comp.mail.sendmail Configuring and using the BSD sendmail agent.

dnsbl rejections hanging on cmd read

06/09/2007, 05:39   #1
Bill

I have a sendmail server handling inbound/outbound e-mail for several
hundred mailboxes. It's been running with several dns blacklists for a
couple of years. Aside from occasional issues with the dns lists being
unavailable, it's worked quite well.

Over the past few weeks, I've noticed a rapidly increasing number of
connections such as this lingering around on the system:

sendmail: server [122.252.205.69] cmd read


maillog entries for this IP show that it is repeatedly trying and being
rejected by a dns blacklist. Curious as to why I hadn't seen much of
this before, I sniffed the TCP traffic and found that the remote host is
simply running MAIL-FROM/RCPT-TO repeatedly, despite the rejection
messages. When this is multiplied over dozens of hosts connected, it
results in lots of extra sendmail processes consuming resources.


Any suggestions about how to alleviate this? One option I thought of is
to disconnect immediately upon dnsbl rejection, but that is probably
counter-productive as the remote host would most likely just connect
again. Nonetheless, how could I accomplish that using standard
sendmail.cf entries for dnsbls?

Other thoughts? Most appear to be zombie hosts, so it's unlikely that
any firewall implementations would much.


Thanks,

-Bill
06/09/2007, 18:21   #2
Thomas Schulz

In article <13dv14carm027b1@corp.supernews.com>, Bill <bill@pitz.net> wrote:
>I have a sendmail server handling inbound/outbound e-mail for several
>hundred mailboxes. It's been running with several dns blacklists for a
>couple of years. Aside from occasional issues with the dns lists being
>unavailable, it's worked quite well.
>
>Over the past few weeks, I've noticed a rapidly increasing number of
>connections such as this lingering around on the system:
>
>sendmail: server [122.252.205.69] cmd read
>
>
>maillog entries for this IP show that it is repeatedly trying and being
>rejected by a dns blacklist. Curious as to why I hadn't seen much of
>this before, I sniffed the TCP traffic and found that the remote host is
>simply running MAIL-FROM/RCPT-TO repeatedly, despite the rejection
>messages. When this is multiplied over dozens of hosts connected, it
>results in lots of extra sendmail processes consuming resources.
>
>
>Any suggestions about how to alleviate this? One option I thought of is
>to disconnect immediately upon dnsbl rejection, but that is probably
>counter-productive as the remote host would most likely just connect
>again. Nonetheless, how could I accomplish that using standard
>sendmail.cf entries for dnsbls?
>
>Other thoughts? Most appear to be zombie hosts, so it's unlikely that
>any firewall implementations would much.
>
>
>Thanks,
>
>-Bill


There was a patch posted to this newsgroup last February that implemented
a BadRcptShutdown option. This kills the connection after too many bad
RCPT-TO commands are issued. Check the archives of this group and see if
you can find it. If not, I could post it again.
--
Tom Schulz
schulz@adi.com
09/09/2007, 19:22   #3
Bill

Thomas Schulz wrote:
> There was a patch posted to this newsgroup last February that implemented
> a BadRcptShutdown option. This kills the connection after too many bad
> RCPT-TO commands are issued. Check the archives of this group and see if
> you can find it. If not, I could post it again.


Thanks - I found it, and applied it. Seems to be working well.


Regards,

-Bill
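
Added example, not written by any poster in this thread: a Python script that counts sendmail `reject=` maillog lines per relay and per sendmail child PID, to pick out hosts that keep issuing commands on one connection after being rejected, the pattern described in the first post. The log line layout, the placeholder host names and DNSBL zone, and the rule that one child PID corresponds to one SMTP connection are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on sendmail's "reject=" maillog lines. Host name,
# PIDs, queue ID, mailboxes and DNSBL zone are placeholders; only the first
# relay address comes from the thread.
def _reject_line(pid, rcpt, relay):
    return (f"Sep  6 05:31:02 mx sendmail[{pid}]: l86PLACEHOLDER: ruleset=check_rcpt, "
            f"arg1=<{rcpt}@example.com>, relay={relay}, "
            "reject=550 5.7.1 Rejected: listed at dnsbl.example.invalid")

SAMPLE_MAILLOG = "\n".join([
    *[_reject_line(4711, u, "[122.252.205.69]") for u in "abcd"],
    _reject_line(4720, "a", "[192.0.2.10]"),
    *[_reject_line(4733, u, "host.example.net [203.0.113.7]") for u in "ab"],
    _reject_line(4741, "a", "host.example.net [203.0.113.7]"),
    "Sep  6 05:31:09 mx sendmail[4750]: l86PLACEHOLDER: to=<a@example.com>, relay=local, stat=Sent",
])

# Child PID, relay address (with or without a leading host name), SMTP reply code.
LINE_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: .*?relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".*?reject=(?P<code>\d{3})"
)

def rejects_per_connection(log_text):
    """Return {(relay_ip, pid): number of reject lines}.

    Assumption: each inbound connection is served by its own sendmail child,
    so the PID identifies one connection within the log window examined.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m["ip"], m["pid"])] += 1
    return dict(counts)

def persistent_relays(log_text, threshold=3):
    """Relays with at least `threshold` rejections inside a single connection."""
    worst = {}
    for (ip, _pid), n in rejects_per_connection(log_text).items():
        worst[ip] = max(worst.get(ip, 0), n)
    return sorted(ip for ip, n in worst.items() if n >= threshold)

if __name__ == "__main__":
    for ip in persistent_relays(SAMPLE_MAILLOG):
        print(ip)
```

Counting per connection rather than per address separates hosts that reconnect after each rejection from hosts that stay connected and retry, which is the case that leaves processes in `cmd read`.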