Large number of small files filling out /var/spool/exim/input directory

[kavos1332]

Hello experts,

I have newly detected that on my server, a large number of small files are excessively filling out the /var/spool/exim/input directory which had caused my disk to run out of inodes while had planty of disk space. The number of files constantly growing EVEN when exim service is stopped. I know this directory belongs to mail queue but its so strange that creating new files does not stop when exim is stopped.

Please help me to fix this strange issue.
TIA

 

[vanessa]

Those are exim queue files. Would help for you to review their contents to see what exactly is dumping them in there.

exim -bp (lists contents of the queue)

exim -Mvh $message_id (shows header contents of the message in question)

 

[cPanelMichael]

Hello

How many messages are in your mail queue? You can review the messages in your queue via WHM if you are not comfortable with the command line:

"WHM Home » Email » Mail Queue Manager"

Thank you.

 

[kavos1332]

Hi

Exim is continuously trying to receive mails which are intended to be sent to non-existent mail accounts on existing domains. So queue is constantly filled out by message sent to accounts not exist on the server and they are left in the queue. Currently there are more than 500,000+ messages in the queue which is growing every minute. Obviously server is under a huge spam.

How do I stop this?
Please help me ASAP!

 

[cPanelMichael]

You should ensure the "Default Address" for your domain names is configured to "Discard with error to sender" so that the emails bounce to the senders. This is configured using the "Default Address" option in cPanel. You can search for and delete the existing messages in the mail queue with "Mail Queue Manager" in WHM.

Thank you.

 

[kavos1332]

How can I set this option for all domains massively at once?

 

[kavos1332]

Default Address in all accounts is already set to the option you mentioned. Stopping exim does not stop creating new files in this dir!

 

[kavos1332]

The issue is I cannot keep exim service stopped It starts by itself. I have disabled exim and eximstats in WHM->Service Manager.

 

[cPanelPeter]

Hello,

Feel free to open a support ticket using the link in my signature. Then please paste the ticket number here so we can update this thread accordingly.

 

[kavos1332]

Hi

I have configured my firewall (CSF) to allow only 100 incoming connections per 60 seconds on port 25. But when I check the count of files in /var/spool/exim/input using "ls -la | wc -l" command, I see hundreds of new files are constantly added within a very few seconds. Its more malicious than to be a large spam attack!

Please help me to investigate this issue.
TIA

 

[vanessa]

Mail logs, bro.

/var/log/exim_mainlog

You should see what's dumping all that email into the queue.

 

[kavos1332]

Mail logs, bro.

/var/log/exim_mainlog

You should see what's dumping all that email into the queue.

The problem is that Exim does not discard email coming to users that does not exist. Instead, it freezes the message in the mail queue. So al large number of messages are frozen and stored in the queue. The bellow is what is logged for each incoming message:

2014-05-06 22:39:00 1WhjnX-0008RS-VB ** [email protected] R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)

How do I configure Exim to discard theses messages? How do I stop this attack?

 

[cPanelMichael]

How do I configure Exim to discard theses messages? How do I stop this attack?

Is this happening even after the queue was cleared, or is the queue filled with messages when this happens?

Thank you.

 

[kavos1332]

Hi

While server is online messages are coming and become frozen and are stored there. When I clear the queue manually by rm command, it fills again within a few seconds. When I stop exim, it starts again and same happens. The only when I could find was to manually make a typo in exim.conf so it cannot start automatically. In that case queue stays free.

 

[cPanelMichael]

At this point, the best course of action in my opinion would be to investigate the source of the abusive emails. Have you tried blocking the IP addresses of the mail servers that are sending these messages with a firewall?

Thank you.

 

[kavos1332]

How do I see the source IP? Should I do it by viewing each file located in /var/spool/exim/input/ ?

 

[cPanelMichael]

Check the recent Exim activity with a command such as:

tail -500 /var/log/exim_mainlog

Also, yes, you could review the actual message headers with a command such as:

exim -Mvh messageID

Thank you.