Large number of small files filling out /var/spool/exim/input directory
Hello experts,
I have newly detected that on my server, a large number of small files are excessively filling out the /var/spool/exim/input directory, which has caused my disk to run out of inodes while it had plenty of disk space. The number of files is constantly growing EVEN when the exim service is stopped. I know this directory belongs to the mail queue, but it's so strange that creating new files does not stop when exim is stopped.
Please help me to fix this strange issue.
TIA
-
Those are exim queue files. Would help for you to review their contents to see what exactly is dumping them in there.
exim -bp (lists contents of the queue)
exim -Mvh $message_id (shows header contents of the message in question)
-
Hello :) How many messages are in your mail queue? You can review the messages in your queue via WHM if you are not comfortable with the command line: "WHM Home » Email » Mail Queue Manager" Thank you.
-
Hi. Exim is continuously trying to receive mails which are intended to be sent to non-existent mail accounts on existing domains. So the queue is constantly filled by messages sent to accounts that do not exist on the server, and they are left in the queue. Currently there are more than 500,000+ messages in the queue, which is growing every minute. Obviously the server is under a huge spam. How do I stop this? Please help me ASAP!
-
You should ensure the "Default Address" for your domain names is configured to "Discard with error to sender" so that the emails bounce to the senders. This is configured using the "Default Address" option in cPanel. You can search for and delete the existing messages in the mail queue with "Mail Queue Manager" in WHM. Thank you.
-
How can I set this option for all domains massively at once?
-
Default Address in all accounts is already set to the option you mentioned. Stopping exim does not stop creating new files in this dir!
-
The issue is I cannot keep the exim service stopped. It starts by itself. I have disabled exim and eximstats in WHM->Service Manager.
-
Hello, Feel free to open a support ticket using the link in my signature. Then please paste the ticket number here so we can update this thread accordingly.
-
Hi. I have configured my firewall (CSF) to allow only 100 incoming connections per 60 seconds on port 25. But when I check the count of files in /var/spool/exim/input using the "ls -la | wc -l" command, I see hundreds of new files are constantly added within a very few seconds. It's more malicious than to be a large spam attack! Please help me to investigate this issue. TIA
-
Mail logs, bro. /var/log/exim_mainlog You should see what's dumping all that email into the queue.
-
[quote="vanessa, post: 1636671"]Mail logs, bro. /var/log/exim_mainlog You should see what's dumping all that email into the queue.[/quote]
The problem is that Exim does not discard email coming to users that do not exist. Instead, it freezes the message in the mail queue. So a large number of messages are frozen and stored in the queue. The below is what is logged for each incoming message:
2014-05-06 22:39:00 1WhjnX-0008RS-VB ** juana_spears@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)
How do I configure Exim to discard these messages? How do I stop this attack?
-
[quote="kavos1332, post: 1638491"]How do I configure Exim to discard these messages? How do I stop this attack?[/quote]
Is this happening even after the queue was cleared, or is the queue filled with messages when this happens? Thank you.
-
Hi. While the server is online, messages are coming in, become frozen and are stored there. When I clear the queue manually with the rm command, it fills again within a few seconds. When I stop exim, it starts again and the same happens. The only way I could find was to manually make a typo in exim.conf so it cannot start automatically. In that case the queue stays free.
-
At this point, the best course of action in my opinion would be to investigate the source of the abusive emails. Have you tried blocking the IP addresses of the mail servers that are sending these messages with a firewall? Thank you.
-
How do I see the source IP? Should I do it by viewing each file located in /var/spool/exim/input/ ?
-
Check the recent Exim activity with a command such as:
tail -500 /var/log/exim_mainlog
Also, yes, you could review the actual message headers with a command such as:
exim -Mvh messageID
Thank you.
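
Added example, not part of the original thread: instead of reading the log by eye, the main log can be summarised to show which remote IPs deliver the most messages and which recipient domains collect the "No Such User Here" failures. It assumes the standard Exim main-log layout (date, time, message ID, flag); the function names and the "<=" sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an Exim main log to see what is feeding the queue.
# Assumed layout (standard Exim main log): date time message-id flag ...

# Count message arrivals ("<=") per remote IP, busiest first.
top_sources() {
    awk '$4 == "<=" {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^\[[0-9a-fA-F.:]+\](:[0-9]+)?$/) {
                ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
                n[ip]++; break
            }
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Count "No Such User Here" failures ("**") per recipient domain.
unknown_user_domains() {
    awk '$4 == "**" && /No Such User Here/ { split($5, a, "@"); n[a[2]]++ }
         END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2,2
}

# Count bounce messages that Exim froze.
frozen_count() {
    grep -c 'Frozen (delivery error message)' "$1" || true
}

# Constructed sample: the last two lines are the ones quoted in the thread;
# the "<=" lines and their addresses are made up for illustration.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
2014-05-06 22:38:58 1WhjnV-0008RA-AA <= a@example.net H=(mx1) [192.0.2.10] P=esmtp S=2101
2014-05-06 22:38:59 1WhjnW-0008RB-BB <= b@example.net H=(mx1) [192.0.2.10] P=esmtp S=2090
2014-05-06 22:38:59 1WhjnW-0008RC-CC <= c@example.org H=relay.example.org [198.51.100.7] P=esmtp S=1877
2014-05-06 22:39:00 1WhjnX-0008RS-VB ** juana_spears@karmano.co R=virtual_aliases: No Such User Here
2014-05-06 22:39:00 1WhjnX-0008RS-VB Frozen (delivery error message)
EOF

LOG=${1:-$SAMPLE}   # pass /var/log/exim_mainlog to analyse the real log
echo "Arrivals per source IP:";          top_sources "$LOG"
echo "Unknown-user failures by domain:"; unknown_user_domains "$LOG"
echo "Frozen bounces: $(frozen_count "$LOG")"
```

The IPs at the top of the first list are the candidates for the firewall block suggested earlier in the thread.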