CPU usage high due to exim, through user root

yufool

Active Member
Jan 24, 2004
27
0
151
I have had to kill this process continually for the last 48 hours. What should I do at this point? The mail queue looks normal (<100 msgs).

Below is also my netstat -p

I know that a lot of e-mail traffic is coming from or through outblaze, but don't know how to manage this traffic.

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
9115 root 25 0 41584 40M 2804 R 52.8 4.0 1:00 0 exim
5305 named 15 0 8684 8332 1460 S 1.5 0.8 3:16 0 named
2012 root 15 0 1208 1208 892 R 0.3 0.1 0:01 0 top
5307 named 15 0 8684 8332 1460 S 0.1 0.8 0:33 0 named
1 root 15 0 116 84 56 S 0.0 0.0 0:05 0 init
2 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 keventd
3 root 15 0 0 0 0 SW 0.0 0.0 0:01 0 kapmd
4 root 34 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd/0
7 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush
5 root 15 0 0 0 0 SW 0.0 0.0 1:32 0 kswapd
6 root 15 0 0 0 0 SW 0.0 0.0 4:18 0 kscand
8 root 15 0 0 0 0 SW 0.0 0.0 0:12 0 kupdated
9 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 mdrecoveryd
13 root 15 0 0 0 0 SW 0.0 0.0 0:25 0 kjournald

---------------------

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 vision.dreampod1.com:http lj602180.inktomisearc:57718 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:27386 spf6.us4.outblaze.com:smtp ESTABLISHED 1713/exim
tcp 0 0 vision.dreampod1.com:27397 mx.lax.untd.com:smtp ESTABLISHED 23640/exim
tcp 0 0 vision.dreampod1.com:pop3 208.0.110.51:2300 TIME_WAIT -
tcp 0 1 vision.dreampod1.com:27398 spf0.us4.outblaze.com:smtp SYN_SENT 31913/exim
tcp 0 0 vision.dreampod1.com:27395 spf7-22.us4.outblaze.c:smtp ESTABLISHED 7402/exim
tcp 0 0 vision.dreampod1.com:27390 spf7-22.us4.outblaze.c:smtp ESTABLISHED 6067/exim
tcp 0 0 vision.dreampod1.com:pop3 208.0.110.51:2305 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:pop3 208.0.110.51:2307 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:http rrcs-24-242-149-222.sw:1294 FIN_WAIT2 -
tcp 0 0 vision.dreampod1.com:http rrcs-24-242-149-222.sw:1293 ESTABLISHED 23852/httpd
tcp 0 0 vision.dreampod1.com:http adsl-70-241-89-50.dsl.:1459 ESTABLISHED 23705/httpd
tcp 0 0 vision.dreampod1.com:http adsl-70-241-89-50.dsl.:1460 ESTABLISHED 23696/httpd
tcp 0 2727 vision.dreampod1.com:http 66-194-91-130.static.t:2281 ESTABLISHED 23695/httpd
tcp 0 0 vision.dreampod1.com:ssh cpe-68-206-52-12:cvspserver ESTABLISHED 1299/0
tcp 0 0 vision.dreampod1.com:pop3 pool-68-237-201-229.ny:1764 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:pop3 204-57-115-101.static.:8584 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:pop3 h98.128.28.71.ip.allte:3928 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:27300 user-12l2d0e.cable.min:auth FIN_WAIT2 -
tcp 0 0 vision.dreampod1.com:http cpe-72-181-188-16.hou:60537 ESTABLISHED 23712/httpd
tcp 0 0 vision.dreampod1.com:http cpe-72-181-188-16.hou:60538 ESTABLISHED 23698/httpd
tcp 0 0 vision.dreampod1.com:pop3 cpe-68-206-48-178.hous:4575 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:http lj601721.inktomisearc:53017 TIME_WAIT -
tcp 0 0 vision.dreampod1.com:http cpe-72-181-188-16.hou:60472 FIN_WAIT2 -
tcp 0 0 vision.dreampod1.com:http pool-68-238-110-96.df:50889 ESTABLISHED -
 

yufool

tail -500 exim_mainlog

Here is the tail of my mainlog - looks like a lot of timeout connections. By the way, Chirpy I use your dictionary attack ACL - it's great!

Thank you

2006-06-23 12:36:11 1FtpZi-0005fF-R8 <= [email protected] H=(fontdiner.fontdiner.com) [69.94.4.193] P=esmtps X=TLSv1:AES256-SHA:256 S=2442 id=bM9rU[email protected]
2006-06-23 12:36:13 1FsdYF-0000ur-7S ob-mail-com.mr.outblaze.com [64.71.166.197]: Connection timed out
2006-06-23 12:36:41 1FtRY8-0007s9-Ux SMTP timeout while connected to ob-mail-com.mr.outblaze.com [64.71.166.199] after initial connection: Connection timed out
2006-06-23 12:36:41 1FsdX0-0000sf-MR SMTP timeout while connected to ob-mail-com.mr.outblaze.com [64.71.166.199] after initial connection: Connection timed out
2006-06-23 12:37:25 1Ftpav-0005jK-As <= [email protected] U=dreampod P=local-bsmtp S=2803 [email protected]etro.com
2006-06-23 12:37:26 1Ftpav-0005jK-As => chinh <[email protected]> R=virtual_user T=virtual_userdelivery
2006-06-23 12:37:26 1Ftpav-0005jK-As Completed
2006-06-23 12:37:26 1FtpZi-0005fF-R8 => chinh <[email protected]> R=virtual_sa_user T=virtual_sa_userdelivery
2006-06-23 12:37:26 1FtpZi-0005fF-R8 Completed
2006-06-23 12:37:27 1FtRY8-0007s9-Ux ob-mail-com.mr.outblaze.com [64.71.166.196]: Connection timed out
2006-06-23 12:37:27 1FsdX0-0000sf-MR ob-mail-com.mr.outblaze.com [64.71.166.197]: Connection timed out
2006-06-23 12:37:34 H=(acmecompany.com) [213.16.62.47] F=<[email protected]mpany.com> rejected RCPT <[email protected]>:
2006-06-23 12:37:34 unexpected disconnection while reading SMTP command from (acmecompany.com) [213.16.62.47]
2006-06-23 12:37:34 1FsdX0-0000sf-MR ** [email protected] <Velasquez[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host ob-mail-com.mr.outblaze.com [64.71.166.196]: 550 <>: No thank you rejected: Account Unavailable: Possible Forgery
2006-06-23 12:37:35 1FsdbM-00010Q-MC ** [email protected] <Dickins[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host ob-mail-com.mr.outblaze.com [64.71.166.196]: 550 <>: No thank you rejected: Account Unavailable: Possible Forgery
2006-06-23 12:37:35 1FsdX0-0000sf-MR Spool file is locked (another process is handling this message)
2006-06-23 12:37:35 1FsdX0-0000sf-MR Frozen (delivery error message)
2006-06-23 12:37:36 1FsdbM-00010Q-MC Frozen (delivery error message)
2006-06-23 12:37:36 1Fta1y-0007BJ-V7 Unfrozen by forced delivery
2006-06-23 12:37:47 1Fta1y-0007BJ-V7 ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]net>: host gateway-r.comcast.net [204.127.198.26]: 551 not our customer
2006-06-23 12:37:47 1Fta1y-0007BJ-V7 Frozen (delivery error message)
2006-06-23 12:37:48 1FtWyk-0004UF-Ga Unfrozen by forced delivery
2006-06-23 12:37:49 1FtWyk-0004UF-Ga ** [email protected] <[email protected]arthlink.net> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mxi.earthlink.net [209.86.93.155]: 550 [email protected] unknown
2006-06-23 12:37:49 1FsxsE-0006JS-6o Message is frozen
2006-06-23 12:37:49 1FtWyk-0004UF-Ga Frozen (delivery error message)
2006-06-23 12:37:50 1FtWyk-0004UB-10 Unfrozen by forced delivery
2006-06-23 12:37:50 1FtWyk-0004UB-10 ** [email protected] <[email protected]link.net> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mxg.earthlink.net [209.86.93.153]: 550 Do[email protected] unknown
2006-06-23 12:37:50 1FtWyk-0004UB-10 Frozen (delivery error message)
2006-06-23 12:37:50 1FsxsE-0006JS-6o Message is frozen
2006-06-23 12:37:51 1FsXjk-0004d5-82 mail.0451.com [202.97.230.80]: Connection refused
2006-06-23 12:38:17 no host name found for IP address 222.73.10.74
2006-06-23 12:38:17 H=(system.mail) [222.73.10.74] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected because (system.mail) [222.73.10.74] is blacklisted at cbl.abuseat.org see Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=222.73.10.74
2006-06-23 12:38:17 unexpected disconnection while reading SMTP command from (system.mail) [222.73.10.74]
2006-06-23 12:38:18 H=(com) [217.132.114.7] sender verify fail for <[email protected]>: unrouteable mail domain "com"
2006-06-23 12:38:18 H=(com) [217.132.114.7] F=<[email protected]> rejected RCPT <977407556[email protected]>: Sender verify failed
2006-06-23 12:38:18 unexpected disconnection while reading SMTP command from (com) [217.132.114.7]
2006-06-23 12:38:36 1FsXjk-0004d5-82 mail.0451.com [202.97.230.81]: Connection timed out
2006-06-23 12:38:36 1FsXjk-0004d5-82 == [email protected] R=lookuphost T=remote_smtp defer (110): Connection timed out
2006-06-23 12:38:37 1FtWyl-0004UP-DZ Unfrozen by forced delivery
2006-06-23 12:38:38 1FtWyl-0004UP-DZ ** [email protected] <Burrisdec[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mxe.earthlink.net [209.86.93.239]: 550 [email protected] unknown
2006-06-23 12:38:38 1FtWyl-0004UP-DZ Frozen (delivery error message)
2006-06-23 12:38:38 1FtgEX-0002Kv-II Unfrozen by forced delivery
2006-06-23 12:38:42 1FtgEX-0002Kv-II ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.lax.untd.com [64.136.28.83]: 550 [email protected] is not a valid user
2006-06-23 12:38:42 1FtgEX-0002Kv-II Frozen (delivery error message)
2006-06-23 12:38:42 1FsEZX-0007cc-Ih Unfrozen by forced delivery
2006-06-23 12:38:45 1FsEZX-0007cc-Ih ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx01.schlund.de [212.227.15.150]: 550 <[email protected]>: invalid address
2006-06-23 12:38:45 1FsEZX-0007cc-Ih Frozen (delivery error message)
2006-06-23 12:38:45 1Fs6EX-0003Ab-Fw Unfrozen by forced delivery
2006-06-23 12:38:46 1Fs6EX-0003Ab-Fw ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.bellsouth.com [139.76.165.130]: 550 Mailbox unavailable or access denied - <[email protected]>
2006-06-23 12:38:46 1Fs6EX-0003Ab-Fw Frozen (delivery error message)
2006-06-23 12:39:05 1FtpcX-0006s2-E5 <= [email protected] H=(BASEMENT.6ws4oq.org) [71.126.0.71] P=esmtp S=1770
2006-06-23 12:39:06 H=(BASEMENT.6ws4oq.org) [71.126.0.71] sender verify fail for <[email protected]>: unrouteable mail domain "tiscalinet.itducdv"
2006-06-23 12:39:06 H=(BASEMENT.6ws4oq.org) [71.126.0.71] F=<[email protected]ducdv> rejected RCPT <[email protected]>: Sender verify failed
2006-06-23 12:39:06 1FtpcX-0006s2-E5 => absolute <[email protected]> R=localuser T=local_delivery
2006-06-23 12:39:06 1FtpcX-0006s2-E5 Completed
2006-06-23 12:39:06 unexpected disconnection while reading SMTP command from (BASEMENT.6ws4oq.org) [71.126.0.71]
2006-06-23 12:39:11 H=(tcaim.com) [66.216.92.26] F=<> rejected RCPT <[email protected]textiles.com>:
2006-06-23 12:39:11 1Ftpcc-0006tB-B9 <= [email protected] H=(BASEMENT) [71.126.0.71] P=esmtp S=1733
2006-06-23 12:39:12 1Ftpcc-0006tB-B9 => absolute <[email protected]> R=localuser T=local_delivery
2006-06-23 12:39:12 1Ftpcc-0006tB-B9 Completed
2006-06-23 12:39:32 1FtmHZ-0005fd-A0 ad.funnel.revenuedirect.com.akadns.net [66.150.161.56]: Connection timed out
2006-06-23 12:39:41 no host name found for IP address 211.41.101.170
2006-06-23 12:39:41 H=(emea.progress.com) [211.41.101.170] F=<[email protected]ogress.com> rejected RCPT <[email protected]>: Message rejected because (emea.progress.com) [211.41.101.170] is blacklisted at bl.spamcop.net see Blocked - see http://www.spamcop.net/bl.shtml?211.41.101.170
2006-06-23 12:39:41 unexpected disconnection while reading SMTP command from (emea.progress.com) [211.41.101.170]
2006-06-23 12:39:43 1Ftpd9-00070o-Ey <= [email protected] H=cpe-68-206-52-120.houston.res.rr.com (KEVIN) [68.206.52.120] P=esmtpa A=fixed_login:[email protected]com S=4495
2006-06-23 12:39:46 1Ftpd9-00070o-Ey => jferris <[email protected]> R=boxtraper_autowhitelist T=boxtrapper_autowhitelist
2006-06-23 12:39:47 1Ftpd9-00070o-Ey => [email protected] R=lookuphost T=remote_smtp H=mail.pnwsoft.com [207.244.158.170]
2006-06-23 12:39:47 1Ftpd9-00070o-Ey Completed
2006-06-23 12:39:48 H=(dsl.dynamic81214201227.ttnet.net.tr) [81.214.201.227] F=<[email protected]> rejected RCPT <[email protected]>:
2006-06-23 12:39:50 H=(jimsmithrealty.com) [83.38.49.251] F=<[email protected]alty.com> rejected RCPT <[email protected]>:
2006-06-23 12:39:51 unexpected disconnection while reading SMTP command from (jimsmithrealty.com) [83.38.49.251]
2006-06-23 12:39:54 1Fsdab-000101-FG SMTP timeout while connected to ob-mail-com.mr.outblaze.com [64.71.166.194] after initial connection: Connection timed out
2006-06-23 12:40:06 1FtpdV-0007BG-Vl <= [email protected] H=(ug-out-1314.google.com) [66.249.92.175] P=esmtp S=1497 id=cfa653490606231040v1e330aa9m6083a5474[email protected]
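
An added example, not part of the original post: one way to tally an exim_mainlog excerpt like the one above, so that failed outbound connections per remote host, RBL rejections per list and frozen messages can be compared at a glance. The sample lines are constructed (placeholder hosts and addresses) and the function names are this example's own.

```shell
# Constructed sample in exim_mainlog format; hosts and addresses are placeholders.
sample_mainlog() {
cat <<'EOF'
2006-06-23 12:36:13 1FsdYF-0000ur-7S mx1.example.net [192.0.2.10]: Connection timed out
2006-06-23 12:36:41 1FtRY8-0007s9-Ux SMTP timeout while connected to mx1.example.net [192.0.2.11] after initial connection: Connection timed out
2006-06-23 12:37:35 1FsdX0-0000sf-MR Frozen (delivery error message)
2006-06-23 12:37:36 1FsdbM-00010Q-MC Frozen (delivery error message)
2006-06-23 12:37:51 1FsXjk-0004d5-82 mx2.example.org [198.51.100.7]: Connection refused
2006-06-23 12:38:17 H=(system.mail) [203.0.113.74] F=<a@example.com> rejected RCPT <b@example.com>: Message rejected because (system.mail) [203.0.113.74] is blacklisted at cbl.abuseat.org
2006-06-23 12:39:41 H=(relay.example) [203.0.113.170] F=<c@example.com> rejected RCPT <d@example.com>: Message rejected because (relay.example) [203.0.113.170] is blacklisted at bl.spamcop.net
2006-06-23 12:39:47 1Ftpd9-00070o-Ey Completed
EOF
}

# Tally failed outbound connections per remote host, RBL rejections per list,
# and frozen messages. Reads a mainlog on stdin (function name is hypothetical).
exim_log_summary() {
    awk '
    / is blacklisted at / {
        for (i = 2; i < NF; i++)
            if ($(i-1) == "blacklisted" && $i == "at") rbl[$(i+1)]++
        next
    }
    /Connection (timed out|refused)$/ {
        # the remote host name is the field just before the bracketed IP
        for (i = 4; i <= NF; i++)
            if ($i ~ /^\[[0-9.]+\]:?$/) { fail[$(i-1)]++; break }
        next
    }
    $4 == "Frozen" { frozen++ }
    END {
        for (h in fail) printf "delivery_fail %s %d\n", h, fail[h]
        for (r in rbl)  printf "rbl_reject %s %d\n", r, rbl[r]
        printf "frozen %d\n", frozen
    }' | LC_ALL=C sort
}

sample_mainlog | exim_log_summary
```

On a live server the input would be something like `tail -500 exim_mainlog | exim_log_summary`, run from the directory that holds the log.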
 

yufool

Prm

Not a permanent fix, but I configured PRM to kill the exim process. Is there a better solution?
 

Anishts

Active Member
Oct 6, 2005
37
0
156
Try This

Hello,

Can you do

1.
# exim -bpc --------> will give the total number of messages in the exim mail queue

2.
# exim -bp ----------> it will give the status of mail, like frozen, or <> for mail delivery failed (returned)

If there are a lot of frozen or returned mails, use this command to remove those mails.

# exim -bp | awk '/frozen|<>/ {if ($2 ~ /^1F/) print $2; else print $3}' | xargs exim -Mrm

or put it as a script in /etc/cron.daily as eximqueclean (chmod 755) like this
#!/bin/sh
/usr/sbin/exim -bp | awk '/frozen|<>/ {if ($2 ~ /^1F/) print $2; else print $3}' | xargs exim -Mrm > /dev/null 2>&1

Then search "exim mail queue script" to find a lot of scripts to manage the mail queue in this forum ;)
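
An added example, not part of the original reply: a preview step for the cleanup command above that lists which queued messages would match, and why, before any ID reaches `exim -Mrm`. It recognises message IDs by their shape instead of the `1F` prefix (which depends on when the message was queued); the sample `exim -bp` output is constructed and the function names are hypothetical.

```shell
# Constructed sample of `exim -bp` output; addresses are placeholders.
sample_queue() {
cat <<'EOF'
25m  2.9K 1FsdX0-0000sf-MR <> *** frozen ***
          user1@example.com

 3h  1.2K 1FtRY8-0007s9-Ux <sender@example.org>
          user2@example.net

 2d  4.0K 1FsXjk-0004d5-82 <>
          user3@example.net

 4d   812 1Fs6EX-0003Ab-Fw <list@example.org> *** frozen ***
          user4@example.com
EOF
}

# Print "id age reason" for every queue entry that is frozen or has a null
# sender (<>). Nothing is deleted; this only reports what would be selected.
queue_candidates() {
    awk '
    # header lines carry: age, size, message ID (three dash-separated parts), sender
    $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
        frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
        bounce = ($4 == "<>")
        if (frozen && bounce) print $3, $1, "frozen-bounce"
        else if (frozen)      print $3, $1, "frozen"
        else if (bounce)      print $3, $1, "bounce"
    }'
}

sample_queue | queue_candidates
```

On a live server the input would be `exim -bp | queue_candidates`. The "bounce" rows are delivery failure notices still waiting for delivery, so they are worth reading before their IDs are handed to `exim -Mrm`.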
 

yufool

removed RBL in exim ACL

I removed the RBL in the Exim ACL configuration editor for the following and it works fine. A new cPanel update possibly caused it.

dnslists = bl.spamcop.net : \
sbl.spamhaus.org : \
list.dsbl.org : \
cbl.abuseat.org : \
relays.ordb.org
 