Mail5 / 11/3/2005 12:00p

[Vantage]

We are working on the issue. There are 1800 connections to mail5 at the moment. All of these new virus spams are taking up all of the smtp connections.

[rheide]

It looks like this issue is going into its 21st hour. Has Vortech really been working on this for the last 21 hours with no solution or did you think that it was fixed and it "broke" again?

At this point I'm at a loss as to what to tell my customers. :-)

** I can send emails at the moment, but I can tell something is wrong based on how long it takes. **

[bubba]

How do you switch to another mail server?

b

[Vantage]

The issue is not a vortech issue. We have been through this before (As other resellers can tell you) when a new virus comes out. Holiday weekends are a very popular time for things like this.
The mail servers are just gitting hit so hard that they run out of connections.

Normaly mail5 has anywhere from 150 to 300 connections durring a busy day. at the moment there are 1800 connections open to it. That is a serious jump in connections and we have to process the mail comming in over the connections. This is taking time, and the connections are building up.

At the moment there are no issues. If we see the problem again we will clean out the connections again. We are looking for ways to kill off the bad connections, but we dont want to start rejecting mail from places like AOL and Gmail accidently.

[rheide]

Vantage, I think I can speak for most users on mail5. This consistenance lately for this mail server to have issues is just too high. If each one of the my mail servers experienced this once in a few months, it wouldn't be a big deal but mail5 has consistently had issues. Maybe its bad luck, maybe a user on the server is being attacked (I just made that up), but something. I'm not suggesting that you guys are doing anything wrong

Anyway, I would gladly open up my space on the server and move to a different mail server. I'll let someone else enjoy it for awhile.

Can you tell us if there is an easy way to move our clients (who will still stick with us) to a different mail server?

*** I've had an email sitting in my outbox for 10 minutes now, is that what should be happening right now? **

A few questions:

If this is due to a virus, why aren't all the mail servers experiencing the same thing? What would cause mail5 to get drilled as opposed to all the other servers (which seem to be working just fine)

Why are the emails being sent multiple times? IE. My client received 9 copies of the email I tried to send him. Why would the excessive connections cause the email to be sent 9 times. Seems like it would be working 9x as hard.

[Garreg]

Is this problem affecting any other mail servers? I've just had to turn the 'contact us' form off on m site due to SPAM... (I've opened a ticket) They are all coming from (or pretending to be) Unix17. The mail server I use is Mail3.

[streamlineweb]

For all those having issues with "contact us" form spam, I have the solution. If an admin could start a new thread with this message in it as well, I would be thankful, as for some reason right now I do not have access to start a new thread.

Here we go......

The exploit comes from adding additional line feeds and breaks and header info into a field you use while setting up your header for the email.

Namely, this field is your email field.

For example I could place into your contact form email field the following:

"sample@abc.com\r\n\r\nBcc:PLACE_ALL_SPAM_EMAILS_H ERE"

As all of us traditionally build our headers for the email, this would insert all of those additional emails, as well as any other header files they want to include using the same hack.


So.......

The solution is pretty simple, and here's the PHP example:

1) Take your $_POST['email'] fields or equivelent, and strip all of the line breaks out via preg_replace.

$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);


2) Set up an IF statement to see if the POST field contains "bcc" (which is used in all of these exploits).... if it does, either ignore it or set it to email you the info as a spammer. Just be sure to hard code your to and from on this email and not use the probematic post fields. If it doesn't, let it email as usual.

if(preg_match("/bcc/i", $_POST['email'])){
Ignore or Email Myself a SPAMMER message
} else {
Email as usual
}



This little trick has pretty much stopped all contact form SPAM on my sites, and should be implemented across the board here at Vortech - I'm sure we'd see the email numbers drop dramatically.


Hope this helps!

[Brangwyn]

The biggest problem with the Virus or any virus for that matter, isn't the virus emails themselves, it's the extra load disinfecting the payload and the bounce messages that effectively doubles the load.

Certainly in this situation it isn't contact forms that are the culprit, this is a genuine virus that hit the wild about 4 days ago or so now thats causing the problem.

[Silverbug]

Quote:

"sample@abc.com\r\n\r\nBcc:PLACE_ALL_SPAM_EMAILS_H E RE"

thats really handy to know, cheers streamlineweb

[streamlineweb]

Oh, I agree that the latest craziness is not due to contact form spam alone, but the above solution has stopped, for one of my domains alone, about 90 contact form attacks a day, each containing hundreds of emails bcc'd in each message through the exploit.

Multiply that by the number of contact forms on Vortech servers..... it can add up. While it may not be the thing affecting performance, it very well could be contributing to the blacklisting we've seen.


-D

[generic]

just got my first support call about mail 5. still not allowing connecitons.

thought i was ok

[mresell]

I am extremely careful about what I will use as an email form.

[Craig_Smith]

Mail5 looks to be back and working again, but put in a ticket if your still having issues.

[opt2004]

I put a ticket in on the following issue earlier today.

I sent an email to support@vortechhosting.com this morning to report a problem that I was receiving duplicate emails to my email accounts. Well I guess that not only am I receiving duplicates, but everytime I send an email it is sending duplicates. After receiving over 30+ automatic emails from support (each with a unique ticket #), I received an email from support telling me that if I did not stop sending emails, they would turn off my email.
Well, I got on the phone and talked to tech support and let them know that I have only submitted one ticket and that the whole reason why I submitted the ticket was the same reason they were getting the duplicates.

This same situation has occurred at least 3 times in November. I am starting to think that nobody knows how to fix this problem.

OPT2004

[rheide]

Craig - I was told this was all due to a virus outbreak in general. So my question is, how would it all of a sudden be working fine? Does it mean the virus isn't sending emails at the moment? I'm just confused as to how something like this gets "resolved" since a virus would be out of the hands of Vortech. Thanks.