Gary Mills
mills@cc.UManitoba.CA
Sat Jan 4 23:06:20 UTC 2003
`dccm' on our main mail server has been failing recently. The likely cause was an e-mail address harvesting attack from a compromised workstation on a cable modem. It was using hundreds of connections to check random user names.

The first indication of trouble was:

    Jan 4 01:34:56 electra dccm[21819]: [ID 109917 mail.error] DCC, mi_rd_cmd: read returned -1: Connection reset by peer

This was followed by:

    Jan 4 09:25:31 electra dccm[21819]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Too many open files), try again
    Jan 4 09:25:31 electra dccm[21819]: [ID 925838 mail.error] dcc_mkstemp(/var/dcc/log/004/09/tmp.37CTm2): Too many open files

Here's how it appeared to sendmail, in a different incident:

    Jan 2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.error] h026MGQe027811: Milter read(dcc): timeout before data read
    Jan 2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter (dcc): to error state
    Jan 2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter: from=<97rok@hotmail.com>, reject=451 4.7.1 Please try again later
    Jan 2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: from=<97rok@hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=h24-66-73-149.wp.shawcable.net [24.66.73.149]

During the attacks, sendmail limits connections to 4 per second. This would be sufficient protection, if `dccm' wouldn't fall over. Is there a way to make `dccm' more resilient?

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
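The syslog lines above carry a recognisable signature: dccm reporting "Too many open files", sendmail moving the dcc milter to its error state, and a burst of sessions with size=0 and nrcpts=0 from one relay. The script below, an added example that is not part of the post or of the DCC distribution, scans a syslog excerpt for that pattern so an operator can alarm on it before dccm falls over. The regexes follow the message formats quoted in the post; the sample log is constructed, with placeholder hostnames, IPs and queue ids, and the threshold of 3 empty sessions per relay is an assumption.

```python
"""Detect the dccm failure pattern from the post in a syslog excerpt."""
import re
from collections import Counter

# Message shapes taken from the syslog excerpts quoted in the post.
DCCM_FD_EXHAUSTED = re.compile(r" dccm\[\d+\]: .*Too many open files")
MILTER_FAILED = re.compile(
    r" sm-mta\[\d+\]: \[ID \d+ mail\.(?:error|info)\] (?P<qid>\w+): "
    r"Milter (?:read\(dcc\): timeout|\(dcc\): to error state)")
ENVELOPE = re.compile(
    r" sm-mta\[\d+\]: \[ID \d+ mail\.info\] (?P<qid>\w+): from=<[^>]*>, "
    r"size=(?P<size>\d+), .*nrcpts=(?P<nrcpts>\d+), .*\[(?P<ip>[\d.]+)\]$")

# Constructed sample modelled on the post's excerpts; hosts, IPs, queue ids are placeholders.
SAMPLE_LOG = """\
Jan 4 01:34:56 electra dccm[21819]: [ID 109917 mail.error] DCC, mi_rd_cmd: read returned -1: Connection reset by peer
Jan 4 09:25:31 electra dccm[21819]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Too many open files), try again
Jan 4 09:25:31 electra dccm[21819]: [ID 925838 mail.error] dcc_mkstemp(/var/dcc/log/004/09/tmp.37CTm2): Too many open files
Jan 4 09:25:32 electra sm-mta[30001]: [ID 801593 mail.error] h04FPWAA030001: Milter read(dcc): timeout before data read
Jan 4 09:25:32 electra sm-mta[30001]: [ID 801593 mail.info] h04FPWAA030001: Milter (dcc): to error state
Jan 4 09:25:32 electra sm-mta[30001]: [ID 801593 mail.info] h04FPWAA030001: from=<probe1@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cm-host.example.net [192.0.2.10]
Jan 4 09:25:33 electra sm-mta[30002]: [ID 801593 mail.info] h04FPXAA030002: from=<probe2@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cm-host.example.net [192.0.2.10]
Jan 4 09:25:33 electra sm-mta[30003]: [ID 801593 mail.info] h04FPXAA030003: from=<probe3@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cm-host.example.net [192.0.2.10]
Jan 4 09:25:34 electra sm-mta[30004]: [ID 801593 mail.info] h04FPYAA030004: from=<alice@example.org>, size=1843, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
"""

def analyze(log_text, harvest_threshold=3):
    """Count dccm fd-exhaustion messages and failed milter sessions, and
    list relay IPs with at least harvest_threshold empty-envelope sessions."""
    fd_exhausted = 0
    failed_qids = set()
    empty_sessions = Counter()
    for line in log_text.splitlines():
        if DCCM_FD_EXHAUSTED.search(line):
            fd_exhausted += 1
        elif (m := MILTER_FAILED.search(line)):
            failed_qids.add(m.group("qid"))
        elif (m := ENVELOPE.search(line)):
            # size=0 and nrcpts=0: the session delivered nothing, which is how
            # the post's harvester (random RCPT probes, no mail) shows up.
            if m.group("size") == "0" and m.group("nrcpts") == "0":
                empty_sessions[m.group("ip")] += 1
    suspects = {ip: n for ip, n in empty_sessions.items() if n >= harvest_threshold}
    return {"fd_exhausted": fd_exhausted, "milter_failures": len(failed_qids),
            "suspect_relays": suspects}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Pointing analyze() at the real /var/log/syslog stream (or a tail of it) gives a per-relay count that can feed a temporary sendmail access-map or firewall entry once a relay crosses the threshold.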