Timeout.command
It is common for zombie spam hosts to connect to a mail server, attempt to send their messages, and sit idle indefinitely, or at least until sendmail's Timeout.command is reached.
By default, sendmail will wait 1 hour for another command in server SMTP. The RFC minimum for Timeout.command is 5 minutes, which I recommend setting on all sendmail servers, as no legitimate system should take more than 5 minutes between SMTP commands.
This 5-minute limit does not terminate a connection that is still transferring a message after the SMTP DATA command; Timeout.command covers only the idle time between the completion of one SMTP command and the start of the next.
Add the following to sendmail.mc to lower Timeout.command to 5 minutes:
define(`confTO_COMMAND', `5m')dnl
Clients whose sessions are terminated with Timeout.command will appear in the maillog like this:
timeout waiting for input from [192.168.0.1] during server cmd read
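As an added example that is not part of the original page, the following Python script counts those maillog timeout messages per client IP and reports the addresses at or above a threshold. Unlike a ps-based check, this reads the log, so it also shows repeat offenders whose sessions have already been cut off. The sample log lines are constructed; the "hostname [ip]" form on one of them is an assumption about how sendmail names a resolvable client, and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not taken from the original page). The
# timeout message text is the one sendmail logs when Timeout.command fires;
# the "hostname [ip]" form on the fourth line is an assumption about how
# sendmail names clients whose address resolves.
SAMPLE_MAILLOG = """\
Oct  9 10:01:12 mx1 sendmail[12345]: timeout waiting for input from [192.168.0.1] during server cmd read
Oct  9 10:02:40 mx1 sendmail[12350]: l99E2e012350: from=<user@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, relay=[10.0.0.5]
Oct  9 10:05:03 mx1 sendmail[12360]: timeout waiting for input from [192.168.0.1] during server cmd read
Oct  9 10:07:19 mx1 sendmail[12371]: timeout waiting for input from mail.example.net [10.1.2.3] during server cmd read
Oct  9 10:09:55 mx1 sendmail[12380]: timeout waiting for input from [192.168.0.1] during server cmd read
"""

# Matches the Timeout.command message; an optional hostname may precede the
# bracketed client address.
TIMEOUT_RE = re.compile(
    r"timeout waiting for input from (?:\S+ )?"
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\] during server cmd read"
)


def count_cmd_read_timeouts(lines):
    """Return a Counter mapping client IP -> number of Timeout.command hits."""
    counts = Counter()
    for line in lines:
        match = TIMEOUT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` timeouts, most frequent first."""
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    threshold = 2
    counts = count_cmd_read_timeouts(SAMPLE_MAILLOG.splitlines())
    print(f"Clients with {threshold} or more Timeout.command hits\n")
    for ip, n in offenders(counts, threshold):
        print(f"{ip:<15} ({n})")
```

To run it against a real server, pass the lines of the maillog (for example from an open file handle) to count_cmd_read_timeouts instead of SAMPLE_MAILLOG, and pick a threshold suited to the mail volume.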
The following Perl script will show IPs with at least $threshold connections in CMD READ on a Solaris system.
#!/usr/local/bin/perl
use strict;
use warnings;

my %cmd_read;       # client IP => number of sendmail server processes in "cmd read"
my $threshold = 10;

# Each sendmail child waiting for the next SMTP command shows
# "sendmail: server ... [<ip>] cmd read" as its process title.
foreach (`/usr/ucb/ps axuww | /usr/bin/egrep 'sendmail: server.*cmd read'`) {
    $cmd_read{$1}++ if (/sendmail:\sserver.*\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]\scmd\sread$/);
}

# Subroutine to sort hash by ascending value
sub hashValueAscendingNum {
    $cmd_read{$a} <=> $cmd_read{$b};
}

print "List of IPs with $threshold connections or greater in CMD READ\n\n";

# Print sorted results
foreach my $key (sort hashValueAscendingNum (keys(%cmd_read))) {
    printf "%-15s (%-d)\n", $key, $cmd_read{$key} if ($cmd_read{$key} >= $threshold);
}
Example output:
List of IPs with 10 connections or greater in CMD READ
192.168.0.1 (12)
Last modified: 2007/10/09