  1. #1
    Member
    Join Date
    Oct 2010
    Posts
    76

    Post Server overloaded - SPAM? Exim processes

    Hello, I need help.

    I can see exim processes like this on my server:
    27869 mailnull 25 0 7700 852 532 R 4 0.0 0:17.53 /usr/sbin/exim -bd -q60m

    There are load spikes and swap is at 50-100%.

    Mail queue is at a maximum of 4000+ messages and tail -f /var/log/exim_mainlog shows some spammy-looking esmtp threads.


    2011-08-10 00:04:12 1QquPD-00061H-TD <= ***@****.org H=ns35.****.com [254.254.254.254] P=esmtps X=TLSv1:AES256-SHA:256 S=3117 id=E1QquUw-0002Z5-DQ@ns35.****.com

    I'm not able to discover what the cause is, what I need to ban, or how to protect the server, so I'm asking you here. Here are more details from the cPanel mail stats:

    Time spent on the queue: all messages
    Time       Messages   Percentage   Cumulative Percentage
    Under 1m   58312      44.1%        44.1%
    5m         47         0.0%         44.1%
    3h         4          0.0%         44.1%
    6h         1          0.0%         44.1%
    12h        6          0.0%         44.1%
    1d         8          0.0%         44.2%
    Over 1d    73844      55.8%        100.0%

    Top 50 mail rejection reasons by message count
    Messages   Mail rejection reason
    8264       Unknown
    2327       Rejected RCPT: Sender verify failed
    492        Rejected MAIL: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

    Top 50 mail temporary rejection reasons by message count
    Messages   Mail temporary rejection reason
    6499       Temporarily rejected RCPT: Could not complete sender verify

    Top 50 rejected ips by message count
    Messages   Rejected ip
    7493       local
    1630       [*.*.*.*]
    68         [*.*.*.*]
    61         [*.*.*.*]

    PLEASE, can anyone tell me exactly what to do to discover the source of this issue and eliminate it? It would also be helpful for more members.

    Thank you,
    P.

  2. #2
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    Please, can you help me and all who have the same issue to recognize what the cause is?

  3. #3
    Member This forum account has been confirmed by cPanel staff to represent a vendor. syslint's Avatar
    Join Date
    Oct 2006
    Posts
    145

    Default Re: Server overloaded - SPAM? Exim processes

    You may better enable SpamCop RBL checking from WHM -> Exim Configuration Editor

  4. #4
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    Quote: Originally posted by syslint
    You may better enable SpamCop RBL checking from WHM -> Exim Configuration Editor
    -
    Thank you, I enabled this today and added my server IP to the whitelist on the same config page. But even before I enabled this, the load was quite low. I restarted httpd, exim etc.; at first look nothing changed. So load is maybe no longer a problem, but there are still those SMTP senders mentioned in the first post! Please, how can I eliminate them and stop using the external blacklist service?

    Swap Used 96.29% (1,012,080 of 1,051,064)

    Thank you
    Last edited by postcd; 08-19-2011 at 06:40 AM.

  5. #5
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    lfd: The exim delivery queue size is 19940

    I need to note that I have a high number of incoming emails, like 100 per minute, and most are coming into non-existing email addresses and are relayed to an existing email address.
    Last edited by postcd; 08-19-2011 at 11:19 AM.

  6. #6
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Server overloaded - SPAM? Exim processes

    What does "come into non-existing email and are relayed to existing email" mean exactly? Are they forwarded by accounts on the machine that exist? What is the full route for one of the messages?

    Code:
    exigrep messageID /var/log/exim_mainlog
    Where messageID is the exim ID given to the message. For example, 1QuRrF-0007sJ-WF would be a message ID for a message on my machine.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  7. #7
    Member
    Join Date
    Aug 2011
    Posts
    19

    Default Re: Server overloaded - SPAM? Exim processes

    Swapping like that is bad, obviously.

    Sounds like you may have catchall addresses enabled. They're on by default, so if you didn't disable them, anything sent to any username at a real domain will be sent to the default user for that domain. Look under server configuration - tweak settings - default catch-all. If that's not the case, please describe the problem better so others can help (I'm a complete WHM newb, sorry).

  8. #8
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    Quote: Originally posted by cPanelTristan
    What does "come into non-existing email and are relayed to existing email" mean exactly? Are they forwarded by accounts on the machine that exist? What is the full route for one of the messages?
    --
    Hello, this is full route:

    2011-08-19 20:**:40 1QuTp5-0000LF-Ub <= cetl@home.soka.ac.jp H=home.soka.ac.jp [150.37.251.**] P=esmtps X=TLSv1:AES256-SHA:256 S=1342 id=20110***1829.p7JIT*****2376@home.soka.ac.jp T="[CETL STAFF BBS-No.54109]Satellite Direct" from <cetl@home.soka.ac.jp> for *****@mydomain.info
    2011-08-19 20:**:40 1QuTp5-0000LF-Ub => :blackhole: <*****@mydomain.info> R=virtual_aliases
    2011-08-19 20:**:40 1QuTp5-0000LF-Ub Completed
    What I meant is that I have catch-all mail. But in fact I realised that I deleted all mailboxes on that domain and set :blackhole:

    Even when I suspend all suspicious cPanel accounts, those email entries keep coming into exim_mainlog.

    Server load is quite OK, except for the 95-100% full swap and the overloaded mail queue of 19k mails.
    Last edited by postcd; 08-19-2011 at 01:37 PM.

  9. #9
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Server overloaded - SPAM? Exim processes

    This entry doesn't show it was relayed. It shows that it went to :blackhole: to be deleted.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  10. #10
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    So it was not relayed; what can I do about it? My simple question is how to discover what script is causing the issue. Or what the cause is, and how I can discover it exactly. If anyone can help me, I would be grateful.

  11. #11
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Server overloaded - SPAM? Exim processes

    If these are incoming emails, there isn't a script causing the issue that I can see. Rather than worrying about the emails that are going to :blackhole: and not in the mail queue, it would be more helpful to see an email (header and exigrep details) that is one of those 195k in your mail queue. WHM > Mail Queue Manager area has the emails where you can view one of them.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
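
Added example (not from the thread): the distinction drawn above, between inbound mail that is discarded by :blackhole: and mail submitted locally by an account on the server, can be read off the `<=` arrival lines in exim_mainlog. It assumes Exim's standard log fields (`U=` and `P=local` on local submissions, `[ip]` on remote ones); the log lines are constructed and the function names are illustrative.

```shell
#!/bin/sh
# Constructed exim_mainlog excerpt modelled on the lines quoted in this thread.
sample_mainlog() { cat <<'EOF'
2011-08-19 20:01:40 1QuTp5-0000LF-Ub <= cetl@home.example H=home.example [192.0.2.10] P=esmtps S=1342 T="Satellite Direct" for info@mydomain.info
2011-08-19 20:01:40 1QuTp5-0000LF-Ub => :blackhole: <info@mydomain.info> R=virtual_aliases
2011-08-19 20:01:40 1QuTp5-0000LF-Ub Completed
2011-08-19 20:02:11 1QuTq0-0000M1-AA <= myaccname@server.mysite.info U=myaccname P=local S=2210 T="INFORMATION AND NEED URGENT REPLY" for a@example.net
2011-08-19 20:02:12 1QuTq1-0000M5-BB <= myaccname@server.mysite.info U=myaccname P=local S=2214 T="INFORMATION AND NEED URGENT REPLY" for b@example.net
2011-08-19 20:02:13 1QuTq2-0000M9-CC <= myaccname@server.mysite.info U=myaccname P=local S=2209 T="INFORMATION AND NEED URGENT REPLY" for c@example.net
2011-08-19 20:03:05 1QuTr4-0000N2-DD <= x@example.org H=mail.example.org [192.0.2.10] P=esmtp S=900 T="cheap P=local offer" for info@mydomain.info
EOF
}

# Count accepted messages ("<=" lines) by origin: local submissions are keyed by
# the Unix user in U=, remote ones by the connecting IP in [brackets].
arrival_origins() {
    awk '
        $4 == "<=" {
            user = ""; ip = ""; isLocal = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^T="/) break            # subject text is sender-controlled
                if ($i ~ /^U=/) user = substr($i, 3)
                if ($i ~ /^\[.*\]/) ip = $i
                if ($i == "P=local") isLocal = 1
            }
            key = isLocal ? ("local U=" user) : ("remote " ip)
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Message IDs routed to :blackhole:, i.e. inbound mail that never enters the queue.
blackholed_ids() {
    awk '$4 == "=>" && $5 == ":blackhole:" { print $3 }'
}

sample_mainlog | arrival_origins
```

On a live server the same functions read `/var/log/exim_mainlog` on stdin; a high `local U=` count points at the account whose scripts are submitting mail.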

  12. #12
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    Thanks,
    It showed me around 4K emails on that queue; in total it's 19k.

    It's probably sorted by the date the message entered the queue. All these have been in the queue for 45-46 days, probably? There is 45d, for example.
    All these originate from one account on my server, and are certainly spam which I did not send.

    Return-path: <myaccname@server.mysite.info>
    Received: from myaccname by server.mysite.info with local (Exim 4.69)
    (envelope-from <myaccname@server.mysite.info>)
    id 1QdwZ1-0002Hz-Qo
    for ***stins@bellsouth.net; Tue, 05 Jul 2011 05:44:43 +0200
    To: ***stins@bellsouth.net
    Subject: INFORMATION AND NEED URGENT REPLY
    From: Taif Bin *** <taif_***@rediffmail.com>
    Reply-To: taifbin***@yahoo.com
    Is there any command which will delete all emails from the queue that match one particular cPanel account or are older than X number of days?
    What can I do?

    When I did exigrep, it returned nothing on this email.
    Last edited by postcd; 08-19-2011 at 02:12 PM.

  13. #13
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Server overloaded - SPAM? Exim processes

    To remove all messages older than 5 days from the mail queue:

    Code:
    exiqgrep -o 432000 -i | xargs exim -Mrm
    Here 86400 * 5 = 432000 seconds, so this is the number of seconds in 5 days. If you want to delete everything older than a day, use 86400 or 86400 x # for whatever number of days old.

    For all emails sent to a certain domain, you'd run:

    Code:
    exiqgrep -ir domain.com | xargs exim -Mrm
    For all emails sent from a certain domain, you'd run:

    Code:
    exiqgrep -if domain.com | xargs exim -Mrm
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
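
Added example (not from the thread): before running the purge commands above, a saved `exim -bp` queue listing can be summarised to see which envelope sender owns the old messages and which message IDs an age-plus-sender filter would select. The listing is constructed, and `queue_records`, `queue_senders` and `queue_ids` are illustrative names, not exim tools.

```shell
#!/bin/sh
# Constructed sample in `exim -bp` layout: AGE SIZE MESSAGE-ID <envelope-sender>,
# then one indented line per recipient ("D" marks an already delivered one).
sample_queue() { cat <<'EOF'
45d  1.3K 1QdwZ1-0002Hz-Qo <myaccname@server.mysite.info>
          rcpt1@example.net

45d  1.3K 1QdwZ2-0002I4-Ab <myaccname@server.mysite.info>
          rcpt2@example.net

46d  1.4K 1QdaB7-0001Xc-Lm <myaccname@server.mysite.info>
        D rcpt3@example.net
          rcpt4@example.org

 3h  2.0K 1QuTa1-0000Kp-9x <>
          someone@example.com

12m   850 1QuTz9-0000Mq-C2 <user@example.org>
          postmaster@mysite.info
EOF
}

# Normalise a listing to "AGE_SECONDS MESSAGE_ID <SENDER>", one line per message.
queue_records() {
    awk '
        $1 ~ /^[0-9]+[mhd]$/ && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            unit = substr($1, length($1))
            mult = (unit == "d") ? 86400 : ((unit == "h") ? 3600 : 60)
            print substr($1, 1, length($1) - 1) * mult, $3, $4
        }'
}

# Count messages at least MIN_AGE seconds old per envelope sender, busiest first.
queue_senders() {   # usage: queue_senders MIN_AGE < listing
    queue_records | awk -v min="$1" '$1 >= min { n[$3]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# IDs of messages from SENDER at least MIN_AGE seconds old: what a purge would remove.
queue_ids() {       # usage: queue_ids MIN_AGE SENDER < listing
    queue_records | awk -v min="$1" -v who="<$2>" '$1 >= min && $3 == who { print $2 }'
}

sample_queue | queue_senders 432000
```

On a live server, pipe `exim -bp` into the functions instead of `sample_queue` and review the result before passing any IDs to `exim -Mrm`.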

  14. #14
    Member
    Join Date
    Oct 2010
    Posts
    76

    Default Re: Server overloaded - SPAM? Exim processes

    Thanks,
    I used the command to delete everything queued for more than 5 days.
    Now the queue has around 43 messages and swap used is 100%.

    There are entries added into exim_mainlog where there is text like "Warning: Sender rate 12.3 / 1h" etc.

  15. #15
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Server overloaded - SPAM? Exim processes

    Quote: There are entries added into exim_mainlog where there is text like "Warning: Sender rate 12.3 / 1h" etc
    --
    Yes, the sender rates are set due to WHM > Exim Configuration Editor > Ratelimit suspicious SMTP servers being set to "On".
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
