Exim ignoring "ignore and drop" setting? SPAM problem

harro

Good day all,

recently I had problems with large amounts of spam being bounced to a domain on my server (the reply-to email addresses were faked). After switching off the 'catch-all' this reduced the influx and load considerably.

Now there seems to be a renewed peak in the arrival of spam "delivery failure" notices in the /input folder of exim (to the same domain name), even though there is only a handful of 'allowed' email addresses on that domain!

I use the Dovecot system (v1.0 beta 8), with a /var/spool/exim.in/input for emails arriving from the world and a /var/spool/exim/input for emails that have to be sorted into maildirs.


My three questions:

1) how come these emails are passing through into the /exim/input mail folder even though the settings in the control panel point to "The email is dropped and completely ignored"?

The clamav and MailScanner are processing all these emails, but why? I would expect them to be dropped, as soon as the recipient email address is read and not accepted.

<EDIT>http://www.directadmin.com/forum/showthread.php?s=&threadid=16430 This thread explains a bit about why it is not 'allowed' to drop/ignore emails.

I wonder though, whether the alternative setting "Fail" will not send the same amount of spam that came in back to the 'spammed' server (i.e. double trouble)? </EDIT>



2) How do I make Exim drop these emails, so that it does not take up precious CPU time to scan these emails, like the settings suggest.


3) What is the difference between the /exim/input and /exim/msglog folders? Both contain large numbers of emails. How do I remove the emails from /etc/msglog through the Exim program (now I fgrep for keywords and remove them like that).

Thank you for your insights! SPAM and fake-mail is seriously annoying...

Harro
 
Any followup? I currently have the same problem. I had to remove the mail record...
 
harro said:
recently I had problems with large amounts spam being bounced to domain on my server (the reply-to email addresses were faked). After switching off the 'catch-all' this reduced the influx and load considerably.
Always a good idea in the anti-spam fight.
Now there seems to be a renewed peak in the arrival of spam "delivery failure" notices in the /input folder of exim (to the same domain name), even though there is only a handful of 'allowed' email addresses on that domain!

I use the Dovecot system (v1.0 beta 8), with a /var/spool/exim.in/input for emails arriving from the world and a /var/spool/exim/input for emails that have to be sorted into maildirs.
How did you get to that setup? I've set up several servers using DA's method, and /var/spool/exim always spools all messages (though mostly our outgoing messages, as exim generally delivers all incoming messages immediately). I've searched our standard exim.conf files and I can't find any references to /var/spool/exim.in.

So I'm not sure if you're using a standard configuration. If you're not, my answers may not apply to you.
1) how come these emails are passing through into the /exim/input mail folder even though the settings in the control panel point to "The email is dropped and completely ignored"?

The clamav and MailScanner are processing all these emails, but why? I would expect them to be dropped, as soon as the recipient email address is read and not accepted.

<EDIT>http://www.directadmin.com/forum/showthread.php?s=&threadid=16430 This thread explains a bit about why it is not 'allowed' to drop/ignore emails.

Exim routers route mail, and they don't do that until the very end. When you're setting email to be dropped, it goes to a router that drops it at the very end of processing.
I wonder though, whether the alternative setting "Fail" will not send the same amount of spam that came in back to the 'spammed' server (i.e. double trouble)? </EDIT>
Fail will tell the sending server that it doesn't want the email. It doesn't send it back, because it never accepts it.
2) How do I make Exim drop these emails, so that it does not take up precious CPU time to scan these emails, like the settings suggest.
You don't drop them, you fail them. That's the right thing to do with email you don't want.
3) What is the difference between the /exim/input and /exim/msglog folders?
Files in /var/spool/exim/msglog contain logging information for each message and are named the same as the message-id.

Files in /var/spool/exim/input are named after the message-id, plus a suffix denoting whether it is the envelope header (-H) or message data (-D).
Both contain large numbers of emails. How do I remove the emails from /etc/msglog through the Exim program (now I fgrep for keywords and remove them like that).
I got those two paragraphs above from this great page.

Jeff
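To make the difference between "fail" and "drop" concrete, here is an added example that plays both sides of a minimal SMTP dialogue for a message addressed to an unknown mailbox. It is a constructed simulation, not Exim or DirectAdmin code: the domain, the mailboxes in ALLOWED_RECIPIENTS, the message id and the reply texts are made up. Under a "fail" policy the recipient is refused at RCPT TO with a 5xx code, the remote server never reaches DATA, and nothing is spooled or scanned; under a "blackhole" policy the message is accepted, sits in the spool, gets scanned, and is then thrown away.

```python
"""Constructed simulation of an inbound SMTP session for an unknown recipient,
comparing an Exim-style 'fail' policy (reject at RCPT TO) with a 'blackhole'
policy (accept, then discard). Added teaching example, not Exim or DirectAdmin
code; the domain, mailboxes and response texts are made up."""

# Constructed: the only mailboxes that really exist on the domain.
ALLOWED_RECIPIENTS = {"harro@example.com", "info@example.com"}


def rcpt_response(recipient, policy):
    """Server reply to RCPT TO under the given catch-all policy.

    'fail'      -> unknown recipients get a 5xx reply, so the remote server
                   keeps responsibility for the message and never sends DATA.
    'blackhole' -> everything is accepted (250) and discarded later.
    """
    if recipient in ALLOWED_RECIPIENTS:
        return "250 Accepted"
    if policy == "fail":
        return "550 No such recipient here"
    if policy == "blackhole":
        return "250 Accepted"
    raise ValueError(f"unknown policy: {policy}")


def run_session(recipient, policy, body=b"...constructed bounce/spam body..."):
    """Play a minimal SMTP dialogue and report what happened to the message.

    Returns the transcript plus whether the message was accepted, entered the
    spool (and therefore got scanned), and was delivered to a mailbox.
    """
    transcript = []

    def exchange(client, server):
        transcript.append((client, server))
        return server

    # Backscatter bounces typically arrive with an empty envelope sender.
    exchange("MAIL FROM:<>", "250 OK")
    rcpt = exchange(f"RCPT TO:<{recipient}>", rcpt_response(recipient, policy))

    result = {"accepted": rcpt.startswith("250"), "spooled": False,
              "scanned": False, "delivered": False, "transcript": transcript}

    if not result["accepted"]:
        # 5xx at RCPT: the client must not send DATA; nothing is stored or scanned.
        exchange("QUIT", "221 Bye")
        return result

    exchange("DATA", "354 Enter message, ending with \".\" on a line by itself")
    exchange(body.decode() + "\r\n.", "250 OK id=constructed-message-id")
    exchange("QUIT", "221 Bye")

    # Once accepted, the message is in the spool, so every scanner runs on it,
    # even though a blackhole recipient throws it away afterwards.
    result["spooled"] = True
    result["scanned"] = True
    result["delivered"] = recipient in ALLOWED_RECIPIENTS
    return result


def compare_policies(recipient="nobody@example.com"):
    """Summarise the cost of each policy for one unknown-recipient message."""
    return {p: {k: v for k, v in run_session(recipient, p).items() if k != "transcript"}
            for p in ("fail", "blackhole")}


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(policy, outcome)
    for client, server in run_session("nobody@example.com", "fail")["transcript"]:
        print(f"C: {client}\nS: {server}")
```

The point of the simulation is the "spooled"/"scanned" flags: with "fail" the refused message never becomes a spool file, so ClamAV and MailScanner never see it and no bounce is generated by this server; with "blackhole" every unwanted message still costs a full scan before being discarded.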
 
Thank you for taking the time to reply, Jeff. I find that most of the exim questions are answered by you so I feel a bit guilty asking questions that are often partially already answered but I appreciate it! (from different sources you are referred to as the exim 'guru', so I suppose it figures).

I followed the original instructions for converting from mbox to installing Dovecot (about 8 months ago), and this made a split between the mail being processed coming in and then another instance of exim to take care of sorting the mail out together with Dovecot. I definitely didn't decide to set it up like this by myself!

In response to your comment on /msglog - does that mean that the messages in the directory /msglog (not split into -H and -D parts) are duplicates of emails in the /input directory (and can therefore always be deleted)?

Fail will tell the sending server that it doesn't want the email. It doesn't send it back, because it never accepts it.

Now it's clear to me! Thank you :) I will set all 'catch-all' settings to 'fail' to avoid unnecessary load on my server.

I will work through the website you sent me - hope to figure out why there are 3000 emails in the /input dir and 1800 in the /msglog dir, that are not being processed :p I will post wise words back here when I find a course of action.

Bye,

Harro
 
harro said:
Thank you for taking the time to reply, Jeff. I find that most of the exim questions are answered by you so I feel a bit guilty asking questions that are often partially already answered but I appreciate it! (from different sources you are referred to as the exim 'guru', so I suppose it figures).
Well, not from at least one poster who manages to find fault with everything I do but never offers his own work to the community.

Okay, I'm done with my rant :) .
I followed the original instructions for converting from mbox to installing Dovecot (about 8 months ago), and this made a split between the mail being processed coming in and then another instance of exim to take care of sorting the mail out together with Dovecot.
I don't think that was the official Dovecot conversion procedure from DA, because I follow the official procedure, and it's never done that way. In fact Dovecot is a simple drop in replacement for imapd and popd, and the only differences in exim.conf should be to deliver incoming email into separate files into separate directories, instead of appending email into one monolithic file per user. That's all Dovecot does.

Are you by any chance confusing Dovecot with Mailscanner? Mailscanner may very well use two separate paths for email (I don't know, but based on what it does, it could).
I definitely didn't decide to set it up like this by myself!
Since it's non-standard, I really can't help you.
In response to your comment on /msglog - does that mean that the messages in the directory /msglog (not split into -H and -D parts) are duplicates of emails in the /input directory (and can therefore always be deleted)?
No. msglog contains an important part of the queue; if you delete anything out of msglog manually you have to delete the same emails out of /input manually because they'll never be deleted automatically.
I will work through the website you sent me - hope to figure out why there are 3000 emails in the /input dir and 1800 in the /msglog dir, that are not being processed :p
The difference is about right. Not quite but close :) .

You'll find the website very helpful, and it comes with clues for figuring out exactly how many emails there are in all those files, and lots more statistics besides.
I will post wise words back here when I find a course of action.
Great; then we can all learn.

Jeff
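Jeff's two points about the spool (input/ holds the -H and -D halves of each queued message, msglog/ holds a log file with the same message id, and deleting from one by hand leaves the other behind) can be checked mechanically. The following is an added example, not Exim or DirectAdmin code: it walks a spool directory, pairs the files by message id, and reports which ids are complete queue entries, which msglog files have no queued message left, and which input entries are missing one half. It builds a constructed sample spool in a temporary directory so it runs offline; on a real host you would call scan_spool("/var/spool/exim") instead. The script only reports; actually removing a message is left to exim -Mrm <id>, which removes all of its files together.

```python
"""Reconcile an Exim spool's input/ and msglog/ directories.

Added example, not Exim or DirectAdmin code. It assumes the layout described
in the thread: input/<id>-H (envelope and headers), input/<id>-D (message
data) and msglog/<id> (per-message log). A constructed sample spool is built
in a temporary directory so the script runs offline."""
import os
import re
import tempfile
from collections import defaultdict

# Exim message ids are 16 characters: time-pid-sequence, base 62.
MSGID_RE = re.compile(r"^([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})(?:-([HD]))?$")


def scan_spool(spool_dir):
    """Map each message id to the parts found: 'H' and 'D' from input/, 'L' from msglog/."""
    parts = defaultdict(set)
    # os.walk also covers per-letter subdirectories if split_spool_directory is enabled.
    for _, _, names in os.walk(os.path.join(spool_dir, "input")):
        for name in names:
            m = MSGID_RE.match(name)
            if m and m.group(2):
                parts[m.group(1)].add(m.group(2))
    for _, _, names in os.walk(os.path.join(spool_dir, "msglog")):
        for name in names:
            m = MSGID_RE.match(name)
            if m and not m.group(2):
                parts[m.group(1)].add("L")
    return dict(parts)


def classify(parts):
    """Sort ids into queued messages, msglog files with no queued message, and broken entries."""
    report = {"queued": [], "orphan_msglog": [], "incomplete_input": []}
    for msgid, found in sorted(parts.items()):
        if {"H", "D"} <= found:
            report["queued"].append(msgid)            # real queue entry (log file optional)
        elif found == {"L"}:
            report["orphan_msglog"].append(msgid)     # log left behind, -H/-D already gone
        else:
            report["incomplete_input"].append(msgid)  # only one of -H/-D is present
    return report


def build_sample_spool():
    """Create a constructed spool with one example of each situation; returns its path."""
    root = tempfile.mkdtemp(prefix="exim-spool-")
    os.makedirs(os.path.join(root, "input"))
    os.makedirs(os.path.join(root, "msglog"))
    sample = {  # constructed ids in Exim's 6-6-2 shape
        "1AbCdE-000001-AA": ["input/{}-H", "input/{}-D", "msglog/{}"],
        "1AbCdE-000002-AB": ["input/{}-H", "input/{}-D"],
        "1AbCdE-000003-AC": ["msglog/{}"],
        "1AbCdE-000004-AD": ["input/{}-H"],
    }
    for msgid, templates in sample.items():
        for template in templates:
            with open(os.path.join(root, template.format(msgid)), "w") as fh:
                fh.write(f"constructed content for {msgid}\n")
    return root


def demo():
    """Scan the constructed spool and return the classification."""
    return classify(scan_spool(build_sample_spool()))


if __name__ == "__main__":
    for kind, ids in demo().items():
        print(f"{kind}: {', '.join(ids) or '-'}")
```

Run against a real spool, the "orphan_msglog" list is exactly the set of log files that a manual rm in input/ left behind, and a difference between the input and msglog counts like the 3000 versus 1800 mentioned above is explained by the "queued" ids that have no log file yet (Exim only writes msglog/<id> once a delivery attempt has been logged for that message).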
 