1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

qmail remote queue fill-up, again

Discussion in 'Plesk for Linux - 8.x and Older' started by echeng@, Jan 15, 2006.

  1. echeng@

    echeng@ Guest

    0
     
    Hello, guys. I've done many searches here and have found solutions to the standard qmail queue filling up issue, but my queue has just recently started filling up again, and I can't track the problem down.

    A few months ago, my qmail queue started filling up quickly, and I did the following things to make it stop:

    1. apply the 127.0.0.1 / 32 mail whitelist change

    2. change all of my domains to "reject" unknown mail instead of "bouncing" it

    3. cron a nightly, selective delete of messages with subject "failure notice" in the qmail queue


    All has been smooth for several months, but mail started building up again, and my qmail queue last night was a staggering 345,000 messages! Looks like most of the messages are still failure notice messages, which is baffling.

    Any ideas on how to track down the problem this time? I just confirmed again that all my domains are set to "reject" and not "bounce."

    Also, what's an easy way to list qmail queue message information? I'm using qmHandle, which lets me selectively delete based on subject content, but when I use it to list huge queues, it just sits there. Maybe it takes a long time with so many queued messages...

    Thanks for any help you might be able to give me...
     
  2. phoenixisp

    phoenixisp Silver Pleskian

    27
    57%
    Joined:
    Feb 2, 2002
    Messages:
    840
    Likes Received:
    0
    I have had no luck with the "Reject" function so I forward the unknown emails to an account I created with no mailbox or redirect. It sends the mail to a "black hole" so to speak.
     
  3. wagnerch

    wagnerch Guest

    0
     
    More than likely one of your domains was hacked and someone is using your local mail queue to spam. I would look for unusual jobs running as the apache user. Keep in mind that some of those jobs may appear to be "httpd", but you should pay particular attention to the "ppid".

    There is a few worms running loose that exploit awstats and xmlrpc vulnerabilities. I ran across one guy who had 10~15K worth of e-mail's in his mail queue, and they were exploiting a vulnerability in xmlrpc. Installing modsecurity helps prevent alot of headaches.
     
  4. echeng@

    echeng@ Guest

    0
     
    Thanks, guys, for the help. My system was indeed compromised, and seems to be working again.

    Still, what I've done now is move to fastmail.fm mail, and have my DNS mx entries pipe mail directly there. I'm done with having server issues affect e-mail...
     
  5. echeng@

    echeng@ Guest

    0
     
    thanks. I currently use qmHandle and qmailclear.sh.

    I tried running qmHandle on 300,000 qmail messages, and ... well, it took some time. ;)
     
  6. wagnerch

    wagnerch Guest

    0
     
    Take a look at www.modsecurity.org, and then go to www.gotroot.com to download the modsecurity rules.

    It takes a bit of tweaking, but once you tune the rules it will definately help. Naturally you have to keep on it, update the rules, etc. It is hard to control the domains if your doing web hosting, and there is so many vulnerable php scripts that there is no way to keep up.

    Chad
     
  7. aheidl

    aheidl Guest

    0
     
    evil xml-rpc

    i had a similar problem on my server which caused me plenty of sleepless nights. 250k+ mailes in a few hours which all seemed to be false bounces. I could delete those with qmHandle, but this was no way the solution to sit there and keep deleting them as you watch the remote que filling up.

    apparently I found the source of all the evil to be the xml-rpc interface (php) as part of an postNuke (www.postnuke.org) installation. They did post a security warning about it and since I have disabled it I could stop the mess.

    Maybe this is usefull to someone.

    BR,

    Alex
     
  8. wagnerch

    wagnerch Guest

    0
     
    Re: evil xml-rpc

    Yep, there is a Linux.Mare worm variant floating around exploiting XML-RPC and awstats. phpAdsNew is also vulnerable. There is atleast a dozen apps using XML-RPC.
     
Loading...