[exim] An apparent limitation of hosts_max_try

Author: Richard Clayton
Date:  
To: exim-users
Subject: [exim] An apparent limitation of hosts_max_try

here's a little gem from some logs for a large ISP from Monday....

Someone generates a bounce to "Xavier@???" (that's what
customers sometimes do, especially with spam -- one lives with it)

This domain is set up with 15 MX records most of which resolve to
hundreds (yes hundreds -- go look!) of A records... there is also
some commonality between these lists of IP addresses and those listed
for other domains to which bounces are also being sent

e.g. (incomplete list of similar domains, from a very quick scan):

        aboutusjobs.com
        authentictoday.com
        beyondreliable.com
        carconvoy.com
        crurl.com
        cyberserversusa.com
        expiresanyday.com
        netserversusa.com
        netutilization.com
        otcdistribution.com
        roadsideartists.com
        roadsideaudio.com
        teachdaily.com
        timesrunningout.com
        ugotaccess.com
        urhometown.com
        usaanalysis.com
        usaaudiobooks.com
        usabachelors.com
        visualacoustic.com
        weekendadvice.com
        weekendalert.com
        weekendcowboy.com
        whatsnewdaily.com


viz: this isn't an accident, it's intentional :( and there's a fair
amount of traffic (dozens of messages a day, even on a "Bank Holiday",
to these domains)

BTW: the domains appear to be linked (perhaps tenuously) to a ROKSO
listing ... so the intention is probably not entirely benign, but
whatever the intention -- the effect is impressive :(

well -- what happens is this sort of thing...

11:38:33 1CitCq-000OBb-6f <= <> H=(ntserv01.xxx.com) [x.x.x.x] P=esmtp S=14324 id=x@NTSERV01 from <> for Xavier@???
11:40:11 1CitCq-000OBb-6f bounce.nowheredirect.com [69.150.222.11]: Connection refused
11:41:26 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.17]: Operation timed out
11:42:41 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.13]: Operation timed out
11:43:56 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.16]: Operation timed out
11:43:56 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.10]: Connection refused

those were the two lowest MX machines, so now on to the 12(!) at MX=500

11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.48]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.63]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.200]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.54]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.178]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.20]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.6]: Connection refused

snip 120 more delivery attempts to other IP addresses; all are refused

11:45:26 1CitCq-000OBb-6f mailer07.nowheredirect.com [69.150.223.50]: Connection refused
11:45:26 1CitCq-000OBb-6f mailer07.nowheredirect.com [69.150.223.68]: Connection refused

snip 36 more of these attempts

11:46:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.246]: Operation timed out
11:48:00 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.254]: Operation timed out
11:49:15 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.248]: Operation timed out
11:50:30 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.247]: Operation timed out
11:51:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.251]: Operation timed out
11:53:00 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.249]: Operation timed out
11:54:15 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.250]: Operation timed out
11:55:30 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.253]: Operation timed out
11:56:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.252]: Operation timed out

that was quick! that's timing out for you, rather than refusal!

11:56:45 1CitCq-000OBb-6f mailer09.nowheredirect.com [69.150.223.118]: Connection refused

snipped 36 more failures to the many names of mailer09

11:56:49 1CitCq-000OBb-6f mailer10.nowheredirect.com [69.150.223.167]: Connection refused

this is getting boring -- there's 36 more to mailer10

11:58:09 1CitCq-000OBb-6f mailer01.nowheredirect.com [69.150.222.176]: Connection refused

and then 110 more to mailer01

11:58:21 1CitCq-000OBb-6f mailer06.nowheredirect.com [69.150.223.11]: Connection refused

and 35 more to mailer06

11:59:40 1CitCq-000OBb-6f mailer03.nowheredirect.com [69.150.222.242]: Operation timed out
12:00:55 1CitCq-000OBb-6f mailer03.nowheredirect.com [69.150.222.245]: Operation timed out

and after just those 2 to mailer03 at very long last, what we
wanted all along finally happens -- and the fallback machine gets it

12:00:55 1CitCq-000OBb-6f => xavier@??? <Xavier@???> F=<> R=error_message T=remote_smtp H=post-fallback.mail.demon.net [194.217.242.94] C="250 2.0.0 accepted; S577121AbUL0MAz"
12:00:56 1CitCq-000OBb-6f Completed

so after 22 minutes cluttering up the machine and 399 delivery attempts
(imagine what the time would be with more timeouts and fewer refusals) it
finally goes to the fallback machine where it doesn't get in the way of
the real service that is being provided.

Anyway, I'd suggest that hosts_max_try (at its default setting of 5)
isn't really sufficient in the face of (effectively) malicious DNS
contents... perhaps a hosts_total_try of 20 or so would be a useful
addition to the tuning toolkit? or is there something like that
already that I missed in the fine documentation??

From what I have read, there certainly seems to have been some tweaking
down the years to deal with properly configured hosts -- so I suspect
that this may need careful adjustment to avoid throwing babies out with
the 399 gallons of bath-water!

-- 
richard @ highwayman . com                       "Nothing seems the same
                          Still you never see the change from day to day
                                And no-one notices the customs slip away"
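An added example, not part of the post and not Exim's own code: a small log
aggregator that does by hand what the post's author did by reading the log,
counting remote delivery attempts per message id, how they failed, how many
MX names and addresses were walked, and how long the message sat in the queue.
It parses the three kinds of line the excerpt shows (the "<=" arrival, the
"host [ip]: error" failure, and the "=>" delivery) and flags any message whose
attempt count exceeds a cap; the default cap of 20 is the hosts_total_try value
the post floats, not an Exim setting. The log it runs over is constructed to
mirror the excerpt (illustrative message ids, hostnames and documentation-range
addresses), and the "one timeout then delivered" second message is there to
show a normal delivery passing the check.

```python
import re
from collections import Counter

# The three line shapes from the post's mainlog excerpt: a time and message id,
# then "<=" (arrival), "=>" (delivery) or "host [ip]: error" (a failed attempt).
_STAMP = r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<msgid>\S+) "
ARRIVAL_RE = re.compile(_STAMP + r"<= ")
DELIVERY_RE = re.compile(_STAMP + r"=> ")
ATTEMPT_RE = re.compile(
    _STAMP + r"(?P<host>[A-Za-z0-9.-]+) \[(?P<ip>[0-9.]+)\]: (?P<error>.+)$")


def _secs(hms):
    """Seconds since midnight for an HH:MM:SS stamp (the excerpt carries no date)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def _hms(secs):
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


def summarise(lines):
    """Per message id: attempts made, hosts/addresses tried, error mix, and the
    time from arrival to delivery (or to the last attempt if never delivered)."""
    msgs = {}

    def rec(mid):
        return msgs.setdefault(mid, {"attempts": 0, "hosts": Counter(), "ips": set(),
                                     "errors": Counter(), "arrived": None,
                                     "last": None, "delivered": False})

    for line in lines:
        line = line.rstrip("\n")
        if (m := ARRIVAL_RE.match(line)):
            rec(m["msgid"])["arrived"] = _secs(m["time"])
        elif (m := ATTEMPT_RE.match(line)):
            r = rec(m["msgid"])
            r["attempts"] += 1
            r["hosts"][m["host"]] += 1
            r["ips"].add(m["ip"])
            r["errors"][m["error"]] += 1
            r["last"] = _secs(m["time"])
        elif (m := DELIVERY_RE.match(line)):
            r = rec(m["msgid"])
            r["delivered"] = True
            r["last"] = _secs(m["time"])
    for r in msgs.values():
        start = r["arrived"] if r["arrived"] is not None else r["last"]
        r["elapsed_s"] = (r["last"] - start) if r["last"] is not None else 0
        r["distinct_ips"] = len(r["ips"])
    return msgs


def flag_excessive(msgs, max_total_try=20):
    """Messages that tried more hosts than the cap (20 is the post's suggested
    hosts_total_try figure, an assumption here rather than an Exim default)."""
    return {mid: r for mid, r in msgs.items() if r["attempts"] > max_total_try}


def constructed_log():
    """Constructed sample in the excerpt's format; ids, names and addresses are
    illustrative, not real log data."""
    bounce, normal = "1CitCq-000OBb-6f", "1CitD0-000OBc-7g"
    lines = [
        f"11:38:33 {bounce} <= <> H=(ntserv01.example.invalid) [192.0.2.10] P=esmtp S=14324 from <> for xavier@example.invalid",
        f"11:39:00 {normal} <= alice@example.invalid H=(client.example.invalid) [192.0.2.11] P=esmtp S=2048 for bob@example.invalid",
    ]
    # Three equal-priority MX names, a dozen refusing addresses each, one second apart.
    t, octet = _secs("11:40:11"), 1
    for mx in ("mailer12", "mailer07", "mailer09"):
        for _ in range(12):
            lines.append(f"{_hms(t)} {bounce} {mx}.nowheredirect.com [198.51.100.{octet}]: Connection refused")
            t, octet = t + 1, octet + 1
    # Two 75-second timeouts, then the fallback host accepts the bounce.
    for octet in (240, 241):
        t += 75
        lines.append(f"{_hms(t)} {bounce} mailer03.nowheredirect.com [198.51.100.{octet}]: Operation timed out")
    lines.append(f"{_hms(t)} {bounce} => xavier@example.invalid F=<> R=error_message T=remote_smtp H=fallback.example.invalid [203.0.113.25]")
    lines.append(f"{_hms(t + 1)} {bounce} Completed")
    # A normal message: one timeout, then delivered on the retry.
    lines.append(f"11:40:15 {normal} mx.example.invalid [203.0.113.7]: Operation timed out")
    lines.append(f"11:41:30 {normal} => bob@example.invalid F=<alice@example.invalid> R=dnslookup T=remote_smtp H=mx.example.invalid [203.0.113.7]")
    lines.append(f"11:41:30 {normal} Completed")
    return lines


if __name__ == "__main__":
    msgs = summarise(constructed_log())
    for mid, r in flag_excessive(msgs).items():
        print(f"{mid}: {r['attempts']} attempts to {r['distinct_ips']} addresses "
              f"under {len(r['hosts'])} MX names, {r['elapsed_s']} s in queue, "
              f"errors {dict(r['errors'])}")
```

Run against a real mainlog the regexes need the date prefix added to `_STAMP`,
since the excerpt in the post has it stripped; the per-host Counter is the
useful part operationally, because a message that spreads its attempts across
many names at one MX priority is exactly the case hosts_max_try does not bound.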