The Community Forums


Exim attack - "no IP address found for host" - causing high cpu load

Discussion in 'General Discussion' started by nat, Feb 6, 2005.

  1. nat

    nat Well-Known Member

    Joined:
    Jan 16, 2003
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    -------------

    a few seconds in /var/log/exim_mainlog

    2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (host58-136.pool8249.interbusiness.it) [82.49.136.58])
    2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (0x50a141c8.boanxx14.adsl-dhcp.tele.dk) [80.161.65.200])
    2005-02-06 11:23:58 no IP address found for host 2835.216.255.60 (during SMTP connection from (word.it) [220.81.103.208])
    2005-02-06 11:23:59 no IP address found for host 2835.216.255.60 (during SMTP connection from h0040d00b712b.ne.client2.attbi.com [66.30.87.143])
    2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
    2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from ppp-61.90.27.32.revip.asianet.co.th [61.90.27.32])
    2005-02-06 11:24:01 no IP address found for host 2835.216.255.60 (during SMTP connection from (mail.biglaketransport.com) [65.69.37.250])
    2005-02-06 11:24:02 no IP address found for host 2835.216.255.60 (during SMTP connection from (pcp01102026pcs.pntiac01.mi.comcast.net) [68.61.236.68])

    -------------

    CPU usage over 24 hour time period.

    mailnull 87.97 4.36 0.0
    Top Process %CPU 91.5 /usr/sbin/exim -bd -q60m
    Top Process %CPU 91.0 /usr/sbin/exim -bd -q60m
    Top Process %CPU 79.8 /usr/sbin/exim -bd -q60m

    There are only 82 e-mails in the queue, and I have deleted them.

    -------------


    1. I have already set up the dictionary attack ACL. http://www.configserver.com/free/eximdeny.html

    1b. Since the dictionary attack ACL does not catch this, I did this to add the IPs to /etc/exim_deny:

    Code:
    # keep only the bracketed client address; the "host" in the message is the peer's claimed name, not an IP
    tail -f /var/log/exim_mainlog | grep --line-buffered "no IP address found for host" | grep --line-buffered -oP '(?<=\[)\d+\.\d+\.\d+\.\d+(?=\])' >> /etc/exim_deny &

    2. I also use the following RBLs:

    dnslists = brazil.blackholes.us : \
    malaysia.blackholes.us : \
    china.blackholes.us : \
    sbl-xbl.spamhaus.org : \
    bl.spamcop.net : \
    relays.ordb.org : \
    cbl.abuseat.org : \
    blackholes.mail-abuse.org : \
    spam.dnsrbl.net : \
    opm.blitzed.org

    3. I have also removed the RBLs and the dictionary attack ACL from Exim to see if that helps (it didn't, so I added them back, and they are working).

    My load has exceeded 40.


    Any ideas?
     
    #1 nat, Feb 6, 2005
    Last edited: Feb 6, 2005
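As an added example (not from the thread, and not nat's or chirpy's code): a small Python parser for the exim_mainlog lines quoted above that takes only the bracketed client address, so the peer's claimed host name never ends up in a deny list, and counts connections per source. The function names are my own, and the sample log embeds three lines from the thread plus two constructed ones.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Exim logs the client as "rdns-name [a.b.c.d]", with the name parenthesised
# when it is the client's own HELO.  Only the bracketed address is trustworthy;
# the "host" in the message is whatever the peer claimed (here 2835.216.255.60).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"no IP address found for host (?P<claimed>\S+) "
    r"\(during SMTP connection from (?P<name>\S+) \[(?P<ip>[^\]]+)\]\)$"
)

def is_ip(text):
    try:
        ip_address(text)  # rejects 2835.216.255.60: first octet is out of range
        return True
    except ValueError:
        return False

def parse_line(line):
    """Fields of one 'no IP address found' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or not is_ip(m.group("ip")):
        return None
    rec = m.groupdict()
    rec["claimed_is_ip"] = is_ip(rec["claimed"])
    return rec

def naive_ips(line):
    """What a bare dotted-quad grep -o captures: every match, bogus ones included."""
    return re.findall(r"\d+\.\d+\.\d+\.\d+", line)

def client_counts(lines):
    """Connections per real client address; unrelated log lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ip"]] += 1
    return counts

# Constructed sample: three lines quoted in the thread, a repeat of the third,
# and one unrelated queue-run line that must be ignored.
SAMPLE_LOG = """\
2005-02-06 11:23:57 no IP address found for host 2835.216.255.60 (during SMTP connection from (host58-136.pool8249.interbusiness.it) [82.49.136.58])
2005-02-06 11:23:59 no IP address found for host 2835.216.255.60 (during SMTP connection from h0040d00b712b.ne.client2.attbi.com [66.30.87.143])
2005-02-06 11:24:00 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:03 no IP address found for host 2835.216.255.60 (during SMTP connection from (69.72.194.186) [220.84.194.27])
2005-02-06 11:24:05 Start queue run: pid=4242
""".splitlines()
```

Run `client_counts(SAMPLE_LOG).most_common()` to see the per-client tally; `naive_ips` on the third sample line shows why a bare dotted-quad match is the wrong filter for this log.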
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's pretty odd. Do you have any added EHLO/HELO checking in your ACLs in exim.conf?

    I'm wondering if the domain name 2835.216.255.60 is confusing exim because it thinks it is an IP address (which of course it isn't).

    It might be possible to use the following before where you would have put the dictionary attack ACL:

    Code:
    deny message = Rejected
         hosts = 2835.216.255.60

    deny message = Rejected
         domains = 2835.216.255.60
    Might need tweaking. Feel free to PM me if you'd like free hands-on help.
     