Messages with no sender

philmcdonnell

Hello All,

How can I get the server to not accept emails without a sender address?

I have a bunch of emails that are frozen in the mail queue without a sender address; they have <> instead...

Is there a way to stop this? Is there any reason why I wouldn't want to stop it?

Thanks,
Phil
 
Do you have SpamBlocker and SpamAssassin on your server? These two applications will minimize the amount of spam sent to your server.

Yes, both are installed and working. I have SB 2 not 3 yet. I got hit with about 30,000 emails on Friday all of which got frozen in the queue and all had no valid IDs so I can't delete them, etc. I had to manually delete the directory input and msglog in order to get rid of them.

As you can imagine with all those emails in the queue it took my server to its knees...

I really need to know if there is any way to stop receipt of messages without a sender... I thought there is a setting in exim.conf or somewhere that says to not accept email from invalid senders or something like that.

I am going to do more research tonight on it...

Thanks,
Phil
 
I got hit with about 30,000 emails on Friday all of which got frozen in the queue and all had no valid IDs so I can't delete them, etc. I had to manually delete the directory input and msglog in order to get rid of them.
30,000 email messages :eek:
Do you have clients with large mailing lists? If not, it is likely that you have an in-house spammer.
 
Why does it happen? Probably because RFCs require you accept email with null senders, so MAILER-DAEMON can get to you. I had to make a lot of changes to SpamBlocker to block only the bad guys.

Actually the spam is most likely coming from China, probably from addresses in the 125.110.0.0/16 netblock.

First update to Dovecot if you haven't done so already, as SpamBlocker 3.1-beta only runs with Dovecot.

Then update to SpamBlocker 3.1-beta (see the SpamBlocker subforums here), installing carefully, and checking every instance of the word EDIT in the exim.conf file to make sure it'll run on your system.

Among other things, the SpamBlocker 3.1-beta blocks based on subnets, and it blocks on them for all domains, not just for those listed in use_rbl_domains. Which is critical for this attack.

Don't forget to restart exim when you've installed a new exim.conf file.

So add 125.110.0.0/16 as the top line of your /etc/virtual/bad_sender_hosts file (note this only works for SpamBlocker 3.1-beta).

While you can delete all frozen messages in the queue, it's going to take hours while your machine is overloaded.

What we did (yes, we know it's a rather heavy hammer, but we did it anyway; getting the server running was important):

1. turn off exim from the control panel.

2. Then killall -9 all the still running exim processes from the command line.

3. rename the /var/log/exim/input file to /var/log/exim/input.bad

4. rename the /var/log/exim/msglog file to /var/log/exim/msglog.bad

5. Create new files at /var/log/exim/input and at /var/log/exim/msglog

6. chmod and chown them to match the directories you've renamed

7. restart exim from the control panel

8. kill those two old directories this way:
Code:
rm -Rf /var/spool/exim/input.bad /var/spool/exim/msglog.bad
It'll take a VERY long time but it will eventually get done.

9. From a different shell window, watch your server load go from hundreds to under 1.0 in a matter of minutes.

Note I'm not responsible for mistakes in posts; either mine in writing them or yours in following them. I am responsible for work I do for you under contract; please feel free to write or call me to discuss having me do some or all of this for you.

Jeff
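
An added example, not part of the thread and not SpamBlocker code: before putting a netblock into a block list such as the bad_sender_hosts file mentioned above, tally which remote networks are actually delivering null-sender (`<>`) mail. The sketch assumes Exim's standard main-log arrival format; the log lines, function names and threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Exim main-log format (not taken from the thread).
SAMPLE_LOG = """\
2007-05-11 10:02:13 1HmAAA-0001Xy-Ab <= <> H=(mx1.example) [198.51.100.7] P=smtp S=2345
2007-05-11 10:02:14 1HmAAB-0001Xz-Cd <= <> H=(mx2.example) [198.51.23.9] P=smtp S=2101
2007-05-11 10:02:15 1HmAAC-0001Y0-Ef <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=900
2007-05-11 10:02:16 1HmAAD-0001Y1-Gh <= <> R=1HmAAC-0001Y0-Ef U=mail P=local S=1500
2007-05-11 10:02:17 1HmAAE-0001Y2-Ij <= <> H=(mx3.example) [198.51.100.200] P=smtp S=2222
2007-05-11 10:02:18 1HmAAF-0001Y3-Kl <= <> H=relay.example.net [192.0.2.44] P=esmtp S=3100
2007-05-11 10:02:19 1HmAAA-0001Xy-Ab ** bob@example.com R=virtual_user: mailbox full
"""

# "<=" marks a message arrival, "<>" is the null envelope sender,
# and the bracketed field is the connecting host's IP address.
ARRIVAL = re.compile(r" <= <> .*?\[(?P<ip>[0-9a-fA-F.:]+)\]")


def null_sender_netblocks(log_text, v4_prefix=16, v6_prefix=32):
    """Count remote null-sender arrivals per enclosing netblock."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.search(line)
        if not m:
            continue  # other senders, deliveries, or locally generated bounces
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # bracketed text that is not an IP address
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def candidates(counts, threshold):
    """Netblocks at or above the threshold, busiest first."""
    return [(net, n) for net, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for net, n in candidates(null_sender_netblocks(SAMPLE_LOG), threshold=2):
        print(f"{n:6d}  {net}")
```

Legitimate bounces also arrive with a null sender, so the output is a list of netblocks to review, not one to block automatically.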
 