Spam bounces in Exim queue
Hi, the Exim queue in my VPS is currently being filled with thousands of bounced emails per minute. I found an old formmail script in a client's website and removed it, I am sure this was the cause of the spam, however even after deleting the whole queue (which took forever) there are still all these bounced messages being generated. They all look like this:
Headers spool file
1WQh2m-0007mQ-0w-H
mailnull 47 12
<>
1395337576 0
-ident mailnull
-received_protocol local
-body_linecount 143
-max_received_linelength 110
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1395337576
-localerror
XX
1
otlichnaya.idea@domain.ru
159P Received: from mailnull by server1.domain.co.uk with local (Exim 4.82)
id 1WQh2m-0007mQ-0w
for otlichnaya.idea@mail.ru; Thu, 20 Mar 2014 17:46:16 +0000
045 X-Failed-Recipients: les-tech.ro@domain2.ru
029 Auto-Submitted: auto-replied
069F From: Mail Delivery System
028T To: otlichnaya.idea@mail.ru
059 Subject: Mail delivery failed: returning message to sender
058I Message-Id:
038 Date: Thu, 20 Mar 2014 17:46:16 +0000
Data spool file
1WQh2m-0007mQ-0w-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
les-tech.ro@domain2.ru
Domain domain3.co.uk has exceeded the max emails per hour (375/300 (125%)) allowed. Message discarded.
------ This is a copy of the message, including all the headers. ------
Return-path:
Received: from [91.235.7.37] (port=51282 helo=91.235.7.37)
by server1.domain.co.uk with esmtpa (Exim 4.82)
(envelope-from )
id 1WQh2l-0007jC-OD
for les-tech.ro@domain.ru; Thu, 20 Mar 2014 17:46:15 +0000
Message-ID: <83D941273583465C9AA30C86CCAE77CF@91.235.7.37>
From: =?windows-1251?B?zODw4+Dw6PLg?=
To:
Subject: =?windows-1251?B?y/7k7Ojr4CwgxfHr6CDi+yDw5eDr/O3uIObl?=
=?windows-1251?B?6+Dl8uUg6+Xj6u4g5+Dw4OHu8uDy/CAxMs5P?=
=?windows-1251?B?zvAsIA==?=
Date: Thu, 20 Mar 2014 21:46:05 +0400

The "X-Failed-Recipients" are all different but the "envelope-from" are all the same three or four. Is it possible that even though I have removed the cause of the outgoing spam, previously undelivered messages are still causing problems, or are these new emails being sent, which means I still have a source of spam in that account? I don't understand enough about the way Exim works to know the answer. Thanks!
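The spool files quoted in the question are enough to tell a bounce Exim generated itself (empty envelope sender `<>`, the `-localerror` flag, `-received_protocol local`) from mail that was newly submitted to the server. The copied Received header in the -D file also records `esmtpa`, i.e. the original message was accepted over an authenticated SMTP session, which is worth tallying separately. The following is an added example, not code from the post or from Exim: a small Python triage script that reads -H files in the layout shown above and summarises who the bounces are addressed to (the original envelope-from), which recipient domains failed, and which protocol each queued message arrived by. The two sample spool files are constructed and modelled on the question's; hosts, addresses and the `-auth_id` value are placeholders.

```python
"""Triage Exim queue messages from their -H (header) spool files.
Added example, not code from the forum post or from Exim itself; it follows
the spool layout shown in the question: id, owner, envelope sender, time,
-option lines, non-recipient tree ('XX'), recipients, blank line, headers."""
import re
from collections import Counter

# Header lines read "NNN<type> Name: value" (NNN = length, <type> = class letter:
# P=Received, F=From, T=To, blank=other). We key off the prefix and folding only.
HEADER_RE = re.compile(r"^\d{3}([A-Z*]?)\s+([^:\s]+):\s*(.*)$")

# Constructed samples modelled on the question's spool file; hosts and addresses
# are placeholders. First: a frozen bounce Exim generated itself. Second: a
# message accepted over authenticated SMTP (esmtpa) still waiting in the queue.
SAMPLES = ["""\
1WQh2m-0007mQ-0w-H
mailnull 47 12
<>
1395337576 0
-ident mailnull
-received_protocol local
-frozen 1395337576
-localerror
XX
1
sender-a@example.ru

159P Received: from mailnull by server1.example.co.uk with local (Exim 4.82)
\tid 1WQh2m-0007mQ-0w
\tfor sender-a@example.ru; Thu, 20 Mar 2014 17:46:16 +0000
045  X-Failed-Recipients: victim-1@example.net
028T To: sender-a@example.ru
""", """\
1WQh2l-0007jC-OD-H
mailnull 47 12
<user@example.co.uk>
1395337575 0
-received_protocol esmtpa
-auth_id user@example.co.uk
XX
1
victim-3@example.net

027T To: victim-3@example.net
"""]


def parse_spool_header(text):
    """Return id, envelope sender, -options, recipients and headers of one -H file."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "sender": lines[2], "options": {}, "headers": {}}
    i = 4
    while lines[i].startswith("-"):                # option lines; bare flags -> True
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value or True
        i += 1
    while not lines[i].isdigit():                  # skip the non-recipient tree
        i += 1
    count, i = int(lines[i]), i + 1
    msg["recipients"] = [r.split()[0] for r in lines[i:i + count]]
    last = None
    for line in lines[i + count:]:                 # blank line, then headers
        m = HEADER_RE.match(line)
        if m:
            last = m.group(2)
            msg["headers"][last] = m.group(3)      # repeated names: last one wins
        elif line[:1].isspace() and last:          # folded continuation line
            msg["headers"][last] += " " + line.strip()
    return msg


def classify(msg):
    """Is this a bounce Exim generated itself, to whom, and for which recipients?"""
    bounce = msg["sender"] == "<>" and "localerror" in msg["options"]
    failed = msg["headers"].get("X-Failed-Recipients", "")
    return {"id": msg["id"], "frozen": "frozen" in msg["options"],
            "local_bounce": bounce,
            # A bounce goes back to the original envelope-from: the spam sender.
            "bounce_to": msg["recipients"][0] if bounce else None,
            "failed": [a.strip() for a in failed.split(",") if a.strip()],
            "protocol": msg["options"].get("received_protocol")}


def summarize(spool_texts):
    """Count local bounces per target address and queued mail per protocol."""
    s = {"messages": 0, "local_bounces": 0, "frozen": 0, "bounce_to": Counter(),
         "failed_domain": Counter(), "protocol": Counter()}
    for text in spool_texts:
        info = classify(parse_spool_header(text))
        s["messages"] += 1
        s["frozen"] += info["frozen"]
        s["protocol"][info["protocol"]] += 1
        if info["local_bounce"]:
            s["local_bounces"] += 1
            s["bounce_to"][info["bounce_to"]] += 1
            for addr in info["failed"]:
                s["failed_domain"][addr.rpartition("@")[2]] += 1
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On a live box you would feed `summarize()` the `*-H` files from Exim's spool input directory (`/var/spool/exim/input` on cPanel hosts) or the output of `exim -Mvh <id>`. A handful of `bounce_to` addresses receiving thousands of bounces is the pattern described in the question, and a non-zero `esmtpa` count for a sender you did not expect means credentials, not just a web script, were used to submit mail.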
Hello :) It's likely the bounces are from previously sent messages; however, I recommend reviewing /var/log/exim_mainlog to see if new messages are still being sent out from your server. Thank you.
Well, thanks for telling me about that log file... I browsed to that location and found that it is a whopping 1.3 GB in size! I guess I will have to download it and open it, though I'm not sure which text program will be able to open a file that large. Would it be safe to delete it, along with exim_mainlog.1.gz which is 183 MB? Meanwhile, I have managed to stop the bounce messages clogging up the mail queue by blocking the IP addresses of the three spammers (from Russia and Poland) which were showing in the logs. However, they could easily change IP addresses so I don't feel safe yet...
You could review active activity in that log with a command such as:

tail -f /var/log/exim_mainlog

Or, to see the last 500 lines, use a command such as:

tail -500 /var/log/exim_mainlog

If messages are coming from a specific email address, search it via:

exigrep user@domain /var/log/exim_mainlog

I do not advise deleting the logs until you are able to verify the source of the SPAM. The size you mentioned is not surprising based on the amount of email sent out. Thank you.
You may consider running the following as well:

If spamming is from an outside domain, then you can block that domain or email id on the server with a filter in /etc/antivirus.exim (vi /etc/antivirus.exim):

if $header_from: contains "name@domain.com"
then
  seen finish
endif

Shows the number of frozen emails:

exim -bpr | grep frozen | wc -l

To remove FROZEN mails from the server (either form):

exiqgrep -z -i | xargs exim -Mrm
exim -bp | awk '$6 ~ /frozen/ {print $3}' | xargs exim -Mrm

To display the IP and the number of tries done by the IP to send mail but rejected by the server:

tail -3000 /var/log/exim_mainlog | grep "rejected RCPT" | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5

Shows the connections from a certain IP to the SMTP server:

netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

To show the domain name and the number of emails sent by that domain:

exim -bp | exiqsumm | more

Thanks to serveradminz
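The replies above all come back to exim_mainlog: tail/exigrep it to see whether new mail is still being submitted, and count "rejected RCPT" lines per IP to see who keeps trying. As an added example, not code from the thread, here is a Python reader for that log that answers the asker's actual question directly. It splits message arrivals (the `<=` lines) into Exim-generated bounces (empty sender `<>`), authenticated SMTP submissions (`A=`, i.e. a mailbox password was used), local injections (`P=local`, attributed to the `U=` user, which is where a web form script would show up) and other remote hosts, and it counts `rejected RCPT` by IP while tolerating the `H=hostname (helo) [ip]` form that the single-field awk in the reply above would mis-read. The log lines are constructed; hosts, users and IPs are placeholders, and `dovecot_login` as the authenticator name is the cPanel convention, assumed here.

```python
"""Summarise exim_mainlog: who is still injecting mail, and who is rejected.

Added example, not code from the thread. Arrival lines look like
  <date> <time> <msg-id> <= <sender> [H=... [ip]:port] P=<proto> [A=auth:id]
  [U=user] S=<size> T="subject"
and rejections like
  <date> <time> H=... [ip]:port F=<sender> rejected RCPT <rcpt>: <reason>
"""
import re
from collections import Counter

ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
REJECT_RE = re.compile(r"^(\S+ \S+) H=.*?\[([0-9a-fA-F.:]+)\].* rejected RCPT ")
KV_RE = re.compile(r"\b([A-Z])=(\S+)")          # P=esmtpa A=... U=... R=...
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")     # the [ip] part of H=

# Constructed sample log; hosts, users and IPs are placeholders, and
# "dovecot_login" is the cPanel authenticator name (an assumption).
SAMPLE_LOG = """\
2014-03-20 17:46:15 1WQh2l-0007jC-OD <= user@example.co.uk H=(192.0.2.10) [192.0.2.10]:51282 P=esmtpa A=dovecot_login:user@example.co.uk S=2134 T="hello"
2014-03-20 17:46:16 1WQh2m-0007mQ-0w <= <> R=1WQh2l-0007jC-OD U=mailnull P=local S=4567 T="Mail delivery failed: returning message to sender"
2014-03-20 17:46:40 1WQh3D-0007nA-1x <= user@example.co.uk H=(198.51.100.7) [198.51.100.7]:40110 P=esmtpa A=dovecot_login:user@example.co.uk S=2090 T="hello"
2014-03-20 17:47:02 1WQh3Z-0007nQ-4c <= nobody@server1.example.co.uk U=nobody P=local S=1201 T="Contact form"
2014-03-20 17:50:01 H=(mail.example) [198.51.100.7]:4321 F=<a@example.org> rejected RCPT <b@example.co.uk>: relay not permitted
2014-03-20 17:50:03 H=(mail.example) [198.51.100.7]:4322 F=<a@example.org> rejected RCPT <c@example.co.uk>: relay not permitted
2014-03-20 17:51:10 H=mx.example.org (helo.example) [203.0.113.5]:2525 F=<d@example.org> rejected RCPT <e@example.co.uk>: Sender verify failed
""".splitlines()


def source_of(rest):
    """Attribute an arrival to a credential, a local user, or a remote host."""
    kv = dict(KV_RE.findall(rest))
    if "A" in kv:                        # SMTP AUTH: a mailbox password was used
        return "auth:" + kv["A"].split(":", 1)[-1]
    if kv.get("P") == "local":           # injected on the box (scripts, bounces)
        return "local:" + kv.get("U", "?")
    ip = IP_RE.search(rest)
    return "host:" + (ip.group(1) if ip else "?")


def summarize(lines):
    """Count arrivals by source, Exim-generated bounces, and rejections by IP."""
    s = {"arrivals": Counter(), "bounces": 0, "rejected_by_ip": Counter()}
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            if m.group(3) == "<>":       # empty sender: a bounce, not new outbound mail
                s["bounces"] += 1
            else:
                s["arrivals"][source_of(m.group(4))] += 1
            continue
        m = REJECT_RE.match(line)
        if m:
            s["rejected_by_ip"][m.group(2)] += 1
    return s


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(src)
    print("bounces:", s["bounces"])
    print("new arrivals by source:", s["arrivals"].most_common())
    print("rejected RCPT by IP:", s["rejected_by_ip"].most_common())
```

Run it as `python3 triage.py /var/log/exim_mainlog` (or on a `tail -n 50000` extract, since the log here is 1.3 GB). If the `auth:` counts keep rising after the script was removed, the mailbox whose credential appears there is still being used to submit mail and its password needs changing; if only `bounces` grows, the queue is draining old failures.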