Posted to users@spamassassin.apache.org by Jean-Paul Natola <jn...@familycareintl.org> on 2010/04/13 20:04:32 UTC
accepted connection from DNSBL's
Hi all,
I recently upgraded to sa-3.3.0 and I think my blacklists aren't working; I'm getting nailed from servers around the globe that are on the DNSBL list. I did run sa-update after the upgrade.
How can I confirm that the BL rules are working?
Re: accepted connection from DNSBL's
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/04/13 3:30 PM, Jean-Paul Natola wrote:
> Ideally, correct me if I'm wrong, wouldn't I want SA to drop the connection after doing a lookup on the IP, or are you saying I should do that on the gateway?
SA doesn't have the ability to drop connections. It only scans what is
handed to it. This is an MTA-level issue. You may be able to find out
on the Exim list if Exim is able to drop connections sooner based on an
RBL hit, but these logs really don't look out of place to me. I see
these all the time from botnets to server farms, and sites like Constant
Contact. Every log entry makes me just a little bit happier that I was
able to prevent them from consuming all available threads, so that resources
remain open for legitimate uses.
--
/Jason
Re: accepted connection from DNSBL's
Posted by Matt Kettler <mk...@verizon.net>.
On 4/13/2010 3:30 PM, Jean-Paul Natola wrote:
> --
> > var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
>
> /Jason
> Ideally, correct me if I'm wrong, wouldn't I want SA to drop
> the connection after doing a lookup on the IP, or are you saying I
> should do that on the gateway?
Those log messages have nothing to do with SpamAssassin or DNSBLs. That
is exim refusing a connection during the initial connection attempt,
prior to any commands being sent. SpamAssassin can't get involved so
early because it is a message content scanner, thus it needs content to
scan. SA has no clue what your MTA (in this case exim) is doing with
connections. SpamAssassin's only input is a whole, complete message, and
it cannot be called without one. Its only outputs are a marked up
message, or a numeric score (in the case of spamc -c).
Here, 110.139.156.19 is trying to bombard your mailserver with a large
number of simultaneous connections for delivering mail, something well
behaved hosts generally won't do.
Exim (which is your MTA, thus the agent accepting mail) has started
refusing additional connections from this IP address, because there are
already a large number open and it looks like an attack. Odds are very
good that this host is doing one (or more) of the following:
1) performing a dictionary attack to scan for valid email addresses.
2) bombing you with spam
3) attempting to exploit your MTA and install a rootkit/backdoor or some
other malware.
Either way, it is good that it is getting slowed down. It is probably
case 1), if I had to guess, but you'd have to look if there's a lot of
"unknown address" errors being generated by that host in your mail logs.
RE: accepted connection from DNSBL's
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
-----Original Message-----
From: Jason Bertoch [mailto:jason@i6ix.com]
Sent: Tuesday, April 13, 2010 2:53 PM
To: users@spamassassin.apache.org
Subject: Re: accepted connection from DNSBL's
On 2010/04/13 2:38 PM, Jean-Paul Natola wrote:
> Well just to confirm I have taken the IP addresses and entered them here
> http://www.dnsbl.info/dnsbl-database-check.php
>
> and almost ALL of them are listed in at least 5 of the lists,
>
> this one was on 9 of the lists see below
>
> var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:20 Connection from [110.139.156.19] refused: too many connections
>
> My setup is as follows
> Freebsd
> Exim
> Clamav
> SA
>
This is an MTA connection limit, which is not a bad thing. Sane limits
should always be placed on servers. I suspect that in Exim the RBLs
are checked after local connection limits. This is likely nothing to
worry about. You may want to verify that this is a PER HOST connection
limit and not server-wide, though. The Exim list may be more helpful in
that regard.
--
/Jason
Ideally, correct me if I'm wrong, wouldn't I want SA to drop the connection after doing a lookup on the IP, or are you saying I should do that on the gateway?
Re: accepted connection from DNSBL's
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/04/13 2:38 PM, Jean-Paul Natola wrote:
> Well just to confirm I have taken the IP addresses and entered them here
> http://www.dnsbl.info/dnsbl-database-check.php
>
> and almost ALL of them are listed in at least 5 of the lists,
>
> this one was on 9 of the lists see below
>
> var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
> /var/log/exim/mainlog:2010-04-13 14:24:20 Connection from [110.139.156.19] refused: too many connections
>
> My setup is as follows
> Freebsd
> Exim
> Clamav
> SA
>
This is an MTA connection limit, which is not a bad thing. Sane limits
should always be placed on servers. I suspect that in Exim the RBLs
are checked after local connection limits. This is likely nothing to
worry about. You may want to verify that this is a PER HOST connection
limit and not server-wide, though. The Exim list may be more helpful in
that regard.
--
/Jason
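Jason's reading of these lines as a per-host limit, and Matt Kettler's suggestion elsewhere in the thread to check the same host for unknown-address errors, can be combined into a small log triage. This is an added example, not code from the original thread: it assumes Exim's "rejected RCPT ... Unrouteable address" wording for recipient rejections and an arbitrary threshold of two unknown recipients, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of the Exim mainlog quoted in the thread; the
# 'rejected RCPT ... Unrouteable address' lines are an assumed approximation of
# Exim's recipient-rejection entry and are not from the original post.
SAMPLE_LOG = """\
2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
2010-04-13 14:24:18 H=(mx.example.invalid) [110.139.156.19] rejected RCPT <bob@example.invalid>: Unrouteable address
2010-04-13 14:24:18 H=(mx.example.invalid) [110.139.156.19] rejected RCPT <carol@example.invalid>: Unrouteable address
2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
2010-04-13 14:24:20 Connection from [110.139.156.19] refused: too many connections
2010-04-13 14:25:01 H=(relay.example.net) [192.0.2.10] rejected RCPT <dave@example.invalid>: Unrouteable address
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
REFUSED = re.compile(TS + r" Connection from \[([\d.]+)\] refused: too many connections")
UNKNOWN = re.compile(TS + r" H=.*?\[([\d.]+)\] rejected RCPT <[^>]*>: Unrouteable address")

def summarise(log_text):
    """Per source IP: refused-connection count, unknown-recipient count, and
    the seconds spanned by the refusals (a burst of them within seconds is
    the per-host limit doing its job)."""
    stats = defaultdict(lambda: {"refused": 0, "unknown_rcpt": 0, "span_s": 0.0, "_first": None})
    for line in log_text.splitlines():
        line = line.split("mainlog:", 1)[-1]  # tolerate a grep filename prefix
        if m := REFUSED.match(line):
            s, ts = stats[m.group(2)], datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            s["_first"] = s["_first"] or ts
            s["refused"] += 1
            s["span_s"] = (ts - s["_first"]).total_seconds()
        elif m := UNKNOWN.match(line):
            stats[m.group(2)]["unknown_rcpt"] += 1
    return dict(stats)

def classify(s, unknown_threshold=2):
    """Rule of thumb from the thread (the threshold is an assumed example value):
    refusals plus unknown recipients point at address harvesting."""
    if s["refused"] and s["unknown_rcpt"] >= unknown_threshold:
        return "likely dictionary attack: harvesting addresses"
    if s["refused"]:
        return "connection flood: check what it tried to deliver"
    return "no connection-limit hits"

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s["refused"], s["unknown_rcpt"], s["span_s"], classify(s))
```

Feed it `grep -h 'refused\|rejected RCPT' /var/log/exim/mainlog` output to see which hosts trip the limit and whether they are also probing for addresses.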
RE: accepted connection from DNSBL's
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
-----Original Message-----
From: Jason Bertoch [mailto:jason@i6ix.com]
Sent: Tuesday, April 13, 2010 2:27 PM
To: users@spamassassin.apache.org
Subject: Re: accepted connection from DNSBL's
On 2010/04/13 2:11 PM, Jean-Paul Natola wrote:
>
> ... I think my blacklists aren't working...
>
> ...I'm getting a bunch of "refused too many connections"...
>
It sounds like you're hitting an MTA connection limit, which doesn't have
anything to do with blacklists, although I suppose it could also be a
connection limit to your DNS resolver. Where are you finding these
messages, and can you describe your setup? MTA
(sendmail/postfix/qmail)? How are you querying the blacklists (in SA
only, or at the MTA level)? Are you running a local resolver? And most
importantly, what else did you change while upgrading SA?
--
/Jason
Well just to confirm I have taken the IP addresses and entered them here
http://www.dnsbl.info/dnsbl-database-check.php
and almost ALL of them are listed in at least 5 of the lists,
this one was on 9 of the lists see below
var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:17 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:18 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:19 Connection from [110.139.156.19] refused: too many connections
/var/log/exim/mainlog:2010-04-13 14:24:20 Connection from [110.139.156.19] refused: too many connections
My setup is as follows
Freebsd
Exim
Clamav
SA
To be totally honest, I had set this box up a LONG time ago (4 years? Maybe) with assistance from a good friend and list member, and the only thing I have done since is upgrade ports on my box, update those 3 apps (exim, clam and sa) and schedule clam updates and sa updates via cron.
Re: accepted connection from DNSBL's
Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/04/13 2:11 PM, Jean-Paul Natola wrote:
>
> ... I think my blacklists aren't working...
>
> ...I'm getting a bunch of "refused too many connections"...
>
It sounds like you're hitting an MTA connection limit, which doesn't have
anything to do with blacklists, although I suppose it could also be a
connection limit to your DNS resolver. Where are you finding these
messages, and can you describe your setup? MTA
(sendmail/postfix/qmail)? How are you querying the blacklists (in SA
only, or at the MTA level)? Are you running a local resolver? And most
importantly, what else did you change while upgrading SA?
--
/Jason
RE: accepted connection from DNSBL's
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
________________________________________
From: Jean-Paul Natola [mailto:jnatola@familycareintl.org]
Sent: Tuesday, April 13, 2010 2:05 PM
To: 'users@spamassassin.apache.org'
Subject: accepted connection from DNSBL's
Hi all,
I recently upgraded to sa-3.3.0 and I think my blacklists aren't working; I'm getting nailed from servers around the globe that are on the DNSBL list. I did run sa-update after the upgrade.
How can I confirm that the BL rules are working?
------------------------------------------------
Hit send too quick; what is happening is I'm getting a bunch of "refused too many connections".