[Dovecot] Fishing attempt locking up dovecot

Jerry Yeager jerry at scene-naturally.dyndns.org
Wed Dec 12 05:02:56 EET 2007 

On Dec 11, 2007, at 5:58 PM, dovecot-request at dovecot.org wrote:

>
>
> Message: 10
> Date: Tue, 11 Dec 2007 15:58:16 -0700
> From: Patrick Milvich <patrick at milvich.com>
> Subject: [Dovecot] Fishing attempt locking up dovecot
> To: dovecot at dovecot.org
> Message-ID: <8C5CE5FE-BD2F-40C4-8A36-A4CD8BD533DB at milvich.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> I've mentioned this before but only heard from one other person who
> has experienced this, but it's becoming a pretty serious issue.
>
> The situation:
> A spammer sets a bot on a fishing attempt to gain email addresses,
> causing numerous login processes to spawn and suck up all available
> resources.
>
> The problem:
> Obviously this can act like a dos attack, but the real issue is after
> the spammer stops (by virtue of being added to our firewall blacklist,
> being caught and shut down by their isp, or otherwise), dovecot
> doesn't seem to relinquish the resources, causing "too many files
> open" errors for normal usage.
>
>

stuff cut out

>
> End of dovecot Digest, Vol 56, Issue 33
> ***************************************


Will the following be of any help to you? (it is a patch for Postfix  
2.4.nn) It would seem that the type of fishing expedition you mention  
would fall into the bit described below (lots of errors). While it  
will not directly solve the "out of resources" Dovecot problem, it may  
limit the up-front damage, followed with a CRON script running every  
twenty minutes or so that scans the last line of the mail log for the  
'too many files open' error and upon finding it runs a version of the  
killall imap-login processes.


ftp://postfix.mirrors.pair.com/index.html


Postfix 2.4 patch (PGP signature ) to add stress-adaptive behavior to  
the SMTP server. When some mail flood keeps all server ports busy,  
this feature can be used to quickly drop connections from clients that  
make errors, and to reduce the time that Postfix waits for a client  
command. This may delay some legitimate deliveries, but it will allow  
you to still keep some mail flowing. After the mail flood ends,  
Postfix reverts to its normal behavior.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2447 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20071211/a910530e/attachment.bin

More information about the dovecot mailing list