Messaging Gateway


SMTP Monitoring issues

  • 1.  SMTP Monitoring issues

    Posted Jul 16, 2009 09:23 AM
    We are using Brightmail 8.0.2 on 8360 hardware. Since we upgraded from 7.7 to 8.0.2 we have a strange issue with our WUG monitoring software. We monitor SMTP on the appliance and between approximately 1 am and 6 am EST, our monitor software always shows the Brightmail appliance as not responding. I checked the logs on the appliance and we have tens of thousands of these messages between 1 and 6 am and then it just goes away by 6 am....

    Jul 16, 2009 5:51:38 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 61.81.128.240: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 122.163.61.209: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 119.65.226.8: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 78.172.113.98: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 119.65.226.8: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 12.101.134.21: - message rejected.
    Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 218.144.167.222: - message rejected.

    Is the appliance just getting slammed and it is taking longer to respond? Or is something wrong with the appliance? I also looked at the inbound email dashboard summaries and between 1 and 6 am the graph shows that during that same window the appliance accepted 50% less email. Then around 6 am it's back up to the normal load of emails...

    Any thoughts?

    Stephen



  • 2.  RE: SMTP Monitoring issues

    Posted Jul 16, 2009 11:04 AM
    Hi,

    I'm just wondering if you have the traffic shaping feature enabled on Symantec Brightmail Gateway or if there is a Symantec Brightmail Traffic Shaper (SBTS) appliance in front of your SBG.
    On SBG, that feature can be enabled / disabled under Reputation-> Connection Classification.

    Federico


  • 3.  RE: SMTP Monitoring issues

    Posted Jul 16, 2009 12:48 PM
    We do not have a Traffic Shaper in front of our SBG but Connection Classification is enabled...


  • 4.  RE: SMTP Monitoring issues

    Posted Jul 16, 2009 01:17 PM
    Suggest using the "mta-stats" command line tool to monitor the number of simultaneous connections to the box.  You may be getting hit with an unusually high number of connections. There are some tuning options available to you that can help.

    Here's my suggestion:

    When you are experiencing this problem, run "mta-stats" every 3 or 4 seconds, and capture the output. Look for patterns in the number of connections. Reply back with your results.


  • 5.  RE: SMTP Monitoring issues

    Posted Jul 28, 2009 01:44 PM
    We are having the issue right now...the logs are showing the same thing: Max Connections from different IPs. I did the mta-stats and we are showing 6000-7000 inbound listener connections.

    Jul 28, 2009 1:34:11 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 24.63.159.123: - message rejected.
    Jul 28, 2009 1:34:11 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 189.79.84.181: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 174.96.56.155: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 61.110.113.172: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 61.110.113.172: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 77.49.141.83: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 82.35.34.42: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 93.100.187.39: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 95.56.36.229: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 113.130.211.71: - message rejected.
    Jul 28, 2009 1:34:10 PM EDT Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 189.74.190.17: - message rejec


    Are we getting attacked???!!



  • 6.  RE: SMTP Monitoring issues

    Posted Jul 28, 2009 02:03 PM
    Just like that... the attack stopped... nothing in the logs any further. Checked mta-stats again and only 8 inbound listener connections...

    How can I tune BSG to handle these attacks? Reputation feature is turned on...


  • 7.  RE: SMTP Monitoring issues

    Posted Jul 29, 2009 05:38 PM
    mta-stats -w n (n=#seconds between outputs)




  • 8.  RE: SMTP Monitoring issues

    Posted Jul 29, 2009 05:49 PM
    Hi,

    Please, check this Article:

    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009060214212254

    Thank you,
    Marco Bicca



  • 9.  RE: SMTP Monitoring issues

    Posted Jul 30, 2009 08:34 AM
    Thanks for the replies but we've now identified that the issue is that we are getting hammered by spammers during certain times of the day. We normally avg anywhere from 5 to 10 connections per second. But during certain times overnight and even during the afternoon the other day, we get hit by spammers and the connections go up to 6000 - 7000 connections per second. This obviously hammers the appliance and it slows down in its SMTP response which is why our Monitoring goes off.

    So the question I have now is what can I do about these Spammer Attacks? It is definitely happening every night between 1 and 5am ET. You can see the example of the logs earlier in this thread. I'm using reputation service already.....
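
An added example, not part of any post in this thread: a small Python parser for the two-line "sieve: MAX connections" entries quoted above, which counts rejections per source host and per second so a burst can be sized from an exported log. The sample log is constructed (RFC 5737 documentation addresses), and the function names are this example's own, not anything shipped with the appliance.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the two-line entry format quoted in the thread.
# Addresses are RFC 5737 documentation ranges; the last entry is cut off on purpose.
SAMPLE_LOG = """\
Jul 16, 2009 5:51:38 AM EDT Warning MAIL03 (Inbound Email) MTA
sieve: MAX connections from host 192.0.2.10: - message rejected.
Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
sieve: MAX connections from host 198.51.100.7: - message rejected.
Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
sieve: MAX connections from host 203.0.113.5: - message rejected.
Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
sieve: MAX connections from host 198.51.100.7: - message rejected.
Jul 16, 2009 5:51:37 AM EDT Warning MAIL03 (Inbound Email) MTA
sieve: MAX
"""

# Header line: timestamp, zone abbreviation (ignored), then the severity.
STAMP = re.compile(r"^\s*(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) [A-Z]{2,4} Warning\b")
REJECT = re.compile(r"^\s*sieve: MAX connections from host (\d{1,3}(?:\.\d{1,3}){3}):")

def parse_rejections(text):
    """Pair each header line with the rejection line after it; skip cut-off entries."""
    events, stamp = [], None
    for line in text.splitlines():
        header = STAMP.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        reject = REJECT.match(line)
        if reject and stamp is not None:
            events.append((stamp, reject.group(1)))
        stamp = None  # a header applies only to the line directly after it
    return events

def summarize(events):
    """Total rejections, distinct hosts, busiest second, and the top host's share."""
    if not events:
        return {"rejections": 0, "distinct_hosts": 0, "peak_per_second": 0,
                "top_host": None, "top_host_share": 0.0}
    per_host = Counter(host for _, host in events)
    per_second = Counter(when for when, _ in events)
    top_host, top_count = per_host.most_common(1)[0]
    return {"rejections": len(events), "distinct_hosts": len(per_host),
            "peak_per_second": max(per_second.values()),
            "top_host": top_host, "top_host_share": top_count / len(events)}

if __name__ == "__main__":
    print(summarize(parse_rejections(SAMPLE_LOG)))
```

A low top_host_share across many distinct hosts means the rejections are spread over many sources rather than coming from one noisy sender, which is worth knowing before changing any per-host limit.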




  • 10.  RE: SMTP Monitoring issues

    Posted Jul 30, 2009 01:36 PM
    Hi there,

    Have you altered your bad senders policy at all under the Reputation?
    Here is what my default install looks like:



     Is yours different to that?

    //ian


  • 11.  RE: SMTP Monitoring issues

    Posted Jul 30, 2009 10:51 PM

     This is what ours looks like. Before we upgraded to BSG 8, we were using DHA and Email Virus Attack so I guess it just left it enabled after the upgrade. Should I disable those two features like your default install is?




  • 12.  RE: SMTP Monitoring issues

    Posted Aug 06, 2009 03:47 PM
    Still happening each night between 1 and 6am EST.


  • 13.  RE: SMTP Monitoring issues

    Posted Feb 09, 2010 09:38 AM
    Hi dnslammers,

    Did anything help to resolve this issue, or did the issue just disappear by itself?

    Thanks

    Adnan


  • 14.  RE: SMTP Monitoring issues

    Posted Feb 10, 2010 02:23 PM
     Nope still have the issue. Any other ideas?

    Still get this between 1 and 6 am EST.

    Feb 10, 2010 5:47:04 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 210.131.210.2: - message rejected.
    Feb 10, 2010 5:47:04 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 64.191.134.147: - message rejected.
    Feb 10, 2010 5:47:04 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 75.103.120.222: - message rejected.
    Feb 10, 2010 5:47:03 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 59.90.240.101: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 207.53.196.156: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 62.109.189.248: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 95.132.216.34: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 59.96.176.181: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX connections from host 201.43.51.99: - message rejected.
    Feb 10, 2010 5:47:02 AM EST Warning MAIL03 (Inbound Email) MTA
    sieve: MAX