exim overload server

LowKey

Hello,

Today I got issues with exim; it keeps the server at high CPU.

ps aux | grep exim
root 39858 2.5 0.3 9344 5460 ?? S 2:04AM 0:00.23 /usr/sbin/exim -q
root 37354 0.9 0.3 9344 5480 ?? S 2:04AM 0:00.23 /usr/sbin/exim -q
root 3760 0.0 0.2 9156 4060 ?? I 10:06AM 0:29.54 /usr/sbin/exim -q
root 7007 0.0 0.3 9344 5436 ?? S 2:03AM 0:00.17 /usr/sbin/exim -q
mail 7607 0.0 0.3 9344 5448 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
mail 7735 0.0 0.3 9344 5448 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
root 9372 0.0 0.2 9156 4060 ?? S 2:00AM 0:00.12 /usr/sbin/exim -q
root 13328 0.0 0.3 9344 5400 ?? I 2:03AM 0:00.09 /usr/sbin/exim -q
root 14729 0.0 0.3 9344 5480 ?? I 2:03AM 0:00.26 /usr/sbin/exim -q
mail 18972 0.0 0.3 9344 5656 ?? I 2:03AM 0:00.01 /usr/sbin/exim -q
root 20772 0.0 0.3 9344 5444 ?? I 2:03AM 0:00.17 /usr/sbin/exim -q
mail 21627 0.0 0.3 9344 5540 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
mail 22019 0.0 0.3 9344 5536 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
root 24543 0.0 0.3 9344 5456 ?? I 2:03AM 0:00.20 /usr/sbin/exim -q
mail 25593 0.0 0.3 9344 5528 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
mail 28034 0.0 0.3 9344 5524 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
mail 28369 0.0 0.3 9344 5524 ?? I 2:03AM 0:00.00 /usr/sbin/exim -q
mail 39123 0.0 0.3 9344 5540 ?? S 2:04AM 0:00.00 /usr/sbin/exim -q
mail 40584 0.0 0.3 9344 5536 ?? S 2:04AM 0:00.00 /usr/sbin/exim -q
mail 41169 0.0 0.3 9344 5540 ?? S 2:04AM 0:00.00 /usr/sbin/exim -q
root 50125 0.0 0.3 9344 5620 ?? I 2:01AM 0:00.30 /usr/sbin/exim -q
mail 51555 0.0 0.3 9344 5732 ?? S 2:01AM 0:00.01 /usr/sbin/exim -q
root 64465 0.0 0.2 9156 4056 ?? I 2:07PM 0:19.08 /usr/sbin/exim -q
root 68526 0.0 0.2 9156 4060 ?? I 11:07AM 0:27.30 /usr/sbin/exim -q
mail 70767 0.0 0.1 7108 2804 ?? Is Sun12AM 0:01.53 /usr/sbin/exim -bd -q1h -oP /var/run/exim.pid
root 79376 0.0 0.2 9156 4060 ?? I 1:00AM 0:00.79 /usr/sbin/exim -q
root 86166 0.0 0.2 9156 4060 ?? I 12:07PM 0:11.90 /usr/sbin/exim -q
root 92213 0.0 0.2 9156 4056 ?? S 1:07PM 0:32.92 /usr/sbin/exim -q
root 92478 0.0 0.2 9156 4060 ?? I 12:00AM 0:01.13 /usr/sbin/exim -q

And here is /var/log/exim/mainlog:

2010-12-06 02:06:00 1PYFuj-00091p-2J SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4047: host mx1.hotmail.com [65.54.188.94]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-06 02:06:00 1PYFuj-00091p-2J == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4047: host mx1.hotmail.com [65.54.188.94]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-06 02:06:00 1PYFuj-00091p-2J == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4047: host mx1.hotmail.com [65.54.188.94]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-06 02:06:00 1PYFuj-00091p-2J == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4047: host mx1.hotmail.com [65.54.188.94]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-06 02:06:00 1POtGT-000B6N-SP SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=7865: host mx2.hotmail.com [65.55.92.168]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-06 02:06:01 1POtGT-000B6N-SP SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=7865: host mx2.hotmail.com [65.55.37.72]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.

I think that is a spammer.

Please advise,

Thank you
 
Yes, looks like spam. Identify the account that's spamming (the queue may indicate some ideas), shut it down, then clear the queue.
 
And of course if you haven't switched yet to the latest SpamBlocker-powered exim.conf file, Version 4 (here), it's possibly backscatter.

Jeff
 
Exim Process

Hello,

I still have exim process issues.

I do tail -f /var/log/exim/maillog

I got


2010-12-07 22:57:31 1PYUKd-0005LT-5h == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4049: host mx3.hotmail.com [65.54.188.110]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-07 22:57:31 1PYUKd-0005LT-5h SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4049: host mx1.hotmail.com [65.54.188.110]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-07 22:57:31 1PYUKd-0005LT-5h SMTP error from remote mail server after initial connection: host smtp-la04.lausd.net [204.108.65.184]: 450 try again later
2010-12-07 22:57:31 1PYUKd-0005LT-5h == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host smtp-la04.lausd.net [204.108.65.184]: 450 try again later
2010-12-07 22:57:31 1PYUKd-0005LT-5h SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4049: host mx1.hotmail.com [65.55.37.72]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-07 22:57:31 1PYUKd-0005LT-5h == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=4049: host mx1.hotmail.com [65.55.37.72]: 421 RP-001 Unfortunately, some messages from 64.32.11.194 weren't sent. Please try again. We have limits for how many messages can be sent per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
2010-12-07 22:57:32 1PYUKd-0005LT-5h => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3029 H=wkbw.i-evolve.net [72.237.212.73] C="250 2.6.0 message accepted (knc2c8)"

It always gives that error message.

How to stop this or ban this?

Please advise

Thank you
 
Somebody is sending spam from your server.

1. It can be bounce messages: to solve, do not include the original body in bounce messages.
2. It can be email forwarders or the catch-all function used by one of your clients. Check it out. It'd be better to deny use of the catch-all function altogether.
3. It can be a spamming PHP/Perl/other script.

Use exigrep <SEARCH_STRING> /var/log/exim/mainlog to learn more about a certain message.

e.g.

Code:
exigrep 1PYUKd-0005LT-5h /var/log/exim/mainlog
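
An added example, not part of the original post or of Exim itself: a shell/awk summary over the mainlog that ranks queue IDs by deferral count and attaches the sender, U= (local user) and A= (SMTP AUTH) fields from each arrival line, showing which IDs to pass to exigrep and whether the origin is a local account or a null-sender bounce (`<>`, the backscatter case). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in Exim mainlog format (addresses/IPs are placeholders).
sample_log() {
cat <<'EOF'
2010-12-06 02:00:01 1AAAAA-000001-AA <= webuser@example.org U=webuser P=local S=4047
2010-12-06 02:00:02 1AAAAA-000001-AA == a@example.net R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<webuser@example.org> SIZE=4047: host mx.example.net [192.0.2.10]: 421 RP-001
2010-12-06 02:00:02 1AAAAA-000001-AA == b@example.net R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<webuser@example.org> SIZE=4047: host mx.example.net [192.0.2.10]: 421 RP-001
2010-12-06 02:00:02 1AAAAA-000001-AA == c@example.net R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<webuser@example.org> SIZE=4047: host mx.example.net [192.0.2.10]: 421 RP-001
2010-12-06 02:00:03 1BBBBB-000002-BB <= <> R=1CCCCC-000003-CC U=mail P=local S=7865
2010-12-06 02:00:04 1BBBBB-000002-BB == d@example.com R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx.example.com [192.0.2.30]: 450 try again later
2010-12-06 02:00:05 1DDDDD-000004-DD == e@example.com R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx.example.com [192.0.2.30]: 450 try again later
2010-12-06 02:00:06 1AAAAA-000001-AA => f@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20] C="250 ok"
EOF
}

# Reads a mainlog on stdin; prints "<defer count> <queue id> <origin>",
# most-deferred message first.
summarize_defers() {
    awk '
        # Arrival line: date time id "<=" sender ... U=user P=proto A=auth:id
        $4 == "<=" {
            who = "sender=" $5
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/) who = who " " $i   # local user or ident
                if ($i ~ /^A=/) who = who " " $i   # authenticated SMTP login
            }
            origin[$3] = who
        }
        # Deferral line: date time id "==" recipient R=... T=... defer (n): ...
        $4 == "==" && /defer \(/ { defers[$3]++ }
        END {
            for (id in defers)
                printf "%d %s %s\n", defers[id], id,
                    ((id in origin) ? origin[id] : "origin=not-in-log")
        }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server: summarize_defers < /var/log/exim/mainlog
sample_log | summarize_defers
```

An ID reported as origin=not-in-log arrived before the current log file began, so its arrival line has to be looked up in a rotated log.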
 
There's also a good chance that there are rejected messages. But there is also a good chance that outgoing mail is still in the mail queue, especially since Hotmail has limits on the amount that can be sent to them. :)
Look and see if you find one with header info. Maybe you can find where the spamming is coming from.

Another option is to use the CSF/LFD firewall. You could set it up so mail can only be sent by SMTP. This way you get a bunch of error notices about mail not being able to be sent, and you quickly see which one is causing the problem.
Block that account and then set CSF/LFD to the mode in which phpmail can be sent again.
 
Don't forget there may still be backscatter spam in your queue. I'd recommend deleting everything in the queue that looks like spam; see if it builds up again.

Jeff
 
Solved

Don't forget there may still be backscatter spam in your queue. I'd recommend deleting everything in the queue that looks like spam; see if it builds up again.

Jeff

Yes, you are right. Now it's working again with no issues after

I do

find /var/spool/exim/input -type f -exec rm -f {} +

I removed the whole queue and started exim back up.

Problem resolved.

Thank you for helping me.
 
Your problem is not resolved. You did a workaround to stop the spam for the time being.
However you did not find the cause of the spam.
So it could well be you're back again tonight or tomorrow having the same problem. ;)
 
If the spam was backscatter spam, then, if LowKey has updated to the latest version of the SpamBlocker powered exim.conf file, version 4, as he says in post #5 of this thread, then the problem could be solved. The best way to tell is to search the queues regularly to see if the amount of email in the queue begins to rise again.

Jeff
 