Dealing With A Distributed Spam Attack (exim)

May 16, 2007

We've been seeing sluggish performance on our mail gateways, and so I started doing some digging in the logs. It looks like we are filling up with messages like:

2007-05-16 12:22:16 Connection from [xx.xx.xx.xx] refused: too many connections

We have our max connections set to 20 (total, not host-specific) in exim4. So I started tailing the logs, and sure enough, we are getting bombarded with requests coming from all over the map. The requests are getting denied of course, but that doesn't help the connection issue since they are consuming all of them, preventing real mail (for the most part) from getting through.

What is the proper way to deal with something like this? I could certainly just up the max connections value from 20 to 40 or 50 or whatever, but I'm not sure what kind of performance impact that will have on the rest of the traffic going through our gateways.

Since the spam attempts are coming from all over the place, it doesn't seem like I can just firewall out a few addresses and be done with it.

This particular rack is a cluster of web and database servers behind two gateway boxes, which handle the mail traffic (so this problem is on the gateways, the actual mail server itself sits behind the gateways and never actually sees these fake emails).

Dealing With A DDoS Attack

Feb 8, 2008

I've got CSF setup, but the problem is, I can't seem to keep the SYN Attack blocked without blocking all my legit hits.

My Exim Is Under Attack

Dec 16, 2008

My exim is under DDoS:

exim (pid 8042 8158 8169 8175 8249 8254 8267 8276 8384 8397 8398 8556 8560 8561 8587 8663 8669 8705 8707 8711 8752 8783 8790 8796 8799 8811 8881 8883 8884 8929 8932 8934 9014 9019 9025 9035 9060 9087 9089 ...............)

How can I solve it?

Most Ruthless Dictionary Spam Attack

Sep 14, 2007
So one of my domains is getting a dictionary attack. It is a popular domain and "big deal" it happens all the time. Well, this time it is the most ruthless distributed dictionary attack I have ever seen.

Today marks the one week period and emails are flooding in 10 to 15 a second (of course none of them ever get delivered). It is like hail pounding on a thin tin roof and the denial/logging alone has the server load at least quadrupled!

Oh yeah, the best part. I have a beautiful list of over 7,000 banned IP addresses (and growing every minute, now THAT'S DISTRIBUTED!).

Plesk 11.x / Linux :: Spam Attack - Passwords Discovered

May 28, 2014

I'm getting a big problem on my server.

From 1 week until now I got 4 spam attacks. The attacker is the same, because the emails sent are equal.

The technique is also the same: they use an email account (compromised password) and send emails through the SMTP server.

When I detect the attack, I do:

1. Identify the compromised account
2. Change the password of the compromised account
3. Stop qmail
4. Clear queue with qmail-remove
5. Start qmail

The problem is that they have already used 4 different domains since the first attack. So, here is my problem: how do they discover the passwords?! How can I solve this problem? I have hundreds of email accounts and can't change them all.

CentOS release 5.10 (Final)
Plesk 11.0.9 

Plesk 11.x / Linux :: Reinstall Qmail After Spam Attack

May 22, 2014

I need to reinstall qmail after a spam attack and followed the post. URL.... It says:

rpm -Uvh --force psa-qmail

but my system returns an error message: error: opening psa-qmail failed: No such file or directory (error: la apertura de psa-qmail falló: No existe el fichero o el directorio)

rpm -q psa-qmail
And my system is CentOS

Exim Server - Being Used To Relay Spam?

Dec 3, 2008

Hoping someone can help here. I have a web server running a couple of sites, and has been for a couple of years now. With one of the domains, I have an email forwarder set up through cPanel to forward mail sent to a specific address at that domain to my Gmail account (it's a "contact us" type address). I don't think the email address is listed on the web anywhere.

Anyway, I am noticing a lot of spam emails being sent to that address, from that same address and they all appear to be relayed through my exim server legitimately. Obviously they aren't (as I am not sending them).

I am only familiar with sendmail, and am unsure about where to look for any possible hacks to my exim server. Can someone point me in the right direction? I want to stop these spam messages being sent, asap.

Exim Load Is High And TONS Of Spam

Mar 8, 2008

After noticing the SQL errors on my sites, I went in to take a closer look.

First thing I noticed was my server load was at 200! This was all due to EXIM!

I stopped exim and then watched my load go back down to like 1... then started it, and it gradually rose again.

After using the Exim Cheat Sheet...

I discovered I had over 7000 messages frozen in my queue and a few thousand not frozen.

After erasing all of the frozen messages because they were all spam, I am left wondering what I can do to stop this from happening again...

