EXIM Spam Issues

[andyogsc]

Hello All, maybe someone can help me.

I recently updated the server to the lastest stuff, everything works great but for some odd reason my EXIM is sending out spam emails to people but also sending it locally. So this means it is Using up ALL my cpu and slowing down the system. Once server is rebooted, the slow server has gone but after like 50 minutes it slows down again.

this is from my exim_mainlog

2006-05-26 18:16:22 1FjgrG-0004gb-5i <= [email protected] U=nobody P=local S=2551
2006-05-26 18:16:22 1FjgrF-0004gG-86 == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2006-05-26 18:16:22 1FjgrF-0004gO-Mn <= <> R=1FjgrC-0004ec-02 U=mailnull P=local S=3658
2006-05-26 18:16:23 1FjgrF-0004gK-EI == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2006-05-26 18:16:23 1FjgrE-0004gD-Vr => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:23 1FjgrE-0004gA-SM => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:23 1FjgrG-0004gb-5i == [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2006-05-26 18:16:23 1FjgrE-0004fv-Qq => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:23 1FjgrE-0004fv-Qq Completed
2006-05-26 18:16:23 1FjgrF-0004gL-ET => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:23 1FjgrF-0004gL-ET Completed
2006-05-26 18:16:23 1FjgrE-0004gA-SM Completed
2006-05-26 18:16:23 1FjgrF-0004gI-Eh => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:23 1FjgrF-0004gI-Eh Completed
2006-05-26 18:16:23 1FjgrE-0004gD-Vr Completed
2006-05-26 18:16:23 1FjgrG-0004gf-LI <= [email protected] U=nobody P=local S=1763
2006-05-26 18:16:23 1FjgrC-0004ec-02 Completed
2006-05-26 18:16:23 1FjgrE-0004gC-TN ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.matrix.com.br [200.196.28.6]: 550 <[email protected]>: Recipient address rejected: Access denied
2006-05-26 18:16:23 1FjgrG-0004gr-RW <= [email protected] U=nobody P=local S=2545
2006-05-26 18:16:24 1FjgrF-0004gO-Mn => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mailin.blueyonder.co.uk [195.188.53.99]
2006-05-26 18:16:24 1FjgrF-0004gO-Mn Completed
2006-05-26 18:16:24 1FjgrG-0004gf-LI == alrib[email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2006-05-26 18:16:24 1FjgrH-0004h7-UA <= <> R=1FjgrE-0004gC-TN U=mailnull P=local S=2808
2006-05-26 18:16:24 1FjgrH-0004h8-Uc <= [email protected] U=nobody P=local S=1775
2006-05-26 18:16:24 1FjgrI-0004hA-0e <= [email protected] U=nobody P=local S=2542

Here are some processes currently running on my server while slowing it down.

3455 nobody 0 1.1 1.4 spamd child
22156 root 0 1.1 0.4 /usr/sbin/exim -Mc 1Fk5OV-0005lH-Df
22161 root 0 1.1 0.4 /usr/sbin/exim -Mc 1Fk5OW-0005lN-4m
22145 root 0 0.8 0.4 /usr/sbin/exim -Mc 1Fk5OT-0005l9-KH
22164 mailnull 0 0.8 0.4 /usr/sbin/exim -Mc 1Fk5OW-0005lS-Hx
21522 root 0 0.0 0.3 /usr/sbin/exim -Mc 1Fk5KV-0005b3-Av
21533 mailnull 0 0.0 0.3 /usr/sbin/exim -Mc 1Fk5KV-0005b3-Av
22146 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1Fk5OT-0005l9-KH
22160 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1Fk5OV-0005lH-Df
22163 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1Fk5OW-0005lN-4m
22165 mailnull 0 0.0 0.2 /usr/sbin/sendmail -t -i
22166 mailnull 0 0.0 0.2 /usr/sbin/exim -t -oem -oi -f <> -E1Fk5OW-0005lS-Hx

Those are just some of what is running on the server. I feel it is something to do with eximstats as that was failling when the server booted up and was like this for 50 minutes and once it went green and was working, BOOM the server starting slowing down.

I have searched up and down the internet and can not find a answer, i have also tried others issues and tried there fixs but still it continues to happen.

I really need a soluation.... Please help i will be greatly appreicated.

Andrew Bailey

 

[AndyReed]

I recently updated the server to the lastest stuff, everything works great but for some odd reason my EXIM is sending out spam emails to people but also sending it locally. So this means it is Using up ALL my cpu and slowing down the system. Once server is rebooted, the slow server has gone but after like 50 minutes it slows down again.

How many messages are there in the queue? If you believe that there is a spammer, you need to locate the script or scripts used to deliver spam and either suspend or delete. Overall, secure and optimize your server. High server load issue has been discussed many times in these forums.

 

[andyogsc]

thats the problem i can't seem to find out who is doing it or what is doing it. How can you find out what script is doing it.

 

[dalem]

put log_selector = +all
in the top box of your Exim Configuration Editor

and tail your exim_mainlog it will tell your from which script the mail is being sent

 

[andyogsc]

how do you tail may i ask sorry.

 

[dalem]

open a ssh seesion
tail -f /var/log/exim_mainlog

or let it run for a while and grep on of the messages that end up in your Exim Mail Queue

grep message id /var/log/exim_mainlog

 

[tweakservers]

the mails appear to be sent out by some php scripts as it is owned by nobody. You may really want to look into that.