Re: [Exim] URGENT help too many connections

Author: Eric Kuzniar
Date:  
To: exim-users
CC: aymana
Subject: Re: [Exim] URGENT help too many connections
>I start seeing "Connection from [xxx.xxx.xxx.xxx]
>refused: too many connections" in the mainlog
>
>it's so much that tail -f keeps going on so fast and
>that causes no single Email to get through.
>
>smtp_accept_max has been set to 70
>
>exim4 is the one that has been installed
>
>Looks like we have been attacked by random IPs to
>nonexistent mail users on our mailserver
>
>What should I do?
>
>thanks
>

    Sounds like you are getting joe-jobbed. If this is the case the
IPs aren't random IPs but rather thousands of separate mailservers
connecting to yours to send bounce messages to spam that was sent with
forged headers stating they were from randomcrap@yourdomain. Since these
are all distinct mailservers trying to send you bounces they will
probably be well behaved and retry many times before giving up. Some
mailservers will try 1000s of times an hour. This can be painful. If
your normal traffic allows, you can look for some of these offenders and
block them at the IP level until load stabilizes. Also, some of the
requests will be for Sender Verification. Try increasing your
smtp_connect_backlog to as much as your machine can bear. You will have
to tweak it down after the spam run is over, however, because, although
your machine may be able to handle the backlog when just telling people
no such user, it probably won't be able to handle that many when most of
the mail is real. Also be prepared for tons of stupid automated UCE:
messages to postmaster from moronic systems demanding you take
appropriate action to make sure they never get any spam again. If your
configuration allows, even if just for a short period of time, publish
some SPF records real quick, it actually helps.


       Eric
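
One way to find the heaviest retriers the reply suggests looking for, as an added example that is not part of the original message or of Exim itself. It assumes Exim's default `YYYY-MM-DD HH:MM:SS` timestamp in front of the refusal line quoted above; the function name `heavy_retriers`, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the refusal line quoted in the post, with Exim's default
# "YYYY-MM-DD HH:MM:SS" timestamp prefix in front of it.
REFUSED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} .*?"
    r"Connection from \[([0-9A-Fa-f:.]+)\].*? refused: too many connections"
)

def heavy_retriers(lines, min_per_hour):
    """Return [(ip, peak_hourly_refusals, total_refusals)] for hosts whose
    refusals in any single clock hour reach min_per_hour, worst first."""
    per_hour = defaultdict(Counter)   # ip -> {"YYYY-MM-DD HH": count}
    for line in lines:
        m = REFUSED.match(line)
        if m:
            hour, ip = m.groups()
            per_hour[ip][hour] += 1
    rows = []
    for ip, hours in per_hour.items():
        peak = max(hours.values())
        if peak >= min_per_hour:
            rows.append((ip, peak, sum(hours.values())))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE = """\
2004-03-01 10:00:01 Connection from [192.0.2.10] refused: too many connections
2004-03-01 10:00:02 Connection from [192.0.2.10] refused: too many connections
2004-03-01 10:00:05 Connection from [198.51.100.7] refused: too many connections
2004-03-01 10:14:40 Connection from [192.0.2.10] refused: too many connections
2004-03-01 10:59:59 H=mx.example.net [203.0.113.5] F=<> rejected RCPT <randomcrap@yourdomain.example>: Unknown user
2004-03-01 11:00:03 Connection from [192.0.2.10] refused: too many connections
2004-03-01 11:00:04 Connection from [2001:db8::25] refused: too many connections
2004-03-01 11:00:09 Connection from [2001:db8::25] refused: too many connections
""".splitlines()

if __name__ == "__main__":
    for ip, peak, total in heavy_retriers(SAMPLE, min_per_hour=2):
        print(f"{ip:<16} peak/hour={peak} total={total}")
```

The hosts it lists are candidates for the temporary IP-level block described in the reply; since they are mostly ordinary mailservers delivering bounces, the block is meant to be lifted once load stabilizes.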