Server under email attack?


propheci
05-01-2007, 10:26 AM
For the past couple of days, my server has been receiving tons of email. On Saturday, when I did a top, the load average was over 900! Even now, it's hovering at 50, 50, 50. Normally, it's under 1 since my sites don't get that much traffic.

Looking through my ps list, there is a ton of qmail-smtpd, /var/qmail/bin/relaylock, tcp-env /var/qmail/bin/relaylock processes running. Under /var/log, my maillog is size 0. In /var/log/messages, I do see this line:

Deactivating service smtp due to excessive incoming connections. Restarting in 30 seconds.

Anyway, what can I do to stop this? Thanks.

propheci
05-01-2007, 03:20 PM
A bit more info. I looked in /usr/local/psa/var/log/maillog and there is a ton of relaylock entries:

May 1 15:23:25 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 83.29.160.230:3774 (bto230.neoplus.adsl.tpnet.pl)
May 1 15:23:27 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 76.4.65.73:28115 (va-76-4-65-73.dhcp.embarqhsd.net)
May 1 15:23:29 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 201.143.104.198:61407 (red-corp-201.143.104.198.telnor.net)
May 1 15:23:30 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 218.106.254.66:2099 (not defined)
May 1 15:23:30 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 90.194.162.245:4233 (5ac2a2f5.bb.sky.com)
May 1 15:23:31 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 90.194.162.245:4304 (5ac2a2f5.bb.sky.com)
May 1 15:23:32 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 62.114.74.89:4126 (not defined)
May 1 15:23:32 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 61.63.96.40:4460 (61-63-96-40.nty.dynamic.lsc.net.tw)
May 1 15:23:32 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 62.202.4.132:2542 (132.4.202.62.fix.bluewin.ch)
May 1 15:23:33 chi01-003-08 relaylock: /var/qmail/bin/relaylock: mail from 63.225.235.30:2289 (dumont.nacorp.com)

Basically a few every second. Are these relay requests? How can I just ignore them?
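
To tell whether relaylock entries like the ones quoted above come from a handful of hosts or from many scattered ones, the following added example (not part of the original thread) parses lines in that format and reports the connection rate, the number of distinct sources and the busiest sources. The sample lines, the host name mailhost and the function name summarize are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches lines in the format quoted in the post:
# "<Mon D HH:MM:SS> <host> relaylock: ...: mail from <ip>:<port> (<rdns>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+relaylock:.*"
    r"mail from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+\((?P<rdns>[^)]*)\)"
)

# Constructed sample input (documentation address ranges, made-up host names).
SAMPLE = """\
May 1 15:23:25 mailhost relaylock: /var/qmail/bin/relaylock: mail from 192.0.2.10:3774 (host10.example.net)
May 1 15:23:26 mailhost relaylock: /var/qmail/bin/relaylock: mail from 198.51.100.7:28115 (not defined)
May 1 15:23:27 mailhost relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.5:4233 (host5.example.org)
May 1 15:23:27 mailhost relaylock: /var/qmail/bin/relaylock: mail from 203.0.113.5:4304 (host5.example.org)
May 1 15:23:28 mailhost otherdaemon: constructed line that is not a relaylock entry
May 1 15:23:28 mailhost relaylock: /var/qmail/bin/relaylock: mail from 192.0.2.44:2099 (not defined)
May 1 15:23:29 mailhost relaylock: /var/qmail/bin/relaylock: mail from 198.51.100.99:2542 (host99.example.com)
""".splitlines()

def summarize(lines, year=2007, top=3):
    """Summarize relaylock entries: rate, spread of sources, busiest sources."""
    per_ip, stamps, no_rdns = Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip maillog lines that are not relaylock entries
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        per_ip[m["ip"]] += 1
        no_rdns += m["rdns"] == "not defined"  # label used in the quoted log
    total = len(stamps)
    span = (max(stamps) - min(stamps)).total_seconds() if total else 0
    return {
        "connections": total,
        "distinct_sources": len(per_ip),
        "per_second": round(total / max(span, 1), 2),
        "no_reverse_dns": no_rdns,
        "top_sources": per_ip.most_common(top),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Many distinct sources with only one or two connections each means blocking individual addresses will not help much, while a short top_sources list carrying most of the volume points to a few hosts that can be filtered.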

ManagerJosh
05-02-2007, 02:45 AM
Please open up a support ticket immediately and ask Senad, Kevin or someone else to examine this immediately.