Full Version: Exim Bringing Server Down!!
The Planet Forums > Control Panels > cPanel/WHM
sree
-This morning I noticed that server was repeatedly being rebooted by SIM(works) because load was well above 45 or even 200

-When I checked I found too many instances of exim receiving messages. I think there were hundreds of them like below
mailnull 27430 0.2 0.2 6384 2976 ? D 17:48 0:00 /usr/sbin/exim -bd -q60m
mailnull 27432 0.2 0.2 6388 3004 ? D 17:48 0:00 /usr/sbin/exim -bd -q60m
mailnull 27435 0.3 0.2 6380 2996 ? D 17:48 0:00 /usr/sbin/exim -bd -q60m

A few minutes after I could ssh in, SIM would reboot due to exim load.

I quickly chmod 644 /usr/sbin/exim and
/sbin/service exim stop

Server load became below 0.10

Then
-I edited exim.conf and reduced this to 30 instead of 100
smtp_accept_max = 30

chmod 4755 /usr/sbin/exim and restarted.. load came under control

--I scanned the exim_mainlog and picked out thousands of
IPs that were attempting to connect to server
--I firewalled all these IPs in apf
--I have no open proxies (verified)
--rbl tweak is enabled in exim(works)
--I have disabled nobody from sending mail from beginning.(verified)
--FormMail.pl has already been protected from abuse.(verified)
--Blacklisted sites cannot send mail via this server(verified)
--SMTP needs authentication (verified)

Now server load is back to normal... but still I see many spurious connections attempting to come when I
tail -f /var/log/exim_mainlog

What more can I do to handle incoming mail attack????
Is this some common attack happening on the net?

Any help/pointers would be of great help.. thanks..

-Sree

---by the way SIM Works :)
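A small log-triage script for the step Sree describes above (picking the most active connecting IPs out of exim_mainlog before deciding what to firewall). This is an added example, not the poster's own commands; it assumes the "SMTP connection from [ip]" line format Exim writes to exim_mainlog, uses constructed sample lines with documentation addresses, and leaves the threshold to you.

```python
import re
from collections import Counter

# One inbound SMTP connection as logged by Exim in exim_mainlog, e.g.
#   2004-01-28 02:40:01 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
# An optional resolved hostname may precede the bracketed IP. The end-of-line
# anchor deliberately skips "... [ip] lost" / "... closed by QUIT" lines so a
# dropped connection is not counted a second time.
CONNECT_RE = re.compile(
    r"SMTP connection from (?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?: \(TCP/IP connection count = \d+\))?\s*$"
)


def connections_per_ip(lines):
    """Count inbound SMTP connections per source IP from exim_mainlog lines."""
    counts = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def noisy_ips(lines, threshold):
    """Return (ip, count) pairs with at least `threshold` connections, busiest first."""
    counts = connections_per_ip(lines)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample log lines (not from the thread); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2004-01-28 02:40:01 SMTP connection from [192.0.2.10] (TCP/IP connection count = 1)
2004-01-28 02:40:02 SMTP connection from [192.0.2.10] (TCP/IP connection count = 2)
2004-01-28 02:40:02 SMTP connection from [198.51.100.7] (TCP/IP connection count = 3)
2004-01-28 02:40:03 SMTP connection from [192.0.2.10] (TCP/IP connection count = 4)
2004-01-28 02:40:04 1AlXyz-0001Ab-00 <= user@example.org H=(mx.example.org) [198.51.100.7] P=esmtp S=2048
2004-01-28 02:40:05 SMTP connection from [203.0.113.5] (TCP/IP connection count = 4)
2004-01-28 02:40:06 SMTP connection from [192.0.2.10] lost
"""

if __name__ == "__main__":
    # Review the output by hand before adding anything to apf; a busy legitimate
    # relay can look just like a flood on a raw connection count.
    for ip, n in noisy_ips(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{ip}\t{n} connections")
```

Against a real log, feed it `open("/var/log/exim_mainlog")` instead of the sample and pick a threshold from what your normal traffic looks like.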
eth00
Yea that new virus that launches against SCO is pretty bad today. I saw someplace something like 1/10 to 1/12 emails was infected with the virus. Though I have not been hit that bad some have, basically you have to weather it for the most part. Some people have shut down mail... You might be able to setup a filter for it but not sure how much that would actually help because it still has to process it.
sree
Now my server load is around 1 and I have tightened MailScanner.conf, which is now configured to delete suspected
messages instead of delivering them.

Load comes immediately under control when I add target
domains in the /etc/rblblacklist

Thanks,
-Sree
bilco105
CPU on most servers will be running high, no matter what mail program they have installed.

It is due to this new virus out, that is forwarding itself on and so forth.

There is a how-to somewhere in here, that says how-to tighten up your mailscanner.conf in order for it to protect against this new virus.

A quick freshclam command should fix most problems, if you have mailscanner connected to clam obviously :P
sree
Yes, of course clam+mailscanner was installed already
and now I did.

freshclam
Current working dir is /usr/share/clamav
Checking for a new database - started at Wed Jan 28 02:41:12 2004
Connected to clamav.cpanel.net.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
Downloading viruses.db2 ......... done
Database updated (containing in total 20582 signatures).
Database updated from clamav.cpanel.net.

Thanks for the tip...
-Sree
sree
Is it alright to run freshclam hourly ?
-Sree