
Spam? and Qmail Queue


Peter 0017

Guest
I have a problem with the mail queue. My server slows down to a snail's pace. I go to check it and find the queue with hundreds of failure notices for various emails with no sender. I open the link to the mail and no information comes up. No bits of letter, no return address, just that it failed and the address. I need to track down where this is coming from and stop it. I can't say for sure it's not coming from one of my clients, because using a script they can email without adding the From header (although it's extremely unlikely). Not sure how to stop that, but I have found a script to reject letters without proper headers; it's called SPAMCONTROL. It can be found at http://www.fehcom.de/qmail/spamcontrol.html . This looks like what I want; however, it requires you to remake Qmail. I don't consider this a big issue, but with Plesk I'm not eager to potentially crash the CP to find out Plesk's Qmail requires some added configuration I hadn't found out about. Does anyone know how to remake Qmail in Plesk? Are there any special instructions, procedures, or considerations I need to be aware of? Has anyone used SPAMCONTROL or something like it? Does it work?
Thanks
 
Hooo.... boy....

I've had this problem too. Are you using ART's qmail-queue-scanner by chance? I was and maintain that it's wonderful, but there are certainly some things to tweak!

Here are my tips --

#1) Applicable to 1and1 servers and poorly partitioned servers --

Is the partition that /var/qmail/mailnames is on maxed out? Find out which partition it's on by typing 'df' and checking.

I have two 1and1 servers and my older (and faster) server had a 4GB partition for MySQL and /var/ for some bizarre reason. It had filled and this was causing slowdown.

If you're running out of space, move your mailnames folder to somewhere like /home/ (since httpd and ftp are there) and make a symbolic link to it.


ln -s /home/mailnames /var/qmail/mailnames
chown root:qmail /var/qmail/mailnames

#2) Kill double bounce backs!!!!!

in /var/qmail/control/ :

echo '#' > doublebounceto

Just imagine, your server is rejecting mail when it's sent to addresses at domains on your server that don't exist -- such as [email protected]. Your server then bounces this to the sender which is [email protected] and guess what? It bounces.

PLESK's Qmail distro should set this up by default, but like with many things, it doesn't. I swear that SW-Soft needs to create a plug-in repo site or something open source to allow things such as this to be added.

#3) Flush your existing qmail-queue

Proceed with caution. After setting no doublebouncebacks, I totally cleared my queue.

/var/qmail/queue/

I cleared this out totally:

service qmail stop
rm mess/*/* --force
rm info/*/* --force
rm remote/*/* --force
rm local/*/* --force

You may want to check your local folders first ---

ls local/* -- as some of your users may have mail waiting to be delivered.

#4) If using ART's qmail scanner --

/var/spool/qmail-scanner (v1.0) -- I believe this was the correct path

/var/spool/qscan (v2.0)

I had to create a symbolic link in:

/var/spool/qscan/quarantine/

ln -s /var/spool/qscan/quarantine/ /var/spool/qscan/quarantine/policy

Very silly - but as the install for qmail-scanner incorrectly had these paths set (or you can modify qmail-scanner's config and remove the policy folder -- but if you want to upgrade, it might be better to just create the folders or at least create symbolic links to them).

#5) Back to the original message - "Incorrect Headers". If you're using qmail-scanner-queue, you can improve the logging by jumping to around line 1273 where you see 'g_e_h: no sender'...

(/var/qmail/bin/qmail-scanner-queue.pl)

Add in $HEADERS at the end of the string (before the " of course) and you should see that your qmail-scanner logs will show you that the incorrect header business was caused by the bounce backs.

This is what clued me in to what the problem is.

I talked to Scott at ART about this problem and did a good amount of troubleshooting about this problem for weeks and finally solved it and my server is back to running Qmail, Spamassassin, Qmail-Scanner, and processing spam at a fraction of the CPU resources (I was at 3-4 under top, now I'm at average 0.20)


#6) You can always review your mail logs and if you notice a particular IP address sending a lot of SPAM, you can play the whack-a-rat carnival game by blocking IPs with PLESK Firewall, or manually.


-------------

Other advice - if using Spamassassin and custom rule sets, go through your rulesets and remove rulesets that are too processor intense.

Hope this points you in the right direction!
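
A triage step to run before the queue flush in tip #3, given here as an added example that is not code from this thread. It assumes the stock qmail queue layout, where info/<split>/<id> holds the envelope sender as F<address> followed by a NUL byte (an empty address is a bounce, #@[] is the sender stock qmail puts on double bounces); the function names are hypothetical and the queue it runs on is constructed sample data.

```sh
#!/bin/sh
# Added example: summarise envelope senders in a qmail queue before deleting it.
# Assumption: stock qmail layout, info/<split>/<id> = "F<sender>\0".

queue_senders() {   # $1 = queue root; prints "<count> <sender>" lines
    find "$1/info" -type f | while read -r f; do
        s=$(tr -d '\000' < "$f" | cut -c2-)      # drop NUL and leading "F"
        case "$s" in
            '')     echo '<bounce>' ;;           # empty envelope sender
            '#@[]') echo '<double-bounce>' ;;    # bounce of a bounce
            *)      echo "$s" ;;
        esac
    done | sort | uniq -c | sort -rn
}

sender_count() {    # $1 = queue root, $2 = sender label; prints its count
    queue_senders "$1" |
        awk -v who="$2" '$2 == who { n = $1 } END { print n + 0 }'
}

pending_local() {   # messages still waiting for delivery to local mailboxes
    find "$1/local" -type f | wc -l | tr -d ' '
}

make_sample_queue() {   # constructed test data, not a real queue
    mkdir -p "$1/info/0" "$1/info/1" "$1/local/0"
    printf 'F\000'                 > "$1/info/0/101"
    printf 'F\000'                 > "$1/info/0/102"
    printf 'F#@[]\000'             > "$1/info/1/103"
    printf 'Fuser@example.com\000' > "$1/info/1/104"
    printf 'Tuser@example.net\000' > "$1/local/0/104"
}

q=$(mktemp -d)
make_sample_queue "$q"
queue_senders "$q"
echo "local deliveries pending: $(pending_local "$q")"
rm -rf "$q"
```

On a live server, stop qmail first and pass /var/qmail/queue as the queue root; a queue dominated by bounce and double-bounce entries matches the pattern described in tip #2.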

 
Another Tip...

Take a look at the IP addresses from e-mail senders sending you spam...

Then run them through:

http://www.dnsstuff.com/tools/whois.ch?ip=59.157.43.27

Then in /etc/xinetd.d/psa_smtp

You can block IP ranges. Another user posted this tip a while back. After running DNS Stuff's lookup of who an IP is - if you find the spam coming from Romania, Russia, Japan, or another country that you don't mind completely rejecting IP ranges from, by all means block them and save yourself the CPU time!

--

service smtp
{
socket_type = stream
protocol = tcp
wait = no

no_access = 61.28.0.0/18
no_access = 86.120.0.0/13
no_access = 61.32.0.0/13
no_access = 61.40.0.0/14
no_access = 61.48.0.0/13
no_access = 61.72.0.0/13
no_access = 61.80.0.0/13
no_access = 61.96.0.0/12
no_access = 61.128.0.0/10
no_access = 61.232.0.0/14
no_access = 61.236.0.0/15
no_access = 61.240.0.0/14
no_access = 61.248.0.0/13
no_access = 128.134.0.0/16
no_access = 129.254.0.0/16
no_access = 132.16.0.0/16
no_access = 134.75.0.0/16
no_access = 137.68.0.0/16
no_access = 141.223.0.0/16
no_access = 143.248.0.0/16
no_access = 147.6.0.0/16
no_access = 147.43.0.0/16
no_access = 147.46.0.0/15
no_access = 150.150.0.0/16
no_access = 150.183.0.0/16
no_access = 150.197.0.0/16
no_access = 152.99.0.0/16
no_access = 152.149.0.0/16
no_access = 154.10.0.0/16
no_access = 155.230.0.0/16
no_access = 156.147.0.0/16
no_access = 157.197.0.0/16
no_access = 158.44.0.0/16
no_access = 159.226.0.0/16
no_access = 161.122.0.0/16
no_access = 161.207.0.0/16
no_access = 162.105.0.0/16
no_access = 163.152.0.0/16
no_access = 163.180.0.0/16
no_access = 163.239.0.0/16
no_access = 164.124.0.0/15
no_access = 165.132.0.0/15
no_access = 165.141.0.0/16
no_access = 165.186.0.0/16
no_access = 165.194.0.0/16
no_access = 165.213.0.0/16
no_access = 165.229.0.0/16
no_access = 165.243.0.0/16
no_access = 165.244.0.0/16
no_access = 165.246.0.0/16
no_access = 166.79.0.0/16
no_access = 166.103.0.0/16
no_access = 166.104.0.0/16
no_access = 166.111.0.0/16
no_access = 166.125.0.0/16
no_access = 167.139.0.0/16
no_access = 168.78.0.0/16
no_access = 168.115.0.0/16
no_access = 168.126.0.0/16
no_access = 168.131.0.0/16
no_access = 168.154.0.0/16
no_access = 168.160.0.0/16
no_access = 168.188.0.0/16
no_access = 168.219.0.0/16
no_access = 168.248.0.0/16
no_access = 169.140.0.0/16
no_access = 192.5.90.0/24
no_access = 192.83.122.0/24
no_access = 192.100.2.0/24
no_access = 218.236.0.0/16

disable = no
user = root
instances = UNLIMITED
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmai$
}
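
With a long no_access list it is easy to lose track of what is actually rejected, so the following added example (not code from this thread) reports which entry, if any, covers a given IPv4 address. It handles only the one-range-per-line a.b.c.d/n form used in the post; the function names are hypothetical and the config file is a constructed sample reusing three ranges from the list above.

```sh
#!/bin/sh
# Added example: report which no_access entry in an xinetd service file
# covers a given IPv4 address. Only the a.b.c.d/n form is handled.

ip_to_int() {   # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

blocking_rule() {   # $1 = config file, $2 = address; prints the matching CIDR
    addr=$(ip_to_int "$2")
    sed -n 's/^[[:space:]]*no_access[[:space:]]*=[[:space:]]*//p' "$1" |
    while read -r cidr; do
        net=${cidr%/*}; bits=${cidr#*/}
        [ "$bits" = "$cidr" ] && bits=32      # bare host address, no /n
        mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        if [ $(( addr & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
            echo "$cidr"
            break
        fi
    done
}

make_sample_conf() {   # constructed file reusing three ranges from the post
    cat > "$1" <<'EOF'
service smtp
{
    socket_type = stream
    no_access = 61.28.0.0/18
    no_access = 86.120.0.0/13
    no_access = 192.5.90.0/24
    disable = no
}
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
for ip in 61.28.63.1 61.28.64.1 86.121.5.9 203.0.113.5; do
    echo "$ip -> $(blocking_rule "$conf" "$ip")"
done
rm -f "$conf"
```

Running it against /etc/xinetd.d/psa_smtp with the address of a known legitimate sender shows whether a country-wide range is also rejecting mail you want.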
 
Hi,

I also have the problem with my qmail server filling up with failure notices. This slows down the normal email flow.

Is there any way to stop qmail from sending bounce messages at all? So if someone sends spam or whatever to a non-existing recipient qmail just ignores the email...

This would make my day a lot easier :)

Cheers
 
I'm not too certain, although I would not suggest that functionality at all.

According to ART, he's currently testing out a version of qmail-scanner (for project Gamera - not sure if it's for PLESK servers) that includes checking of valid recipient addresses before scanning. This would be unbelievably valuable.

And then there's my 2c - PLESK should offer this sort of thing =)
 