Mailbomb

hostpc.com (Verified User, joined Aug 2, 2003, 1,053 messages, Schenectady, NY)
Why does Exim fail DURING the SMTP transaction not after?



Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the sender's SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.
This saves bandwidth as the email data is never received into your server
This saves server resources as the email never has to be processed
This complies with the SMTP RFCs because the sending SMTP server receives the DENY command
Your server does not send a bounce message (just the DENY command)
Your server does not send anything to the sender of the email (i.e. the address in the From: line)
The sending SMTP server is responsible for notifying the original sender
 
The information in the logfile is just spamassassin's generic processing line. This isn't enough info to tell if exim is misconfigured, etc.

AFAIK, exim will by default reject messages for accounts that don't exist during the SMTP transaction:

2005-06-07 15:07:38 H=ip-132.net-81-220-200.roubaix.rev.numericable.fr [81.220.200.132] F=<[email protected]> rejected RCPT <[email protected]>

However, if there is a catch all set up (as mentioned in the WHT thread), this reject won't occur and the message would be correctly processed by spamd before being delivered as specified by the catch all.

You'll have to get into the exim logs and not the maillog to really determine what's going on.
 
The point is, Exim is set to Fail (in the user cp) ... we've tried ignore, and catchall.

If catchall is used, ALL get processed and delivered to the catchall box.

If ignore is used (against RFC) - it's still being processed by Exim

If fail is used, it attempts to "The sender is notified that the address doesn't exist" - but it's still being processed by Exim

I'll also add this latest tally:

1,923,891 emails TODAY
 
Ouch.

If you're set to "fail", exim should respond with a 550 to the RCPT. This should be the end of it as far as exim is concerned:
Code:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 my.mailserver.com ESMTP Exim 4.51 Tue, 07 Jun 2005 15:58:45 -0400
MAIL FROM:<validsender@validdomain>
250 OK
RCPT TO:<[email protected]>
550
quit
221 my.mailserver.com closing connection
Connection closed by foreign host.
Exim says:
Code:
2005-06-07 15:59:37 H=localhost [127.0.0.1] F=<validsender@validdomain> rejected RCPT <[email protected]>:
2005-06-07 15:59:49 H=localhost [127.0.0.1] incomplete transaction (QUIT) from <validsender@validdomain>
There should be nothing in the maillog about this transaction.
 
Are you using jlasman's exim.conf file for exim4 ?

I have never seen the word "incomplete" in any exim log - and I just grepped them again to be sure - nada.

I assume you're showing /var/log/exim/mainlog?
 
I'm using the "default" config for the most part... yes, that's from mainlog.

If the RCPT fails (550) and the MTA then sends a QUIT, exim logs that as an incomplete transaction on my machines...
 
I suppose that when someone talks about an exim expert on this list they might be referring to me.

Though I don't consider myself an expert, only someone who has attempted to understand Internet email since it existed, and who now uses and likes exim.

That said...

hostpc.com, you're showing us excerpts from maillog, which says nothing about how exim processes email. Forget about it. Look in the /var/log/exim/ directory for mainlog and for rejectlog. Note that the lines in rejectlog are also in mainlog, but it's a lot easier to grep them, read them, understand them, when they're in a logfile of their own. Note also that you can change the various exim logfiles to show whatever you want; the current exim logfile configuration is the one I decided on over a year ago. If it doesn't work for you, feel free to change it.

And if you want us to be able to consider your logs when attempting to help you, send us no more than 100 lines from rejectlog.

Now let's look at the post. Is 55,000 emails a lot? Perhaps. None of our accounts does that many in a day. Should it affect your server? Perhaps. You didn't tell us how powerful your server is.

It's up to you to decide whether or not you want to keep customers with that kind of load.

You may want to disallow any other catchall setting besides "fail"; though we don't have a problem, perhaps you do.

The problem with a catchall account is that all email from dictionary attacks will end up in the catchall. Practically none of our clients still use a catchall account, though many used to before spam became such a problem.

Are you using SpamBlocker for any of your domains? You'll find that SpamBlocker will block over 80% of the spam, even from dictionary attacks.

How do you know this account got all those emails? How did you count them?

Presuming they did, you may certainly decide you don't want accounts with that many emails; that's certainly a decision you can make.

And you may certainly shut off an account going over your limits, as long as you make your terms clear to your clients before you exercise them.

I've said it before, and I'm saying it again...

Use SpamBlocker. Then use SpamAssassin.

If you've made changes to your exim.conf file you may want to download a new one, or wait another day or so until I issue a new one (it was to have happened tonight; it might still, though I doubt it).