1. Is this spam being SENT FROM me? Or TO me?

2. Regardless of the answer to #1, how do I make it stop? I don't host any significant sites, and the server only has a few sites on it. None of the domains match up with anything I have anything to do with, so it's all worthless, and nobody on my server heavily uses their email through me.

What do I do? This is the second time I have had my system with a load this high, and after the first time I paid a chunk for more RAM.

Exim Mail Spool More Than 20.000 Messages... / Spam

May 8, 2008

The exim queue is always being filled by millions of spam mails...

In 5 minutes, more than 1000 messages..

I have removed them all several times but they insist on coming back..

In one minute:

1Ju7q6-00039t-03  1m
1Ju7q6-00039w-16  1m
1Ju7q6-0003A0-2s  1m

Exim :: Catch The User Sending Spam With Mailnull?

May 28, 2009

I have a VPS, but there are too many processes called mailnull.
After that, the data centre closed my server for sending spam.

So how can I catch the user sending spam with mailnull?

How To Find The Script Which Uses Exim And Apache To Send Spam

Mar 14, 2008

Not long ago somebody hacked our customer's account through a vulnerability in the phpBB Album module and uploaded some scripts. Then it started to send Nigerian spam using exim and apache. These scripts were found and deleted, and the Album module was fully deleted too. But when I look at the processes now, I see that exim and httpd still start very often, so the system resources are probably overused by them ......


How To Limit/block Outgoing Spam - CPanel Servers + EXIM

Mar 12, 2008

My server is sending all emails via an exim smarthost to another specialised exim server (both cPanel). How may I limit customers from sending out SPAM? I mean to scan outgoing emails and delete/store in some folder the ones identified as SPAM. Preferably the scan part should be on the exim email proxy because it is mostly idle.

Distributed Memcached

May 4, 2007

I'm using RHEL 4, apache 1.3.37, php 4.4.6 and xcache 1.20. Now I'm looking into memcached and running it on more than one computer. So I've got a few questions:

1) Is it smart to run web/db on one server with 64mb memcached and a remote box which is around 150ms from web/db with 2gb of allocated memory for memcached?

2) I saw that if I want to use memcached I need to load the php memcache extension as well. Since I already have xcache, will those two produce any problems if they work simultaneously?

I mostly need memcached to save mysql queries, and i'm happy how xcache caches dynamic pages.

I hope somebody here is using memcached. QPS are around 95.

Currently Under SPAM Attack "vpopmail User Not Found"

Nov 3, 2009

I'm running a dedicated server with CentOS 5

Today I opened my email logs and I was surprised by what I found!

Logs like this:

Nov 3 17:23:55 warhead vpopmail[5979]: vchkpw-smtp: vpopmail user not found sys@:
Nov 3 17:23:58 warhead vpopmail[6010]: vchkpw-smtp: vpopmail user not found sys@: ...

Distributed Data Store For Web

Mar 27, 2009

I intend to store and serve files that are around 1-200mb from servers that are physically separate. I wish to store 2 or 3 copies of each file as a redundancy solution. When the file is requested I want to serve a direct downloadable link to the file. I am looking for logic to distribute load, and to detect if a server is down. I also wish to redistribute the files if a server is taken out of the pool..

Is there any open/free systems for this I can use?

iSCSI SAN For VMs + Distributed Disk

Apr 9, 2008

The company that I work for is looking to buy a SAN to use as a storage backbone, for VMs, and as part of our distributed disk infrastructure. Since cost is an issue, we are looking at iSCSI running on a gig network. We have looked at the Dell MD3000i and IBM DS300s; does anybody have any experience with either? Any pros/cons? Also any other hardware recommendations at a similar cost.


Dealing With Bad Connections

Jun 20, 2008

I've had a problem a couple of times where there is a bad ftp connection to a host. A trace reveals that there is a node timing out. What is a good way to work around this? Web based ftp client or other solution?

Dealing With Log Files

Jan 21, 2007

I have apache rotate the logs daily and keep them in the users' home directory in /logs/; however, these logs pile up over time and I need to delete them by hand. What is the best way to automate deletion of these log files? For example, I'd like to delete the logs after 7 days of logging. Can I do this with newsyslog or something similar? Or do I need a shell script?

Dealing With Max_user_connections In SQL

Jun 13, 2007

I've had an issue come up recently that I haven't had to deal with before. I'm starting to get regular errors during peak traffic times saying that I have more than the max_user_connections allowed.

I tried setting this to a higher number using ini_set. Unfortunately my host overrides this. I've talked with the host and they cannot up the 15 user maximum.

