
Too many connections

Posted: 11 Aug 2017 09:37
by sbergami
Hello,
We bought a new firewall and I noticed from the logs that it seems that EFA (10.0.0.4) sends thousands of requests every second around the world (as can be seen from the attachment below)
[Attachment: efa_firewall.jpg]
Does anyone know the reason for all these requests? Are they correct, or is there something to change in the firewall or EFA configuration?
Thank you
kind regards

Re: Too many connections

Posted: 11 Aug 2017 13:37
by TheGr8Wonder
What ports are being blocked? There are components such as DCC that use a distributed server network to perform checks against spam. It could also be the DNS lookup for blacklist checks. All depends on the ports.

Re: Too many connections

Posted: 11 Aug 2017 16:55
by sbergami
thank you for your reply,
from LAN to WAN no ports are blocked, so I think it is an answer that is blocked, but I don't know on which port...

I will try to set a monitor on these public IP addresses

Re: Too many connections

Posted: 15 Aug 2017 08:22
by pdwalker
Yeah, until you know what is actually being blocked, it's kind of hard to determine what you should be looking for.

How many emails per day does your system get anyway? Do you have someone with a computer on the network that is sending junk?

Not enough information to diagnose your problem at the moment.

Re: Too many connections

Posted: 11 Sep 2017 12:42
by sbergami
thank you for your reply and sorry for my (long) delay.
All our PCs have a commercial antivirus, so I don't think this is a spam problem; furthermore, EFA antispam should relay every outgoing email to a remote SMTP server, so I do not even have an idea of what all those IPs around the world are being contacted for.

Re: Too many connections

Posted: 13 Sep 2017 20:14
by TheGr8Wonder
Did you install EFA via an appliance or a custom build? What are the firewall rules from WAN -> EFA?

Re: Too many connections

Posted: 15 Sep 2017 08:38
by pdwalker
Your problem is a hard one to debug without having access to your efa server.

If your EFA server is making a lot of network requests, then you'll need to log into your EFA server and find out what is making all the network requests.

Programs like ps, netstat, lsof, atop, htop, nethogs, ntop, iftop, top, etc. can help you find out what is running on your machine and what is making the network connections. Some of these programs are not in the base install, so you'll have to install them yourself.

Also, can you find out exactly what your firewall is blocking: e.g. "connection to X port Y is blocked". That will also give a big clue.

How much mail is your system sending/receiving per day?

Another thought: those blocked IP requests - they look like IPs that belong to infrastructure-type servers. Does your EFA box have the caching name server installed? Maybe it's making too many outward DNS requests?

Look in your system log files for any interesting errors. In particular, pay attention to /var/log/messages and /var/log/maillog. You may find a clue in there.

Re: Too many connections

Posted: 18 Sep 2017 09:16
by ovizii
Looking at this thread, I don't think anything is being blocked. Seems just like a warning about too many outgoing connections. I'm sure the firewall also has some sort of reporting so you can check what kind of connections it is talking about.

As people have mentioned, it might be simple DNS queries.

Re: Too many connections

Posted: 18 Sep 2017 09:47
by pdwalker
no, the log files do say "ACCESS BLO..." which I assume means "access blocked"

if it is blocking the dns queries, then the spam scoring is going to be a little lower without the DNSRBL information.

Re: Too many connections

Posted: 20 Sep 2017 09:02
by sbergami
Hello,
thanks to everyone for the answers. I probably found the solution.
Our firewall by default constantly monitors the number of connections that each host opens, and if this number reaches a threshold limit these connections are blocked. I've seen in the status monitor (not in the log pages) that all blocked requests are DNS_UDP. I've customized the maximum number of EFA server connections as 0 (unlimited) on the firewall session limit configuration page, and of course the alert does not appear anymore.
I checked the number of active sessions and the traffic generated by the server, and it is equal to the traffic generated even before replacing the firewall.
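As an added example (not code from this thread or from the EFA project), here is a small POSIX shell script covering both pdwalker's advice to find out on the box itself which process is opening the sockets and the final finding that the bulk of them are UDP/53 sessions tripping a per-host session cap. The sample lines are constructed to look like `ss -Hunap` / `ss -Htnap` output (`-p` needs root); process names, PIDs and addresses in them are made up.

```shell
#!/bin/sh
# Summarise outbound sockets per destination port and per process, then check
# the total against a per-host session limit like the firewall's (0 = unlimited).
# Added example; SAMPLE is CONSTRUCTED in the shape of `ss -Hunap` output:
#   State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=M))
SAMPLE='UNCONN 0 0 10.0.0.4:41234 198.51.100.10:53 users:(("named",pid=1432,fd=21))
UNCONN 0 0 10.0.0.4:41235 198.51.100.11:53 users:(("named",pid=1432,fd=22))
UNCONN 0 0 10.0.0.4:41236 203.0.113.7:53 users:(("named",pid=1432,fd=23))
UNCONN 0 0 10.0.0.4:41237 203.0.113.8:53 users:(("named",pid=1432,fd=24))
ESTAB 0 0 10.0.0.4:52001 192.0.2.20:6277 users:(("dccifd",pid=2210,fd=5))
ESTAB 0 0 10.0.0.4:52002 192.0.2.25:25 users:(("smtpd",pid=3300,fd=9))'

# Sockets per destination port: field 5 is Peer:Port; take the text after the
# last ':' so bracketed IPv6 peers are handled too. Output: "port count".
count_by_port() {
    printf '%s\n' "$1" | awk '{ n = split($5, a, ":"); c[a[n]]++ }
        END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1n
}

# Sockets per process: the first quoted name in the users:(...) column.
count_by_proc() {
    printf '%s\n' "$1" | awk '{ proc = "unknown"
        if (match($6, /"[^"]+"/)) proc = substr($6, RSTART + 1, RLENGTH - 2)
        c[proc]++ } END { for (p in c) print p, c[p] }' | sort -k2,2nr -k1,1
}

# Total number of socket lines (one session each).
total_sessions() {
    printf '%s\n' "$1" | grep -c .
}

# Succeeds when the total stays within LIMIT; 0 means unlimited, as on the
# firewall's session-limit page. Fails when the cap would be tripped.
check_limit() {
    limit=$1; total=$(total_sessions "$2")
    [ "$limit" -eq 0 ] && return 0
    [ "$total" -le "$limit" ]
}

echo "== sockets per destination port =="; count_by_port "$SAMPLE"
echo "== sockets per process =="; count_by_proc "$SAMPLE"
if check_limit 5 "$SAMPLE"; then echo "within a 5-session limit"
else echo "would trip a 5-session limit ($(total_sessions "$SAMPLE") sockets)"; fi
```

On a live box, replace SAMPLE with `$(ss -Hunap)` or `$(ss -Htnap)` to see which process and port dominate before touching the firewall threshold.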