Mail Server DOS Hell

It’s been a momentous couple of weeks. The nightmare began one sunny afternoon when I noticed a flurry of activity on both servers here. The drive access lights were on full, and there was the sound of drive noise like I’d never seen before. I decided to access the server via a web application, similar to cpanel, called webmin and see the system messages. The mail log took forever to come up, as it had ballooned to some 120 MB in size, but as soon as it came up I could see what all the noise was about. See below:

This was just the beginning as eventually both servers would have a relay queue of over 20,000 messages, and the smpt server at Telus would eventually start to deny this traffic. The address 216.232.70.68 is listed as a proxy server, and a known one for allowing outside relaying. The problem is that we are on the same subnet, otherwise, postfix would have immediatley timed out and denied this host relay access. Since I use the SMTP server at Telus for it’s credible PTR (this avoids being listed by spamcop or sorbs for too short a refresh time), the server itself is hardened a begins to deny this kind of constant barrage. Most of the email addresses where unreachable, thereby getting deferred, which means the queue manager just waits a specific period before retrying. A hopeless bottleneck, I then shut the server down and began the long process of deletion of some 20 Thousand deferred, and numbered, text files.

Immediately thereafter, I get a warning from Telus saying that I am risking losing service due to my breaking their anti-spamming rules. Unfortunately for me, they only see my IP and not the proxy in their server logs. I, of course, had sent them a detailed email with snippings of both the email and mail log files to show another IP was the blame, but I sent it via my mail server, quite by accident, and it never got delivered in the mayhem of 20,000 messages. Here’s a sample of the messages being sent, it’s a deffered record, so it’s looks a little harsh:

1128977141Ssusanna@idxc.orgA,client_name=s216-232-70-68.bc.hsia.telus.netA
client_address=216.232.70.68A>message_origin=s216-232-70-68.bc.hsia.telus.net
[216.232.70.68]Ahelo_name=sitemail.everyone.netAprotocol_name=ESMTPOtex409@orionpolaris.comR
tex409@orionpolaris.comOtex259@orionpolaris.comRtex259@orionpolaris.comOtetranitrate7@
orionpolaris.comRtetranitrate7@orionpolaris.comOtexagogo@orionpolaris.comRtexagogo@orionpolaris.comO
thorin13@orionpolaris.comRthorin13@orionpolaris.comOthorly@orionpolaris.comRthorly@orionpolaris.comO
thorbald@orionpolaris.comRthorbald@orionpolaris.comOtommytang@orionpolaris.comRtommytang@orionpolaris.comO
tmdance@orionpolaris.comRtmdance@orionpolaris.comOtmkl23@orionpolaris.comRtmkl23@orionpolaris.comO
tndogs@orionpolaris.comRtndogs@orionpolaris.comOtownsend@oriontele.comRtownsend@oriontele.comO
thorten@oriontele.comRthorten@oriontele.comOthreeleggedlou@oriontele.comRthreeleggedlou@oriontele.comO
thornton@oriontele.comRthornton@oriontele.comOthorsvoice@oriontele.comRthorsvoice@oriontele.comO
threescore7@oriontele.comRthreescore7@oriontele.comM
Received: from sitemail.everyone.net(s216-232-70-68.bc.hsia.telus.net [216.232.70.68])

The message then forwards to a site offering a quick snake-oil fix, and probably some sweet credit card fraud as well. Swell people, eh?

Alive and Well after Server Hell Kobrashell Hell