Sendmail server load spikes

Q I seem to be having some serious problems with Sendmail. Earlier this evening Sendmail seemed to be causing my server load to spike up in the 4.0 or greater area. When I ran the top command there were several instances of Sendmail going and they were the top processes running. It seemed to be affecting the server for an hour or so. I wish I'd taken a snapshot of the top command at the time. My first question is, what do I look for in my mail log file? What sort of things should raise flags? One issue I have is that I get a lot of spam. Lots of mail is addressed to users that don't exist on my server, configured.unknown.al.charter.com [192.168.10.20] (may be forged) Also, around the time of the problem I found records like this with a strange URL in them:

Nov 12 16:16:13 server1 sendmail[18756]: NOQUEUE:otherdomain.com.br
[192.168.10.30] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

My second question: when I check my running processes, what sort of Sendmail commands should be running? Is there anything odd about this?

20334 ? S 0:00 sendmail: server 27.domain.com [192.168.10.40] child wait
20336 ? S 0:00 sendmail: ./iAE2ECt20336 27.domain.com[192.168.10.40]:DATA

Any thoughts you have on troubleshooting the maillog file would be greatly appreciated. Thanks in advance.

A I don't believe the service load you are experiencing is due to spam coming into your system (successful or failed), unless it's a targeted attack. A CPU load of 4.0 is really quite high and a mail server, unless under attack or extremely busy, should not use so much resources. Going through your mail log by hand can be painstaking even if you don't receive very much traffic. Logwatch at www.logwatch.org is able to go through your mail logs and give you summaries of what is happening. You should be able to tell from here if you have one serious culprit causing you trouble. For a more detailed analysis you could also install Anteater from anteater.drzoom.ch. Although it can be tricky to set up it can give you some very readable reports.

The entries you've pointed out are more than likely spam but again, so much mail is these days. I'd highly recommend setting up some level of spam filtering on your system. At the very least subscribe to some RBLs: Spamhaus is a good option. Your second log excerpt is a connection to your server on the SMTP port that was not used to send a message. This could be a port-scan or if there are many of them it could by a Denial of Service attempt (although not a terribly effective one). The last entry you mention is just Sendmail processing a message.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar