A client's courieresmtp service stopped accepting connections until
restarted. Examination of the logs shows a storm of spam email
connections from an address with a pattern bman...@yahoo.com where
the X's are various letters and numbers. The To addresses were all
sorts of names, almost none of which corresponded to actual accounts.
Logs show up to 10 esmtp connections/second for about 4 minutes which
spilled over to secondary and tertiary mail servers.
The email itself was typical spam of size 3KB. The unusual thing was
that the connections were from about 15 different IP addresses scattered
all over the place.
Logs also show the usual regular "Started ./courieresmtp, pid=xxx,
maxdels=40, maxhost=4, maxrcpt=100" messages after the spam storm
stopped, though the server refused port 25 connections until
restarted about 36 hours later. Esmtp appears to be the only service
that had problems: local mail and pop continued to function.
The only abnormal thing I noticed in the sar log for the 10min period
containing the spam storm was a bufpg/s=-7 which was unusually low and a
plist-sz=185 which was unusually high.
/etc/esmtpd contains (among other things):
Other than coming from many IP addresses at the same time, this looks
like a typical, though more intense, spam pattern. The amount of
incoming emails was probably the highest the server (dual 300MHz, 500MB
RAM RedHat 8.0 on 1/4 T1 DSL) ever had, but I don't think close to
overwhelming the hardware or OS.
Is there anything I can do to prevent the esmtpd service from refusing
connections if similar circumstances occur in the future? Why didn't
the courieresmtp restart clear the problem?
P.S. Courier rocks! The feature set is immense and I love the range of
authentication methods. Thanks and congratulations to the heroes who
maintain and provide this great (and I think better) alternative to
sendmail or exchange.
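Added example (not part of the original post, and not Courier's own code): a small Python check that scans connection log lines for the pattern described above, a one-second burst from many distinct source addresses using the bman...@yahoo.com sender shape. The log line format, thresholds and sample lines are constructed assumptions, not a real Courier log.

```python
import re
from collections import defaultdict

# Line format is constructed for this example (assumed, not copied from a real
# Courier log): "HH:MM:SS courieresmtpd: started,ip=[A.B.C.D],from=<addr>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) courieresmtpd: started,"
                     r"ip=\[(?P<ip>[\d.]+)\],from=<(?P<sender>[^>]*)>$")
# Sender shape from the report: "bman" + letters/digits at yahoo.com
SENDER_RE = re.compile(r"^bman[a-z0-9]+@yahoo\.com$", re.IGNORECASE)

# Constructed sample: two ordinary connections, an 8-connection burst from 6
# addresses within one second, then normal traffic again.
SAMPLE_LOG = """\
12:00:00 courieresmtpd: started,ip=[198.51.100.5],from=<alice@example.org>
12:00:00 courieresmtpd: started,ip=[198.51.100.6],from=<bob@example.net>
12:00:01 courieresmtpd: started,ip=[192.0.2.10],from=<bmana1k@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.11],from=<bman7z2q@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.12],from=<bmanx9@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.13],from=<bman03ab@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.14],from=<bmanqq1@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.15],from=<bman88r@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.10],from=<bman5t@yahoo.com>
12:00:01 courieresmtpd: started,ip=[192.0.2.11],from=<carol@example.com>
12:00:02 courieresmtpd: started,ip=[198.51.100.7],from=<dave@example.org>
"""

def parse(log_text):
    """Return (timestamp, ip, sender) tuples for every line matching LINE_RE."""
    return [(m["ts"], m["ip"], m["sender"])
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_bursts(events, min_per_second=5, min_ips=3):
    """Flag seconds where both connection count and distinct-source count exceed
    the thresholds; also count connections using the reported sender shape."""
    per_second = defaultdict(list)
    for ts, ip, sender in events:
        per_second[ts].append((ip, sender))
    bursts = []
    for ts in sorted(per_second):
        conns = per_second[ts]
        ips = {ip for ip, _ in conns}
        if len(conns) >= min_per_second and len(ips) >= min_ips:
            bursts.append({"second": ts, "connections": len(conns),
                           "distinct_ips": len(ips),
                           "pattern_hits": sum(1 for _, s in conns if SENDER_RE.match(s))})
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(parse(SAMPLE_LOG)):
        print(burst)
```

Run against a real courieresmtpd log the regex would need adjusting to the actual line layout; the thresholds are a starting point for a mail server of this size, not a tuned value.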