Print Page | Close Window

spambot attack & max incomming reached

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6881
Printed Date: 16 December 2017 at 11:55am


Topic: spambot attack & max incomming reached
Posted By: Pierre
Subject: spambot attack & max incomming reached
Date Posted: 14 October 2010 at 10:31am

We have 3 relay servers we use for incomming and outgoing mail.

From time to time one of them is under attack by spambots and then the max number of concurrent incomming smtp connections (currently set at 50) is reached.

What then happens is that new connection attempts are accepted, but dropped immediately and therefore that legitimate new connection attempts get a "smtp connection error" NDR.

I would think that ones the max concurrend incoming connections are reached, logsat would refuse any new connection and that legitimate connection attempts would then fail over to a secondary relay server based on the mx config.

Is there a way to configure logsat to stop handling incoming request once the max is reached or is there another way to solve this issue?




Replies:
Posted By: LogSat
Date Posted: 14 October 2010 at 7:49pm
Pierre,

That is odd (the NDR). When the max connection limit is reached, SpamFilter abruptly terminates the connection, sending a "421 Too many connections on the server" error first. This should cause the remote SMTP server to retry sending the email for a reasonable number of times, absolutely not to send back an NDR to the sender right away. If they send an NDR without retrying at least a few times (the RFC 5321 does not specify a minimum threshold), they're violating RFC. Furthermore, in the retry, they should be attempting to connect to your secondary MX records if present.
If you have a specific sender for which you experience this behavior, you may want to let them know of the problem. If there's multiple such cases with multiple senders, are you certain that they are indeed not trying to connect to the secondaries (or retrying to send the email thru SpamFilter at a later time)? We'd be happy to examine SpamFilter's activity logfile for you if you'd like to look for abnormalities.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Pierre
Date Posted: 15 October 2010 at 11:48am

I have been monitoring a bit more and I can see that the spambot attacks are more frequently and also last longer. So I assume that legitimate mail does not get an NDR on the first connection attempt, but later one, when it gives up. But strange that they never fail over to one of the other MX servers. Those are not busy at all at that time.

It would be great if you could take a look at f.e. yesterdays log file. How do I send it over?


Posted By: LogSat
Date Posted: 15 October 2010 at 4:31pm
If the zipped logfile is smaller than 8MB, you can simply email it to us at support at logsat dot com. If not, I'll be sending you a PM shortly with our FTP info to upload the file. Please also let us know the to/from email addresses that are getting the NDR (a copy of the NDR would also help). If you happen to know the IP of the remote server, that will help to of course.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window