Large number of small files filling out /var/spool/exim/input directory

Hello experts,

I have newly detected that on my server, a large number of small files are excessively filling out the /var/spool/exim/input directory which had caused my disk to run out of inodes while had planty of disk space. The number of files constantly growing EVEN when exim service is stopped. I know this directory belongs to mail queue but its so strange that creating new files does not stop when exim is stopped.

Please help me to fix this strange issue.
TIA

 

Hi

Exim is continuously trying to receive mails which are intended to be sent to non-existent mail accounts on existing domains. So queue is constantly filled out by message sent to accounts not exist on the server and they are left in the queue. Currently there are more than 500,000+ messages in the queue which is growing every minute. Obviously server is under a huge spam.

How do I stop this?
Please help me ASAP!

 

How can I set this option for all domains massively at once?

 

Default Address in all accounts is already set to the option you mentioned. Stopping exim does not stop creating new files in this dir!

 

The issue is I cannot keep exim service stopped It starts by itself. I have disabled exim and eximstats in WHM->Service Manager.

 

Hi

I have configured my firewall (CSF) to allow only 100 incoming connections per 60 seconds on port 25. But when I check the count of files in /var/spool/exim/input using "ls -la | wc -l" command, I see hundreds of new files are constantly added within a very few seconds. Its more malicious than to be a large spam attack!

Please help me to investigate this issue.
TIA

 

The problem is that Exim does not discard email coming to users that does not exist. Instead, it freezes the message in the mail queue. So al large number of messages are frozen and stored in the queue. The bellow is what is logged for each incoming message:

Code:

2014-05-06 22:39:00 1WhjnX-0008RS-VB ** juana_spears@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)

How do I configure Exim to discard theses messages? How do I stop this attack?

 

Hi

While server is online messages are coming and become frozen and are stored there. When I clear the queue manually by rm command, it fills again within a few seconds. When I stop exim, it starts again and same happens. The only when I could find was to manually make a typo in exim.conf so it cannot start automatically. In that case queue stays free.

 

How do I see the source IP? Should I do it by viewing each file located in /var/spool/exim/input/ ?