I've been with this host a while and they have great support and really great service. I understand their need to limit this because it is a shared environment.

I'm wondering if there's anything I can do on my end to help avoid this problem.

Is the only option switching somewhere that lets me have more maximum connections? At the rate I'm going this problem will continue to grow, so it needs to be solved quickly.

Distributed Server Monitoring Software

Jun 25, 2007

I'm looking into setting up a server-monitoring network: small globally distributed VPS servers all monitoring another main server (currently, just one server - but I would like it to be scalable).

When it notices it can't connect to a particular service, it should check to see if the other monitoring stations also can't connect - then a "master server" should send out an email + sms alert to the designated person for that server if all servers cannot connect.

Does such an open source piece of software exist? Or do I have to start writing my own...?

Distributed Computing For Dedicated Servers Possible?

Jan 10, 2009

If you have a dedicated server, is it possible to let anyone become part of your dedi server using a software d/l?

e.g.: You put an app on your site for users to download, users download and run it, so now their internet connections become part of your dedicated server, so when people access your website, some data is downloaded from your dedi server, and some data and CPU usage comes from the net connections of the users who downloaded and are running the app.

Any commercial/open source software like this that lets website visitors become part of your server?

Dealing With A Persistent Hacker

Aug 25, 2007

I was checking my business server's IIS errors logs when I ran across the following error:

2007-05-19 08:21:10 2243 80 HTTP/1.1 GET / 400 - Hostname -

Additional information about those responsible for the hack attempts is as follows

(retrieved from

CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27

Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo, and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP; however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hour's drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.

Has anyone here had any similar experiences?

What do you think AT&T Yahoo's response will be?

Is there anything else I can do or should not do?

I am also considering reimaging my server because of system issues, but I am concerned that would erase any information needed for investigative purposes. I have saved my log files on a CD, though, but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.

Dealing With Strange File Names

Apr 30, 2007

I have a spider that is saving a few image files every day on my servers. Due to the fact that the images are dynamically created, the spider is not only saving them without an extension, but also using characters from the link to create those file names.

I end up with:

.... and so on.

(there are no problems browsing those image files)

What I need is to copy those files or move them to file names with an extension (png) for protection reasons.

I failed using cp and mv to do so. It seems that the OS doesn't see those files as files.

That is how those files appear in ssh:

2&Y=0 ...

Dealing With ThePlanet Sales Staff Is Like A Trip To The Dentist

Apr 17, 2008

I've been pretty happy with my servers with theplanet/ev1servers for the past, err, 5 years. But the OSes were out of date and it seemed like I could stand to get some significantly improved hardware for what I'm paying now (or, comparable hardware for a lot less).

I put in a RFQ from ThePlanet to see what I could do as far as upgrading my current server, hoping for something a little better than buying a new server while the old one is up and moving everything over, and also hopefully avoiding re-paying a one-time fee I had for a secondary hard drive.

Now I have no problem whatsoever with the result -- that my only option is to buy a new server, they won't migrate my HDs, they won't upgrade my current server, and they won't give me any kind of credit for the second hard drive or let me transfer it to a new server. I get where they're coming from, even though it might make sense to figure out something a little better for a customer of 5 years that's dropped about $25k over that time period.

The problem is their sales staff. I'm surprised that theplanet (at least theplanet I remember from when I signed up) would have sales people so apathetic and basically useless.

Getting information I requested in my initial ticket took back-and-forth with a sales rep over the span of over 24 hours (and I still haven't really gotten an answer on one part, about my secondary hard drive). Actually looking at the ticket now, the initial response was over 24 hours after I opened a ticket (and it was opened during working hours).

Heck, the first two responses didn't even include a price for the hardware he wanted me to buy, just whether I wanted to proceed and buy it.

Figuring it beats waiting I did one of their instant chats and before answering my questions I was told to be sure to give the guy credit for the servers I order. In fact, him telling me his contact information and to choose him were the only complete sentences I got, and roughly 80% of the communication I received.

I haven't needed support on my server recently, so I can't speak to whether this is the quality of their support department now. I don't think I'll be around to find out though.

(Executive summary: Hello SoftLayer!)

Exim - How To Remove Rbl Lists From Exim.conf

May 2, 2007

I am having issues receiving emails. For some reason, the rbl lists I had set up are causing the server to reject emails (retry - timeout). So, I need to take this rbl list out completely. How can I do that? exim.conf is locked, and using the advanced editor is no fun, even though I tried putting in the dnslists without the rbl causing the problem.