Large number of small files filling out /var/spool/exim/input directory

kavos1332

Hello experts,

I have newly detected that on my server a large number of small files are excessively filling up the /var/spool/exim/input directory, which caused my disk to run out of inodes while it still had plenty of disk space. The number of files is constantly growing EVEN when the exim service is stopped. I know this directory belongs to the mail queue, but it's so strange that the creation of new files does not stop when exim is stopped.

Please help me to fix this strange issue.
TIA
 

cPanelMichael

Hello :)

How many messages are in your mail queue? You can review the messages in your queue via WHM if you are not comfortable with the command line:

"WHM Home » Email » Mail Queue Manager"

Thank you.
 

kavos1332

Hi

Exim is continuously trying to receive mails which are intended for non-existent mail accounts on existing domains. So the queue is constantly being filled by messages sent to accounts that do not exist on the server, and they are left in the queue. Currently there are more than 500,000+ messages in the queue, which is growing every minute. Obviously the server is under a huge spam attack.

How do I stop this?
Please help me ASAP!
 

cPanelMichael

You should ensure the "Default Address" for your domain names is configured to "Discard with error to sender" so that the emails bounce to the senders. This is configured using the "Default Address" option in cPanel. You can search for and delete the existing messages in the mail queue with "Mail Queue Manager" in WHM.

Thank you.
 

cPanelPeter

Hello,

Feel free to open a support ticket using the link in my signature. Then please paste the ticket number here so we can update this thread accordingly.
 

kavos1332

Hi

I have configured my firewall (CSF) to allow only 100 incoming connections per 60 seconds on port 25. But when I check the count of files in /var/spool/exim/input using the "ls -la | wc -l" command, I see hundreds of new files constantly being added within a very few seconds. It's more malicious than a large spam attack!

Please help me to investigate this issue.
TIA
 

kavos1332

Mail logs, bro.

/var/log/exim_mainlog

You should see what's dumping all that email into the queue.
The problem is that Exim does not discard email coming to users that do not exist. Instead, it freezes the message in the mail queue. So a large number of messages are frozen and stored in the queue. Below is what is logged for each incoming message:

Code:
2014-05-06 22:39:00 1WhjnX-0008RS-VB ** [email protected] R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)
How do I configure Exim to discard these messages? How do I stop this attack?
 

kavos1332

Hi

While the server is online, messages keep coming in, become frozen and are stored there. When I clear the queue manually with the rm command, it fills again within a few seconds. When I stop exim, it starts again and the same happens. The only way I could find was to manually make a typo in exim.conf so it cannot start automatically. In that case the queue stays empty.
 

cPanelMichael

At this point, the best course of action in my opinion would be to investigate the source of the abusive emails. Have you tried blocking the IP addresses of the mail servers that are sending these messages with a firewall?

Thank you.
 

cPanelMichael

Check the recent Exim activity with a command such as:

Code:
tail -500 /var/log/exim_mainlog
Also, yes, you could review the actual message headers with a command such as:

Code:
exim -Mvh messageID
Thank you.
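
Added example (not part of the thread and not cPanel's code): a Python sketch that answers the question of what is putting mail into the queue by tracing each "Frozen (delivery error message)" entry in exim_mainlog back to the message that triggered the bounce, then counting by remote IP or local user. It assumes the standard Exim main-log fields on `<=` lines (`H=... [ip]`, `U=user`, and `R=<message id>` on locally generated bounces); the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog style (documentation IPs/domains, made-up IDs).
SAMPLE_LOG = """\
2014-05-06 22:38:58 1WhjnV-0008RO-Aa <= a@example.com H=(mx1) [192.0.2.10] P=esmtp S=1820
2014-05-06 22:38:59 1WhjnW-0008RQ-Bb <= <> R=1WhjnV-0008RO-Aa U=mailnull P=local S=2950
2014-05-06 22:38:59 1WhjnW-0008RQ-Bb ** a@example.com R=virtual_aliases: No Such User Here
2014-05-06 22:38:59 1WhjnW-0008RQ-Bb Frozen (delivery error message)
2014-05-06 22:39:01 1WhjnZ-0008RU-Cc <= b@example.com H=(mx1) [192.0.2.10] P=esmtp S=1799
2014-05-06 22:39:02 1Whjna-0008RW-Dd <= <> R=1WhjnZ-0008RU-Cc U=mailnull P=local S=2931
2014-05-06 22:39:02 1Whjna-0008RW-Dd Frozen (delivery error message)
2014-05-06 22:39:03 1Whjnb-0008RY-Ee <= c@example.com U=webuser P=local S=900
2014-05-06 22:39:04 1Whjnc-0008Ra-Ff <= <> R=1Whjnb-0008RY-Ee U=mailnull P=local S=2010
2014-05-06 22:39:04 1Whjnc-0008Ra-Ff Frozen (delivery error message)
2014-05-06 22:39:05 1Whjnd-0008Rc-Gg <= d@example.org H=mail.example.org [198.51.100.7] P=esmtps S=4100
"""

ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)(.*)$")
FROZEN = re.compile(r"^\S+ \S+ (\S+) Frozen \(delivery error message\)")
HOST_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")
FIELD = re.compile(r" ([RU])=(\S+)")

def frozen_bounce_sources(log_text):
    """Count frozen bounces, charging each to the origin of its parent message."""
    origin, parent, frozen = {}, {}, []
    for line in log_text.splitlines():
        arrival, froze = ARRIVAL.match(line), FROZEN.match(line)
        if froze:
            frozen.append(froze.group(1))
        elif arrival:
            msg_id, sender, rest = arrival.groups()
            fields = dict(FIELD.findall(rest))
            ip = HOST_IP.search(rest)
            if sender == "<>" and "R" in fields:
                parent[msg_id] = fields["R"]  # bounce: R= names the failed message
            elif ip:
                origin[msg_id] = "remote " + ip.group(1)
            elif "U" in fields:
                origin[msg_id] = "local user " + fields["U"]
    counts = Counter()
    for msg_id in frozen:
        counts[origin.get(parent.get(msg_id, msg_id), "unknown")] += 1
    return counts.most_common()

if __name__ == "__main__":
    for source, n in frozen_bounce_sources(SAMPLE_LOG):
        print(f"{n:6d}  {source}")
```

On a real server, pass the contents of /var/log/exim_mainlog to `frozen_bounce_sources`; a remote IP at the top is a candidate for a firewall block, while a local user points at a script or account on the server itself.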