The Community Forums


Exim (spam attack?) problems

Discussion in 'General Discussion' started by UAnt, Jan 19, 2005.

  1. UAnt (Registered)

    Hey all. Please excuse my first post being a cry for help, but I know there are some remarkably intelligent people here who know far more about CPanel and Exim than I do...

    I run a fairly quiet server, mail-wise it normally handles no more than 30-40 an hour. Then suddenly this morning things changed... Exim is now processing around 30,000 emails an hour, and thanks to MailScanner going over each email the load is also through the roof.

    I've had a look into the problem and unfortunately I'm stumped. I noticed it only a few minutes after it started, but having a final-year uni exam to go to this morning I wasn't able to do much about it at the time. It's now been 5 hours and I'm concerned that something is "not quite right". If anyone knows what might be going on, I'd appreciate any and all advice!

    On one hand I think it could be some spammer using one of my addresses as a Reply-To address or some sort of Dictionary attack, on the other I'm concerned it might be something more serious. /var/log/secure shows nothing out of the ordinary.

    /var/log/exim_mainlog has about 300,000 lines of things like this:

    Code:
    2005-01-19 07:34:26 1CrF2Y-0007ph-BA Spool file 1CrF2Y-0007ph-BA-D not found
    2005-01-19 07:34:26 1CrF2Y-0007pi-C7 Spool file 1CrF2Y-0007pi-C7-D not found
    2005-01-19 07:34:26 1CrF2Y-0007pt-Ia <= <> U=mailnull P=MailScanner S=1048
    2005-01-19 07:34:26 1CrF2Y-0007pu-JV <= postmaster@calv.purelyartistic.com U=mailnull P=MailScanner S=973
    2005-01-19 07:34:26 1CrF2Y-0007pt-Ia Spool file 1CrF2Y-0007pt-Ia-D not found
    2005-01-19 07:34:26 1CrF2Y-0007pu-JV Spool file 1CrF2Y-0007pu-JV-D not found
    2005-01-19 07:34:26 1CrF2Y-0007q5-Pq <= <> U=mailnull P=MailScanner S=1048
    2005-01-19 07:34:26 1CrF2Y-0007q6-Ql <= postmaster@calv.purelyartistic.com U=mailnull P=MailScanner S=973
    2005-01-19 07:34:27 1CrF2Y-0007q5-Pq Spool file 1CrF2Y-0007q5-Pq-D not found
    2005-01-19 07:34:27 1CrF2Y-0007q6-Ql Spool file 1CrF2Y-0007q6-Ql-D not found
    2005-01-19 07:34:28 1CrF2Z-0007qI-0x <= <> U=mailnull P=MailScanner S=1048
    2005-01-19 07:34:29 1CrF2Z-0007qI-0x Spool file 1CrF2Z-0007qI-0x-D not found
    2005-01-19 07:34:29 1CrF2a-0007qJ-Jd <= postmaster@calv.purelyartistic.com U=mailnull P=MailScanner S=973
    
    ps -A

    Although I don't think I see anything out of the ordinary, maybe someone else will...

    Code:
    ps -A
      PID TTY          TIME CMD
        1 ?        00:00:13 init
        2 ?        00:00:00 keventd
        3 ?        00:00:00 kapmd
        4 ?        00:00:00 ksoftirqd/0
        7 ?        00:00:00 bdflush
        5 ?        00:00:03 kswapd
        6 ?        00:00:00 kscand
        8 ?        00:00:00 kupdated
        9 ?        00:00:00 mdrecoveryd
       13 ?        00:02:22 kjournald
       68 ?        00:00:00 khubd
      573 ?        00:00:00 kjournald
      574 ?        00:00:00 kjournald
     3248 ?        00:00:00 eth0
     3393 ?        00:01:30 syslogd
     3397 ?        00:00:00 klogd
     5157 ?        00:00:00 cupsd
     5179 ?        00:00:00 sshd
     5193 ?        00:00:00 xinetd
     5211 ?        00:00:00 chkservd
     5299 ?        00:00:00 httpd
     5303 ?        00:00:01 httpd
     5304 ?        00:00:03 httpd
     5305 ?        00:00:02 httpd
     5306 ?        00:00:01 httpd
     5307 ?        00:00:02 httpd
     5348 ?        00:00:01 named
     5355 ?        00:00:00 crond
     5407 ?        00:00:00 xfs
     5416 ?        00:00:00 atd
     5569 ?        00:00:01 httpd
     5647 ?        00:00:00 entropychat
     5652 ?        00:00:00 melange
     5672 ?        00:00:00 pure-ftpd
     5676 ?        00:00:00 pure-authd
     5698 ?        00:00:00 stunnel-4.04loc
     5723 ?        00:00:00 rhnsd
     5735 ?        00:00:00 ipalert_statd
     5762 ?        00:00:00 portsentry
     5779 tty1     00:00:00 mingetty
     5780 tty2     00:00:00 mingetty
     5781 tty3     00:00:00 mingetty
     5782 tty4     00:00:00 mingetty
     5783 tty5     00:00:00 mingetty
     5784 tty6     00:00:00 mingetty
     6036 ?        00:00:01 httpd
     6101 ?        00:00:02 httpd
     6102 ?        00:00:03 httpd
     6103 ?        00:00:02 httpd
     3280 ?        00:00:00 MailScanner
    30391 ?        00:00:00 httpd
      498 ?        00:00:01 httpd
    27750 ?        00:00:00 logrunner
    27751 ?        00:00:00 webalizer
    18300 ?        00:00:02 httpd
    27339 ?        00:03:37 MailScanner
    28245 ?        00:03:23 MailScanner
    28751 ?        00:03:14 MailScanner
    29263 ?        00:03:20 MailScanner
    30251 ?        00:03:05 MailScanner
     5464 ?        00:00:01 httpd
     5553 ?        00:00:01 httpd
     5554 ?        00:00:01 httpd
     5624 ?        00:00:01 httpd
     5625 ?        00:00:01 httpd
     5626 ?        00:00:01 httpd
     5627 ?        00:00:01 httpd
     5640 ?        00:00:01 httpd
     5642 ?        00:00:00 httpd
     6760 ?        00:00:01 pure-ftpd
     9432 ?        00:00:00 sshd
     9951 ?        00:00:00 sshd
     9993 pts/0    00:00:00 bash
    10138 pts/0    00:00:00 su
    10216 pts/0    00:00:00 bash
     2145 ?        00:00:00 logrunner
     2146 ?        00:00:00 webalizer
     3398 ?        00:00:00 cpanellogd
     3403 ?        00:00:00 cppop
     3420 ?        00:00:00 cpsrvd
    12578 ?        00:00:00 spamd
    12595 ?        00:00:00 spamd
    12609 ?        00:00:00 antirelayd
    12610 ?        00:00:00 spamd
    12612 ?        00:00:00 spamd
    12615 ?        00:00:00 spamd
    12620 ?        00:00:00 spamd
    13211 ?        00:00:00 httpd
    21262 ?        00:00:00 httpd
    23788 ?        00:00:00 httpd
    23840 ?        00:00:00 httpd
    24234 ?        00:00:00 httpd
    27575 ?        00:00:00 cpanellogd
    27576 ?        00:00:00 cpanellogd
    27578 ?        00:00:00 logrunner
    27579 ?        00:00:00 webalizer
    27694 ?        00:00:00 httpd
    28194 ?        00:00:00 httpd
     1515 ?        00:00:00 MailScanner <defunct>
     1585 ?        00:00:00 MailScanner <defunct>
     1704 ?        00:00:00 MailScanner <defunct>
     1732 ?        00:00:00 MailScanner <defunct>
     1878 ?        00:00:00 httpd
     2013 ?        00:00:00 httpd
     2178 pts/0    00:00:00 ps
     2180 ?        00:00:00 MailScanner
     2181 ?        00:00:00 exim
     2182 ?        00:00:00 exim
    top

    Code:
     09:11:25  up  6:59,  1 user,  load average: 3.61, 3.56, 3.55
    105 processes: 92 sleeping, 5 running, 5 zombie, 3 stopped
    CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
               total   50.5%    0.0%   44.2%   0.0%     0.0%    5.2%    0.0%
    Mem:   505400k av,  464524k used,   40876k free,       0k shrd,   38056k buff
                        346644k actv,   16748k in_d,    6548k in_c
    Swap: 1052248k av,    3960k used, 1048288k free                  291568k cached
    
      PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
    28245 mailnull  25   0 14796  14M   972 R     6.3  2.9   5:54   0 MailScanner
    29263 mailnull  25   0 14848  14M   972 S     6.3  2.9   6:30   0 MailScanner
    30251 mailnull  25   0 14740  14M   972 S     5.2  2.9   5:35   0 MailScanner
     3393 root      16   0   260  260   176 R     2.1  0.0   1:47   0 syslogd
       13 root      15   0     0    0     0 SW    1.0  0.0   2:49   0 kjournald
     3718 nobody    15   0  3660 3636  1360 S     1.0  0.7   0:01   0 httpd
    16750 root      15   0  1180 1180   924 R     1.0  0.2   0:00   0 top
    18977 mailnull  25   0     0    0     0 Z     1.0  0.0   0:00   0 MailScanner <
    18994 mailnull  25   0     0    0     0 Z     1.0  0.0   0:00   0 MailScanner <
    18996 mailnull  25   0     0    0     0 Z     1.0  0.0   0:00   0 clamav-wrappe
    19000 root      25   0    16   16     0 R     1.0  0.0   0:00   0 exim
        1 root      24   0   140  140    72 S     0.0  0.0   0:14   0 init
        2 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 keventd
        3 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kapmd
        4 root      34  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd/0
        7 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
        5 root      15   0     0    0     0 SW    0.0  0.0   0:04   0 kswapd
        6 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kscand
        8 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kupdated
        9 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 mdrecoveryd
       68 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
      573 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
      574 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
     3248 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 eth0
     5299 root      15   0  2760 2756   484 S     0.0  0.5   0:00   0 httpd
    
    [...]
    
    What particularly concerns me is that the box appears to have been rebooted about the same time this started. Unless someone at my datacentre rebooted it without my knowledge I don't understand how this can be - the machine is fairly secure and I'm the only person with the account details. Oh, and MySQL won't start, not sure how (or if) that's related. The server has been absolutely rock solid for the past year, so I don't know how that could have suddenly changed...

    Running RHE w/ CPanel (Stable Release). Manual updates only.
    Exim w/ MailScanner

    Thanks! :)

    Edit: And just in case it's of any use, here's some snippets from WHM's Mail Statistics page

    Code:
    Messages received per hour (each dot is 589 messages)
    -----------------------------------------------------
    
    03-04   1930 ...
    04-05  26717 .............................................
    05-06  29473 ..................................................
    06-07  28786 ................................................
    07-08  28998 .................................................
    08-09   9283 ...............
    
    
    Top 50 sending hosts by message count
    -------------------------------------
    
     125187      121MB   local
    
    Top 50 local senders by message count
    -------------------------------------
    
     124776      120MB   mailnull
    
     
    #1 UAnt, Jan 19, 2005
    Last edited: Jan 19, 2005
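One way to triage a surge like this from the mainlog alone is to separate locally injected mail (Exim logs it with U=user) from mail that arrived over SMTP (logged with H=host), and to check how many of the local message IDs later lose their spool file. The script below is an added example and not code from the thread or from cPanel; its regexes assume Exim's default mainlog line format, the first eight sample lines are copied from the post, the last two sample lines and the 0.75 threshold are constructed for illustration, and the "verdict" is a heuristic, not a diagnosis.

```python
"""Triage an Exim mainlog excerpt: is the surge inbound mail, or a local
MailScanner/Exim loop?  Added example; not code from the original thread."""
import re
from collections import Counter

# Arrival record: "<date> <time> <msgid> <= <sender> key=value ... S=<size>"
ARRIVAL_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
# The error from the post: the message's -D (data) spool file disappeared.
SPOOL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) Spool file (?P<file>\S+) not found$")

# Share of arrivals that must be locally injected by MailScanner before the
# heuristic calls it a loop.  Arbitrary threshold chosen for this example.
LOCAL_SHARE_THRESHOLD = 0.75

# Lines 1-8 are from the post; the last two are constructed to show a normal
# remote arrival and a delivery line (which the triage ignores).
SAMPLE_LOG = """\
2005-01-19 07:34:26 1CrF2Y-0007pt-Ia <= <> U=mailnull P=MailScanner S=1048
2005-01-19 07:34:26 1CrF2Y-0007pu-JV <= postmaster@calv.purelyartistic.com U=mailnull P=MailScanner S=973
2005-01-19 07:34:26 1CrF2Y-0007pt-Ia Spool file 1CrF2Y-0007pt-Ia-D not found
2005-01-19 07:34:26 1CrF2Y-0007pu-JV Spool file 1CrF2Y-0007pu-JV-D not found
2005-01-19 07:34:26 1CrF2Y-0007q5-Pq <= <> U=mailnull P=MailScanner S=1048
2005-01-19 07:34:26 1CrF2Y-0007q6-Ql <= postmaster@calv.purelyartistic.com U=mailnull P=MailScanner S=973
2005-01-19 07:34:27 1CrF2Y-0007q5-Pq Spool file 1CrF2Y-0007q5-Pq-D not found
2005-01-19 07:34:27 1CrF2Y-0007q6-Ql Spool file 1CrF2Y-0007q6-Ql-D not found
2005-01-19 07:35:02 1CrF3A-0007r0-Aa <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2005-01-19 07:35:03 1CrF3A-0007r0-Aa => alice@example.org R=lookuphost T=remote_smtp H=mail.example.org [192.0.2.10]
"""


def parse_line(line):
    """Return a dict for arrival or spool-missing lines, None for anything else."""
    m = ARRIVAL_RE.match(line)
    if m:
        # Exim writes the remainder as key=value tokens; bare tokens such as a
        # bracketed IP carry no '=' and are skipped.
        kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
        return {
            "kind": "arrival", "minute": m["minute"], "id": m["id"],
            "sender": m["sender"], "user": kv.get("U"), "host": kv.get("H"),
            "proto": kv.get("P"), "size": int(kv.get("S", "0")),
        }
    m = SPOOL_RE.match(line)
    if m:
        return {"kind": "spool_missing", "id": m["id"], "file": m["file"]}
    return None


def triage(lines):
    """Summarise where the mail comes from and whether it looks like a loop."""
    arrivals, missing_ids = [], set()
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["kind"] == "arrival":
            arrivals.append(rec)
        else:
            missing_ids.add(rec["id"])

    # Remote mail carries H=host; locally submitted mail carries U=user.
    by_source = Counter((a["host"] or a["user"] or "?", a["proto"]) for a in arrivals)
    per_minute = Counter(a["minute"] for a in arrivals)
    local_scanner = [a for a in arrivals
                     if a["user"] == "mailnull" and a["proto"] == "MailScanner"]
    local_missing = sum(1 for a in local_scanner if a["id"] in missing_ids)

    verdict = "unknown"
    if arrivals:
        local_share = len(local_scanner) / len(arrivals)
        if local_share >= LOCAL_SHARE_THRESHOLD and local_missing >= len(local_scanner) / 2:
            # The scanner itself injects the messages and they then lose their
            # spool file: the pattern in the post, not an external flood.
            verdict = "local_loop"
        elif local_share < 0.5:
            verdict = "inbound_surge"
        else:
            verdict = "mixed"

    return {
        "arrivals": len(arrivals),
        "by_source": by_source,
        "peak_per_minute": max(per_minute.values(), default=0),
        "local_scanner": len(local_scanner),
        "local_spool_missing": local_missing,
        "local_senders": Counter(a["sender"] for a in local_scanner),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against a real excerpt with `triage(open("/var/log/exim_mainlog"))`. A result dominated by (mailnull, MailScanner) arrivals whose IDs then report a missing -D spool file points at the scanner/Exim hand-off rather than at remote senders, which is what the WHM "Top 50 sending hosts" table above already hints at with 125187 messages from "local". The complementary live checks are `exim -bpc` for the queue length and `exim -bp | exiqsumm` for who the queued mail is addressed to.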
  2. chirpy (Well-Known Member)

    Hi,

    I'll contact you about this to see if I can help. It could well be a looping email or a problem with the MailScanner/Exim configuration.
     