is the machine single or multiple cores? Which operating system? If you have not already, you might also want to turn on greylisting, which will help reduce the amount of time a remote server is connected to your server.

Edited by yapadu - 10 May 2010 at 9:55pm
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
johndpatriot1,
As yapadu correctly stated, the number of connections you indicated is actually below average. With a daily logfile size of 60K, you are probably processing only about 70,000-90,000 connections per day. SpamFilter can easily handle millions per day, depending on the server's hardware. The high CPU usage could be caused by a large/corrupt Bayesian database (in use by the Bayesian statistical filter). If you do use the Bayesian filter, could you please check the size of the files db.dat and db.dat.prb in the \SpamFilter\Corpus directory? If they are in the order of 100MB in size or more, this could be a potential issue. SpamFilter routinely cleans up this database to remove older/stale entries from it. If the database has grown too much in size, you can try to stop SpamFilter, delete (or rename) the SpamFilter/corpus directory, and then restart SpamFilter. That should reset the corpus database for the Bayesian filter and allow it to learn about new incoming emails from scratch.
johndpatriot1
Newbie Joined: 03 November 2006 Location: Canada Status: Offline Points: 18
I am guessing that it has to do with the Max concurrent incoming SMTP connections. Ours is currently configured for 10. But from what you guys are saying, that is really low. Our server has been running flawlessly at 10 for 3 years; maybe it's time to increase that number. What number makes sense to set this to?
John,
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
The answer depends on your hardware, but since you appear to be receiving about the same amount of emails we ourselves receive at logsat.com (our own average logfiles range from 60KB to 80KB), as an example let me provide you with our stats.
On average our SpamFilter server has between 3-8 concurrent connections, even though when under "attack" by spambots we see that number increase to 30-40 concurrent connections. These spambots can hit us several times per day, and the "beating" will last several minutes. Our "Max concurrent incoming SMTP connections" is set to 150, while our "Max concurrent SMTP connections from same IP" is set to 20. Our server has a single quad-core 2GHz CPU with 4GB RAM, and its CPU is usually only between 3%-15%. As a side-note, the server does many other things besides running SpamFilter :-) As a side-note, we updated this server 3 years ago. Before that we (purposely) had our live SpamFilter installed on a very low-end server with a 400MHz Pentium and only 384MB of RAM. Under those conditions SpamFilter used on average 20% CPU. The amount of traffic 3 years ago was about 20% lower than it is today.
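A small parser for the log format John pasted, added here as an example and not part of the thread or of SpamFilter itself: it counts connections per source IP and per second, and the peak number of simultaneous sessions (keyed by the thread id in parentheses, opened by "Connection from:" and closed by "Disconnect"), which is the number the "Max concurrent incoming SMTP connections" and "from same IP" settings actually cap. The sample log lines are constructed in that format; the session boundaries are an assumption about how the log reads.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the line format seen in the thread: "MM/DD/YY HH:MM:SS:mmm -- (thread) message"
SAMPLE_LOG = """\
05/10/10 00:00:08:304 -- (5128) Connection from: 112.158.247.64 - Originating country : N/A
05/10/10 00:00:08:304 -- (5128) IP is in local blacklist cache. Disconnecting: 112.158.247.64
05/10/10 00:00:08:366 -- (5128) No Data Received
05/10/10 00:00:08:366 -- (5128) Disconnect
05/10/10 00:00:08:694 -- (6140) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:08:757 -- (9400) Connection from: 189.32.80.130 - Originating country : Brazil
05/10/10 00:00:08:820 -- (6140) Disconnect
05/10/10 00:00:08:882 -- (9400) Disconnect
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(\d{3}) -- \((\d+)\) (.*)$")

def parse_log(text):
    """Yield (timestamp, thread_id, message) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        yield ts.replace(microsecond=int(m.group(2)) * 1000), m.group(3), m.group(4)

def summarize(text):
    """Connections per source IP, connections/second, and peak concurrent sessions.
    A session is keyed by thread id (assumption): opens on "Connection from:", closes on "Disconnect".
    """
    per_ip = Counter()
    open_sessions = set()
    peak = total = 0
    first = last = None
    for ts, tid, msg in parse_log(text):
        first = ts if first is None else first
        last = ts
        if msg.startswith("Connection from: "):
            per_ip[msg.split()[2]] += 1   # third token is the source IP
            total += 1
            open_sessions.add(tid)
            peak = max(peak, len(open_sessions))
        elif msg == "Disconnect":
            open_sessions.discard(tid)
    span = (last - first).total_seconds() if first is not None and last > first else 0.0
    rate = total / span if span else float(total)
    return {"total": total, "per_ip": dict(per_ip), "peak_concurrent": peak, "conn_per_sec": rate}
```

Run it over a full day's log file to compare the real peak against whatever limit is configured; a peak far below the limit with CPU still pegged points at something other than connection volume, as the replies above argue.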
johndpatriot1
Newbie Joined: 03 November 2006 Location: Canada Status: Offline Points: 18
We are running on a Celeron 2.93 GHz machine with Windows XP and 512MB RAM.
Our normal concurrent connections is 0-1, so when I see 80+ at a time it scares me. I have configured it to allow up to 500 concurrent connections and it is actually running better (not sure why, but then I guess who cares if it works). Thanks for your advice.
John,
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
John,
500 may be a bit too excessive, I'd suggest bringing it back down to 100-200. The bursts of spambots don't usually last a long time, and temporarily rejecting connections when they exceed by a factor of 100 your average load (from 1-2 connections to 100-200 max) is "normal" behavior from admins.