HELP!! Spammer or sendmail gone crazy.

[techark]

I have some one or somethign on a server gone nuts and exim and sendmail are going wild server load has shot from and avg.5 to 20.0 I have had to turn exim off in the service manager to get it back under control.

I can't trace the PID to see where it is coming from they die off and spawn another one before I can get it. Anyone got any ideas how to find the culpert?

 

[Annette]

Usually, there will be bounced or undeliverable messages in such runs. Check /var/spool/exim/input, pick out some *-D messages, and have a look at their contents. With any luck, there will be a reference in there to a domain on the box that will give you your culprit. You can then check under their /home for a spammish type script or just a plain poorly behaving mailing list script. If there isn't anything in the details of a selection of the items in the spooler, there are other ways to track down someone abusing the system, but that's the place the start.

 

[techark]

How do I pick one out they are flying by so fast it is blur going by the screen. This thing is sending mail.

 

[CGarson]

This happened to one of my servers. There's a process module in WHM that shows the command...

 

[techark]

Found the problem

Autoresponder sending to a full mailbox that was sending it back so it got in a loop.

Geezz what a day this has been, first Apache gets eaten, then accounts are getting setup on an IP address not even on my server and then an autoresponder goes wild.

If anything else happens I am going to turn my servers off and go to bed. ;-)