Spam bounces in Exim queue

glauco

Member
Hi, the Exim queue in my VPS is currently being filled with thousands of bounced emails per minute. I found an old formmail script in a client's website and removed it; I am sure this was the cause of the spam. However, even after deleting the whole queue (which took forever) there are still all these bounced messages being generated. They all look like this:

Code:
Headers spool file
1WQh2m-0007mQ-0w-H
mailnull 47 12
<>
1395337576 0
-ident mailnull
-received_protocol local
-body_linecount 143
-max_received_linelength 110
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1395337576
-localerror
XX
1
[email protected]

159P Received: from mailnull by server1.domain.co.uk with local (Exim 4.82)
id 1WQh2m-0007mQ-0w
for [email protected]; Thu, 20 Mar 2014 17:46:16 +0000
045 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
069F From: Mail Delivery System <[email protected]>
028T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
058I Message-Id: <[email protected]>
038 Date: Thu, 20 Mar 2014 17:46:16 +0000
Data spool file
1WQh2m-0007mQ-0w-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
Domain domain3.co.uk has exceeded the max emails per hour (375/300 (125%)) allowed. Message discarded.

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [91.235.7.37] (port=51282 helo=91.235.7.37)
by server1.domain.co.uk with esmtpa (Exim 4.82)
(envelope-from <[email protected]>)
id 1WQh2l-0007jC-OD
for [email protected]; Thu, 20 Mar 2014 17:46:15 +0000
Message-ID: <[email protected]>
From: =?windows-1251?B?zODw4+Dw6PLg?= <[email protected]>
To: <[email protected]>
Subject: =?windows-1251?B?y/7k7Ojr4CwgxfHr6CDi+yDw5eDr/O3uIObl?=
=?windows-1251?B?6+Dl8uUg6+Xj6u4g5+Dw4OHu8uDy/CAxMs5P?=
=?windows-1251?B?zvAsIA==?=
Date: Thu, 20 Mar 2014 21:46:05 +0400

The "X-Failed-Recipients" are all different but the "envelope-from" are all the same three or four.

Is it possible that even though I have removed the cause of the outgoing spam, previously undelivered messages are still causing problems, or are these new emails being sent, which means I still have a source of spam in that account? I don't understand enough about the way Exim works to know the answer.

Thanks!

cPanelMichael

Administrator
Staff member
Hello :)

It's likely the bounces are from previously sent messages, however I recommend reviewing /var/log/exim_mainlog to see if new messages are still sending out from your server.

Thank you.

glauco

Member
Well, thanks for telling me about that log file... I browsed to that location and found that it is a whopping 1.3 GB in size! I guess I will have to download it and open it, though I'm not sure which text program will be able to open a file that large.
Would it be safe to delete it, along with exim_mainlog.1.gz which is 183 MB?
Meanwhile, I have managed to stop the bounce messages clogging up the mail queue by blocking the IP addresses of the three spammers (from Russia and Poland) which were showing in the logs. However, they could easily change IP addresses so I don't feel safe yet...

cPanelMichael

Administrator
Staff member
You could review active activity in that log with a command such as:

tail -f /var/log/exim_mainlog

Or, to see the last 500 lines, use a command such as:

tail -500 /var/log/exim_mainlog

If messages are coming from a specific email address, search it via:

exigrep [email protected] /var/log/exim_mainlog

I do not advise deleting the logs until you are able to verify the source of the SPAM. The size you mentioned is not surprising based on the amount of email sent out.

Thank you.

euro-space

Member
You may consider running following as well:

If the spam is coming from an outside domain, you can block that domain or email ID on the server
—————————
vi /etc/antivirus.exim

if $header_from: contains "[email protected]"
then
seen finish
endif
—————————

Shows number of frozen emails
—————————
exim -bpr | grep frozen | wc -l

To remove FROZEN mails from the server
—————————
exim -bp | exiqgrep -i | xargs exim -Mrm    # exiqgrep does not read stdin; with no pattern, -i lists every queued message id, not only frozen ones

exim -bp | awk '$6~"frozen" {print $3}' | xargs exim -Mrm    # $6 is "frozen" on queue lines ending in "*** frozen ***", $3 is the message id

exiqgrep -z -i | xargs exim -Mrm    # -z selects frozen messages only



To display the IP and the number of tries done by that IP to send mail that was rejected by the server
—————————
tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5
—————————

Shows the connections from a certain ip to the SMTP server
—————————
netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
—————————

Shows the domain name and the number of emails sent by that domain
—————————
exim -bp | exiqsumm | more
—————————

Thanks to serveradminz
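Worked example, added here and not taken from the thread, cPanel or Exim: the exim_mainlog review cPanelMichael describes and the "rejected RCPT" and frozen-queue counts in the post above, done with the same awk/sort/uniq idiom but over a constructed exim_mainlog excerpt and constructed `exim -bp` output, so it runs offline. Every address, login and IP in it is made up (documentation ranges), and the helper names (connecting_ip, count_desc, top_auth_senders and so on) are this example's own. Because the bounce quoted in the first post shows the spam arriving over esmtpa (authenticated SMTP), the summary also groups accepted messages by the A= login, which is where a compromised mailbox password shows up in the log.

```sh
#!/bin/sh
# Added example (not from the thread, cPanel or Exim): triage of constructed
# exim_mainlog lines and constructed "exim -bp" output. All names and IPs are made up.
set -eu

# Constructed exim_mainlog excerpt. "<=" lines are accepted messages: P= is the
# protocol (esmtpa = authenticated SMTP), A= the authenticated login, H= the
# connecting host with its IP in brackets. "rejected RCPT" lines are refused recipients.
SAMPLE_MAINLOG='2014-03-20 17:46:10 1WQh2g-0007j0-01 <= bob@example.test H=(91.0.2.10) [91.0.2.10]:51280 P=esmtpa A=dovecot_login:bob@example.test S=4321
2014-03-20 17:46:12 1WQh2i-0007j5-02 <= bob@example.test H=(91.0.2.10) [91.0.2.10]:51281 P=esmtpa A=dovecot_login:bob@example.test S=4322
2014-03-20 17:46:15 1WQh2l-0007jC-OD <= bob@example.test H=(198.51.100.7) [198.51.100.7]:51282 P=esmtpa A=dovecot_login:bob@example.test S=4323
2014-03-20 17:46:20 1WQh2q-0007jK-03 <= alice@example.test H=localhost [127.0.0.1]:40000 P=esmtpa A=dovecot_login:alice@example.test S=900
2014-03-20 17:46:21 H=(203.0.113.9) [203.0.113.9]:3333 F=<x@spam.test> rejected RCPT <nobody@example.test>: No Such User Here
2014-03-20 17:46:22 H=(203.0.113.9) [203.0.113.9]:3334 F=<y@spam.test> rejected RCPT <nobody2@example.test>: No Such User Here
2014-03-20 17:46:23 H=(198.51.100.7) [198.51.100.7]:3335 F=<z@spam.test> rejected RCPT <nobody3@example.test>: No Such User Here'

# Constructed "exim -bp" output: age, size, message id, envelope sender, then
# "*** frozen ***" on messages Exim has stopped retrying; the indented lines are
# recipients. Bounces carry the empty sender "<>", like the spool file quoted above.
SAMPLE_QUEUE=' 0m  1.2K 1WQh2m-0007mQ-0w <> *** frozen ***
          user1@example.test

 1m  1.1K 1WQh2n-0007mR-0x <> *** frozen ***
          user2@example.test

25m  3.4K 1WQh2l-0007jC-OD <bob@example.test>
          someone@elsewhere.test'

# Read log lines on stdin, print the bracketed connecting IPv4 of each: the first
# field that starts with "[", e.g. "[91.0.2.10]:51280" -> "91.0.2.10".
connecting_ip() {
    awk '{ for (i = 1; i <= NF; i++)
               if (substr($i, 1, 1) == "[") {
                   split($i, a, ":")                      # drop the ":port" part
                   print substr(a[1], 2, length(a[1]) - 2) # strip the brackets
                   break
               } }'
}

# Read values on stdin, print "count value" lines, largest count first.
count_desc() { sort | uniq -c | sort -k1,1nr | awk '{ print $1, $2 }'; }

# Accepted messages per authenticated login (A= value without the "A=" prefix).
# One login with a large count, especially from several IPs, points at a stolen password.
top_auth_senders() {
    printf '%s\n' "$SAMPLE_MAINLOG" |
        awk '/ <= / { for (i = 1; i <= NF; i++) if ($i ~ /^A=/) print substr($i, 3) }' |
        count_desc
}

# Accepted messages per connecting IP.
top_source_ips() {
    printf '%s\n' "$SAMPLE_MAINLOG" | awk '/ <= /' | connecting_ip | count_desc
}

# Refused recipients per connecting IP (the "rejected RCPT" one-liner, same idea).
top_rejected_ips() {
    printf '%s\n' "$SAMPLE_MAINLOG" | awk '/rejected RCPT/' | connecting_ip | count_desc
}

# Message ids of frozen queue entries: $6 is "frozen" on lines ending "*** frozen ***".
# On a live server these ids are what the post above feeds to "exim -Mrm".
frozen_ids() { printf '%s\n' "$SAMPLE_QUEUE" | awk '$6 ~ /frozen/ { print $3 }'; }

# Number of frozen queue entries.
frozen_count() { frozen_ids | wc -l | tr -d ' '; }

echo 'Accepted messages per login:'; top_auth_senders
echo 'Accepted messages per IP:';    top_source_ips
echo 'Rejected RCPT per IP:';        top_rejected_ips
echo "Frozen messages: $(frozen_count)"; frozen_ids
```

On a real server the sample data is replaced by the live sources: feed `tail -3000 /var/log/exim_mainlog` instead of the printf of SAMPLE_MAINLOG, and `exim -bp` instead of SAMPLE_QUEUE; the functions only consume stdin, so the pipelines themselves do not change. Grouping by the A= login is the check that tells a leftover script (local submissions, no A= field) apart from a mailbox whose password is being used by a spammer.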