On Tue, Aug 23, 2005 at 01:27:50PM -0400, Jessica Zhu wrote:
> On Tue, 23 Aug 2005, Ed Wilts wrote:
>
> > Another possibility is that somebody outside of your organization forged
> > their From: addresses to be from your domain. They then spam like crazy
> > and all the bounce messages go to you. Somebody did that to us and it's
> > not easy to recover from. The bounce messages come from all over so you
> > can't block the senders (the sending host is likely legitimate anyway).
>
> That's exactly what happened to us. Somebody outside of our organization
> forged the From: addresses and we became the victim of that. At this
> point, it seemed that our syslog is so busy writing the maillog that it
> becomes a heavy process. This morning around 8AM, this drove our system
> load over 20 and the system became slower and slower. Now it seems the
> worst time is over. However, I worry that with such bounced-back volumes
> increasing, our system cannot afford it in the end.

I saw load averages well over 100 :-(. We have 2 mail servers in a
round-robin configuration and they both got beaten into the ground.

> All the messages come to random usernames. A lot don't exist.

That makes it really, really hard to stop. Source addresses all over the
place - typically legitimate - doing the right thing, which is to bounce
messages that are undeliverable. Unfortunately the bounce messages are
going to you although you didn't send them.

> We cannot afford the system down. So really hope someone here
> has the solution for this.

There is no easy solution except to buy more server capacity to handle
the load (and buying more servers isn't really easy either!). One other
option is to configure sendmail to only accept mail to certain addresses
and discard, not bounce, the rest. This requires a lot of maintenance
with the access database if you have a lot of users coming and going.

Long term, I see something like the authenticated sender mechanisms
helping here - these will restrict messages from you to only come from
your hosts. I don't think most of this stuff is working well in
production yet though (SPF, et al).

.../Ed

> > > Jessica Zhu wrote:
> > > >
> > > > Hi,
> > > >
> > > > It looks like we are experiencing the mail attack now.
> > > >
> > > > In our maillog, we have a lot of User Unknown messages like the following.
> > > >
> > > > Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110:
> > > > <Oscard@xxxxxxxxxxxxx>... User unknown
> > > > Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>,
> > > > size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
> > > > relay=mail.vis-inc.net [66.77.28.202]
> > > >
> > > > It looks like all the from is <>, does anyone have a way to fight
> > > > against it.
> > > >
> > > > Jessica

--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts@xxxxxxxxxx
Member #1, Red Hat Community Ambassador Program
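The signature of the backscatter storm described in this thread is a null envelope sender (from=<>) paired with a "User unknown" rejection, spread across many otherwise legitimate relays. The script below, an added example that is not part of the thread, joins the two sendmail maillog lines by queue id so the storm can be measured per relay; the log lines, hostnames, queue ids and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample maillog lines in the sendmail format quoted above.
# Queue ids, relays and addresses are made up for this example.
SAMPLE_MAILLOG = """\
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: <oscard@example.org>... User unknown
Aug 23 11:52:25 s1 sendmail[2110]: j7NFqPL02110: from=<>, size=17601, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:26 s1 sendmail[2113]: j7NFqQL02113: <bob@example.org>... User unknown
Aug 23 11:52:26 s1 sendmail[2113]: j7NFqQL02113: from=<>, size=9000, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Aug 23 11:52:27 s1 sendmail[2115]: j7NFqRL02115: <alice@example.org>... User unknown
Aug 23 11:52:27 s1 sendmail[2115]: j7NFqRL02115: from=<spammer@example.com>, size=4000, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.5]
Aug 23 11:52:28 s1 sendmail[2117]: j7NFqSL02117: from=<>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx2.example.net [203.0.113.7]
"""

QUEUE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY_RE = re.compile(r"relay=(?P<relay>\S+)")


def parse_backscatter(log_text):
    """Return (flagged_queue_ids, bounces_per_relay).

    A queue id is flagged as backscatter only when BOTH conditions hold:
    its delivery attempt logged "User unknown" and its envelope sender is
    the null address from=<>. sendmail writes these as two separate lines
    that share a queue id, so the lines are joined by that id."""
    unknown = set()
    sender = {}
    relay = {}
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.endswith("User unknown"):
            unknown.add(qid)
        elif rest.startswith("from="):
            sender[qid] = rest.split(",", 1)[0][len("from="):]
            r = RELAY_RE.search(rest)
            relay[qid] = r.group("relay") if r else "?"
    flagged = sorted(q for q in unknown if sender.get(q) == "<>")
    return flagged, Counter(relay[q] for q in flagged)


if __name__ == "__main__":
    flagged, per_relay = parse_backscatter(SAMPLE_MAILLOG)
    print(f"{len(flagged)} backscatter bounces to unknown users")
    for host, n in per_relay.most_common():
        print(f"  {n:5d}  {host}")
```

A message with a null sender to an existing user, or a rejection with a real sender, is deliberately not flagged, which is what keeps ordinary bounces and ordinary spam out of the count.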