
Re: [cobalt-users] RaQXTR - Help! Being spammed into next week



"Tim Skipper" <mailinglists@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Steve, and others that replied....
>
> Well my server was brought down again and the RAID is busy rebuilding
> itself currently, and my maillog is up to 19mb already (from this
> morning).  Here's a sample of the headers from two mails that got
> through (to valid accounts on the uk-email.com domain):

Dan already did the heavy lifting so I won't comment on the sources of the
spam.  See his email.

> As you can see they're not coming from a consistent IP address. The only
> thing that is relatively common is the from line, which is always
> amandaXXXX@xxxxxxxx, where XXXX is a random sequence.

If your users don't get legitimate email from juno.net you could block it
temporarily.  Or set up a procmail rule to reject email from
amanda.*@juno.net for the catchall account that's being targeted
instead, though that will consume significant bandwidth since the full email
will be received by the mail server, whereas blocking using a blacklist of
choice or denying in access via Sendmail will not.

> I've got top running, and at any one time there's from 6 to 20 instances
> of sendmail running.

Unfortunately that doesn't tell us anything about normal conditions on your
server.  And you haven't provided any details about load on the server or
RAM being used by these processes.  I asked to understand the scope of the
problem, to quantify the effect on your server and hopefully ease your fears
that it was eating up your bandwidth and CPU cycles.  I don't think it's
been mentioned, but you can change the configuration of Sendmail in
sendmail.cf to better handle your current load.  That's not really the best
fix though since it doesn't address the root cause of your problem.

> Here's the output from tail maillog as of now:
> from=<amandaqa030@xxxxxxxx>, size=0, class=0, nrcpts=0, proto=SMTP,
> daemon=MTA, relay=[218.76.241.33]
> Dec  8 22:00:17 ns sendmail[8121]: gB8Lxb808121:

The size is 0 and there are 0 recipients so this email wasn't accepted by
the server.  This verifies that the impact on bandwidth should be minimal.
You didn't really provide sufficient answers to any of the things I
suggested looking into though so unfortunately there's not much more I can
add.

> Any help would be much appreciated, I can't afford for my server to keep
> going down.

Between those of us who've replied you've been told several possible
solutions.  There's not really much more that can be suggested.  If you
don't have the expertise or time to implement a sufficient solution you
might want to consider finding a consultant to help you.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
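
One way to quantify the flood from the maillog along the lines discussed in the message above, as an added example that is not part of the original email: it reads sendmail `from=` entries and splits a sender pattern into attempts with no recipients (`nrcpts=0`) and mail that was actually taken in. The log lines, domains, relay IPs and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the sendmail "from=" log format quoted above;
# addresses, queue IDs and relay IPs are made up for illustration.
SAMPLE_LOG = """\
Dec  8 22:00:17 ns sendmail[8121]: gB8Lxb808121: from=<amandaqa030@spam.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.33]
Dec  8 22:00:19 ns sendmail[8124]: gB8Lxc808124: from=<amandazz914@spam.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Dec  8 22:00:21 ns sendmail[8130]: gB8Lxd808130: from=<amandakd552@spam.example>, size=4312, class=0, nrcpts=1, msgid=<1@spam.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.90]
Dec  8 22:00:25 ns sendmail[8131]: gB8Lxe808131: from=<bob@customer.example>, size=2048, class=0, nrcpts=1, msgid=<2@customer.example>, proto=ESMTP, daemon=MTA, relay=mail.customer.example [192.0.2.10]
Dec  8 22:00:26 ns sendmail[8131]: gB8Lxe808131: to=<tim@uk-email.example>, delay=00:00:01, mailer=local, stat=Sent
"""

# Only "from=" entries carry size, nrcpts and relay together.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r"size=(?P<size>\d+),.*?nrcpts=(?P<nrcpts>\d+),.*?relay=(?P<relay>.+)$"
)

def summarize(log_text, sender_pattern):
    """Count attempts from matching envelope senders, split by nrcpts."""
    pat = re.compile(sender_pattern)
    stats = {"refused": 0, "accepted": 0, "accepted_bytes": 0,
             "relays": Counter()}
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m or not pat.search(m["sender"]):
            continue
        # relay is either "[ip]" or "hostname [ip]"; keep only the IP.
        ip = re.search(r"\[([^\]]+)\]", m["relay"])
        stats["relays"][ip.group(1) if ip else m["relay"].strip()] += 1
        if int(m["nrcpts"]) == 0:
            # size=0, nrcpts=0: no recipient was accepted, no body received.
            stats["refused"] += 1
        else:
            stats["accepted"] += 1
            stats["accepted_bytes"] += int(m["size"])
    return stats

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, r"^amanda\w+@")
    print(result)
```

Pointing `summarize` at the real maillog text gives the refused-versus-accepted split and the spread of relay IPs, which is the information needed to choose between a sender block and a per-IP block.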