Filling /var/spool/exim/

Discussion in 'General Discussion' started by dolay, Apr 2, 2005.

  1. dolay

    dolay Member

    The disk is being repeatedly filled by files in
    /var/spool/exim/input
    /var/spool/exim/scan

    Eg. [/var/spool/exim]# du -h --max-depth 1 |grep G
    1.6G ./input
    2.9G ./scan
    4.5G

    They get filled even if there are only 10 e-mails in the Exim mail queue.
    In addition, Exim is producing very high load and memory consumption at the same time.

    (This might be connected with the following - 2 days ago, a large number ~30K of spam e-mails got queued in the mail queue because of filters not letting them in; they were deleted).

    Tried:
    - emptying mail queue
    - reinstalling Exim and resetting it to defaults.

    Does anyone have a similar problem or a solution?
     
  2. chirpy

    chirpy Well-Known Member

    Looks like you have a hacker on the server as /scan is not a valid subdirectory for /var/spool/exim/ - I would bet that they're logs from server port scanning or DDOS tools from the evidence here.

    You need to get to the bottom of what the files within the directories actually are if they're not email header and data files and check your server over for root and/or user compromises and clean it up.
     
  3. dolay

    dolay Member

    Thank you for the reply.

    /var/spool/exim/scan on my system
    contains directories with names of the e-mail ID.
    Those folders contain eml files.

    [/var/spool/exim/scan/1DHeKd-0008SA-Ik]# ll
    total 13244
    drwxr-x--- 2 mailnull mail 4096 Apr 2 08:50 ./
    drwxr-x--- 22 mailnull mail 12288 Apr 2 09:03 ../
    -rw-rw-rw- 1 mailnull mail 13524696 Apr 2 08:52 1DHeKd-0008SA-Ik.eml

    /var/spool/exim now circulates between 496M and 798M every few seconds.
    Those e-mail IDs do not appear in Mail Queue.

    I've checked them and most are from
    " Received: from web31604.mail.mud.yahoo.com ([68.142.198.150]). "

    This made me even more confused.
     
  4. chirpy

    chirpy Well-Known Member

    Ah, I guess the scan/ subdir is something to do with the clamavconnector and it's not tidying up after itself?
     
  5. dolay

    dolay Member

    It is highly possible.

    After uninstalling ClamAVconnector, reinstalling Exim, and changing all default :blackhole: to :fail: the situation is stable.
    On the other hand, there is no anti-virus protection now.

    I'm still seeking a better solution on the forums.
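
An added example, not part of any post in this thread: one way to check whether the directories under scan/ belong to messages Exim still holds, or are leftovers that nothing cleaned up. The spool layout in the comments is an assumption based on the listing above, and the function names and demo message IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed spool layout:
#   input/<id>-D and input/<id>-H   (input/<x>/<id>-* with split_spool_directory)
#   scan/<id>/<id>.eml              (content-scanning copy, as in the listing above)

# Print "<KiB><TAB><id>" for every scan/<id> with no spool file under input/.
orphaned_scan_dirs() {
    spool=$1
    for dir in "$spool"/scan/*; do
        if [ ! -d "$dir" ]; then continue; fi      # unmatched glob or stray file
        id=$(basename "$dir")
        queued=0
        # Exim writes -D while receiving and -H once reception completes;
        # either one means it still owns this message ID.
        for f in "$spool/input/$id"-[DH] "$spool"/input/*/"$id"-[DH]; do
            if [ -e "$f" ]; then queued=1; break; fi
        done
        if [ "$queued" -eq 0 ]; then
            printf '%s\t%s\n' "$(du -sk "$dir" | cut -f1)" "$id"
        fi
    done | sort -rn
    return 0
}

# Constructed demo spool (not real data): one message in the queue, one orphan.
demo_spool() {
    d=$(mktemp -d)
    mkdir -p "$d/input" "$d/scan/1AAAAA-000001-AA" "$d/scan/1BBBBB-000002-BB"
    : > "$d/input/1AAAAA-000001-AA-D"
    echo body > "$d/scan/1AAAAA-000001-AA/1AAAAA-000001-AA.eml"
    echo body > "$d/scan/1BBBBB-000002-BB/1BBBBB-000002-BB.eml"
    echo "$d"
}

# Usage: sh orphans.sh /var/spool/exim   (no argument: run on the demo spool)
if [ -n "${1:-}" ]; then
    orphaned_scan_dirs "$1"
else
    demo=$(demo_spool); orphaned_scan_dirs "$demo"; rm -rf "$demo"
fi
```

The script only reports; IDs that keep appearing across several runs, largest first, are the ones worth opening to see what is inside before anything is removed.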
     
  6. webignition

    webignition Well-Known Member

    For a solid all-round mail setup, I'd highly recommend Chirpy's $35 MailScanner package.

    That would get you the virus protection you need and it's nice and stable. Admittedly it's not a free option but by far the best $35 you'll ever spend.
     