[BlueOnyx:21940] Re: SMTP freezes with AVSPAM

Jeff Folk jfolk at qzoneinc.com
Wed Apr 11 15:50:54 -05 2018


Thanks Michael,

> On Apr 11, 2018, at 3:13 PM, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> There are several AM components that monitor the components of the
> AV-SPAM (and Sendmail) and fire them up again if they are failing.
> Between AV-SPAM 6.3.0-1 (that you have) and the current 6.3.2-1 that
> mechanism also saw a few more improvements and it already works much
> better.
> 
> So it might help if you upgrade to the latest version.

I will consider this.

> 
>> Clearing the AV-SPAM database helps for a couple days, at the 
>> expense of losing all the learned rules… Not liking that.
>> 
>> Any suggestions?
> 
> There are a couple of other ways. Here is what I do. I have a cronjob
> which (about once a week) does this:
> 
> whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net \
>   103.103.232.23 | grep origin: | cut -d ' ' -f 6 | head -1) | grep -w \
>   "route:" | awk '{print $NF}' | sort -n > /etc/apf/glob_deny.rules
> 
> However: This is run on a 5209R, where "whois" supports the "-T"
> parameter. On EL6 it doesn’t.

Pretty cool.

> Another option: In the AV-SPAM in the "GeoIP"-Tab tick the checkbox
> "Block Blacklist entirely" and if you're adventurous also tick "Block
> Blacklist with APF" and make sure to have "CN" ticked under "Blacklist".

Alas, that is pretty much how my GeoIP looks. The only Asian countries allowed are Israel and Cyprus. APF isn’t installed on this box, so that option is not available. I’m assuming a China attack, as the IPs in Failed logins are all from China (from ssh attacks). Maybe I’m looking in the wrong room. It seems counter-intuitive to me that these ssh attacks would kill SMTP.

Thanks for the suggestions, and anything else you can think of.

Jeff
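Michael's cron pipeline quoted above looks up the origin AS of one address in RADB and then writes every route that AS announces into APF's deny file. The script below is an added example, not code from the list post or from the BlueOnyx project: it parses constructed sample whois replies (the live queries are shown in a comment at the end and need network access plus a whois that accepts -T, which the thread notes EL6 lacks) by matching on the attribute name with awk instead of fixed `cut` columns, so varying padding in the whois output cannot shift the ASN into the wrong field, and it only passes well-formed IPv4 CIDR prefixes through to the rules file. AS64500, the sample prefixes and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post or the BlueOnyx project.
# Turns RADB whois output into a plain list of CIDR prefixes suitable for
# APF's glob_deny.rules. The whois replies below are CONSTRUCTED sample
# data (AS64500 and the 198.51.100/203.0.113 prefixes are reserved for
# documentation); a live run replaces them with the whois calls at the end.

# Reply to "whois -h whois.radb.net 103.103.232.23" (constructed).
SAMPLE_ORIGIN_LOOKUP='route:          103.103.232.0/24
descr:          constructed example prefix
origin:         AS64500
mnt-by:         MAINT-EXAMPLE
source:         RADB'

# Reply to "whois -h whois.radb.net -i origin -T route AS64500" (constructed).
# The duplicate and the malformed route line are there to exercise the filter.
SAMPLE_ROUTE_LOOKUP='route:          203.0.113.0/24
origin:         AS64500
source:         RADB

route:          103.103.232.0/24
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
origin:         AS64500
source:         RADB

route:          203.0.113.0/24
origin:         AS64500
source:         RADB

route:          not-a-prefix
origin:         AS64500
source:         RADB'

# First origin ASN in the whois reply on stdin. Matching on the attribute
# name instead of "cut -d ' ' -f 6" keeps working when the amount of
# padding between "origin:" and the value changes.
origin_asn() {
  awk 'tolower($1) == "origin:" { print $2; exit }'
}

# Route prefixes from the whois reply on stdin, one per line, sorted and
# de-duplicated. Only syntactically valid IPv4 CIDR values pass, so a
# malformed reply cannot put junk into the firewall rules file.
route_prefixes() {
  awk 'tolower($1) == "route:" &&
       $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $2 }' | sort -u
}

# Offline demonstration on the constructed data: ASN goes to stderr,
# the prefix list (what would be redirected into glob_deny.rules) to stdout.
deny_rules_demo() {
  asn=$(printf '%s\n' "$SAMPLE_ORIGIN_LOOKUP" | origin_asn)
  echo "origin AS: $asn" >&2
  printf '%s\n' "$SAMPLE_ROUTE_LOOKUP" | route_prefixes
}

deny_rules_demo

# Live equivalent of the pipeline from the thread (needs network access and
# a whois that accepts -T). Review the output before redirecting it into
# /etc/apf/glob_deny.rules, since it blocks every customer of that AS:
#   asn=$(whois -h whois.radb.net 103.103.232.23 | origin_asn)
#   whois -h whois.radb.net -i origin -T route "$asn" | route_prefixes
```

The output is deduplicated with `sort -u` rather than `sort -n`, because the same prefix can appear more than once in RADB and numeric sorting of CIDR strings adds nothing. Blocking every route of an AS also blocks that AS's legitimate customers, so the list is worth a look before APF is reloaded with it.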





