Security Incidents mailing list archives

Spam and SYN Flood?


From: "Curt LeCaptain" <lecaptainc () infinitytechnology com>
Date: Mon, 18 Dec 2006 15:24:05 -0600

I'm new to the list, so if I'm in the wrong place e-mailing this
message, I apologize.  For about the last 5-7 days, I've been noticing a
rather large amount of spam, all messages being sent to non-existent
addresses on our mail server, with the majority of them showing up
as 0-byte e-mails with no FROM address.  Alongside this, I had noticed
that even after I blocked IP addresses via ipchains (yes, we're
not running iptables right now; I'm looking to switch, but it's an older
server, so migration is coming to a box that does have iptables on it
rather than ipchains), I'm seeing a rather large amount of SYN_RECV
connections to port 25.  This had created another issue, which was the
fact that all these SYN connections were blocking mail access.  We'd
stop and start sendmail, be able to receive connections for a short
time, then lose all connectivity via port 25.  That was when I
noticed these SYN_RECV connections.
 
I've since enabled TCP_SYNCOOKIES, increased the SYN buffer to
4096, and shortened the amount of time that a SYN connection
exists on the server.  What I'm looking for is: am I creating a denial
of service for myself, or is this coming from somewhere else that I'm
just not expecting?  If so, is there a way to trace this, or not?
 
Example of syn_recv from netstat -anp output
 
tcp        0      0 x.x.x.x:25        196.40.74.40:4892       SYN_RECV    -
tcp        0      0 x.x.x.x:25        81.198.237.112:2609     SYN_RECV    -
tcp        0      0 x.x.x.x:25        85.37.219.136:18197     SYN_RECV    -
tcp        0      0 x.x.x.x:25        212.193.162.2:56128     SYN_RECV    -
tcp        0      0 x.x.x.x:25        193.25.197.69:57260     SYN_RECV    -
tcp        0      0 x.x.x.x:25        217.29.159.130:39079    SYN_RECV    -
tcp        0      0 x.x.x.x:25        89.180.62.116:3583      SYN_RECV    -
tcp        0      0 x.x.x.x:25        80.99.184.142:1509      SYN_RECV    -
tcp        0      0 x.x.x.x:25        195.205.36.110:55455    SYN_RECV    -
tcp        0      0 x.x.x.x:25        217.195.17.67:38192     SYN_RECV    -
tcp        0      0 x.x.x.x:25        220.110.2.106:51764     SYN_RECV    -
tcp        0      0 x.x.x.x:25        193.171.152.37:45375    SYN_RECV    -
tcp        0      0 x.x.x.x:25        85.158.136.35:10157     SYN_RECV    -
tcp        0      0 x.x.x.x:25        210.188.201.9:38873     SYN_RECV    -
 
(this can go on for about 1500 connections, which is why only about 15
are listed)
 
Any help is appreciated.
 
Curt L.
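The first thing to establish from output like the above is whether the half-open backlog on port 25 comes from a handful of remote addresses (where blocking per IP, as the poster did with ipchains, actually helps) or is spread thinly across many sources (where spoofed or distributed SYNs make per-IP blocking pointless and SYN cookies plus a larger backlog are the real lever). The script below is an added example, not code from the original post: it parses `netstat -an` lines of the shape quoted above, counts SYN_RECV entries per remote address, and applies a simple concentration heuristic chosen for this example (the 0.5 threshold is an assumption, not a kernel or netstat constant). The sample output and its addresses are constructed from documentation ranges. The `/proc/sys/net/ipv4` reads cover the knobs the post mentions and return None where `/proc` is not available.

```python
"""Summarise half-open (SYN_RECV) connections from `netstat -an` output.

Added example (not from the original post). Groups SYN_RECV entries by
remote address so the shape of the backlog is visible: a few dominant
sources vs. many sources contributing one or two entries each.
"""
from collections import Counter

# Constructed sample of `netstat -an` output, shaped like the lines quoted
# in the post. Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:4892       SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:4893       SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:4894       SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:4895       SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.44:2609       SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.45:18197      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.46:56128      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.200:1509     SYN_RECV
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); rpartition keeps IPv6 addresses intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP socket line; the header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_ip, local_port = split_endpoint(fields[3])
        remote_ip, remote_port = split_endpoint(fields[4])
        conns.append({
            "proto": fields[0],
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": fields[5],
        })
    return conns


def half_open_by_source(conns, local_port="25"):
    """Count SYN_RECV entries on the given local port, keyed by remote IP."""
    return Counter(
        c["remote_ip"] for c in conns
        if c["state"] == "SYN_RECV" and c["local_port"] == local_port
    )


def summarise(sources, concentration=0.5):
    """Describe the half-open backlog.

    `concentration` is a heuristic threshold chosen for this example: when one
    remote address holds more than that share of the backlog, blocking it is
    worthwhile; otherwise the load is spread out and per-IP blocking will not
    clear it, so SYN cookies and backlog sizing are the better lever.
    """
    total = sum(sources.values())
    if total == 0:
        return {"total": 0, "distinct": 0, "top": None, "pattern": "none"}
    top_ip, top_n = sources.most_common(1)[0]
    pattern = "concentrated" if top_n / total > concentration else "distributed"
    return {"total": total, "distinct": len(sources),
            "top": (top_ip, top_n), "pattern": pattern}


def current_syn_settings():
    """Read the kernel knobs the post mentions; None where /proc is unavailable."""
    settings = {}
    for name in ("tcp_syncookies", "tcp_max_syn_backlog", "tcp_synack_retries"):
        try:
            with open("/proc/sys/net/ipv4/" + name) as fh:
                settings[name] = fh.read().strip()
        except OSError:
            settings[name] = None
    return settings


if __name__ == "__main__":
    # On a live box: netstat -an | python3 this_script.py (read sys.stdin instead)
    summary = summarise(half_open_by_source(parse_netstat(SAMPLE_NETSTAT)))
    print(summary)
    print(current_syn_settings())
```

On the constructed sample the backlog is reported as "concentrated" because one source holds four of the seven half-open entries; on a backlog like the one in the post, with roughly 1500 entries from addresses that mostly appear once, the same function reports "distributed", which is the signal that the problem is not one that an ipchains rule per address will solve.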
