
I have 6000 msgs in mail queue

Discussion in 'E-mail Discussions' started by fivecubed, Mar 31, 2006.

  1. fivecubed

    fivecubed Registered

    I am new to managing a server and I have an unreal amount of messages in the WHM mail queue.

    The majority of them are as outlined below.

    Does anyone know how to tell who is sending them or how to stop these from being sent?





    1FPIbO-0006ya-H7-H
    root 0 0
    <aban_fred@yahoo.co.uk>
    1143807582 0
    -helo_name localhost
    -host_address 127.0.0.1.36297
    -host_name localhost
    -interface_address 127.0.0.1.25
    -received_protocol smtp
    -body_linecount 16
    XX
    1
    sonashilpa@yahoo.com

    166P Received: from localhost ([127.0.0.1])
    by server.fivecubed.com with smtp (Exim 4.52)
    id 1FPIbO-0006ya-H7
    for sonashilpa@yahoo.com; Fri, 31 Mar 2006 05:19:42 -0700
    025T To: sonashilpa@yahoo.com
    028F From: aban_fred@yahoo.co.uk
    032R Reply-to: aban_fred@yahoo.co.uk
    027 X-Mailer: Quick Mailer 2.0
    048 Subject: DEAR JAIN, I NEED YOUR URGENT RESPONSE
    025 Content-type: text/plain



    Dear Jain,

    I am Barrister Aban Fred, I am personal Attorney to late Mr.Mathew Jain,a national of your country, who used to work with Ashanti Gold Development Company in Ghana, Herein after shall be referred to as my client.On the 21st of April 2000, my client, his wife And their three children were involved in a car accident along Kumasi express road, all occupants of the vehicle unfortunately lost there lives, since then I have made several enquiries to locate any of my clients extended relatives this has also proved unsuccessful. After these several unsuccessfulattempts, Idecided to track any person who can assist me to get this consignment out from the security company,hence I got your contact via the Internet.

    I have contacted you to assist in repartrating the money left behind by my client before it get confisicated or declared unserviceable by the Security company where this huge deposits were lodged. Particularly,the Security company, where the deceased had an amount valued US$18.5 Milloin US Dollars conclead in box deposited with them as family"TREASURE"for safety, has issued me a notice to provide the next of kin or have the consignment sized within a short period of time.Since I have been unsuccesfull in locating the relatives for over 2 years now I seek your consent to present you as the next of kin of the deceased so that the proceeds of this amount of {US$18.5 Million Us Dollars)can be paid to you and then you and me can share the money,70% to me and 30% to you I have all necessary legal documents that can be usedto back upany claim we may make, all I require is your honest co-operation to enable us see this deal through.

    I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law. Please reach me on this my private phone no: 00233 244 819070. to enable us discuss further.

    Faithfully Yours,
    Barrister Aban Fred, esq
     
  2. WEB-PROS

    WEB-PROS Well-Known Member

    You need to find the script that is sending these out. You need to look in the mail logs, or maybe it shows in the mail queue what account they come from.

    Hope that helps.
     
  3. ullalla

    ullalla Well-Known Member

    check for mail logs

    Hi fivecubed,

    You need to check for mail logs,

    fire this command: tail -f /var/log/exim_mainlog

    Kind Regards,
    Ullalla
     
  4. k1w1

    k1w1 Registered

    Having recently suffered from a rogue script that an unscrupulous spammer/hacker took advantage of, which spewed 1000s of emails per hour, I attempted to stem the flow, but it was a frustrating and time-consuming effort.

    I really recommend doing what I did and employing the services of http://www.configserver.com to locate and kill the offending script(s) and harden the server to ensure that (as far as possible) such things cannot happen again, and if they do then decent reporting will make it easier to fix.

    The 'guys' at configserver.com charge very reasonable prices, are very good at what they do and are the only external company I have provided my root login details to. I trust them implicitly and found them to be the most knowledgeable and professional people to entrust your server to.

    Hope this helps
     
  5. fivecubed

    fivecubed Registered

    I ran

    tail -f /var/log/exim_mainlog


    but this is the same data I can see in the mail queue when I click on a message.

    And I do not see where I can find the user who is logged in and using the mail server to send the message.


    Does anyone know where to find that info?

    I looked at the processes currently running and I didn't find a CGI script running, so it's not that.
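
The queue entry quoted in the first post is an Exim spool header (`-H`) file, and its option lines already record how the message reached Exim. The following Python parser is an added example, not part of the original thread and not cPanel or Exim code; it assumes the Exim 4.52 layout shown in that post with an empty non-recipients tree (`XX`), uses a trimmed copy of the posted entry as input, and its function names are hypothetical.

```python
import re

# Queue entry from the first post, trimmed (some option lines, headers, body omitted).
SPOOL_HEADER = """\
1FPIbO-0006ya-H7-H
root 0 0
<aban_fred@yahoo.co.uk>
1143807582 0
-host_address 127.0.0.1.36297
-interface_address 127.0.0.1.25
-received_protocol smtp
XX
1
sonashilpa@yahoo.com

025T To: sonashilpa@yahoo.com
027  X-Mailer: Quick Mailer 2.0
"""

# Each stored header: 3-digit length, one flag character, then the header text.
HEADER_RE = re.compile(r"^\d{3}.\s*([\w-]+):\s*(.*)$")

def parse_spool_header(text):
    lines = text.splitlines()
    login, uid, gid = lines[1].split()
    msg = {"id": lines[0][:-2], "login": login, "uid": int(uid),
           "sender": lines[2].strip("<>"), "opts": {}, "headers": {}}
    i = 4
    while lines[i].startswith("-"):          # "-name value" option lines
        name, _, value = lines[i][1:].partition(" ")
        msg["opts"][name] = value
        i += 1
    count = int(lines[i + 1])                # lines[i] is "XX": no non-recipients tree
    msg["recipients"] = lines[i + 2:i + 2 + count]
    for line in lines[i + 2 + count:]:
        m = HEADER_RE.match(line)
        if m:
            msg["headers"][m.group(1).lower()] = m.group(2)
    return msg

def submission_path(msg):
    # Classify how the message reached Exim; that decides where to look next.
    opts = msg["opts"]
    if opts.get("received_protocol") == "local":
        return ("local-sendmail", msg["login"])      # line 2 is the calling account
    ip, _, port = opts.get("host_address", "").rpartition(".")
    if ip == "127.0.0.1":
        return ("local-smtp", port)                  # line 2 is not the script's owner
    return ("remote-smtp", opts.get("auth_id", ip))  # auth_id is set after SMTP AUTH
```

For the posted entry the result is `local-smtp`: something on the server connected to 127.0.0.1:25, so the `root 0 0` line describes the receiving side rather than the account that owns the sending script.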
     
  6. hostmedic

    hostmedic Well-Known Member

    hmmmf - mail issues ...

    tail -f /var/log/exim_mainlog should allow you to read the mail logs as they happen...
    another option

    Login to WHM
    then click on the Email link
    then click on View Relayers (this is not a sure solution - but can sometimes help)

    The link for a paid service to do this from Chirpy is http://www.configserver.com/cp/exploit.html

    You may also wish to visit this link from the forums for some additional assistance
    http://forums.cpanel.net/showthread.php?t=41026&highlight=clean+mail+queue

    best wishes
     
  7. AndyReed

    AndyReed Well-Known Member
    hostmedic's and WEB-PROS's suggestions are good. It is very hard to imagine 6,000 messages delivered through a server. Hope your server is not blacklisted by ISPs such as AOL.
     
  8. hostmedic

    hostmedic Well-Known Member

    sorry Andy...

    Sorry Andy --- forgot to mention you in a few of my last posts...
    you are one of the good guys out there as well...

    I agree - he may want to first get the issue resolved and then check with his provider to see what can be done to get a new primary ip...

    (if you have more than 1 you may want to make a few changes on your system as to what IP is your primary... also once fixed change your server hostname as well as set your PTR {or have your DC do this} to your new server hostname.)


    Best wishes. . .
     
  9. gamerunner2

    gamerunner2 Member

    OK, this is very, very simple. I think I know how this script works, because I wrote one that does just that, but instead of months my test script sends it in minutes. I used PHP for this, and possibly so did this guy. If this server you've got has forum software or guest book software, he may be writing a PHP script that is local and putting it into a place where the script can execute, and since PHP has the "mail" option, he might be using your sendmail to do this, to either send it to you or send it to someone else, and if it's from or to root he is using that in the To or Reply field. And it can sometimes send it in seconds, minutes, weeks or months, so it can be coming from local.
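
When a script hands mail to the local sendmail binary, as the post above describes, `/var/log/exim_mainlog` records the working directory of the caller and the submitting user. The following Python log triage is an added example, not part of the original thread; the log lines, account names, paths and message IDs are constructed, and the `cwd=` lines assume Exim's `log_selector` includes `+arguments`.

```python
import re
from collections import Counter

# Constructed exim_mainlog lines (accounts, paths and message IDs are made up).
SAMPLE_LOG = """\
2006-03-31 05:19:40 cwd=/home/acct1/public_html/guestbook 3 args: /usr/sbin/sendmail -t -i
2006-03-31 05:19:40 1FPIbM-0006yX-Aa <= acct1@server.example.com U=acct1 P=local S=1523
2006-03-31 05:19:41 cwd=/home/acct1/public_html/guestbook 3 args: /usr/sbin/sendmail -t -i
2006-03-31 05:19:41 1FPIbN-0006yZ-Bb <= nobody@server.example.com U=nobody P=local S=1498
2006-03-31 05:19:42 1FPIbP-0006yc-Cc <= someone@example.org H=localhost (localhost) [127.0.0.1] P=smtp S=2101
2006-03-31 05:19:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FPIbP-0006yc-Cc
2006-03-31 05:19:44 1FPIbP-0006yc-Cc => user@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= (\S+) (.*)$")

def triage(log_text):
    """Count caller directories and arrival sources for queued mail."""
    cwds, sources = Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            # Exim's own delivery processes start in the spool directory; skip them.
            if not m.group(1).startswith("/var/spool/exim"):
                cwds[m.group(1)] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            fields = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
            if fields.get("P") == "local":
                # U= is the local account that invoked sendmail/exim.
                sources["local user " + fields.get("U", "?")] += 1
            else:
                ip = re.search(r"\[([^\]]+)\]", m.group(2))
                sources["smtp from " + (ip.group(1) if ip else "?")] += 1
    return cwds, sources
```

The directory with the highest `cwd=` count is where to look for the script; arrivals from `U=nobody` or from 127.0.0.1 over SMTP do not name an account and need the web server's access logs to attribute.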
     
  10. hostmedic

    hostmedic Well-Known Member

    WHM option

    You should also run into WHM and set the limit for the number of emails a user may send out as well, just in case.

    I have found a few scripts doing damage in the past.

    Just this past week had a client try to send over 2500 emails via phplist.
    We ended up seeing the offender pretty quickly - and were able to stop the issue in its tracks...

    Sometimes clients will want a $8.95 account and wish to abuse it with sending out 2500 emails a day ...

    what a world (ok off my soap box)
     
  11. ahbao

    ahbao Member

    Try ps -auxfww to see any funny script running; kill the process if necessary.

    Also check your /tmp and /dev/shm for a hidden script or folder; a spam script might be copied there.

    If there aren't many clients on the server, delete the email queue directly. I remember I saw one script on this board that can delete the email queue based on the subject or content.

    You can also temporarily disable email sent by nobody in the cPanel settings.
     
