
Large number of small files filling out /var/spool/exim/input directory

Discussion in 'E-mail Discussions' started by kavos1332, Apr 29, 2014.

  1. kavos1332

    kavos1332 Active Member

    Hello experts,

    I have newly detected that on my server, a large number of small files are excessively filling out the /var/spool/exim/input directory, which had caused my disk to run out of inodes while it had plenty of disk space. The number of files is constantly growing EVEN when the exim service is stopped. I know this directory belongs to the mail queue, but it's so strange that creating new files does not stop when exim is stopped.

    Please help me to fix this strange issue.
    TIA
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Those are exim queue files. Would help for you to review their contents to see what exactly is dumping them in there.

    exim -bp (lists contents of the queue)

    exim -Mvh $message_id (shows header contents of the message in question)
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    How many messages are in your mail queue? You can review the messages in your queue via WHM if you are not comfortable with the command line:

    "WHM Home » Email » Mail Queue Manager"

    Thank you.
     
  4. kavos1332

    kavos1332 Active Member

    Hi

    Exim is continuously trying to receive mails which are intended to be sent to non-existent mail accounts on existing domains. So the queue is constantly filled by messages sent to accounts that do not exist on the server, and they are left in the queue. Currently there are more than 500,000+ messages in the queue, which is growing every minute. Obviously the server is under a huge spam.

    How do I stop this?
    Please help me ASAP!
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should ensure the "Default Address" for your domain names is configured to "Discard with error to sender" so that the emails bounce to the senders. This is configured using the "Default Address" option in cPanel. You can search for and delete the existing messages in the mail queue with "Mail Queue Manager" in WHM.

    Thank you.
     
  6. kavos1332

    kavos1332 Active Member

    How can I set this option for all domains massively at once?
     
  7. kavos1332

    kavos1332 Active Member

    Default Address in all accounts is already set to the option you mentioned. Stopping exim does not stop creating new files in this dir!
     
  8. kavos1332

    kavos1332 Active Member

    The issue is I cannot keep the exim service stopped. It starts by itself. I have disabled exim and eximstats in WHM->Service Manager.
     
  9. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    Feel free to open a support ticket using the link in my signature. Then please paste the ticket number here so we can update this thread accordingly.
     
  10. kavos1332

    kavos1332 Active Member

    Hi

    I have configured my firewall (CSF) to allow only 100 incoming connections per 60 seconds on port 25. But when I check the count of files in /var/spool/exim/input using the "ls -la | wc -l" command, I see hundreds of new files are constantly added within a very few seconds. It's more malicious than a large spam attack!

    Please help me to investigate this issue.
    TIA
     
  11. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Mail logs, bro.

    /var/log/exim_mainlog

    You should see what's dumping all that email into the queue.
     
  12. kavos1332

    kavos1332 Active Member

    The problem is that Exim does not discard email coming to users that do not exist. Instead, it freezes the message in the mail queue. So a large number of messages are frozen and stored in the queue. Below is what is logged for each incoming message:

    Code:
    2014-05-06 22:39:00 1WhjnX-0008RS-VB ** juana_spears@karmano.co R=virtual_aliases: No Such User Here
    2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)
    
    How do I configure Exim to discard these messages? How do I stop this attack?
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Is this happening even after the queue was cleared, or is the queue filled with messages when this happens?

    Thank you.
     
  14. kavos1332

    kavos1332 Active Member

    Hi

    While the server is online, messages keep coming in, become frozen and are stored there. When I clear the queue manually with the rm command, it fills again within a few seconds. When I stop exim, it starts again and the same happens. The only way I could find was to manually make a typo in exim.conf so it cannot start automatically. In that case the queue stays free.
     
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    At this point, the best course of action in my opinion would be to investigate the source of the abusive emails. Have you tried blocking the IP addresses of the mail servers that are sending these messages with a firewall?

    Thank you.
     
  16. kavos1332

    kavos1332 Active Member

    How do I see the source IP? Should I do it by viewing each file located in /var/spool/exim/input/ ?
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Check the recent Exim activity with a command such as:

    Code:
    tail -500 /var/log/exim_mainlog
    Also, yes, you could review the actual message headers with a command such as:

    Code:
    exim -Mvh messageID
    Thank you.
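
One way to get the source IPs out of the main log instead of opening queue files one by one, as an added example that is not part of the original thread: it pairs each message ID that was frozen after "No Such User Here" with its `<=` arrival line. The function name `frozen_bounce_sources`, the `<=` lines and every host and IP in the sample are constructed assumptions; only the `**` and `Frozen` line shapes come from the log excerpt quoted above.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format. The "**" and "Frozen" lines copy
# the shape of the two lines quoted in the thread; the "<=" arrival lines,
# hosts, addresses and documentation-range IPs are made up for this example.
SAMPLE_LOG = """\
2014-05-06 22:38:59 1WhjnX-0008RS-VB <= <> H=mx1.example.net [192.0.2.10] P=esmtp S=2101
2014-05-06 22:39:00 1WhjnX-0008RS-VB ** juana_spears@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)
2014-05-06 22:39:01 1WhjnY-0008RT-0C <= <> H=mx1.example.net [192.0.2.10] P=esmtp S=1988
2014-05-06 22:39:01 1WhjnY-0008RT-0C ** a.user@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:01 1WhjnY-0008RT-0C Frozen (delivery error message)
2014-05-06 22:39:02 1WhjnZ-0008RU-1D <= <> H=(relay) [198.51.100.7] P=smtp S=2310
2014-05-06 22:39:02 1WhjnZ-0008RU-1D ** b.user@example.org R=virtual_aliases: No Such User Here
2014-05-06 22:39:02 1WhjnZ-0008RU-1D Frozen (delivery error message)
2014-05-06 22:39:03 1Whjna-0008RV-2E <= alice@example.com H=mail.example.com [203.0.113.5] P=esmtps S=4096
2014-05-06 22:39:03 1Whjna-0008RV-2E ** c.user@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:03 1Whjna-0008RV-2E Completed
"""

LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def frozen_bounce_sources(log_text):
    """Count frozen 'No Such User Here' messages per source IP and per recipient domain."""
    origin, unknown, frozen = {}, {}, set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a per-message log line
        mid, rest = m["id"], m["rest"]
        if rest.startswith("<= "):        # arrival: remember where it came from
            ip = IP.search(rest)
            origin[mid] = ip.group(1) if ip else "local"
        elif rest.startswith("** ") and rest.endswith("No Such User Here"):
            unknown[mid] = rest.split()[1]
        elif rest.startswith("Frozen"):
            frozen.add(mid)
    by_ip, by_domain = Counter(), Counter()
    for mid in frozen.intersection(unknown):
        by_ip[origin.get(mid, "unknown")] += 1   # arrival line may be missing
        by_domain[unknown[mid].rsplit("@", 1)[-1]] += 1
    return by_ip, by_domain

if __name__ == "__main__":
    ips, domains = frozen_bounce_sources(SAMPLE_LOG)
    print(ips.most_common(10), domains.most_common(10))
```

To run it on the live log, pass the contents of /var/log/exim_mainlog to the function; message IDs whose arrival line has rotated out of the file are counted under "unknown".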
     