
hundreds of exim instances overloading server

Discussion in 'General Discussion' started by EMS, Aug 16, 2005.

  1. EMS

    Hi,

    Just had an incident whereby the server load went crazy. I restarted the server but whenever the network cable was plugged in - 1200 exim processes spooled up followed by clamd service which takes the load up to 100% and disk access is constant.

    I got the datacenter to unplug the network cable, restart the server and stop exim - then plug it back in.

    I then logged in remotely and made sure the exim service was stopped, it was already starting again and building up 30 or 40 processes.

    I've checked out the server and so far have been unable to find any compromised accounts or unusual files. /tmp is clean.

    If exim is restarted it happens again.

    Any ideas?
     
  2. chirpy

    Well, any relevant information should be in /var/log/exim_mainlog
     
  3. EMS

    The mail queue had thousands of messages intended for one domain on the server. They appear to be delivery failures to a spam message sent with a spoofed header. They were not sent from the domain in question.

    It's still happening - I'll run a script to clear out the mail queue every 30 seconds for messages containing the content.
     
  4. abubin

    You need to install some security in your exim. Most probably you are being bombarded by spam and/or a dictionary attack.

    Have you installed RBL and APF (with brute force detection)?

    Also, did you disable "catch-all"?
     
  5. EMS

    APF with BFD installed - RBL not. They were all delivery failures to spam messages. The reason the server was being overloaded is because the customer had a catchall set. Once I set it to :blackhole: things eased up. We don't prevent them from using a catchall mailbox.
     
  6. chirpy

    APF and BFD won't do anything about spam (unless you use the flawed exim blocker). You're much better off with a dictionary attack ACL and not using :blackhole: - use :fail: instead, it's much lighter on your server resources and for many other reasons.
     
  7. elix

    Run this command to convert all domains to :fail: instead of :blackhole:.
    Code:
    perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*
    Also, I'd look at the headers in the mail queue to try to find out exactly where this is coming from, and then I'd clear out the mail queue as that in itself could be causing high load.

    Good luck.

    Regards,
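
Added example (not part of the original thread): a read-only audit to run before the in-place substitution in the post above, listing each domain's catch-all line in cPanel-style valiases files and classifying its destination. The `*:` catch-all line format, the sample domains and the function names are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of cPanel-style valiases files.
# Assumed format (one file per domain, named after the domain):
#   *: <destination>            <- the domain's catch-all / default address
#   user@domain: <destination>  <- ordinary aliases (ignored here)

# Print "domain<TAB>class<TAB>destination" for every catch-all line.
#   blackhole : the message is silently discarded
#   fail      : the address is forced to fail
#   deliver   : mail for unknown recipients goes to a mailbox or forward
audit_catchalls() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v dom="$(basename "$f")" '
            /^\*:/ {
                dest = $0
                sub(/^\*:[ \t]*/, "", dest)
                cls = "deliver"
                if (dest ~ /^:blackhole:/) cls = "blackhole"
                else if (dest ~ /^:fail:/) cls = "fail"
                printf "%s\t%s\t%s\n", dom, cls, dest
            }' "$f"
    done
}

# Count domains whose catch-all falls in the given class.
count_class() {
    audit_catchalls "$1" | awk -F '\t' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample data so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    printf '*: :blackhole:\n' > "$d/alpha.example"
    printf 'info@beta.example: beta\n*: beta\n' > "$d/beta.example"
    printf '*: :fail: No such person at this address\n' > "$d/gamma.example"
    printf '*: :blackhole:\nsales@delta.example: delta\n' > "$d/delta.example"
    echo "$d"
}

sample=$(make_sample)
audit_catchalls "$sample"
echo "catch-alls currently set to :blackhole: $(count_class "$sample" blackhole)"
echo "catch-alls still delivering unknown recipients: $(count_class "$sample" deliver)"
rm -rf "$sample"
```

On a real server the directory argument would be /etc/valiases, the path used in the command above; the audit only reads the files.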
     
  8. EMS

    But, won't :fail: send a reply back - where :blackhole: will simply discard the message?
     
  9. chirpy

  10. EMS

    Ahh, thanks. I got it the wrong way round.
     