
Strange problem with mail...

Hi ppl, first I want to state that this is my first mail to this list; if by
any chance this is not the right list to do so, please point me to the correct one.
Last Sunday the mail server started kicking processes; actually it made such a
mess that it threw all the daemons down. When I checked the console this message
was the only thing left:
__alloc_pages: '-order allocation failed (gfp=0x....) 

The dots refer to different numbers. So I restarted the server and everything went
fine, for a while at least; after an hour or so the system did the same, and
the console showed the same message. Well, I checked around and found some
problem reports for kernel 2.4.26, to which I had recently migrated. Well, I
rebooted with the old kernel, looked at the monitor for a while, and again
everything looked good. So I went home, expecting the problem was solved;
the following day the problem appeared again, so I made a deeper check, dug
around the logs, and after a couple of hours I found a mail that caught my
attention. It was a porn spam delivered to one of our users, but when I checked
the XXX-H and XXX-D files of the message, in the header I found this:

root 0 0
1093197628 0
-helo_name host.serverspain.com
-received_protocol esmtp
-body_linecount 6

201P Received: from [] (helo=host.serverspain.com)
	by davinci.fcien.edu.uy with esmtp (Exim 3.35 #1 (Debian))
	id 1Bywdo-0001e9-00
	for <smart@fcien.edu.uy>; Sun, 22 Aug 2004 15:00:35 -0300
070P Received: (qmail 19271 invoked by uid 48); 22 Aug 2004 17:39:30 -0000
033  Date: 22 Aug 2004 17:39:30 -0000
062I Message-ID: <20040822173930.19270.qmail@host.serverspain.com>
023T To: smart@fcien.edu.uy
014  X-Priority: 1
030F From: webmaster@sexo4ever.com
014  X-Priority: 1
030F From: webmaster@sexo4ever.com

The thing is that the last two lines:

014  X-Priority: 1
030F From: webmaster@sexo4ever.com

repeat themselves about 7000 times. When I removed this message from the
mail server the problem stopped.
Unless I'm wrong this is an attack, and a pretty successful one: it killed
the server and it took me some time to figure it out.
Is there any report of this kind of attack before, and is there any
protection against it? Can it be filtered with the Exim filter system, or do I
need some config to do it? As I got this message from
/var/spool/exim/input, it is Exim's, and thus I'm assuming that it evaded
amavisd with clamd and SpamAssassin. Is that assumption correct?
For the record, the hardware itself is an IBM Netfinity 3500 with 1 P3
500 MHz, 256 MB RAM and a 16 GB SCSI disk. All packages are updated, except for
amavisd-new and clamd, which, as they are not included in woody, I had to install
from source.


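The following is an added example, not code from the post above nor part of Exim: a small checker for the Exim spool -H header format quoted in the message (a byte length that counts the trailing newline, a one-character type flag such as P, F, T or I, a space, then the header text, with folded continuation lines covered by the length rather than prefixed themselves). It parses a constructed sample modelled on the quoted headers, with the X-Priority/From pair repeated a chosen number of times, and flags a message whose header block is abnormally large or in which one header name repeats excessively. Assumptions: the stored headers begin after the first blank line of the file, and the thresholds (200 headers, 64 KiB, 20 repeats of one name) are illustrative, not values Exim or the list recommends.

```python
import re
from collections import Counter

# Prefix Exim writes in front of every stored header in a spool -H file:
# the header's length in bytes (newline included, at least three digits),
# a one-character type flag (P = Received, F = From, T = To,
# I = Message-ID, space = anything else) and a single space.
HEADER_PREFIX = re.compile(r"(\d{3,})(.) ")


def parse_spool_headers(spool: str) -> list[tuple[str, str]]:
    """Return (flag, header_text) pairs from the header section of a -H file.

    Assumption: the stored headers start after the first blank line. Each
    entry is `NNNf ` followed by exactly NNN characters of header text, which
    already contains its newline and any folded continuation lines, so the
    text is sliced by length instead of being split on newlines.
    """
    _, _, body = spool.partition("\n\n")
    headers: list[tuple[str, str]] = []
    pos = 0
    while pos < len(body):
        m = HEADER_PREFIX.match(body, pos)
        if not m:
            raise ValueError(f"malformed header prefix at offset {pos}: {body[pos:pos + 10]!r}")
        length, flag = int(m.group(1)), m.group(2)
        start = m.end()
        text = body[start:start + length]
        if len(text) != length or not text.endswith("\n"):
            raise ValueError(f"truncated header at offset {start}")
        headers.append((flag, text))
        pos = start + length
    return headers


def header_stats(headers: list[tuple[str, str]]) -> dict:
    """Count headers, their total size in bytes, and occurrences per name."""
    names = Counter()
    for _flag, text in headers:
        names[text.partition(":")[0].strip().lower()] += 1
    return {
        "count": len(headers),
        "bytes": sum(len(text) for _flag, text in headers),
        "names": names,
    }


def suspicious(headers, max_headers=200, max_bytes=64 * 1024, max_repeats=20) -> list[str]:
    """List the reasons a header block looks like the flood the post describes.

    The thresholds are assumed values for illustration; tune them against
    real traffic. Ordinary mail carries a few dozen headers at most, and
    From: is supposed to appear only once.
    """
    stats = header_stats(headers)
    reasons = []
    if stats["count"] > max_headers:
        reasons.append(f"{stats['count']} headers (limit {max_headers})")
    if stats["bytes"] > max_bytes:
        reasons.append(f"{stats['bytes']} header bytes (limit {max_bytes})")
    for name, n in stats["names"].items():
        if n > max_repeats:
            reasons.append(f"header {name!r} repeated {n} times")
    return reasons


def build_sample(repeats: int) -> str:
    """Constructed -H file body modelled on the one quoted in the post."""
    head = (
        "root 0 0\n"
        "1093197628 0\n"
        "-helo_name host.serverspain.com\n"
        "-received_protocol esmtp\n"
        "-body_linecount 6\n"
        "\n"
    )
    headers = [
        ("P", "Received: from [] (helo=host.serverspain.com)\n"
              "\tby davinci.fcien.edu.uy with esmtp (Exim 3.35 #1 (Debian))\n"
              "\tid 1Bywdo-0001e9-00\n"
              "\tfor <smart@fcien.edu.uy>; Sun, 22 Aug 2004 15:00:35 -0300\n"),
        ("P", "Received: (qmail 19271 invoked by uid 48); 22 Aug 2004 17:39:30 -0000\n"),
        (" ", "Date: 22 Aug 2004 17:39:30 -0000\n"),
        ("I", "Message-ID: <20040822173930.19270.qmail@host.serverspain.com>\n"),
        ("T", "To: smart@fcien.edu.uy\n"),
    ]
    headers += [(" ", "X-Priority: 1\n"), ("F", "From: webmaster@sexo4ever.com\n")] * repeats
    # Exim stores the length with %03d semantics: zero-padded to three digits.
    return head + "".join(f"{len(text):03d}{flag} {text}" for flag, text in headers)


if __name__ == "__main__":
    for n in (1, 7000):
        hdrs = parse_spool_headers(build_sample(n))
        print(n, header_stats(hdrs)["count"], suspicious(hdrs))
```

Pointed at the real -H files under /var/spool/exim/input, the same functions pick out a queued message like the one quoted before a queue runner loads its 14000-odd headers into memory; the length-based slicing is what makes the parser immune to a header whose text contains something that merely looks like another `NNNf ` prefix.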