Exim - runaway CPU resources!

jcsolutions

Well-Known Member
Nov 4, 2002
184
0
166
Canada
PLEASE HELP!

Ok, I've been searching through all postings mentioning "exim", both here and at the rackshack forums. I've found *many* posts about exim running very high (50+) cpu loads. However, there doesn't seem to be a fix for this?!

My server has gone wild over the last couple days with loads as high as 96! As I write this, I'm at 68.

Here is a sample from top:

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
4560 root 16 0 2560 2560 2076 R 3.7 0.2 0:00 sendmail
4562 root 16 0 2556 2556 2076 R 3.7 0.2 0:00 sendmail
1980 root 16 0 2564 2092 2084 R 2.7 0.2 0:18 sendmail
2094 root 16 0 2564 2092 2084 R 2.7 0.2 0:15 sendmail
2140 root 16 0 2564 2364 2084 R 2.7 0.2 0:13 sendmail
2511 root 16 0 2560 2560 2084 R 2.7 0.2 0:14 sendmail
3123 root 16 0 2568 2568 2084 R 2.7 0.2 0:10 sendmail
3226 root 16 0 2564 2564 2084 R 2.7 0.2 0:09 sendmail
3324 root 16 0 2564 2564 2084 R 2.7 0.2 0:09 sendmail
3961 root 16 0 2568 2568 2084 R 2.7 0.2 0:04 sendmail
4396 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
4459 root 16 0 2560 2560 2084 R 2.7 0.2 0:01 sendmail
4470 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
4480 root 16 0 2564 2564 2084 R 2.7 0.2 0:01 sendmail
4484 root 16 0 2568 2568 2084 R 2.7 0.2 0:01 sendmail
4510 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
4514 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
4519 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
4523 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
4527 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
4529 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
4554 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
4556 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
4558 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
4571 root 16 0 2560 2560 2076 R 2.7 0.2 0:00 sendmail
4573 root 16 0 2560 2560 2076 R 2.7 0.2 0:00 sendmail
4576 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
4578 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
1673 root 16 0 2560 2436 2084 R 2.5 0.2 0:21 sendmail
1678 root 16 0 2564 2096 2084 R 2.5 0.2 0:21 sendmail
2748 nobody 12 0 144M 17M 4188 S 2.5 1.8 0:00 httpd
27040 mysql 14 0 16720 7336 1112 S 1.7 0.7 0:44 mysqld
6 root 10 0 0 0 0 SW 0.9 0.0 782:06 kscand
4590 root 13 0 2496 2496 2028 S 0.7 0.2 0:00 exim

When I check the exim_mainlog, it appears all the mail in my queue is trying to be sent (currently over 1200 messages). The messages appear to be the usual mix of legitimate and spam emails and are being sent to users on my system.

I'm running Cpanel 6.4.2-S75 on RedHat 7.3 with 2.4GHz CPU and 1GB DDR RAM.

Any and all help/suggestions are sincerely appreciated!

cPanel.net Support Ticket Number:
 

FWC

Well-Known Member
May 13, 2002
354
0
316
Ontario, Canada
You may be getting mail bombed. Find the offending IP and block them with your firewall or iptables.


jcsolutions

Well-Known Member
Nov 4, 2002
184
0
166
Canada
How do I tell if I'm being mail bombed and how do I find the IP? I've checked the access_log, but there doesn't seem to be anything there. I've checked exim_mainlog, but there doesn't appear to be anything funny, just the mails being sent from my queue.

Sorry, I'm still learning, but I'm doing the best I can. Thanks.


FWC

Well-Known Member
May 13, 2002
354
0
316
Ontario, Canada
Actually, it's more likely somebody on your server ran a huge mailing list or has a program running away. Go into WHM and look at some of them in the queue and see who is sending out so much mail.


jcsolutions

Well-Known Member
Nov 4, 2002
184
0
166
Canada
After checking the queue, it appears 2 domains on my server are getting spammed like crazy (receiving, not sending - mail bombed?). How can I get the IP address of the person responsible so I can ban them?


tAzMaNiAc

Well-Known Member
Feb 16, 2003
558
0
166
Sachse, TX
Originally posted by jcsolutions
After checking the queue, it appears 2 domains on my server are getting spammed like crazy (receiving, not sending - mail bombed?). How can I get the IP address of the person responsible so I can ban them?

Can't you see the IP in the logs? i.e. exim_mainlog or.... something of that like?

or, open one of the mailboxes being spammed, look for the originator IP in the headers.....?

Brenden


jcsolutions

Well-Known Member
Nov 4, 2002
184
0
166
Canada
exim_mainlog doesn't really tell me much. For sure no IP addresses listed. If there is another log file that might give the IPs, I'd appreciate knowing.

It's difficult to narrow down who sent spam just by looking at the message headers. They could be using a fake IP or a different domain. Even though I don't like to, for now I have used this option and added what is hopefully the spamming domain to /etc/spammers. We'll see if this helps.


FWC

Well-Known Member
May 13, 2002
354
0
316
Ontario, Canada
Originally posted by jcsolutions
exim_mainlog doesn't really tell me much. For sure no IP addresses listed. If there is another log file that might give the IPs, I'd appreciate knowing.
What version of Exim are you running? You can turn on all sorts of reporting features in Exim 4 that will get the spammer's IP, and then some, in exim_mainlog. Find this:
Code:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
hostlist auth_relay_hosts = *
Immediately under it add this and you'll get some new logging.
Code:
# Each item below is an Exim 4 log_selector flag. The backslash must be the
# last character on each continued line (no trailing spaces), and the final
# item must not end with a backslash, or the option will not parse.
log_selector = \
+address_rewrite \
+all_parents \
+arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
+retry_defer \
+sender_on_delivery \
+size_reject \
+skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+smtp_syntax_error \
+subject \
+tls_cipher \
+tls_peerdn
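The two things FWC suggests, looking at who is sending so much mail and reading the source IP out of exim_mainlog, can be done in one pass over the log. The following is an added example, not code from this thread, from cPanel or from Exim. It parses the message-arrival lines (the ones containing `<=`) that Exim 4 writes by default, which carry the envelope sender and the `H=hostname [ip]` field for remotely submitted mail, plus the optional `for recipient...` tail that the `+received_recipients` selector from the post above adds. It then counts messages per source IP, per envelope sender and per recipient domain, so a mail bomb against a couple of domains from one host stands out. The log lines in `SAMPLE_LOG` are constructed for the example; the function names (`parse_arrival`, `summarise`, `flood_sources`) are this example's own.

```python
"""Summarise an Exim 4 main log to find where a flood of incoming mail comes from.

Added example; not part of the forum thread, cPanel or Exim. Assumes the
default Exim 4 "<=" line layout, optionally extended by +received_recipients.
"""
import re
from collections import Counter

# Constructed sample log: one host (192.0.2.10) hammering site-a.example,
# two ordinary messages for site-b.example, one local "Completed" line and
# one delivery ("=>") line that the parser must ignore.
SAMPLE_LOG = """\
2003-05-10 12:00:01 19EKxy-0001Ab-3C <= bulk@mail.example H=(HELO) [192.0.2.10] P=esmtp S=2048 for victim@site-a.example
2003-05-10 12:00:02 19EKxz-0001Ac-7Q <= bulk@mail.example H=(HELO) [192.0.2.10] P=esmtp S=2048 for victim@site-a.example
2003-05-10 12:00:03 19EKy0-0001Ad-1F <= noreply@other.example H=relay.other.example [198.51.100.7] P=esmtp S=900 for sales@site-b.example
2003-05-10 12:00:04 19EKy1-0001Ae-2G <= bulk@mail.example H=(HELO) [192.0.2.10] P=esmtp S=2048 for info@site-a.example
2003-05-10 12:00:05 19EKy2-0001Af-9H <= alice@partner.example H=mx.partner.example [203.0.113.5] P=esmtps S=3100 for bob@site-b.example
2003-05-10 12:00:05 19EKy2-0001Af-9H => bob@site-b.example R=virtual_user T=virtual_userdelivery
2003-05-10 12:00:06 19EKy3-0001Ag-4J <= <> H=(HELO) [192.0.2.10] P=esmtp S=512 for victim@site-a.example
2003-05-10 12:00:06 19EKy3-0001Ag-4J Completed
"""

ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+)(.*)$")
# H= takes the forms "H=name [ip]", "H=name (helo) [ip]", "H=(helo) [ip]" or "H=[ip]".
HOST_RE = re.compile(r" H=(?:([^\[]*?) )?\[([^\]]+)\]")
# Present only when the +received_recipients log selector is enabled.
RCPT_RE = re.compile(r" for (.+)$")


def parse_arrival(line):
    """Return a dict for an Exim '<=' (message received) line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    ts, msg_id, sender, rest = m.groups()
    host = HOST_RE.search(rest)
    rcpt = RCPT_RE.search(rest)
    return {
        "time": ts,
        "id": msg_id,
        "sender": sender,                          # "<>" for bounces
        "host": host.group(1) if host else None,   # hostname and/or HELO name, if logged
        "ip": host.group(2) if host else None,     # None for locally submitted mail (no H=)
        "recipients": rcpt.group(1).split() if rcpt else [],
    }


def summarise(log_text, top=3):
    """Top-N received-message counts per source IP, envelope sender and recipient domain."""
    by_ip, by_sender, by_domain = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        by_ip[rec["ip"] or "local"] += 1
        by_sender[rec["sender"]] += 1
        for r in rec["recipients"]:
            by_domain[r.rpartition("@")[2].lower()] += 1
    return {
        "by_ip": by_ip.most_common(top),
        "by_sender": by_sender.most_common(top),
        "by_domain": by_domain.most_common(top),
    }


def flood_sources(log_text, threshold):
    """Remote IPs that submitted at least `threshold` messages, most prolific first.

    Locally submitted mail has no H= field and therefore no IP to block, so it is skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec["ip"]:
            counts[rec["ip"]] += 1
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Run against a real log with: summarise(open("exim_mainlog").read(), top=10)
    for key, rows in summarise(SAMPLE_LOG).items():
        print(key, rows)
    print("candidates for a firewall block:", flood_sources(SAMPLE_LOG, threshold=3))
```

Before blocking an address that `flood_sources` reports, compare it against the hosts that legitimately relay to you (the `relay_hosts` list in the post above), since a busy upstream relay will rank high for innocent reasons. Mail that arrives with no `H=` field was submitted locally, which points at a script or mailing list on the box rather than an outside sender, the case FWC raised earlier in the thread.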
 

jcsolutions

Well-Known Member
Nov 4, 2002
184
0
166
Canada
FWC, what exactly does all that code do? I'm not seeing a difference in exim_mainlog.

(Sorry for the delay. I missed this post.)


FWC

Well-Known Member
May 13, 2002
354
0
316
Ontario, Canada
Originally posted by jcsolutions
FWC, what exactly does all that code do? I'm not seeing a difference in exim_mainlog.

(Sorry for the delay. I missed this post.)
I got so much more info in exim_mainlog I ended up removing the code. :)