cachorroyayo
Verified User
Hello Forum,
Yesterday we had a problem in the office.
When I looked at the server, all of its services were sick, and it was impossible to log in using root and the password.
When I took the decision to reboot, the system tried to boot normally but was unable to do it... then the system complained, asking for fsck in single-user mode.
When the system reported "MARKED CLEAN" I rebooted it, but when the Exim process was marked [OK] the system hung again, and the process went into a loop.
Thinking... The solution.
A friend of mine suggested that I force-mount / and review what was happening in the lost+found folder, because when fsck was executed the output said "lost+found" was full or had no free space... false, because my server has free space.
Then we decided to look at the exim queue in /var/spool/exim/input
Surprise...
/var/spool/exim/input had hundreds and hundreds of mails queued, and when exim tried to start it tried to handle all the queued mails... an impossible mission when you are the target of spammers.
We decided to rename /var/spool/exim/input to input.old and try to restart the system, but immediately a 600MB queue was allocated in it.
Since then we have the following questions:
** Is there any way to customize the system_filter file to tell exim to reject or deny mail from a logged-in user? The spammer used 3 accounts that were perfectly logged in to the system.
** Can exim process the queue part by part when the system is a spammers' target, and let the system handle the other processes and services, rather than in one big chunk? If this option had been configured on my server, I'm sure my server would still be alive.
We made some changes in the exim.conf file:
warn ratelimit = 10 / 1m / per_rcpt / strict
     delay = 30s
     log_message = Sender $sender_address rate $sender_rate / $sender_rate_period exceeds limit delayed
and system_filter file:
but we want to block mail from users already logged in whose accounts are being used by the spammers to attack other accounts on other domains.
if $header_from: contains ".br"
then
  fail text "Temporalmente bloqueado"
  seen finish
endif
It is widely known that postfix handles the mail queue better, but exim really can do the same; I mean, it is not possible that when you are a target of spammers the mail queue brings down a whole system and freaks you out.
Best regards.
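
One way to approach the two questions in the post above, as an added Exim configuration example that is not part of the original post. The thresholds and the block-file path /etc/exim/blocked_auth_users are assumptions chosen for illustration, and the ACL statements assume they are placed in the ACL named by acl_smtp_rcpt.

```conf
# --- main configuration section of exim.conf ---
# Exim only treats '#' as a comment at the start of a line,
# so every comment here sits on its own line.

# Above this load average, accept and queue mail but start no immediate delivery.
queue_only_load = 8
# Abandon a running queue run if the load average rises above this.
deliver_queue_load_max = 6
# At most two queue runner processes at a time, so a large backlog
# is worked through gradually instead of all at once.
queue_run_max = 2
# After 10 messages on one SMTP connection, only queue the rest.
smtp_accept_queue_per_connection = 10

# --- inside the ACL named by acl_smtp_rcpt, before any
# --- "accept authenticated = *" statement ---

# Refuse mail from authenticated logins listed in a block file
# (hypothetical path, one login per line). Adding a compromised
# account to the file stops its mail at SMTP time, before it is queued.
deny message = Account temporarily blocked
     authenticated = *
     condition = ${lookup{$authenticated_id}lsearch{/etc/exim/blocked_auth_users}{yes}{no}}

# Rate limit keyed on the login instead of the sending host,
# so one abused account cannot fill the spool (constructed limit).
deny message = Sending rate limit exceeded for $authenticated_id
     authenticated = *
     ratelimit = 100 / 1h / per_rcpt / strict / $authenticated_id
```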