[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange problem with mail...

Resending to correct address this time - list sender gets me every damn time.

Stephen Gran said at 27/08/04 02:53:

> This one time, at band camp, Jan Luehr said:
>> Greetings,...
>> Am Donnerstag, 26. August 2004 22:18 schrieb Thomas Sjögren:
>>> On Thu, Aug 26, 2004 at 09:44:51PM +0200, Jan Luehr wrote:
>>>> Greetings,....
>>>> Am Donnerstag, 26. August 2004 19:32 schrieb UnKnown:
>>>>> Hi ppl, first I wont to state that this is my first mail to this list,
>>>>> if by any chance this is not the right list to do so plz point me to
>>>>> the correct one.
>>>>> Last sunday the mail server start kicking process, actually it did such
>>>>> a mess, that it trow all daemons down. When I check the console this
>>>>> message was the only thing left:
>>>>> __alloc_pages: '-order allocation failed (gfp=0x....)
>>>> Ok. This looks like an exploit.
>>>> Wich Kernel do you use?
>>>> 2.4.26 is certainly not Woody-standard.
>>>> Are you able to find any binary causing these kind of messages?
>>> Sure it isnt the memory or filesystem?
>>> Some info:
>>> http://www.ussg.iu.edu/hypermail/linux/kernel/0404.2/1680.html
>>> http://mirror.hamakor.org.il/archives/linux-il/01-2004/8144.html
>>> http://lists.suse.com/archive/suse-linux-e/2003-Jul/1178.html
>> You may be right. I thought ReiserFS-Bugs in that way are relicts from the dark age of 2.4... >> However - failed memory allocation can also be a sympton of an exploit trying to access memory he shouldn't do ,)
> In this case, though, I think spamassassin was sparking OOM problems
> scanning an oversized email header block.  How exim wrote all those
> headers is another question, though - it shouldn't be doing that,
> I wouldn't think.

I've seen similar headers from exim (woody) where a bounce was trying to be delivered where the MX records pointed to or something similar (don't recall exactly). Setting "ignore_target_hosts = :" helped in that case though, having had a quick look, it doesn't seem to be the case here.

I do suspect some simliar loop though.

Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Reply to: