[Dovecot] Fishing attempt locking up dovecot

Patrick Milvich patrick at milvich.com
Wed Dec 12 00:58:16 EET 2007


I've mentioned this before but only heard from one other person who  
has experienced this, but it's becoming a pretty serious issue.

The situation:
A spammer sets a bot on a fishing attempt to gain email addresses,  
causing numerous login processes to spawn and suck up all available  
resources.

The problem:
Obviously this can act like a DoS attack, but the real issue is after
the spammer stops (by virtue of being added to our firewall blacklist,
being caught and shut down by their ISP, or otherwise), dovecot
doesn't seem to relinquish the resources, causing "too many files
open" errors for normal usage.

The master process usually hangs around 40-50 files open at any given
time, with about 10,000 logins a day. I use:

lsof -p `cat /var/run/dovecot/master.pid` | wc -l

After the attempt is over I always see the files open shoot up to near
3,000 without it able to go down until a dovecot restart.

This usually happens about once a month, though we can get unlucky and  
have it happen a few days apart. I have some log excerpts below.

Wondering if this is happening through my own fault or at least within
my ability to alleviate the issue. Is there a way to limit the number
of connections from an IP address? Has anyone used login_executable to
first hit their own solution to keep track of, and implement
connection restrictions similar to what I'm aiming for?

Thanks for any insight
Patrick

dovecot -n
# 1.0.8: /usr/local/mail/dovecot/etc/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot
protocols: imap imaps pop3 pop3s
ssl_cert_file: /usr/local/mail/ssl/certs/dovecot.pem
ssl_key_file: /usr/local/mail/ssl/private/dovecot.pem
ssl_cipher_list: ALL:!LOW
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable(default): /usr/local/mail/dovecot/libexec/dovecot/imap-login
login_executable(imap): /usr/local/mail/dovecot/libexec/dovecot/imap-login
login_executable(pop3): /usr/local/mail/dovecot/libexec/dovecot/pop3-login
first_valid_uid: 500
mail_location: maildir:/Volumes/data/mail/%Ld/%Ln
mail_executable(default): /usr/local/mail/dovecot/libexec/dovecot/imap-before
mail_executable(imap): /usr/local/mail/dovecot/libexec/dovecot/imap-before
mail_executable(pop3): /usr/local/mail/dovecot/libexec/dovecot/pop3-before
mail_plugin_dir(default): /usr/local/mail/dovecot/lib/dovecot/imap
mail_plugin_dir(imap): /usr/local/mail/dovecot/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/local/mail/dovecot/lib/dovecot/pop3
pop3_uidl_format(default):
pop3_uidl_format(imap):
pop3_uidl_format(pop3): %08Xu%08Xv
auth default:
   mechanisms: plain digest-md5 login
   passdb:
     driver: sql
     args: /usr/local/mail/dovecot/etc/dovecot-sql.conf
   userdb:
     driver: static
     args: uid=exim gid=exim
plugin:
   quota: maildir


From the logs, first entries showing the problem:
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:03 Info: pop3-login: Disconnected: rip=207.245.39.90, lip=<lip>

A little later on:
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<pwitest>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<tsinternetuser>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<bill>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<web>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<barbara>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<www>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<user>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<nathan>, method=PLAIN, rip=207.245.39.90, lip=<lip>
dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<webmaster>, method=PLAIN, rip=207.245.39.90, lip=<lip>

etc. etc.
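
Added example (not part of the original post, and not Dovecot code): a log-side check for the pattern in the excerpts above, flagging a remote IP that tries many distinct usernames or piles up pre-login disconnects inside a short window. The function name, thresholds, assumed year and sample lines are assumptions made for this example; only the line format follows the excerpts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Dovecot 1.0-style login-process lines, in the format of the excerpts above.
LINE_RE = re.compile(
    r"dovecot: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) Info: (?:pop3|imap)-login: "
    r"(?P<event>Aborted login|Disconnected)"
    r":(?: user=<(?P<user>[^>]*)>,)?.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def find_login_floods(lines, window_s=60, max_events=20, max_users=5, year=2007):
    """Return {rip: reason} for clients that exceed either threshold in a window.
    The log lines carry no year, so the caller supplies one (assumption)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # rip -> deque of (time, user or None)
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["rip"]]
        q.append((when, m["user"]))
        while q and when - q[0][0] > window:   # drop events outside the window
            q.popleft()
        users = {u for _, u in q if u}         # distinct usernames tried
        if len(users) >= max_users:
            flagged.setdefault(m["rip"], f"{len(users)} usernames in {window_s}s")
        elif len(q) >= max_events:
            flagged.setdefault(m["rip"], f"{len(q)} pre-login disconnects in {window_s}s")
    return flagged

# Constructed sample input (documentation-range addresses, not real clients).
SAMPLE = [
    "dovecot: Dec 10 16:17:02 Info: pop3-login: Disconnected: rip=198.51.100.23, lip=<lip>",
    *(f"dovecot: Dec 10 16:17:12 Info: pop3-login: Aborted login: user=<{u}>, "
      "method=PLAIN, rip=198.51.100.23, lip=<lip>"
      for u in ("bill", "web", "www", "user", "webmaster")),
    "dovecot: Dec 10 16:18:40 Info: imap-login: Aborted login: user=<alice>, "
    "method=PLAIN, rip=192.0.2.10, lip=<lip>",
]

if __name__ == "__main__":
    for rip, reason in find_login_floods(SAMPLE).items():
        print(rip, reason)
```

The returned addresses are candidates for the firewall blacklist the post mentions. This check does nothing about the master process holding file descriptors after the flood ends.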

