urgent advice required...

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
A customer sent out an email to about 60 or 70 legitimate addresses yesterday - the email included a 400k attachment.

Server load suddenly rocketed this morning and I see in the mail queue over 1000 messages addressed to the address that sent out the email the day before - he had already received 2000 and they keep on coming. Seemingly, these are mostly delivery failures. It's almost as if the message he sent out got sent thousands of times.

I checked his account - he doesn't have BoxTrapper enabled and he doesn't have an autoresponder.

I deleted his account but the server was still being overloaded. I deleted all messages in the exim queue.

I tailed the exim log after this and there were hundreds of messages just saying "domain.blah is not permitted to relay through this server, maybe you haven't logged into your account in the last 30 minutes or have blah blah etc".

I did an eximup --force and got some errors about var/spool/exim/some folder/a/9sd67fvxhjvg I/O error.

Server load rocketed again and I rebooted.

I've now got exim stopped - the mail queue is empty and server load is fine. I don't want to start exim again just in case.

Any advice on this would be very greatly appreciated!
 

4u123
Update...

I can confirm that the reason we are getting tons of bounced email for this user is because the message WAS sent out to nearly 100 recipients - many, many times - all through the night. The person who sent the message used their Outlook client and switched off their PC after sending the email yesterday afternoon, so whatever happened, happened on the server.

Does anyone here have any idea how an email could inadvertently be sent out to the same recipients over and over again, all night long? Some kind of problem with exim? Has anyone seen this happen before?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Now that you have exim stopped, try:

rm -Rfv /var/spool/exim/input/*

If you run MailScanner also do:

rm -Rfv /var/spool/exim_outgoing/input/*

Then restart exim.

If it continues to loop, set the senders email address to :blackhole: in /etc/valiases/domain.com and watch the exim_mainlog where you should see the looping email get dumped. Then put /etc/valiases/domain.com back as it was.
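As an added example (not part of this thread, and not cPanel's or Exim's own tooling), the script below reads Exim mainlog lines in their real layout (`<id> <= sender` on acceptance, `<id> => recipient` per delivery, `<= <>` for an arriving bounce), groups messages by sender and recipient set to show the repeated sends, counts the bounces landing on the original sender, and builds `exim -Mrm` commands for the queue IDs you want dropped. The log lines are constructed to mimic the loop described in this thread; the addresses, hostnames, timestamps and queue IDs are made up.

```python
"""Spot a mail loop in an Exim mainlog and build the queue-purge commands.

Added example: the sample log is constructed to mimic the loop in the thread
(one sender, the same recipients, re-sent hourly overnight, plus the bounces
that come back with the null envelope sender '<>').
"""
import re
from collections import Counter, defaultdict

# Exim mainlog: "<date> <time> <queue-id> <=|=> <address> ..."; queue IDs are 6-6-2 chars.
LOG_RE = re.compile(r"^(\S+ \S+) (\S{6}-\S{6}-\S{2}) (<=|=>) (\S+)")


def _constructed_log():
    """Build the sample log text (constructed data, not a real server's log)."""
    lines = [
        '2006-06-01 16:02:11 1Fm5Ws-0004zX-Ab <= alice@domain.example H=(pc) [192.0.2.10] P=esmtpa S=412345 T="Newsletter"',
        "2006-06-01 16:02:12 1Fm5Ws-0004zX-Ab => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]",
        "2006-06-01 16:02:12 1Fm5Ws-0004zX-Ab => carol@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.6]",
        "2006-06-01 16:02:13 1Fm5Ws-0004zX-Ab Completed",
    ]
    # The loop: the same message re-injected locally every hour through the night.
    for n in range(6):
        mid, hh = f"1Fm5Y{n}-00052A-Cd", 18 + n
        lines += [
            f'2006-06-01 {hh:02d}:00:01 {mid} <= alice@domain.example H=localhost [127.0.0.1] P=esmtp S=412345 T="Newsletter"',
            f"2006-06-01 {hh:02d}:00:02 {mid} => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]",
            f"2006-06-01 {hh:02d}:00:02 {mid} => carol@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.6]",
            f"2006-06-01 {hh:02d}:00:03 {mid} Completed",
        ]
    # Bounces coming back to the original sender: null envelope sender '<>'.
    for n in range(4):
        mid = f"1FmAa{n}-0001AA-Ee"
        lines += [
            f'2006-06-02 08:0{n}:01 {mid} <= <> H=mx.example.org [203.0.113.5] P=esmtp S=2345 T="Mail delivery failed"',
            f"2006-06-02 08:0{n}:02 {mid} => alice@domain.example R=virtual_user T=dovecot_virtual_delivery",
        ]
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse_mainlog(text):
    """Return {queue_id: {"sender": str, "rcpts": set, "first_seen": str}}."""
    msgs = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # "Completed", router/transport chatter, etc.
        ts, qid, arrow, addr = m.groups()
        rec = msgs.setdefault(qid, {"sender": None, "rcpts": set(), "first_seen": ts})
        if arrow == "<=":
            rec["sender"] = addr
        else:
            rec["rcpts"].add(addr)
    return msgs


def find_loops(msgs, threshold=3):
    """Group messages by (sender, recipient set); a group that recurs at least
    `threshold` times is a loop candidate. Returns [(sender, rcpts, [ids])],
    biggest group first. Bounces (sender '<>') are excluded."""
    groups = defaultdict(list)
    for qid, rec in msgs.items():
        if rec["sender"] in (None, "<>") or not rec["rcpts"]:
            continue
        groups[(rec["sender"], tuple(sorted(rec["rcpts"])))].append(qid)
    hits = [(s, r, sorted(ids)) for (s, r), ids in groups.items() if len(ids) >= threshold]
    hits.sort(key=lambda h: -len(h[2]))
    return hits


def count_bounces(msgs):
    """Count arriving bounces (null envelope sender '<>') per local recipient."""
    c = Counter()
    for rec in msgs.values():
        if rec["sender"] == "<>":
            for r in rec["rcpts"]:
                c[r] += 1
    return c


def purge_commands(queue_ids, batch=50):
    """Batch queue IDs into 'exim -Mrm' commands (Exim's remove-message option)."""
    ids = list(queue_ids)
    return ["exim -Mrm " + " ".join(ids[i:i + batch]) for i in range(0, len(ids), batch)]


if __name__ == "__main__":
    msgs = parse_mainlog(SAMPLE_LOG)
    loops = find_loops(msgs)
    for sender, rcpts, ids in loops:
        print(f"{sender} -> {', '.join(rcpts)}: {len(ids)} copies, first {ids[0]}")
    for rcpt, n in count_bounces(msgs).most_common():
        print(f"{n} bounces addressed to {rcpt}")
    for sender, rcpts, ids in loops:
        for cmd in purge_commands(ids):
            print(cmd)
```

The IDs the script prints are only useful for copies still in the queue (`exim -bp` lists them); on a live box the usual one-liner for the queued side is `exiqgrep -i -f '<sender>' | xargs exim -Mrm`, and the mainlog grouping above is what tells you which sender and recipient set to feed it.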
 

4u123
Hi Chirpy, thanks for that.

As a precaution earlier, I deleted /var/spool/exim completely and reinstalled exim. The server is fine if I don't restart exim, but when I do the load shoots up - it's all the delivery failures and "mailbox full" messages coming back. My tactic at the moment is to wait until 10pm and just let it all come in - the account has been deleted anyway.
 

4u123
Any advice on how to stop the returning emails overloading the server?

I removed the customer's account for a whole day and put it back again this morning, but after a couple of hours the bounces and "mailbox full" messages resulting from the original loop started coming back in again in their hundreds. At the time I write this, there are 11,000 messages in the mail queue which I'm just deleting now.

All I can do right now is remove the account again and switch off exim. Is there a way to stop the server accepting messages for that domain so that exim is not overloaded?
 

4u123
Did that, still getting overloaded - I'm guessing because most hosts still think the domain is on our server and the traffic coming in is just too much for the server to handle, even though it's rejecting the messages. The loop was going on for several hours and I think there are still tens of thousands of mails to come back - it's like a DoS attack.
 

chirpy
The alternative would be to point the MX record for the domain to an A record for a non-existent IP; something like 127.0.0.4 might be one. The email should then fail on the sender's server. It might take 24 hours to die down, though.