Below is a message that I sent to the debian-isp mailing list. I hope
someone here might have some advice too.
It is my mail server that Tim is referencing in his email. I thought I
might add some more symptoms that I feel may be relevant. This first
occurred after replacing my old bo system with a new potato system. This
was not an upgrade but a complete replacement. The old system is
currently in my truck ready to be put back in place. Within 12 hours
of the system being fully functional smtp became "unavailable"
because there were too many connections. The first instance was caused
by someone on my own network. Restarting exim closed all the connections
but they immediately started accumulating again. I disabled the user's
dial-in access and kicked him off. I figured this would reset or close
all his current connections. Wrong! 12 hours later his connections
still showed as "established" when running netstat. A reset of exim
killed them. I reviewed the reject log and saw the same type of errors
Tim wrote below but from my own network instead of att.net. I also saw
a reference to Back Orifice. Asking Tim about this explained the whole
Back Orifice virus/trojan/whatever thingy. I called the guy and talked
to him for a good hour. This is an elderly man with no clue as to how
to type let alone launch an attack. I got the guy to bring me his
machine so I could take a look at it. It had the exe~1 and exe~2 of the
Back Orifice stuff. His machine took over 10 minutes to boot and the
hard drive NEVER stopped being accessed. I cleaned the drive clean and
reinstalled for the guy to stop his problem but that doesn't stop
others.
I reviewed my old mail server and found that in the reject logs there had
been the same type of rejections from this gentleman in the past but,
although loading the server while occurring, they never stayed active
indefinitely like now. On a hunch I have tried disabling the sender
verify options in exim. I don't believe they existed in the old exim
version I was running. I don't know yet if that has helped or not.
I hope this extra info can help with my situation.
Tim's original message follows:
I am working with a Potato install running exim that is a fairly busy
pop/imap/smtp server. There seems to be some problem with a system
that lives within att.net. The att system will open connection after
connection, until the Debian system crashes. The exim logs for the
connections show
1999-04-22 14:02:24 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:02:49 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:03:14 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:03:39 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:04:05 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:04:30 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
1999-04-22 14:04:55 reject all recipients: 3 times bad sender
<bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default)
[12.79.16.218]
And the connections never close.
If we restart exim, the connections show:
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
1999-04-22 15:58:05 SMTP connection from
218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
closed after SIGTERM
Can someone lend me a clue? I'm no dummy, but this one has me stumped.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home) >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tps@???/tps@??? >< (516) 476-3031 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
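The pattern both posters describe (the same host producing "reject all recipients: 3 times bad sender" entries every 25 seconds while its connections never close) is easy to spot mechanically in the Exim reject log. The following is an added example, not code from either poster or from the Exim project: it parses reject-log lines of the format quoted above and flags any client IP that accumulates a threshold number of rejects inside a sliding time window. The sample log is constructed from the quoted entries plus one made-up host (192.0.2.7); the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Exim reject-log entries, modelled on the ones quoted
# in the thread (one entry per line, as Exim writes them). The last line is a
# made-up, well-behaved host for contrast.
SAMPLE_LOG = """\
1999-04-22 14:02:24 reject all recipients: 3 times bad sender <bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
1999-04-22 14:02:49 reject all recipients: 3 times bad sender <bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
1999-04-22 14:03:14 reject all recipients: 3 times bad sender <bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
1999-04-22 14:03:39 reject all recipients: 3 times bad sender <bsto@default> H=218.new-york-71-72rs.ny.dial-access.att.net (default) [12.79.16.218]
1999-04-22 14:10:00 reject all recipients: 3 times bad sender <joe@example> H=pc1.example.invalid (pc1) [192.0.2.7]
"""

# timestamp, retry count, sender, HELO/host name, (ident), client IP
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) reject all recipients: "
    r"(\d+) times bad sender <([^>]*)> H=(\S+) \([^)]*\) \[([\d.]+)\]$"
)


def parse_rejects(text):
    """Yield (timestamp, sender, hostname, ip) for each 'bad sender' reject line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(3), m.group(4), m.group(5)


def find_hammering_hosts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: total_rejects} for IPs with >= threshold rejects in any window."""
    by_ip = defaultdict(list)
    for ts, _sender, _host, ip in parse_rejects(text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

A flagged IP is the one to cap with a per-host connection limit (Exim has a main-section option smtp_accept_max_per_host for this) or to block at the firewall until the owner's machine is cleaned, which is what the poster ended up doing by hand.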
--
*** Exim information can be found at
http://www.exim.org/ ***