Mailing List CGatePro@mail.stalker.com Message #96271
From: Paul Hess <hesspaul@gmail.com>
Subject: Re: Need Help ... Queue filled up from backscatter
Date: Mon, 29 Sep 2008 06:38:31 -0700
To: <CGatePro>
X-Mailer: Apple Mail (2.929.2)
One additional comment.  My most immediate problem is that I can't understand why the 1000 queued messages are not being delivered to that user.  If they could be delivered it would clear the queue and the mail would start flowing and I could try to put rules in place to discard this backscatter for a while.

On Sep 27, 2008, at 9:13 AM, Paul Hess wrote:

Hello,

Shortly after midnight one user was hit with a massive backscatter 'attack'.  In case I have the term wrong, what I mean by that is that she is receiving a huge number of bounce messages as if she had been sending spam to a zillion places.   I am fairly sure that her account has not actually been sending those messages and that I do not have an open relay and, in case there was some security breach, I have also changed her password.

My current situation is that nothing can get queued to any user, because my queue is full at the limit I set of 1000.  "temp file cannot be created".  Of the 1000 queued messages 998 are to that user.  How do I get it to delete, or even deliver to that user, all those queued backscatter messages to unclog my server so other users can get mail?   I think I've diagnosed the problem correctly but maybe not because the initial logs seem strange to me.  I've pasted below the logs from just when something strange occurred.  Then there is a gap until 03:46 at which point I get into the too many messages problem.

Also is there some rule pattern that people use to block some or all of these from coming in?  Is it advised to do that?  This account happens to be my wife's and it's ok if I need to tell her that she won't get any legitimate bouncebacks for the next few days till this blows over if that's what it takes.  My experience from much smaller backscatter attacks is that if I can just weather the storm and accept all the messages then I'm fine but I can't seem to get the server moving again to do that.

Any advice or help will be greatly appreciated.  I need to solve this problem but I'll also potentially be missing some activities with my kids that have been promised for quite a while and I'm looking for any shortcuts to solve the problem.  For instance if it means to go in via shell and delete all queue messages to that user I'm willing to do so but not sure how.  

                              - Paul




00:31:15.047 3 PWD too many (3) streams open
00:31:15.047 3 PWD [0.0.0.0]:8106 <- [127.0.0.1]:63162 connection rejected
00:31:15.059 1 EXTFILTER(CGPSA) bad response: FAILURE
00:31:15.059 2 QUEUE([6077203]) enqueued
00:31:15.059 2 QUEUE([6077204]) from <>, 2566 bytes (<receipt-60036827@brest.by>)
00:31:15.059 2 QUEUE([6077204]) enqueued
00:31:15.059 2 QUEUE([6077200]) from <>, 8304 bytes (<20080927043012.6AEC869AF9@relay1.ukrpack.net>)
00:31:15.060 2 ENQUEUER-000003([6077200]) [6077200] rule(CGPSA_Catcher): added header 'X-WWSpamSuspected:  WWMSpam - Assassin'
00:31:15.060 2 QUEUE([6077200]) enqueued
00:31:15.060 2 QUEUE([6077205]) from <>, 2449 bytes (<receipt-50300787@itcom.net.ua>)
00:31:15.060 2 QUEUE([6077205]) enqueued
00:31:15.060 2 QUEUE([6077206]) from <leaders-bounces@troop284.net>, 9481 bytes (<mailman.871.1222489848.12844.leaders@troop284.net>)
00:31:15.076 3 PWD too many (3) streams open
00:31:15.076 3 PWD [0.0.0.0]:8106 <- [127.0.0.1]:63163 connection rejected
(end of that log file.  then the next log file begins at 03:46AM ...)
03:46:40.880 3 DNR-027728(GGMAIL01.gibson-gruenert.local) A:host name is unknown
03:46:40.880 3 SMTPI-015389(GGMAIL01.gibson-gruenert.local) failed to resolve HELO parameter: host name is unknown. Real address is [74.223.187.58]
03:46:40.998 1 SMTPI-015389([74.223.187.58]) temp file cannot be created. Error Code=too many messages in the server queue
03:46:41.322 1 SMTPI-015390(upiter.tomsk.itsib.com) temp file cannot be created. Error Code=too many messages in the server queue
03:46:41.615 1 SMTPI-015388(cp0.adhost.com) temp file cannot be created. Error Code=too many messages in the server queue
03:46:43.068 1 SMTPI-015391(nycsgw11.iac.com) temp file cannot be created. Error Code=too many messages in the server queue
03:46:43.770 1 SMTPI-015394(fileserver.hospiceofcharlescounty.org) temp file cannot be created. Error Code=too many messages in the server queue
03:46:44.012 1 SMTPI-015393(va1.ihostsxode.net) temp file cannot be created. Error Code=too many messages in the server queue
03:46:44.799 1 SMTPI-015395(s1.unihoster.com) temp file cannot be created. Error Code=too many messages in the server queue
03:46:44.932 1 SMTPI-015392(ns1.humtum.us) temp file cannot be created. Error Code=too many messages in the server queue
03:46:45.338 3 DNR-027746(74.54.132.85.IN-ADDR.ARPA) PTR:host name is unknown
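The poster asks for a way to identify the queued bounce messages addressed to one user and get them out of the way. The following is an added example (not code from the post, the list, or CommuniGate Pro) showing the triage a practitioner would run: classify each message as a bounce (null Return-Path, MAILER-DAEMON/postmaster sender, or a multipart/report delivery-status DSN), match it against the victim address, and move the backscatter into a quarantine directory. It assumes the messages are plain RFC 5322 files in a directory (an exported mailbox or a spool you control); CommuniGate Pro's own queue file layout is not documented here, so do not point it at the live queue without checking the format first. The address `victim@example.org` and the sample messages are constructed for the demo.

```python
"""Triage a directory of message files for backscatter addressed to one user.

Added example, not from the original post. Assumes each file in the
directory is a plain RFC 5322 message (Return-Path/From/To headers present).
"""
import os
import shutil
import tempfile
from email import policy
from email.parser import BytesParser

VICTIM = "victim@example.org"   # assumed placeholder address for the demo


def is_bounce(msg) -> bool:
    """Heuristics for a bounce/DSN: null envelope sender, daemon sender,
    or a multipart/report with report-type=delivery-status (RFC 3464)."""
    return_path = str(msg.get("Return-Path") or "").strip()
    if return_path == "<>":
        return True
    sender = str(msg.get("From") or "").lower()
    if "mailer-daemon" in sender or "postmaster@" in sender:
        return True
    if msg.get_content_type() == "multipart/report":
        report_type = str(msg.get_param("report-type", "") or "").lower()
        if report_type == "delivery-status":
            return True
    return False


def is_backscatter(msg, victim: str = VICTIM) -> bool:
    """A bounce delivered to the victim whose address was forged as sender."""
    to_header = str(msg.get("To") or "").lower()
    return is_bounce(msg) and victim.lower() in to_header


def triage(queue_dir: str, quarantine_dir: str,
           victim: str = VICTIM, dry_run: bool = True):
    """Return (moved, kept) file-name lists. Moves backscatter files into
    quarantine_dir unless dry_run is True (run dry first, check the list)."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved, kept = [], []
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            msg = BytesParser(policy=policy.default).parse(fh)
        if is_backscatter(msg, victim):
            moved.append(name)
            if not dry_run:
                shutil.move(path, os.path.join(quarantine_dir, name))
        else:
            kept.append(name)
    return moved, kept


# Constructed sample messages: two backscatter bounces to the victim, one
# bounce to another user, one ordinary message to the victim.
SAMPLES = {
    "q001.eml": (b"Return-Path: <>\r\nFrom: MAILER-DAEMON@relay.example.net\r\n"
                 b"To: victim@example.org\r\n"
                 b"Subject: Undelivered Mail Returned to Sender\r\n\r\n"
                 b"The message could not be delivered.\r\n"),
    "q002.eml": (b"Return-Path: <>\r\nFrom: postmaster@other.example\r\n"
                 b"To: bob@example.org\r\nSubject: failure notice\r\n\r\n"
                 b"bounce for someone else\r\n"),
    "q003.eml": (b"Return-Path: <alice@example.com>\r\nFrom: alice@example.com\r\n"
                 b"To: victim@example.org\r\nSubject: lunch?\r\n\r\n"
                 b"real mail\r\n"),
    "q004.eml": (b"Return-Path: <bounces@mta.example>\r\n"
                 b"From: Mail Delivery System <noreply@mta.example>\r\n"
                 b"To: victim@example.org\r\n"
                 b"Content-Type: multipart/report; report-type=delivery-status; "
                 b"boundary=\"b1\"\r\n"
                 b"Subject: Delivery Status Notification (Failure)\r\n\r\n"
                 b"--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
                 b"--b1--\r\n"),
}


def demo():
    """Write the samples to a temp queue dir, triage for real, and return
    (moved, kept, quarantine_contents)."""
    root = tempfile.mkdtemp()
    queue_dir = os.path.join(root, "queue")
    quarantine_dir = os.path.join(root, "quarantine")
    os.makedirs(queue_dir)
    for name, raw in SAMPLES.items():
        with open(os.path.join(queue_dir, name), "wb") as fh:
            fh.write(raw)
    moved, kept = triage(queue_dir, quarantine_dir, dry_run=False)
    return moved, kept, sorted(os.listdir(quarantine_dir))


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first and read the `moved` list before letting it touch anything. The null-sender test also matches legitimate DSNs for mail the user really sent, which is the trade-off the poster already accepts for the duration of the storm; once the queue is clear, the same `is_backscatter` logic is the shape of a delivery-time rule, but it should be scoped to the one address under attack rather than applied domain-wide.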
