The Community Forums

Interact with an entire community of cPanel & WHM users!

Spam bounces in Exim queue

Discussion in 'E-mail Discussions' started by glauco, Mar 20, 2014.

  1. glauco

    glauco Member

    Joined:
    Aug 26, 2011
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hi, the Exim queue in my VPS is currently being filled with thousands of bounced emails per minute. I found an old formmail script in a client's website and removed it, I am sure this was the cause of the spam, however even after deleting the whole queue (which took forever) there are still all these bounced messages being generated. They all look like this:

    Code:
    Headers spool file
    1WQh2m-0007mQ-0w-H
    mailnull 47 12
    <>
    1395337576 0
    -ident mailnull
    -received_protocol local
    -body_linecount 143
    -max_received_linelength 110
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1395337576
    -localerror
    XX
    1
    otlichnaya.idea@domain.ru
    
    159P Received: from mailnull by server1.domain.co.uk with local (Exim 4.82)
    id 1WQh2m-0007mQ-0w
    for otlichnaya.idea@mail.ru; Thu, 20 Mar 2014 17:46:16 +0000
    045 X-Failed-Recipients: les-tech.ro@domain2.ru
    029 Auto-Submitted: auto-replied
    069F From: Mail Delivery System <Mailer-Daemon@server1.domain.co.uk>
    028T To: otlichnaya.idea@mail.ru
    059 Subject: Mail delivery failed: returning message to sender
    058I Message-Id: <E1WQh2m-0007mQ-0w@server1.domain.co.uk>
    038 Date: Thu, 20 Mar 2014 17:46:16 +0000
    Data spool file
    1WQh2m-0007mQ-0w-D
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
    les-tech.ro@domain2.ru
    Domain domain3.co.uk has exceeded the max emails per hour (375/300 (125%)) allowed. Message discarded.
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <otlichnaya.idea@domain.ru>
    Received: from [91.235.7.37] (port=51282 helo=91.235.7.37)
    by server1.domain.co.uk with esmtpa (Exim 4.82)
    (envelope-from <otlichnaya.idea@domain.ru>)
    id 1WQh2l-0007jC-OD
    for les-tech.ro@domain.ru; Thu, 20 Mar 2014 17:46:15 +0000
    Message-ID: <83D941273583465C9AA30C86CCAE77CF@91.235.7.37>
    From: =?windows-1251?B?zODw4+Dw6PLg?= <otlichnaya.idea@domain.ru>
    To: <les-tech.ro@domain2.ru>
    Subject: =?windows-1251?B?y/7k7Ojr4CwgxfHr6CDi+yDw5eDr/O3uIObl?=
    =?windows-1251?B?6+Dl8uUg6+Xj6u4g5+Dw4OHu8uDy/CAxMs5P?=
    =?windows-1251?B?zvAsIA==?=
    Date: Thu, 20 Mar 2014 21:46:05 +0400
    The "X-Failed-Recipients" are all different but the "envelope-from" are all the same three or four.

    Is it possible that even though I have removed the cause of the outgoing spam, previously undelivered messages are still causing problems, or are these new emails being sent, which means I still have a source of spam in that account? I don't understand enough about the way Exim works to know the answer.

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's likely the bounces are from previously sent messages, however I recommend reviewing /var/log/exim_mainlog to see if new messages are still sending out from your server.

    Thank you.
     
  3. glauco

    glauco Member

    Joined:
    Aug 26, 2011
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Well, thanks for telling me about that log file... I browsed to that location and found that it is a whopping 1.3 GB in size! I guess I will have to download it and open it, though I'm not sure which text program will be able to open a file that large.
    Would it be safe to delete it, along with exim_mainlog.1.gz which is 183 MB?
    Meanwhile, I have managed to stop the bounce messages clogging up the mail queue by blocking the IP addresses of the three spammers (from Russia and Poland) which were showing in the logs. However, they could easily change IP addresses so I don't feel safe yet...
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You could review ongoing activity in that log with a command such as:

    tail -f /var/log/exim_mainlog

    Or, to see the last 500 lines, use a command such as:

    tail -500 /var/log/exim_mainlog

    If messages are coming from a specific email address, search it via:

    exigrep user@domain /var/log/exim_mainlog

    I do not advise deleting the logs until you are able to verify the source of the SPAM. The size you mentioned is not surprising based on the amount of email sent out.

    Thank you.
     
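    As an added example (not from the thread), a small Python script that does the log review suggested above over constructed exim_mainlog lines: it separates Exim's own bounces (null sender "<>") from fresh submissions, and for authenticated submissions ("P=esmtpa") reports the login named in the "A=" field, which is the account whose password the sender holds; an optional cutoff timestamp answers whether anything new arrived after a cleanup. The timestamps, IPs, logins and the "dovecot_login" authenticator name in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines (not from the thread). "<=" marks a
# message entering the queue; "<>" as sender marks an Exim-generated bounce.
SAMPLE_LOG = """\
2014-03-20 17:46:15 1WQh2l-0007jC-OD <= otlichnaya.idea@domain.ru H=(91.235.7.37) [91.235.7.37] P=esmtpa A=dovecot_login:info@domain3.co.uk S=5123
2014-03-20 17:46:16 1WQh2m-0007mQ-0w <= <> R=1WQh2l-0007jC-OD U=mailnull P=local S=2345
2014-03-20 17:46:16 1WQh2m-0007mQ-0w ** les-tech.ro@domain2.ru: Domain domain3.co.uk has exceeded the max emails per hour
2014-03-20 17:46:16 1WQh2m-0007mQ-0w Frozen (delivery error message)
2014-03-20 17:46:20 1WQh2q-0007nA-1x <= otlichnaya.idea@domain.ru H=(91.235.7.37) [91.235.7.37] P=esmtpa A=dovecot_login:info@domain3.co.uk S=5120
2014-03-20 18:02:01 1WQhHz-0008Ab-2y <= bob@domain2.ru H=(5.6.7.8) [5.6.7.8] P=esmtpa A=dovecot_login:info@domain3.co.uk S=4900
2014-03-20 18:30:00 1WQhkA-0001Qc-3z <= alice@example.org H=mail.example.org [203.0.113.9] P=esmtps X=TLSv1:AES256-SHA:256 S=2100
"""

ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")


def triage(log_text, since=None):
    """Count bounces vs. real submissions arriving in the queue.

    since: optional "YYYY-MM-DD HH:MM:SS" cutoff; only arrivals at or after it
    are counted, which answers whether a cleaned-up source is still sending.
    """
    bounces = 0
    by_login = Counter()  # authenticated (P=esmtpa) submissions per login
    by_ip = Counter()     # non-bounce arrivals per remote IP
    newest = None
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or (since and m["ts"] < since):  # fixed-width stamps sort as strings
            continue
        if m["sender"] == "<>":
            bounces += 1  # delivery status notification, not new spam
            continue
        rest = m["rest"]
        proto = re.search(r"\bP=(\S+)", rest)
        auth = re.search(r"\bA=(\S+)", rest)
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", rest)
        if proto and proto.group(1) == "esmtpa" and auth:
            # SMTP AUTH succeeded: A=<authenticator>:<login>. The login, not the
            # From: or envelope address, is the credential the sender holds.
            by_login[auth.group(1).partition(":")[2] or auth.group(1)] += 1
        if ip:
            by_ip[ip.group(1)] += 1
        newest = m["ts"]
    return {"bounces": bounces, "by_login": by_login, "by_ip": by_ip, "newest": newest}
```

    Run it as triage(open("/var/log/exim_mainlog").read(), since="...") with the time of the cleanup; a non-empty by_login after that point names the mailbox whose password should be changed.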
  5. euro-space

    euro-space Member

    Joined:
    Mar 24, 2014
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    You may consider running the following as well:

    If spamming comes from an outside domain, you can block that domain or email ID on the server
    —————————
    vi /etc/antivirus.exim

    if $header_from: contains "name@domain.com"
    then
    seen finish
    endif
    —————————

    Shows number of frozen emails
    —————————
    exim -bpr | grep frozen | wc -l

    To remove FROZEN mails from the server
    —————————
    # without -z, exiqgrep -i lists every queued message, so this empties the whole queue
    exim -bp | exiqgrep -i | xargs exim -Mrm

    # $6 is the "frozen" marker and $3 the message ID in exim -bp output
    exim -bp | awk '$6~"frozen" {print $3}' | xargs exim -Mrm

    # -z selects only frozen messages
    exiqgrep -z -i | xargs exim -Mrm



    To display the IPs and the number of attempts by each IP to send mail that were rejected by the server
    —————————
    tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5
    —————————

    Shows the connections from a certain IP to the SMTP server
    —————————
    netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
    —————————

    To show the domain name and the number of emails sent by that domain
    —————————
    exim -bp | exiqsumm | more
    —————————

    Thanks to serveradminz
     