Jeff
 
I just tested and get this in mainlog.

2005-06-08 01:38:41 H=xxx.xxx.org [62.132.x.x] F=<[email protected]> rejected RCPT <[email protected]>:
2005-06-08 01:38:41 H=xxx.xxx.org [62.132.x.x] incomplete transaction (QUIT) from <[email protected]>

and in rejectlog.

2005-06-08 01:38:41 H=xxx.xxx.org [62.132.x.x] F=<[email protected]> rejected RCPT <[email protected]>:

It looks like mine isn't processing the emails since spamassassin isn't mentioned.

I suggest you check the user wasn't using catchall in any way and then compare your exim.conf with the spamblocker config.
 
Something else I was thinking about... just shooting in the dark since I haven't seen any of exim's logs:

A spammer could easily use your valid email address as a reply-to (or from) in their spam. This causes a TON of recipient mail servers to deliver bounces to your address. Since the address is "valid", even without a catchall they'll still get processed.

Unfortunately, there's not much you can do about this except completely disable the account (causing exim to reject it on receipt) until the "attack" stops.

If you can determine that the bomb is instead coming from a specific machine (or group of machines) you can deal with this at the firewall.

I would strongly recommend having an expert (like Jeff) spend an hour with your system.
 
This file is 14MB (one day)
http://www5.privatelabeldns.com/horse_exim_log.txt


reject log examples:
http://www5.privatelabeldns.com/horsereject.txt

This is the standard exim.conf that DA distributes (your tweaked version jeff)

It did, obviously become a huge load on our servers...

You didn't tell us how powerful your server is.

Server is a Dell, P4 2.8GHz, with 1.5GB of RAM, 120GB SATA hard drive. I don't think power is an issue.

Client did not have a catchall - mail was set to ignore the first week, and when that didn't help, it was set to fail - and got worse.


If you've made changes to your exim.conf file you may want to download a new one

No changes have been made to the default, I don't profess to be an exim expert - in fact, I really don't like Exim, but it's manageable. That's another story though.

Just looking for some advice. This has happened to us several times, and I know for a fact it's happened with Gary @ Dixiesys. I'm sure it must be happening to others - perhaps we can work towards a solution together before others encounter the problem.

Thanks for any help you can provide
 
If you can determine that the bomb is instead coming from a specific machine (or group of machines) you can deal with this at the firewall.

I wish it was that easy ... it was coming from every IP block imaginable. It changed constantly.
 
Well if you are sure the config is the same that DA distributes, then my guess is that you are not being bombed in a normal way, they must be using some sort of workaround that makes exim process the email, perhaps the way ballyn said using reply-to address. This could be considered a form of denial of service if that's what they were doing.
 
Please post a small piece of the log that shows the mail is being processed. I haven't seen proof of that.

If the mail is being refused and the refusal is being logged, well... that's what it's supposed to do, though if you don't want the logging you can adjust it in the exim.conf file.

If it's being delivered somewhere, please show me with specific log lines.

Thanks.

Jeff
 
jlasman said:
Please post a small piece of the log that shows the mail is being processed. I haven't seen proof of that.

If the mail is being refused and the refusal is being logged, well... that's what it's supposed to do, though if you don't want the logging you can adjust it in the exim.conf file.

If it's being delivered somewhere, please show me with specific log lines.

Thanks.

Jeff

You may not intend it to sound like that (maybe you do) - but I don't appreciate the arrogant attitude that I see in this response.

I never said the mail WAS being delivered, I said it was being processed by Exim, consuming system resources (which was evident by the server loads peaking at 8+ while this domain was active (less than .8 when it was not)).



Joe
 
No, I don't mean the post to be arrogant, but the only thing I see I can do to it to make it not appear arrogant to you is to remove it, and then I'd have to remove yours and we'd be back where we started from.

The simple answer is that I can't take the time to read the entire thread each time I continue trying to help. So I take each post exactly at face value, which means I may not precisely call something the same thing you did.

If exim is running a high load processing an email it will show in the log. Please show me a log excerpt that shows how exim is processing the email.

I wrote the default exim.conf logging instructions, and they're fairly comprehensive; exim logs just about everything it does if you're using the default exim.conf file.

If you can show me how the logs say exim is processing the email, then I can look to see if there are any bugs in the exim.conf file. Otherwise I can't.

I spent a lot of time reading the webhostingtalk thread, and I don't see anything in it in your favor. I looked at your log file, and if there's a tree in there it certainly gets lost in the forest.

I'm sorry if you don't feel I'm going far enough to help you but I'm not a mind reader, and I can't find anything else to look for unless you can show me.

Jeff
 