The Community Forums


Exim - runaway CPU resources!

Discussion in 'General Discussion' started by jcsolutions, Jul 8, 2003.

  1. jcsolutions

    jcsolutions Well-Known Member

    PLEASE HELP!

    Ok, I've been searching through all postings mentioning "exim", both here and at the rackshack forums. I've found *many* posts about exim running very high (50+) cpu loads. However, there doesn't seem to be a fix for this?!

    My server has gone wild over the last couple days with loads as high as 96! As I write this, I'm at 68.

    Here is a sample from top:

    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
    4560 root 16 0 2560 2560 2076 R 3.7 0.2 0:00 sendmail
    4562 root 16 0 2556 2556 2076 R 3.7 0.2 0:00 sendmail
    1980 root 16 0 2564 2092 2084 R 2.7 0.2 0:18 sendmail
    2094 root 16 0 2564 2092 2084 R 2.7 0.2 0:15 sendmail
    2140 root 16 0 2564 2364 2084 R 2.7 0.2 0:13 sendmail
    2511 root 16 0 2560 2560 2084 R 2.7 0.2 0:14 sendmail
    3123 root 16 0 2568 2568 2084 R 2.7 0.2 0:10 sendmail
    3226 root 16 0 2564 2564 2084 R 2.7 0.2 0:09 sendmail
    3324 root 16 0 2564 2564 2084 R 2.7 0.2 0:09 sendmail
    3961 root 16 0 2568 2568 2084 R 2.7 0.2 0:04 sendmail
    4396 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
    4459 root 16 0 2560 2560 2084 R 2.7 0.2 0:01 sendmail
    4470 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
    4480 root 16 0 2564 2564 2084 R 2.7 0.2 0:01 sendmail
    4484 root 16 0 2568 2568 2084 R 2.7 0.2 0:01 sendmail
    4510 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
    4514 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
    4519 root 16 0 2568 2568 2084 R 2.7 0.2 0:00 sendmail
    4523 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
    4527 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
    4529 root 16 0 2560 2560 2084 R 2.7 0.2 0:00 sendmail
    4554 root 16 0 2564 2564 2084 R 2.7 0.2 0:00 sendmail
    4556 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
    4558 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
    4571 root 16 0 2560 2560 2076 R 2.7 0.2 0:00 sendmail
    4573 root 16 0 2560 2560 2076 R 2.7 0.2 0:00 sendmail
    4576 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
    4578 root 16 0 2556 2556 2076 R 2.7 0.2 0:00 sendmail
    1673 root 16 0 2560 2436 2084 R 2.5 0.2 0:21 sendmail
    1678 root 16 0 2564 2096 2084 R 2.5 0.2 0:21 sendmail
    2748 nobody 12 0 144M 17M 4188 S 2.5 1.8 0:00 httpd
    27040 mysql 14 0 16720 7336 1112 S 1.7 0.7 0:44 mysqld
    6 root 10 0 0 0 0 SW 0.9 0.0 782:06 kscand
    4590 root 13 0 2496 2496 2028 S 0.7 0.2 0:00 exim

    When I check the exim_mainlog, it appears all the mail in my queue is trying to be sent (currently over 1200 messages). The messages appear to be the usual mix of legitimate and spam emails and are being sent to users on my system.

    I'm running Cpanel 6.4.2-S75 on RedHat 7.3 with 2.4GHz CPU and 1GB DDR RAM.

    Any and all help/suggestions are sincerely appreciated!

  2. FWC

    FWC Well-Known Member

    You may be getting mail bombed. Find the offending IP and block them with your firewall or iptables.

  3. jcsolutions

    jcsolutions Well-Known Member

    How do I tell if I'm being mail bombed and how do I find the IP? I've checked the access_log, but there doesn't seem to be anything there. I've checked exim_mainlog, but it doesn't appear to be anything funny. Just the mails being sent from my queue.

    Sorry, I'm still learning, but I'm doing the best I can. Thanks.

  4. FWC

    FWC Well-Known Member

    Actually, it's more likely somebody on your server ran a huge mailing list or has a program running away. Go into WHM and look at some of them in the queue and see who is sending out so much mail.

  5. jcsolutions

    jcsolutions Well-Known Member

    After checking the queue, it appears 2 domains on my server are getting spammed like crazy (receiving, not sending - mail bombed?). How can I get the IP address of the person responsible so I can ban them?

  6. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Can't you see the IP in the logs? i.e. exim_mainlog or.... something of that like?

    or, open one of the mailboxes being spammed, look for the originator IP in the headers.....?

    Brenden

  7. jcsolutions

    jcsolutions Well-Known Member

    exim_mainlog doesn't really tell me much. For sure no IP addresses listed. If there is another log file that might give the IPs, I'd appreciate knowing.

    It's difficult to narrow down who sent spam just by looking at the message headers. They could be using a fake IP or a different domain. Even though I don't like to, for now I have used this option and added what is hopefully the spamming domain to /etc/spammers. We'll see if this helps.

  8. FWC

    FWC Well-Known Member

    What version of Exim are you running? You can turn on all sorts of reporting features in Exim 4 that will get the spammer's IP, and then some, in exim_mainlog. Find this:
    Code:
    hostlist relay_hosts = lsearch;/etc/relayhosts : \
        localhost
    hostlist auth_relay_hosts = *
    Immediately under it add this and you'll get some new logging.
    Code:
    log_selector = \
        +address_rewrite \
        +all_parents \
        +arguments \
        +connection_reject \
        +delay_delivery \
        +delivery_size \
        +dnslist_defer \
        +incoming_interface \
        +incoming_port \
        +lost_incoming_connection \
        +queue_run \
        +received_sender \
        +received_recipients \
        +retry_defer \
        +sender_on_delivery \
        +size_reject \
        +skip_delivery \
        +smtp_confirmation \
        +smtp_connection \
        +smtp_protocol_error \
        +smtp_syntax_error \
        +subject \
        +tls_cipher \
        +tls_peerdn
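
Added example, not part of the original post or of cPanel/Exim: with the remote host and the recipients on each arrival line, a short awk tally over exim_mainlog shows which IP and which recipient domains account for the flood. The sample log lines, addresses and function names are constructed for illustration, and the script assumes the default main-log field order.

```shell
#!/bin/sh
# Added example: tally Exim arrival ("<=") lines by remote IP and by
# recipient domain. Assumes the default main-log layout:
#   date time message-id "<=" sender ...

sample_log() {  # constructed log lines, documentation addresses only
cat <<'EOF'
2003-07-08 10:15:01 19ZaaA-0001Xy-00 <= a@sender.example H=(mx1) [192.0.2.10] P=smtp S=2101 for info@shop.example
2003-07-08 10:15:02 19ZaaB-0001Xz-00 <= b@sender.example H=(mx1) [192.0.2.10] P=smtp S=2088 for info@shop.example sales@shop.example
2003-07-08 10:15:02 19ZaaC-0001Y0-00 <= c@other.example H=relay.other.example [198.51.100.7]:4321 P=esmtp S=950 T="quote for bob@x.example" for joe@blog.example
2003-07-08 10:15:03 19ZaaD-0001Y1-00 <= nobody@host.example U=nobody P=local S=700 for info@shop.example
2003-07-08 10:15:03 19ZaaC-0001Y0-00 => joe <joe@blog.example> R=localuser T=local_delivery
2003-07-08 10:15:04 19ZaaE-0001Y2-00 <= d@sender.example H=(mx1) [192.0.2.10] P=smtp S=2090 for sales@shop.example
EOF
}

top_senders() {  # stdin: main log; stdout: "count ip", busiest first
    awk '$4 == "<=" {
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^T=/) break   # stop before the subject text (+subject)
            # [192.0.2.10], or [192.0.2.10]:4321 with +incoming_port;
            # locally submitted mail (U=... P=local) has no such field
            if ($i ~ /^\[[0-9a-fA-F.:]+\](:[0-9]+)?$/) {
                ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
                count[ip]++; break
            }
        }
    }
    END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

top_recipient_domains() {  # needs +received_recipients ("for ..." suffix)
    awk '$4 == "<=" {
        last = 0   # use the last "for": the subject may contain the word too
        for (i = 6; i <= NF; i++) if ($i == "for") last = i
        if (!last) next
        for (i = last + 1; i <= NF; i++) {
            at = index($i, "@")
            if (at) count[tolower(substr($i, at + 1))]++
        }
    }
    END { for (d in count) print count[d], d }' | sort -k1,1nr -k2,2
}

echo "arrivals per remote IP:";        sample_log | top_senders
echo "arrivals per recipient domain:"; sample_log | top_recipient_domains
```

To run it against a real log, feed the file on stdin, for example `top_senders < exim_mainlog | head`.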
     
  9. jcsolutions

    jcsolutions Well-Known Member

    FWC, what exactly does all that code do? I'm not seeing a difference in exim_mainlog.

    (Sorry for the delay. I missed this post.)

  10. FWC

    FWC Well-Known Member

    I got so much more info in exim_mainlog I ended up removing the code. :)
     