Koozali.org formerly Contribs.org

qpsmtpd-forkserver processes puts a high load on the server

holck
« on: January 05, 2019, 09:53:25 AM »
Recently, I've had two incidents where qpsmtpd-forkserver puts a high load on my server. Here is a snip from the output from top:

Code:
top - 09:27:35 up 13 days,  9:19,  1 user,  load average: 0.21, 0.32, 0.32
...

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
29996 qpsmtpd   20   0  152m  40m 4252 S 20.6  1.1   0:00.62 qpsmtpd-forkser
 3139 root      20   0 1587m  21m 1908 S  0.3  0.6  62:01.88 fail2ban-server
Usually, the load averages are only a few percent.

Searching for the qpsmtpd-forkserver processes shows that new processes keep turning up, connected to the same remote IP address:

Code:
28409 ?        S      0:15 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
29614 ?        S      0:24 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
29999 ?        S      0:00 /usr/bin/qpsmtpd-forkserver [190.64.84.98 : r190-64-84-98.su-static.adinet.com.uy : 09:27:41 2019-01-05]
30000 ?        S      0:00 /usr/bin/qpsmtpd-forkserver [103.207.37.246 : Unknown : 09:27:42 2019-01-05]
...
28409 ?        S      0:15 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
29614 ?        S      0:24 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
30014 ?        R      0:00 /usr/bin/qpsmtpd-forkserver [103.207.37.246 : Unknown : 09:28:02 2019-01-05]
...
28409 ?        S      0:15 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
29614 ?        S      0:24 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
30023 ?        R      0:00 /usr/bin/qpsmtpd-forkserver [103.207.37.246 : Unknown : 09:28:16 2019-01-05]
...
28409 ?        S      0:15 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
29614 ?        S      0:24 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
30030 ?        Z      0:00 [qpsmtpd-forkser] <defunct>
...
28409 ?        S      0:15 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 465 -c 10 -m 5
29614 ?        S      0:24 /usr/bin/perl -Tw /usr/bin/qpsmtpd-forkserver -u qpsmtpd -l 0.0.0.0 -p 25 -c 40 -m 5
30034 ?        S      0:00 /usr/bin/qpsmtpd-forkserver [103.207.37.246 : Unknown : 09:28:32 2019-01-05]

This just goes on and on...

If I ban the remote IP-address, using fail2ban, the problem is gone:
Code:
$ sudo fail2ban-client set qpsmtpd banip 103.207.37.246
Code:
top - 09:30:48 up 13 days,  9:22,  1 user,  load average: 0.12, 0.24, 0.28
...

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
  481 squid     20   0  144m  80m 4388 S  0.3  2.1   1:06.91 squid 
 3139 root      20   0 1587m  21m 1908 S  0.3  0.6  62:02.43 fail2ban-server
Is this something to worry about?

Happy new year, and a warm thank you to everyone contributing to SME :-)
« Last Edit: January 05, 2019, 09:59:02 AM by holck »

mmccarn
« Reply #1 on: January 05, 2019, 01:51:59 PM »
That IP is located in Vietnam, and is listed on 14 different blocklists:
https://ipinfo.io/103.207.37.246
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a103.207.37.246&run=toolpage#

Were the connections blocked by the qpsmtpd rbl plugin?

If not, why not?

If so, why didn't fail2ban block the attacking IP automatically?

Are there any attacks on services other than smtp from the same IP?

holck
« Reply #2 on: January 06, 2019, 09:10:22 AM »
Quote:
That IP is located in Vietnam, and is listed on 14 different blocklists:
https://ipinfo.io/103.207.37.246
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a103.207.37.246&run=toolpage#

Quote:
Were the connections blocked by the qpsmtpd rbl plugin?
No

Quote:
If not, why not?
Apparently qpsmtpd-forkserver never got so far. The IP-address wasn't checked.

Quote:
Are there any attacks on services other than smtp from the same IP?
No, I haven't been able to find any other attacks.


mmccarn
« Reply #3 on: January 06, 2019, 04:21:49 PM »
Quote:
No
Apparently qpsmtpd-forkserver never got so far. The IP-address wasn't checked.
No, I haven't been able to find any other attacks

You might want to review your RBL configuration, and consider enabling one of the services that lists this IP. If you already have one or more of the listing services enabled, you might want to adjust other settings somewhere.

The 'naughty' plugin changes the dnsbl disconnect behavior in a way that may be causing you headaches.

I made some customizations to the helo plugin on my SME to identify misbehaving remote systems earlier in the connection (at the risk of causing problems for remote users): https://forums.contribs.org/index.php?topic=53223.0

holck
« Reply #4 on: January 07, 2019, 11:18:39 AM »
Thanks for the advice

I already use Spamhaus Zen, which catches a lot of bad-behaving IP addresses, including the IP address in question. As I see it, qpsmtpd-forkserver gets stuck early in the connection, even before the IP address is checked against the various blacklists.

I will look into the post you mention and consider modifying the helo plugin...

Thanks,
Jesper

« Reply #5 on: January 11, 2019, 10:50:31 PM »
Quote:
Recently, I've had two incidents where qpsmtpd-forkserver puts a high load on my server.

It would be useful if you could use tcpdump to collect a packet capture of what that address is sending to port 25 which is causing qpsmtpd to use a lot of CPU. Perhaps there is something that can be fixed in qpsmtpd to recognise the bad behaviour and disconnect.

Quote:
Searching for the qpsmtpd-forkserver processes shows that new processes keep turning up, connected to the same remote IP address:

...

This just goes on and on...

So maybe it is not sending anything, but just opening lots of connections...
« Last Edit: January 11, 2019, 10:53:03 PM by CharlieBrady »

holck
« Reply #6 on: January 18, 2019, 08:48:37 AM »
Below is a sample output from tcpdump. 192.99.7.175 is the remote IP address.

Code:
08:42:29.735857 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [P.], seq 1384180636:1384180670, ack 219308459, win 115, length 34
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  004a 0134 4000 4006 e7a4 0567 845a c063  .J.4@.@....g.Z.c
        0x0020:  07af 0019 b582 5280 eb9c 0d12 61ab 5018  ......R.....a.P.
        0x0030:  0073 5210 0000 3232 3020 6b61 726f 6c69  .sR...220.karoli
        0x0040:  6e65 2e69 6273 6761 6172 6465 6e2e 646b  ne.ibsgaarden.dk
        0x0050:  2045 534d 5450 0d0a                      .ESMTP..
08:42:29.831910 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [P.], seq 1:15, ack 34, win 256, length 14
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4502  ....Uy..../@..E.
        0x0010:  0036 5635 4000 6906 69b7 c063 07af 0567  .6V5@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61ab 5280 ebbe 5018  .Z......a.R...P.
        0x0030:  0100 5049 0000 4548 4c4f 2055 4a54 4f73  ..PI..EHLO.UJTOs
        0x0040:  514b 0d0a                                QK..
08:42:29.832016 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [.], ack 15, win 115, length 0
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4500  ..../@....Uy..E.
        0x0010:  0028 0135 4000 4006 e7c7 0567 845a c063  .(.5@.@....g.Z.c
        0x0020:  07af 0019 b582 5280 ebbe 0d12 61b9 5010  ......R.....a.P.
        0x0030:  0073 fae7 0000                           .s....
08:42:29.834926 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [P.], seq 34:159, ack 15, win 115, length 125
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  00a5 0136 4000 4006 e747 0567 845a c063  ...6@.@..G.g.Z.c
        0x0020:  07af 0019 b582 5280 ebbe 0d12 61b9 5018  ......R.....a.P.
        0x0030:  0073 526b 0000 3235 302d 6962 7367 6161  .sRk..250-ibsgaa
        0x0040:  7264 656e 2e64 6b20 4869 206e 7335 3038  rden.dk.Hi.ns508
        0x0050:  3037 332e 6970 2d31 3932 2d39 392d 372e  073.ip-192-99-7.
        0x0060:  6e65 7420 5b31 3932 2e39 392e 372e 3137  net.[192.99.7.17
        0x0070:  355d 0d0a 3235 302d 5049 5045 4c49 4e49  5]..250-PIPELINI
        0x0080:  4e47 0d0a 3235 302d 3842 4954 4d49 4d45  NG..250-8BITMIME
        0x0090:  0d0a 3235 302d 5349 5a45 2035 3030 3030  ..250-SIZE.50000
        0x00a0:  3030 300d 0a32 3530 2053 5441 5254 544c  000..250.STARTTL
        0x00b0:  530d 0a                                  S..
08:42:29.951556 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [P.], seq 15:27, ack 159, win 256, length 12
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4502  ....Uy..../@..E.
        0x0010:  0034 5636 4000 6906 69b8 c063 07af 0567  .4V6@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61b9 5280 ec3b 5018  .Z......a.R..;P.
        0x0030:  0100 9e40 0000 4155 5448 204c 4f47 494e  ...@..AUTH.LOGIN
        0x0040:  0d0a                                     ..
08:42:29.952540 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [P.], seq 159:185, ack 27, win 115, length 26
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  0042 0137 4000 4006 e7a9 0567 845a c063  .B.7@.@....g.Z.c
        0x0020:  07af 0019 b582 5280 ec3b 0d12 61c5 5018  ......R..;..a.P.
        0x0030:  0073 5208 0000 3530 3020 556e 7265 636f  .sR...500.Unreco
        0x0040:  676e 697a 6564 2063 6f6d 6d61 6e64 0d0a  gnized.command..
08:42:30.048946 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [F.], seq 27, ack 185, win 255, length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0028 5637 4000 6906 69c5 c063 07af 0567  .(V7@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61c5 5280 ec55 5011  .Z......a.R..UP.
        0x0030:  00ff f9b7 0000 0000 0000 0000            ............
08:42:30.067676 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [F.], seq 185, ack 28, win 115, length 0
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4500  ..../@....Uy..E.
        0x0010:  0028 0138 4000 4006 e7c4 0567 845a c063  .(.8@.@....g.Z.c
        0x0020:  07af 0019 b582 5280 ec55 0d12 61c6 5011  ......R..U..a.P.
        0x0030:  0073 fa42 0000                           .s.B..
08:42:30.132882 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [SEW], seq 4153497208, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0034 5638 4000 6a06 68b8 c063 07af 0567  .4V8@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5678 0000 0000 80c2  .Z......Vx......
        0x0030:  2000 c497 0000 0204 05b4 0103 0308 0101  ................
        0x0040:  0402                                     ..
08:42:30.132960 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [S.E], seq 359390978, ack 4153497209, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4500  ..../@....Uy..E.
        0x0010:  0034 0000 4000 4006 e8f0 0567 845a c063  .4..@.@....g.Z.c
        0x0020:  07af 0019 e9c1 156b df02 f791 5679 8052  .......k....Vy.R
        0x0030:  3908 b791 0000 0204 05b4 0101 0402 0103  9...............
        0x0040:  0307                                     ..
08:42:30.163693 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [.], ack 186, win 255, length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0028 5639 4000 6906 69c3 c063 07af 0567  .(V9@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61c6 5280 ec56 5010  .Z......a.R..VP.
        0x0030:  00ff f9b6 0000 0000 0000 0000            ............
08:42:30.233249 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [.], ack 1, win 256, length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0028 563a 4000 6a06 68c2 c063 07af 0567  .(V:@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5679 156b df03 5010  .Z......Vy.k..P.
        0x0030:  0100 30ac 0000 0000 0000 0000            ..0.........
08:42:31.623741 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [P.], seq 1:35, ack 1, win 115, length 34
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  004a 2d04 4000 4006 bbd4 0567 845a c063  .J-.@.@....g.Z.c
        0x0020:  07af 0019 e9c1 156b df03 f791 5679 5018  .......k....VyP.
        0x0030:  0073 5210 0000 3232 3020 6b61 726f 6c69  .sR...220.karoli
        0x0040:  6e65 2e69 6273 6761 6172 6465 6e2e 646b  ne.ibsgaarden.dk
        0x0050:  2045 534d 5450 0d0a                      .ESMTP..
08:42:31.724155 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [P.], seq 1:17, ack 35, win 256, length 16
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0038 563b 4000 6a06 68b1 c063 07af 0567  .8V;@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5679 156b df25 5018  .Z......Vy.k.%P.
        0x0030:  0100 d9b3 0000 4548 4c4f 2066 6578 6b66  ......EHLO.fexkf
        0x0040:  5962 6d75 0d0a                           Ybmu..
08:42:31.724261 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [.], ack 17, win 115, length 0
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4500  ..../@....Uy..E.
        0x0010:  0028 2d05 4000 4006 bbf7 0567 845a c063  .(-.@.@....g.Z.c
        0x0020:  07af 0019 e9c1 156b df25 f791 5689 5010  .......k.%..V.P.
        0x0030:  0073 3107 0000                           .s1...
08:42:31.727179 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [P.], seq 35:160, ack 17, win 115, length 125
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  00a5 2d06 4000 4006 bb77 0567 845a c063  ..-.@.@..w.g.Z.c
        0x0020:  07af 0019 e9c1 156b df25 f791 5689 5018  .......k.%..V.P.
        0x0030:  0073 526b 0000 3235 302d 6962 7367 6161  .sRk..250-ibsgaa
        0x0040:  7264 656e 2e64 6b20 4869 206e 7335 3038  rden.dk.Hi.ns508
        0x0050:  3037 332e 6970 2d31 3932 2d39 392d 372e  073.ip-192-99-7.
        0x0060:  6e65 7420 5b31 3932 2e39 392e 372e 3137  net.[192.99.7.17
        0x0070:  355d 0d0a 3235 302d 5049 5045 4c49 4e49  5]..250-PIPELINI
        0x0080:  4e47 0d0a 3235 302d 3842 4954 4d49 4d45  NG..250-8BITMIME
        0x0090:  0d0a 3235 302d 5349 5a45 2035 3030 3030  ..250-SIZE.50000
        0x00a0:  3030 300d 0a32 3530 2053 5441 5254 544c  000..250.STARTTL
        0x00b0:  530d 0a                                  S..
08:42:31.827647 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [P.], seq 17:29, ack 160, win 256, length 12
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0034 563c 4000 6a06 68b4 c063 07af 0567  .4V<@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5689 156b dfa2 5018  .Z......V..k..P.
        0x0030:  0100 d45f 0000 4155 5448 204c 4f47 494e  ..._..AUTH.LOGIN
        0x0040:  0d0a                                     ..
08:42:31.828641 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [P.], seq 160:186, ack 29, win 115, length 26
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  0042 2d07 4000 4006 bbd9 0567 845a c063  .B-.@.@....g.Z.c
        0x0020:  07af 0019 e9c1 156b dfa2 f791 5695 5018  .......k....V.P.
        0x0030:  0073 5208 0000 3530 3020 556e 7265 636f  .sR...500.Unreco
        0x0040:  676e 697a 6564 2063 6f6d 6d61 6e64 0d0a  gnized.command..
08:42:31.929098 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [F.], seq 29, ack 186, win 255, length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0028 563d 4000 6a06 68bf c063 07af 0567  .(V=@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5695 156b dfbc 5011  .Z......V..k..P.
        0x0030:  00ff 2fd7 0000 0000 0000 0000            ../.........
08:42:31.947704 IP 5.103.132.90.smtp > 192.99.7.175.59841: Flags [F.], seq 186, ack 30, win 115, length 0
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4500  ..../@....Uy..E.
        0x0010:  0028 2d08 4000 4006 bbf4 0567 845a c063  .(-.@.@....g.Z.c
        0x0020:  07af 0019 e9c1 156b dfbc f791 5696 5011  .......k....V.P.
        0x0030:  0073 3062 0000                           .s0b..
08:42:32.048059 IP 192.99.7.175.59841 > 5.103.132.90.smtp: Flags [.], ack 187, win 255, length 0
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4500  ....Uy..../@..E.
        0x0010:  0028 563e 4000 6a06 68be c063 07af 0567  .(V>@.j.h..c...g
        0x0020:  845a e9c1 0019 f791 5696 156b dfbd 5010  .Z......V..k..P.
        0x0030:  00ff 2fd6 0000 0000 0000 0000            ../.........

Does this give a clue about the problem?

Kind regards,
Jesper
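Added example, not code from the thread: a Python parser that turns tcpdump -X output like the capture above back into the SMTP dialogue of each connection, so what the remote host actually sends can be read without decoding hex by hand. It assumes the capture was taken on an Ethernet interface as above; the embedded SAMPLE is three packets excerpted from this post's capture (EHLO, AUTH LOGIN and the 500 reply), and the summary function is an assumed name, not a qpsmtpd facility.

```python
"""Reconstruct SMTP sessions from tcpdump -X output (added example, not code
from the thread). Each frame's Ethernet, IPv4 and TCP headers are walked to
reach the payload; packets are grouped by remote host:port and rendered as a
C:/S: transcript. SAMPLE is three packets excerpted from this post's capture."""
import re
from collections import defaultdict
HEADER_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]')
HEX_RE = re.compile(r'^\s+0x[0-9a-f]+:\s+(?P<hex>[0-9a-f]{2,4}(?: [0-9a-f]{2,4})*)')

SAMPLE = """\
08:42:29.831910 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [P.], seq 1:15, ack 34, win 256, length 14
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4502  ....Uy..../@..E.
        0x0010:  0036 5635 4000 6906 69b7 c063 07af 0567  .6V5@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61ab 5280 ebbe 5018  .Z......a.R...P.
        0x0030:  0100 5049 0000 4548 4c4f 2055 4a54 4f73  ..PI..EHLO.UJTOs
        0x0040:  514b 0d0a                                QK..
08:42:29.951556 IP 192.99.7.175.46466 > 5.103.132.90.smtp: Flags [P.], seq 15:27, ack 159, win 256, length 12
        0x0000:  009c 0297 5579 0008 ae8a 2f40 0800 4502  ....Uy..../@..E.
        0x0010:  0034 5636 4000 6906 69b8 c063 07af 0567  .4V6@.i.i..c...g
        0x0020:  845a b582 0019 0d12 61b9 5280 ec3b 5018  .Z......a.R..;P.
        0x0030:  0100 9e40 0000 4155 5448 204c 4f47 494e  ...@..AUTH.LOGIN
        0x0040:  0d0a                                     ..
08:42:29.952540 IP 5.103.132.90.smtp > 192.99.7.175.46466: Flags [P.], seq 159:185, ack 27, win 115, length 26
        0x0000:  0008 ae8a 2f40 009c 0297 5579 0800 4502  ..../@....Uy..E.
        0x0010:  0042 0137 4000 4006 e7a9 0567 845a c063  .B.7@.@....g.Z.c
        0x0020:  07af 0019 b582 5280 ec3b 0d12 61c5 5018  ......R..;..a.P.
        0x0030:  0073 5208 0000 3530 3020 556e 7265 636f  .sR...500.Unreco
        0x0040:  676e 697a 6564 2063 6f6d 6d61 6e64 0d0a  gnized.command..
"""

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet (14), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return b''                               # not IPv4/TCP over Ethernet
    tcp = 14 + (frame[14] & 0x0f) * 4
    total = int.from_bytes(frame[16:18], 'big')  # IP total length trims Ethernet padding
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:14 + total]

def parse_sessions(text: str, server_port: str = 'smtp') -> dict:
    """Parse the dump and group packets by remote host:port as (side, payload, flags)."""
    packets = []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            packets.append({**m.groupdict(), 'hex': []})
        elif packets and (h := HEX_RE.match(line)):
            packets[-1]['hex'].append(h.group('hex').replace(' ', ''))
    flows = defaultdict(list)
    for p in packets:
        payload = tcp_payload(bytes.fromhex(''.join(p['hex'])))
        if p['dst'].endswith('.' + server_port):          # remote host -> our SMTP port
            flows[p['src']].append(('C', payload, p['flags']))
        elif p['src'].endswith('.' + server_port):        # our reply to it
            flows[p['dst']].append(('S', payload, p['flags']))
    return dict(flows)

def transcript(flow) -> list:
    """Render one session as 'C: EHLO x' / 'S: 500 ...' lines, marking FINs."""
    out = []
    for side, payload, flags in flow:
        out += [f'{side}: {ln}' for ln in payload.decode('ascii', 'replace').split('\r\n') if ln]
        out += [f'{side}: <FIN>'] if 'F' in flags else []
    return out

def probe_summary(flows) -> dict:
    """Per remote IP: sessions seen, EHLO names used, sessions where AUTH drew a 5xx reply."""
    stats = defaultdict(lambda: {'sessions': 0, 'helos': [], 'auth_rejected': 0})
    for client, flow in flows.items():
        lines, st = transcript(flow), stats[client.rsplit('.', 1)[0]]
        st['sessions'] += 1
        st['helos'] += [ln.split(' ', 2)[2] for ln in lines if ln.upper().startswith('C: EHLO ')]
        if any(ln.upper().startswith('C: AUTH') for ln in lines) and any(ln.startswith('S: 5') for ln in lines):
            st['auth_rejected'] += 1
    return dict(stats)
```

Run it over a full capture (one with many sessions from the same address) and probe_summary shows how many connections the host opened and how many ended in the same rejected AUTH, which is the pattern the transcript above makes visible for one session.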

ReetP
« Reply #7 on: January 18, 2019, 11:53:16 AM »
As a matter of interest, what does it tell you in the qpsmtpd log for the connection?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

holck
« Reply #8 on: January 19, 2019, 04:25:37 PM »
Quote:
As a matter of interest, what does it tell you in the qpsmtpd log for the connection?
Absolutely nothing with standard logging. Maybe if I switch to verbose logging, I can get some info.

ReetP
« Reply #9 on: January 20, 2019, 01:41:30 AM »
Ok. Please give it a go.

Wondering if this has any relationship to the max connection issues reported elsewhere here.


mmccarn
« Reply #10 on: January 20, 2019, 02:35:53 PM »
Quote:
Wondering if this has any relationship to the max connection issues reported elsewhere here.

I would not expect this to be related to the max connection issue -- that issue generates appropriate log entries.

Quote:
As a matter of interest, what does it tell you in the qpsmtpd log for the connection?
Absolutely nothing with standard logging.

With config getprop qpsmtpd LogLevel set to the default value of 6 you should see some entries in your logs for these connections - eg
grep '192.99.7.175' /var/log/*qpsmtpd/* 
If qpsmtpd is not even logging a "connect" for this then the attacker has found a very low-level bug in qpsmtpd or your log retention settings need to be increased.  If your qpsmtpd log history does not go back far enough to find the offending connections, you can increase the retention time by increasing "KeepLogFiles":
Code:
config setprop qpsmtpd KeepLogFiles 30
signal-event email-update
(revert to default by replacing "30" with "10")


My top suspect is still the 'naughty' plugin introduced in SME 9.2 and enabled by default for the dnsbl and helo plugins. Your TCPDUMP output includes two 'EHLO' commands, which are allowed to continue to the AUTH stage with naughty enabled, but would be forcefully disconnected by the 'helo' plugin if it was reconfigured.

You could also tell dnsbl to reject connections from listed servers immediately by changing the reject instruction from 'naughty' to '1' like this:
Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
sed 's/naughty/1/' /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/22dnsbl >/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/22dnsbl
signal-event email-update

Revert to default behavior using:
Code:
'rm' /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/22dnsbl
signal-event email-update

When playing with the 'naughty' config for the 'helo' plugin, I used this command to gauge success (connections being blocked by 'helo' instead of 'naughty'):
https://wiki.contribs.org/Email_Statistics#Count_messages_by_qpsmtpd_disposition

ReetP
« Reply #11 on: January 20, 2019, 05:03:40 PM »
:thumbsup: :-)

Just trying to cover all the bases but certainly a look at the logs will help

holck
« Reply #12 on: January 21, 2019, 09:20:19 AM »
I will increase the qpsmtpd loglevel from previously 4 to 6 as suggested. And wait for the problem to reappear, so I can provide more information...

Jesper Holck

holck
« Reply #13 on: January 22, 2019, 11:06:05 PM »
So, here we are - a snip of the qpsmtpd log file (level 6), showing the communication with the remote IP:
Code:
2019-01-22 22:58:49.499989500 13527 Accepted connection 1/40 from 103.207.38.156 / Unknown
2019-01-22 22:58:49.501441500 13527 Connection from Unknown [103.207.38.156]
2019-01-22 22:58:49.804338500 13527 (init) smeoptimizer: Attachment filter enabled.
2019-01-22 22:58:51.108738500 13527 (connect) earlytalker: pass, not spontaneous
2019-01-22 22:58:51.110188500 13527 (connect) relay: skip, no match
2019-01-22 22:58:51.119986500 13527 (connect) dnsbl: karma -1 (-1)
2019-01-22 22:58:51.120046500 13527 (connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org
2019-01-22 22:58:51.120695500 13527 220 karoline.ibsgaarden.dk ESMTP
2019-01-22 22:58:51.344073500 13527 dispatching EHLO ylmf-pc
2019-01-22 22:58:51.345262500 13527 (ehlo) helo: karma -1 (-2)
2019-01-22 22:58:51.345323500 13527 (ehlo) helo: fail, NAUGHTY, in badhelo
2019-01-22 22:58:51.346331500 13527 250-ibsgaarden.dk Hi Unknown [103.207.38.156]
2019-01-22 22:58:51.346397500 13527 250-PIPELINING
2019-01-22 22:58:51.346450500 13527 250-8BITMIME
2019-01-22 22:58:51.346507500 13527 250-SIZE 50000000
2019-01-22 22:58:51.346559500 13527 250 STARTTLS
2019-01-22 22:58:51.565791500 13527 dispatching AUTH LOGIN
2019-01-22 22:58:51.566086500 13527 (unrecognized_command) count_unrecognized_commands: 'auth', (1)
2019-01-22 22:58:51.566222500 13527 500 Unrecognized command
The above sequence repeats itself constantly, until I interrupt it by banning the remote IP
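Added example, not code from the thread or from qpsmtpd: a Python script that reads LogLevel 6 lines in the layout just shown and reports, per remote IP, the sessions that dnsbl or helo marked NAUGHTY yet still went on to EHLO and AUTH, the repeating pattern in this log and the behaviour Reply #10 attributes to the naughty plugin. The sample lines are constructed in that layout (the benign session and its 'dnsbl: pass' line are invented for contrast); on a real system the input would be the qpsmtpd log files matched by the grep in Reply #10.

```python
"""Spot listed hosts that keep reconnecting, from qpsmtpd LogLevel 6 lines.

Added example, not code from the thread or from qpsmtpd. With the 'naughty'
plugin a dnsbl/helo verdict is logged as 'fail, NAUGHTY, ...' but the session
is dropped only later, so the host still reaches EHLO and AUTH. Lines are
grouped by worker PID (each 'Accepted connection' opens a new session) and
summarised per IP. SAMPLE is constructed in the layout of the log above."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (\d+) (.*)$')
ACCEPT_RE = re.compile(r'^Accepted connection \d+/\d+ from (\S+)')
NAUGHTY_RE = re.compile(r'^\((\w+)\) (\w+): fail, NAUGHTY')
DISPATCH_RE = re.compile(r'^dispatching (\S+)(?: (.*))?$')

def constructed_session(pid, hms, ip, helo, naughty):
    """Constructed log lines for one session, same layout as the real log above."""
    t = f'2019-01-22 {hms}.000000000 {pid} '
    lines = [t + f'Accepted connection 1/40 from {ip} / Unknown',
             t + ('(connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org' if naughty else '(connect) dnsbl: pass'),
             t + f'dispatching EHLO {helo}']
    if naughty:
        lines += [t + '(ehlo) helo: fail, NAUGHTY, in badhelo',
                  t + 'dispatching AUTH LOGIN', t + '500 Unrecognized command']
    else:
        lines += [t + 'dispatching MAIL FROM:<user@example.net>', t + 'dispatching QUIT']
    return '\n'.join(lines)

SAMPLE = '\n'.join([constructed_session(13527, '22:58:49', '103.207.38.156', 'ylmf-pc', True),
                    constructed_session(13533, '22:59:05', '192.0.2.10', 'mail.example.net', False),
                    constructed_session(13531, '22:59:02', '103.207.38.156', 'ylmf-pc', True),
                    constructed_session(13540, '22:59:15', '103.207.38.156', 'ylmf-pc', True)])

def parse_sessions(text):
    """Return a list of session dicts; PIDs are reused, so 'Accepted connection' opens a new one."""
    sessions, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'), m.group(2), m.group(3)
        if (a := ACCEPT_RE.match(msg)):
            current[pid] = {'ip': a.group(1), 'pid': pid, 'start': ts, 'naughty': [], 'cmds': [], 'helo': None}
            sessions.append(current[pid])
        elif pid in current and (n := NAUGHTY_RE.match(msg)):
            current[pid]['naughty'].append(n.group(2))        # plugin that flagged it: dnsbl, helo
        elif pid in current and (d := DISPATCH_RE.match(msg)):
            cmd = d.group(1).upper()
            current[pid]['cmds'].append(cmd)
            if cmd in ('EHLO', 'HELO'):
                current[pid]['helo'] = d.group(2)
    return sessions

def naughty_repeaters(sessions, min_sessions=3, window_s=120):
    """Per IP, sessions flagged NAUGHTY that still dispatched commands; 'repeater' is
    True when there are at least min_sessions of them and all fall within window_s seconds."""
    by_ip = defaultdict(list)
    for s in sessions:
        if s['naughty'] and s['cmds']:
            by_ip[s['ip']].append(s)
    report = {}
    for ip, ss in by_ip.items():
        ss.sort(key=lambda s: s['start'])
        span = (ss[-1]['start'] - ss[0]['start']).total_seconds()
        report[ip] = {'sessions': len(ss), 'span_s': span,
                      'plugins': sorted({p for s in ss for p in s['naughty']}),
                      'helos': sorted({s['helo'] for s in ss if s['helo']}),
                      'auth_attempts': sum('AUTH' in s['cmds'] for s in ss),
                      'repeater': len(ss) >= min_sessions and span <= window_s}
    return report
```

An IP reported as a repeater is a candidate for the fail2ban ban shown at the top of the thread, or for the dnsbl reject change from Reply #10 that stops such hosts at connect time instead of after EHLO.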

ReetP
« Reply #14 on: January 22, 2019, 11:37:51 PM »
Ahhh... I have a hack somewhere to block ylmf-pc

Have a hunt for that here or in bugs as I'm sure I documented what I did to block it.

On mobile currently so can't find it easily.