Dramatic increase in "did not issue MAIL/EXPN/VRFY/ETRN ..."

[grendelos]

Greetings,

I am seeking suggestions on what to investigate with the following problem:

Beginning about January 13th, I have seen a 300 to 500% jump in my maillog of the error message:

[(remote ip)] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Normally I attribute such errors to spammers and port scans but last week I was informed of 2 legitimate emails that a remote sender could not send to two of my users and when I investigated it, I found the above error message associated with the senders IP address.

Bear in mind that we were still receiving email, so the problem seems to be with only particular IP addresses.

I checked my backup Sendmail server and found a similar increase in this type of error message.

I worked with this problem for about 24 hours and finally out of fear of losing legit email, I moved my (cringe) MS IIS SMTP server into the primary position. Once I did that, the IPs that were showing the error message in my sendmail log were connecting and getting thru on my MS IIS SMTP server. Now my Sendmail servers are in the secondary and tertiary positions and still are showing a high number of the error message listed above.

I have created from scratch, a new Sendmail server and it also has a large number of these error messages.

So the short version is, on Sendmail server 1 and 2, some email gets thru, some does not (with error message above). With the MS IIS SMTP server, email that does not get thru on Sendmail 1 and 2, does get thru.

I am open to suggestions and am willing to share configuration information that does not compromise security.

Thank you,
grendelos

 

[RhythmAce]

I tend to agree with your suspicians. That error you are getting isn't much help. It simply means that something connected but didn't do anything. So as you say, most of the time it's something scanning your ports. But with this happening so often, I'd turn my suspicians toward the server timing out before aconnection is made. This can be from overload or from something in the config file being set to low. There are a lot timeouts one could set but if you look in sendmail.mc most of them have the form of confTO_SOMETHING. The value is usually in miliseconds to wait for something to happen before timing out. Sorry I'm not much help but I don't know why this would just start all of a sudden if you haven't made any changes to the server. It is anybody's guess as to where this could lead. It's not unheard of to trace this problem all the way to the kernel.

 

[grendelos]

Thanks RhythmAce for the suggestion. I have double checked my config and I don't think this is the problem. By running my log level at -15, it appears that the connection and loss thereof happens all in the same second.

Concerning kernels, I have tried with 2 different kernels so far.

And I guess I should add that you are correct in that nothing had changed on either Sendmail server before the problem occurred.

grendelos

 

[grendelos]

Oh, and one other piece of information, during my troubleshooting, I setup a Postfix server which encountered similar error messages.

grendelos

 

[RhythmAce]

Can you make anything of the remote ip addresses. I wonder if it's a sad attempt at a DOS attack on your mail server. Other than the connection failures, has the overall mail activity increased? Are you getting any more junk mail than usual?

 

[grendelos]

The remote ips are all over the board and from the name resolution, you can tell alot of it is probably from spambots.

Volume wise, if you exclude all of the MAIL/EXPN/VRFY/ETRN errors, it is actually down, which in a way, makes sense because a high number of messages are not getting through. It would be difficult to count by including the error messages because a sizable number of the errors are periodic retries.

grendelos

 

[RhythmAce]

Since it is happening to whatever mail server you are running, I'd say it is some kind of attack on port 25 at your ip.

 

[grendelos]

The problem is it is only happening to my Sendmail servers. The MS IIS SMTP server accepts without any problem. And if it is an attack, they figured out very quickly when I added a new server to the network when troubleshooting.

It also seems that if it were a DOS, I would see one error right after another and I am not. There could be several minutes between errors and in the meantime, I accept (or reject based on dnsbl).

I have not completely ruled an attack out yet, but it is not a perfect answer.

grendelos

 

[RhythmAce]

sorry - I misunderstood you. I thought you put up the other servers and were getting the same thing - my bad.