Posted to users@spamassassin.apache.org by Rajkumar S <ra...@gmail.com> on 2007/09/06 17:55:21 UTC

[OT] Seeing increase in smtp concurrency ?

Hi,

Is anyone seeing increasing smtp concurrency for the past couple of
weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
all experience the same problem. The spam does not increase, but this
is hogging my mail servers. Probably a new crop of spamming tools?

I am attaching one qmail-mrtg graph that shows the problem.

http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

raj

Re: [OT] Seeing increase in smtp concurrency ?

Posted by mouss <mo...@netoyen.net>.
Aaron Wolfe wrote:
> On 9/6/07, Jeff Chan <je...@surbl.org> wrote:
>   
>> Quoting Rajkumar S <ra...@gmail.com>:
>>
>>     
>>> Hi,
>>>
>>> Is anyone seeing increasing smtp concurrency for the past couple of
>>> weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
>>> all experience the same problem. The spam does not increase, but this
>>> is hogging my mail servers. Probably a new crop of spamming tools?
>>>
>>> I am attaching one qmail-mrtg graph that shows the problem.
>>>
>>> http://img403.imageshack.us/img403/2224/smtpmonthyq4.png
>>>
>>> raj
>>>
>>>       
>> Some botnets are starting to hold mail connections open for much longer
>> after getting a 5xx blacklist response.  Reason is unknown; could be coding
>> errors or deliberate.  Many people are changing their smtpd timeouts from
>> the RFC 300 seconds down to 45 seconds:
>>
>>   http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>>
>> Here's the postfix for it:
>>
>>
>> ## to deal with botnets not hanging up
>> # Drop default from RFC limit of 300s to 45s
>> #
>> smtpd_timeout = 45s
>>
>>
>> Some people are even using 10 seconds, which seems short to me.  The RFC
>> requires 300 seconds.
>>
>> Jeff C.
>>
>>     
>
>
>
> Same problem here on several servers.  Reducing the timeout helps, but
> violates RFC and is simply reducing the effects rather than fixing the
> issue.  Is there any RFC valid way for a server to hang up on a client,
> especially after a 5xx?
>   

If you suspect this is a zombie (pbl.spamhaus.org, generic rDNS, 
"farway", completely broken smtp client...), then return 421 and close 
the connection instead of returning 5xx.



Re: [OT] Seeing increase in smtp concurrency ?

Posted by Chris Edwards <ch...@eng.gla.ac.uk>.
On Fri, 7 Sep 2007, Jason Haar wrote:

| What if SMTP servers report a 5XX and then drop the connection? I know
| that's not compliant, but a real mail server would have got the 5XX and
| so (mainly) wouldn't retry, and a spammer would have their connection
| terminated.

In exim-speak this is "drop" instead of "deny".

"drop: This verb behaves like deny, except that an SMTP connection is 
forcibly closed after the 5xx error message has been sent."

 
--
Chris Edwards, Glasgow University Computing Service

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Henrik Krohns <he...@hege.li>.
On Fri, Sep 07, 2007 at 10:19:49AM +0100, Justin Mason wrote:
> 
> Henrik Krohns writes:
> > On Fri, Sep 07, 2007 at 02:20:21AM -0500, Jeff Chan wrote:
> > > Quoting Henrik Krohns <he...@hege.li>:
> > > 
> > > > On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:
> > > > >
> > > > > I knew things like this would eventually happen. Spammers basically have
> > > > > infinite resources, they can deliver us a LOT of hurt when they wish to.
> > > > > I can think of a lot worse things they could do - and probably will :-(
> > > >
> > > > You are mixing things up. Spammers want to send as much stuff as possible.
> > > > Evil hackers/kiddies/whatever are the ones that want to shut you down.
> > > 
> > > Spam gangs, virus writers, phishers, bot herders, etc., tend to be many of the
> > > same criminals.  The Storm malware can send spam, do ddos, infect other
> > > machines, etc.  Some of the authors of spamware were found to also be authors
> > > of viruses and malware.
> > 
> > Ok, they may be some of the same people, but when they are operating as
> > "Spammers", I doubt they have delaying mail in mind.
> 
> They don't particularly care what happens to your MTA -- they just
> want to push out as many messages as possible, to as many addresses
> as possible.  If this overwhelms some smaller sites, c'est la vie,
> I'd guess.

Yeah, I was referring to the "bug" that leaves the connections hanging. I
don't see why it would be done knowingly.


Re: [OT] Seeing increase in smtp concurrency ?

Posted by Henrik Krohns <he...@hege.li>.
On Fri, Sep 07, 2007 at 02:20:21AM -0500, Jeff Chan wrote:
> Quoting Henrik Krohns <he...@hege.li>:
> 
> > On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:
> > >
> > > I knew things like this would eventually happen. Spammers basically have
> > > infinite resources, they can deliver us a LOT of hurt when they wish to.
> > > I can think of a lot worse things they could do - and probably will :-(
> >
> > You are mixing things up. Spammers want to send as much stuff as possible.
> > Evil hackers/kiddies/whatever are the ones that want to shut you down.
> 
> Spam gangs, virus writers, phishers, bot herders, etc., tend to be many of the
> same criminals.  The Storm malware can send spam, do ddos, infect other
> machines, etc.  Some of the authors of spamware were found to also be authors
> of viruses and malware.

Ok, they may be some of the same people, but when they are operating as
"Spammers", I doubt they have delaying mail in mind.

PS. Please don't reply in private.

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Matthias Haeker <mh...@its-h.de>.
Hi all

Probably more a sendmail question, and I googled around, but maybe someone
can give me a short input.

For 5xx

I have

$#error $@ 5.7.1 $: "550 Mail from [" $&{client_addr} "] Rejected."

in my sendmail.cf.

Does anybody know how I have to change it to 421?

$#error $@ 4.2.1 $: "421 Mail from [" $&{client_addr} "] Rejected."


??

Reducing the timeout didn't really help, so I would like to give 421 a try.

Matthias




Re: [OT] Seeing increase in smtp concurrency ?

Posted by Jeff Chan <je...@surbl.org>.
Quoting Henrik Krohns <he...@hege.li>:

> On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:
> >
> > I knew things like this would eventually happen. Spammers basically have
> > infinite resources, they can deliver us a LOT of hurt when they wish to.
> > I can think of a lot worse things they could do - and probably will :-(
>
> You are mixing things up. Spammers want to send as much stuff as possible.
> Evil hackers/kiddies/whatever are the ones that want to shut you down.

Spam gangs, virus writers, phishers, bot herders, etc., tend to be many of the
same criminals.  The Storm malware can send spam, do ddos, infect other
machines, etc.  Some of the authors of spamware were found to also be authors
of viruses and malware.

http://www.theregister.co.uk/2007/06/11/anti-spam_ddos/
Anti-spam sites weather DDoS assault | The Register

Jeff C.

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Henrik Krohns <he...@hege.li>.
On Fri, Sep 07, 2007 at 10:09:27AM +1200, Jason Haar wrote:
>
> I knew things like this would eventually happen. Spammers basically have
> infinite resources, they can deliver us a LOT of hurt when they wish to.
> I can think of a lot worse things they could do - and probably will :-(

You are mixing things up. Spammers want to send as much stuff as possible.
Evil hackers/kiddies/whatever are the ones that want to shut you down.


Re: [OT] Seeing increase in smtp concurrency ?

Posted by Jason Haar <Ja...@trimble.co.nz>.
Aaron Wolfe wrote:
>
> Same problem here on several servers.  Reducing the timeout helps, but
> violates RFC and is simply reducing the effects rather than fixing the
> issue.  Is there any RFC valid way for a server to hang up on a
> client, especially after a 5xx?
>
What if SMTP servers report a 5XX and then drop the connection? I know
that's not compliant, but a real mail server would have got the 5XX and
so (mainly) wouldn't retry, and a spammer would have their connection
terminated.

Is there any real downside to this? (one I can think of: mailing-list
broadcasts would be slowed down due to retries if invalid addresses were
present...)

I knew things like this would eventually happen. Spammers basically have
infinite resources, they can deliver us a LOT of hurt when they wish to.
I can think of a lot worse things they could do - and probably will :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [OT] Seeing increase in smtp concurrency ?

Posted by Aaron Wolfe <aa...@gmail.com>.
On 9/6/07, Jeff Chan <je...@surbl.org> wrote:
>
> Quoting Rajkumar S <ra...@gmail.com>:
>
> > Hi,
> >
> > Is anyone seeing increasing smtp concurrency for the past couple of
> > weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> > all experience the same problem. The spam does not increase, but this
> > is hogging my mail servers. Probably a new crop of spamming tools?
> >
> > I am attaching one qmail-mrtg graph that shows the problem.
> >
> > http://img403.imageshack.us/img403/2224/smtpmonthyq4.png
> >
> > raj
> >
>
>
> Some botnets are starting to hold mail connections open for much longer
> after getting a 5xx blacklist response.  Reason is unknown; could be coding
> errors or deliberate.  Many people are changing their smtpd timeouts from
> the RFC 300 seconds down to 45 seconds:
>
>   http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx
>
> Here's the postfix for it:
>
>
> ## to deal with botnets not hanging up
> # Drop default from RFC limit of 300s to 45s
> #
> smtpd_timeout = 45s
>
>
> Some people are even using 10 seconds, which seems short to me.  The RFC
> requires 300 seconds.
>
> Jeff C.
>



Same problem here on several servers.  Reducing the timeout helps, but
violates RFC and is simply reducing the effects rather than fixing the
issue.  Is there any RFC valid way for a server to hang up on a client,
especially after a 5xx?

-Aaron

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> Quoting Rajkumar S <ra...@gmail.com>:
> > Is anyone seeing increasing smtp concurrency for the past couple of
> > weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> > all experience the same problem. The spam does not increase, but this
> > is hogging my mail servers. Probably a new crop of spamming tools?

On 06.09.07 11:09, Jeff Chan wrote:
> Some botnets are starting to hold mail connections open for much longer
> after getting a 5xx blacklist response.  Reason is unknown; could be
> coding errors or deliberate.  Many people are changing their smtpd
> timeouts from the RFC 300 seconds down to 45 seconds:

> Some people are even using 10 seconds, which seems short to me.  The RFC
> requires 300 seconds.

It "requires" 300 seconds this way:

   An SMTP server SHOULD have a timeout of at least 5 minutes while it
   is awaiting the next command from the sender.

(RFC 2821, section 4.5.3.2).
SHOULD means "unless you have good reason" (RFC 2119).
Avoiding being DoSed is a good reason.

I think lowering it to maybe 60 seconds is not a problem.

BTW, maybe someone could gather a list of those IPs and create a blacklist...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Kelson <ke...@speed.net>.
Johnson, S wrote:
> It's interesting you say that.... I don't give a response (most of the
> time they're not there to receive it anyway and it clogs up my server
> with undeliverable email - especially in BIG spam attacks). I have not
> experienced this with my servers at all.  Last week, a friend of mine
> that owns a very large spam filtering/relay company got hit hard with
> this issue.  

I think Jeff was talking about a 5xx response in the SMTP transaction, 
not generating a bounce message after the fact.

When you say your friend was hit with "this issue," do you mean the 
server was clogged with undeliverable bounces, or do you mean they saw 
spammers hanging onto open connections longer than reasonable in a sort 
of reverse-tarpit?

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

RE: [OT] Seeing increase in smtp concurrency ?

Posted by "Johnson, S" <sj...@edina.k12.mn.us>.
It's interesting you say that.... I don't give a response (most of the
time they're not there to receive it anyway and it clogs up my server
with undeliverable email - especially in BIG spam attacks). I have not
experienced this with my servers at all.  Last week, a friend of mine
that owns a very large spam filtering/relay company got hit hard with
this issue.  

With all this, my graphs have not budged.  I'm thinking it was
deliberate.  

-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org] 
Sent: Thursday, September 06, 2007 11:10 AM
To: Rajkumar S
Cc: users@spamassassin.apache.org
Subject: Re: [OT] Seeing increase in smtp concurrency ?

Quoting Rajkumar S <ra...@gmail.com>:

> Hi,
>
> Is anyone seeing increasing smtp concurrency for the past couple of
> weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> all experience the same problem. The spam does not increase, but this
> is hogging my mail servers. Probably a new crop of spamming tools?
>
> I am attaching one qmail-mrtg graph that shows the problem.
>
> http://img403.imageshack.us/img403/2224/smtpmonthyq4.png
>
> raj
>


Some botnets are starting to hold mail connections open for much longer
after getting a 5xx blacklist response.  Reason is unknown; could be coding
errors or deliberate.  Many people are changing their smtpd timeouts from
the RFC 300 seconds down to 45 seconds:

 
http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:


## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s


Some people are even using 10 seconds, which seems short to me.  The RFC
requires 300 seconds.

Jeff C.

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Jeff Chan <je...@surbl.org>.
Quoting Rajkumar S <ra...@gmail.com>:

> Hi,
>
> Is anyone seeing increasing smtp concurrency for the past couple of
> weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> all experience the same problem. The spam does not increase, but this
> is hogging my mail servers. Probably a new crop of spamming tools?
>
> I am attaching one qmail-mrtg graph that shows the problem.
>
> http://img403.imageshack.us/img403/2224/smtpmonthyq4.png
>
> raj
>


Some botnets are starting to hold mail connections open for much longer after
getting a 5xx blacklist response.  Reason is unknown; could be coding errors
or deliberate.  Many people are changing their smtpd timeouts from the RFC 300
seconds down to 45 seconds:

  http://blogs.msdn.com/tzink/archive/2007/09/01/new-spamming-tactic.aspx

Here's the postfix for it:


## to deal with botnets not hanging up
# Drop default from RFC limit of 300s to 45s
#
smtpd_timeout = 45s


Some people are even using 10 seconds, which seems short to me.  The RFC
requires 300 seconds.

Jeff C.

Re: [OT] Seeing increase in smtp concurrency ?

Posted by "Mr. Gus" <mr...@disco-zombie.net>.
Rajkumar S wrote:
> Hi,
> 
> Is anyone seeing increasing smtp concurrency for the past couple of
> weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> all experience the same problem. The spam does not increase, but this
> is hogging my mail servers. Probably a new crop of spamming tools?
> 
> I am attaching one qmail-mrtg graph that shows the problem.
> 
> http://img403.imageshack.us/img403/2224/smtpmonthyq4.png

Yeah, two weekends ago our mail servers got absolutely slammed with 
connections that were left open. They'd get rejected, and then leave the 
connection open for a while, then try again, and so on.

Our count of exim processes per server went up from our already 
higher-than-it-recently-used-to-be 500 to around 1,000. This continued 
on Monday, climbing to around 1300. Restarting exim and killing off 
these old connections would only relieve it for ten minutes or less. 
When it hit 1500, we moved a few of our rbls to the connect phase, which 
brought it down to about 150 exim procs. Yeesh...

-- 
Gus
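
A detection script for the pattern Gus and the others describe (reject, hang, retry), added here and not from any poster: it pairs each 5xx reject with the next disconnect from the same client and reports clients that keep sessions open past a threshold, including sessions still open when the log ends. The one-event-per-line log format and the addresses are constructed for the example; the parser would need adapting to your MTA's real log.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the thread), one event per line:
#   <ISO timestamp> <client ip> <connect|reject|disconnect>
# 192.0.2.10 behaves; 198.51.100.7 hangs after each 5xx and retries;
# 203.0.113.4 is still connected when the log ends.
SAMPLE_LOG = """\
2007-09-06T10:00:00 192.0.2.10 connect
2007-09-06T10:00:01 192.0.2.10 reject
2007-09-06T10:00:02 192.0.2.10 disconnect
2007-09-06T10:00:00 198.51.100.7 connect
2007-09-06T10:00:01 198.51.100.7 reject
2007-09-06T10:04:58 198.51.100.7 disconnect
2007-09-06T10:05:00 198.51.100.7 connect
2007-09-06T10:05:01 198.51.100.7 reject
2007-09-06T10:09:59 198.51.100.7 disconnect
2007-09-06T10:00:05 203.0.113.4 connect
2007-09-06T10:00:06 203.0.113.4 reject
"""

def hold_times(log_text, log_end):
    """Seconds each client kept its session open after a reject.
    Returns {ip: [seconds, ...]}; a session with no disconnect is
    counted as held until log_end (an ISO timestamp)."""
    end = datetime.fromisoformat(log_end)
    pending = {}                  # ip -> time of the reject on its open session
    held = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, event = line.split()
        t = datetime.fromisoformat(ts)
        if event == "reject":
            pending[ip] = t
        elif event == "disconnect" and ip in pending:
            held[ip].append((t - pending.pop(ip)).total_seconds())
    for ip, t in pending.items():
        held[ip].append((end - t).total_seconds())
    return dict(held)

def hangers(log_text, log_end, threshold_s=60, min_sessions=1):
    """(ip, count, longest) for clients with at least min_sessions rejected
    sessions held longer than threshold_s; sorted for a stable block list."""
    result = []
    for ip, times in hold_times(log_text, log_end).items():
        slow = [t for t in times if t > threshold_s]
        if len(slow) >= min_sessions:
            result.append((ip, len(slow), max(slow)))
    return sorted(result)

if __name__ == "__main__":
    for ip, n, worst in hangers(SAMPLE_LOG, "2007-09-06T10:10:00"):
        print("%s: %d session(s) held after reject, longest %.0fs" % (ip, n, worst))
```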

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Rajkumar S <ra...@gmail.com>.
On 9/6/07, Rick Macdougall <ri...@ummm-beer.com> wrote:
> For qmail I added the file timeoutsmtpd in /var/qmail/control with a
> value of 180 inside it (default is 7200) and it seems to have fixed the
> problem without causing any new problems.

Thanks, I have changed timeoutsmtpd to 60 and the server is now
breathing easy :)

The effect is pretty dramatic in the graph.
http://img464.imageshack.us/img464/4921/smtpdaysr7.png

raj

Re: [OT] Seeing increase in smtp concurrency ?

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Rajkumar S wrote:
> Hi,
> 
> Is anyone seeing increasing smtp concurrency for the past couple of
> weeks? I run a couple of (qmail/simscan/spamassassin) mail servers and
> all experience the same problem. The spam does not increase, but this
> is hogging my mail servers. Probably a new crop of spamming tools?
> 
> I am attaching one qmail-mrtg graph that shows the problem.
> 
> http://img403.imageshack.us/img403/2224/smtpmonthyq4.png
> 
> raj

Hi,

Yup, I've seen that across all the mail servers I manage.  Seems the 
latest crop of Zombies don't disconnect correctly.

For qmail I added the file timeoutsmtpd in /var/qmail/control with a 
value of 180 inside it (default is 7200) and it seems to have fixed the 
problem without causing any new problems.

Mind you, these are external MX servers and there are no dialup users 
connecting to them; if there were end users connecting, I'd probably 
raise that 180 to 300 or maybe even 600.

Regards,

Rick
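
The two mitigations the thread converges on, an idle timeout (Jeff's smtpd_timeout, Rick's timeoutsmtpd) and mouss's 421-and-close for a suspected zombie, in one runnable toy asyncio SMTP listener added for this edit (not qmail, Postfix, exim or sendmail code, and not from any poster). The hostname mx.example.test, the bot addresses and the is_suspect flag are assumptions, and the timeout is cut to 0.2 s so the demo finishes quickly.

```python
import asyncio

# Idle timeout in seconds: RFC 2821 4.5.3.2 says SHOULD be >= 300, the thread runs 45-180.
IDLE_TIMEOUT = 0.2

def reject_reply(client_ip, is_suspect):
    # 421 and close for a suspected zombie, a plain 550 for anyone else.
    if is_suspect:
        return "421 4.7.1 [%s] closing transmission channel" % client_ip, True
    return "550 5.7.1 [%s] rejected" % client_ip, False

async def handle(reader, writer):
    ip = writer.get_extra_info("peername")[0]
    writer.write(b"220 mx.example.test ESMTP\r\n")
    try:
        while True:
            try:
                line = await asyncio.wait_for(reader.readline(), IDLE_TIMEOUT)
            except asyncio.TimeoutError:      # client went quiet: free the slot
                writer.write(b"421 4.4.2 idle timeout, closing channel\r\n")
                break
            if not line: break                # client hung up first
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith(("HELO", "EHLO")):
                writer.write(b"250 mx.example.test\r\n")
            elif cmd.startswith("MAIL FROM:"):
                # Demo assumption: every client is blacklisted and zombie-like.
                reply, close = reject_reply(ip, is_suspect=True)
                writer.write(reply.encode() + b"\r\n")
                if close: break
            else:
                writer.write(b"500 command not recognised\r\n")
        await writer.drain()
    finally:
        writer.close()

async def probe(port, commands):
    # Client side: pipeline the commands, then collect replies until EOF.
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    for cmd in commands:
        writer.write(cmd.encode() + b"\r\n")
    replies = []
    while line := await reader.readline():    # returns only once the server closes
        replies.append(line.decode().strip())
    writer.close()
    return replies

def run_demo():
    async def main():
        server = await asyncio.start_server(handle, "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        idle = await probe(port, ["EHLO bot.example.test"])            # then silence
        rejected = await probe(port, ["EHLO bot.example.test", "MAIL FROM:<a@bot.example.test>"])
        server.close()
        return idle, rejected
    return asyncio.run(main())
```

run_demo() starts the listener on a loopback port, connects once as a client that goes silent and once as a client that gets rejected, and returns the reply lines each one saw before the server closed the socket.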