Spam Filter ISP Support Forum


spambot attack & max incoming reached

Pierre (Newbie), posted 14 October 2010 at 10:31am

We have 3 relay servers we use for incoming and outgoing mail.

From time to time one of them is under attack by spambots and then the max number of concurrent incoming SMTP connections (currently set at 50) is reached.

What then happens is that new connection attempts are accepted but dropped immediately, and therefore legitimate new connection attempts get a "smtp connection error" NDR.

I would think that once the max concurrent incoming connections are reached, LogSat would refuse any new connection and that legitimate connection attempts would then fail over to a secondary relay server based on the MX config.

Is there a way to configure LogSat to stop handling incoming requests once the max is reached, or is there another way to solve this issue?



Edited by Pierre - 15 October 2010 at 11:42am

LogSat (Admin Group), posted 14 October 2010 at 7:49pm

Pierre,

That is odd (the NDR). When the max connection limit is reached, SpamFilter abruptly terminates the connection, sending a "421 Too many connections on the server" error first. This should cause the remote SMTP server to retry sending the email a reasonable number of times, and absolutely not to send back an NDR to the sender right away. If they send an NDR without retrying at least a few times (RFC 5321 does not specify a minimum threshold), they're violating the RFC. Furthermore, in the retry, they should be attempting to connect to your secondary MX records if present.

If you have a specific sender for which you experience this behavior, you may want to let them know of the problem. If there are multiple such cases with multiple senders, are you certain that they are indeed not trying to connect to the secondaries (or retrying to send the email through SpamFilter at a later time)? We'd be happy to examine SpamFilter's activity logfile for you if you'd like to look for abnormalities.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
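
The retry and MX failover behaviour described in the reply above, as an added example that is not part of the original thread and is not LogSat's code: a simplified model of a sending MTA's queue. The host names, MX preferences and the `max_passes` limit are constructed assumptions.

```python
# Added example: simplified model of a sending MTA's queue (not LogSat code).
# MX hosts, preferences and max_passes are constructed assumptions.
MX = [(10, "relay1.example.net"), (20, "relay2.example.net"),
      (30, "relay3.example.net")]

def classify(outcome):
    """Map one connection outcome to 'delivered', 'transient' or 'permanent'."""
    if outcome == "dropped":       # accepted, then closed with no SMTP reply
        return "transient"
    code = int(outcome[:3])
    if 200 <= code < 300:
        return "delivered"
    if 400 <= code < 500:          # e.g. "421 Too many connections on the server"
        return "transient"
    return "permanent"             # 5yz; simplified, real MTAs vary on greetings

def delivery_pass(mx_records, outcomes):
    """One queue run: try MX hosts in preference order, lowest value first.

    outcomes maps host -> reply line (or "dropped").
    Returns (result, hosts_tried); result is delivered, deferred or bounced.
    """
    tried = []
    for _pref, host in sorted(mx_records):
        tried.append(host)
        kind = classify(outcomes[host])
        if kind == "delivered":
            return "delivered", tried
        if kind == "permanent":
            return "bounced", tried
        # transient failure: fall through to the next MX host
    return "deferred", tried

def run_queue(mx_records, outcomes_per_pass, max_passes):
    """Repeat passes until delivered or bounced; an NDR (bounce) for purely
    transient failures is generated only after max_passes is used up."""
    log = []
    for outcomes in outcomes_per_pass[:max_passes]:
        result, tried = delivery_pass(mx_records, outcomes)
        log.append((result, tried))
        if result != "deferred":
            return result, log
    return "bounced", log

if __name__ == "__main__":
    busy = "421 Too many connections on the server"
    first = {MX[0][1]: busy, MX[1][1]: "250 OK", MX[2][1]: "250 OK"}
    print(run_queue(MX, [first], max_passes=3))
```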

Pierre (Newbie), posted 15 October 2010 at 11:48am

I have been monitoring a bit more and I can see that the spambot attacks are more frequent and also last longer. So I assume that legitimate mail does not get an NDR on the first connection attempt, but later on, when it gives up. But it is strange that they never fail over to one of the other MX servers. Those are not busy at all at that time.

It would be great if you could take a look at, e.g., yesterday's log file. How do I send it over?


Edited by Pierre - 15 October 2010 at 11:49am

LogSat (Admin Group), posted 15 October 2010 at 4:31pm

If the zipped logfile is smaller than 8MB, you can simply email it to us at support at logsat dot com. If not, I'll be sending you a PM shortly with our FTP info to upload the file. Please also let us know the to/from email addresses that are getting the NDR (a copy of the NDR would also help). If you happen to know the IP of the remote server, that will help too, of course.

Roberto Franceschetti

LogSat Software

Spam Filter ISP