hundredds of exim instances overloading server

**EMS** · 08-16-2005 05:46 AM

Hi,

Just had an incident whereby the server load went crazy. I restarted the server but whenever the network cable was plugged in - 1200 exim processes spooled up followed by clamd service which takes the load up to 100% and disk access is constant.

I got the datacenter to unplug the network cable, restart the server and stop exim - then plug it back in.

I then logged in remoteley and made sure the exim service was stopped, it was already starting again and building up 30 or 40 processes.

I've checked out the server and so far have been unable to find any compromised accounts or unusual files. /tmp is clean.

If exim is restarted it happens again.

Any ideas ?

**chirpy** · 08-16-2005 05:47 AM

Well, any relevant information should be in /var/log/exim_mainlog

**EMS** · 08-16-2005 07:48 AM

The mail queue had thousands of messages intended for one domin on the server. They appear to be delivery failures to a spam mesage sent with a spoofed header. They were not sent form the domain in question.

Its still happening - i'll run a script to clear out the mail queue every 30 seconds for messages contianing the content.

**abubin** · 08-16-2005 10:35 PM

you need to install some security in your exim. Most probably you are being bombarded by spams and/or dictionary attack.

Have you installed RBL and APF (with brute force detection)?

Also, did you disable "catch-all"?

**EMS** · 08-17-2005 10:47 AM

Originally Posted by abubin

you need to install some security in your exim. Most probably you are being bombarded by spams and/or dictionary attack.

Have you installed RBL and APF (with brute force detection)?

Also, did you disable "catch-all"?

APF with BFD installed - RBL not. They were all delivery failures to spam messages. The reason the server was being overloaded is because the customer had a catchall set. once I set it to :blackhole: things eased up. We dont prevent them from using a catchall mailbox.

**chirpy** · 08-17-2005 11:23 AM

APF and BFD won't do anythng about spam (unless you use the flawed exim blocker). You much better off with a dictionary attack ACL and not using :blackhole: - use :fail: instead, it's much lighter on your server resources and for many other reasons.

**elix** · 08-17-2005 02:21 PM

Run this command to convert all domains to :fail: instead of :blackhole:.

Code:

perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*

Also, I'd look at the headers in the mail queue to try to find out exactly where this coming from, and then I'd clear out the mail queue as that in itself could be causing high load.

Good luck.

Regards,

**EMS** · 08-18-2005 05:45 AM

But, wont :fail: send a reply back - where :blackhole: will simply discard the message ?

**chirpy** · 08-18-2005 05:46 AM

No:
http://www.configserver.com/free/fail.html

**EMS** · 08-18-2005 06:42 AM

Ahh, thanks. I got it the wrong way round.

LinkBack

Thread Tools

hundredds of exim instances overloading server

Server Overloading...

Server Overloading always

exim is overloading

Dedicated server keeps on overloading

Exim overloading server