It is common for zombie spam hosts to connect to a mail server, attempt to send their messages, and sit idle indefinitely, or at least until sendmail's Timeout.command is reached.

By default, sendmail will wait 1 hour for another command in server SMTP. The RFC minimum for Timeout.command is 5 minutes, which I recommend setting on all sendmail servers, as no legitimate system should take more than 5 minutes between SMTP commands.

This 5 minute limit does not mean that a connection will be terminated if it is in the process of the SMTP DATA command; Timeout.command refers to the time between completion of a previous SMTP command and start of a new SMTP command.

Add the following to sendmail.mc to lower Timeout.command to 5 minutes:
define(`confTO_COMMAND', `5m')dnl

Clients whose sessions are terminated with Timeout.command will appear in the maillog like this:
timeout waiting for input from [] during server cmd read

The following Perl script will show IPs with at least $threshold connections in CMD READ on a Solaris system.


use strict;

my %cmd_read;
my $threshold = 10;

foreach (`/usr/ucb/ps axuww | /usr/bin/egrep 'sendmail: server.*cmd read'`) {
   $cmd_read{$1}++ if (/sendmail:\sserver.*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\scmd\sread$/);

# Subroutine to sort hash by ascending value
sub hashValueAscendingNum {
   $cmd_read{$a} <=> $cmd_read{$b};

print "List of IPs with $threshold connections or greater in CMD READ\n\n";

# Print sorted results
foreach my $key (sort hashValueAscendingNum (keys(%cmd_read))) {
   printf "%-15s (%-d)\n", $key, $cmd_read{$key} if
      ($cmd_read{$key} >= $thresho

Example output:

List of IPs with 10 connections or greater in CMD READ   (12)

Back to brandonhutchinson.com.
Last modified: 2007/10/09