Huge exim logs

Posted by Formas, 10-15-2009, 08:50 PM
Hello guys, well, I have a problem here on my server with Exim logs. Yesterday I received a cPanel warning email informing me that the /var partition had 81% of its space used. So I went to /var and I saw exim_mainlog and exim_rejectlog at 2.5GB each. So I cleared these 2 files completely. To my surprise, today both logs are more than 2GB again. I could not understand what happens here? Why do these two files grow so fast? Does somebody have a suggestion to fix it? Thanks a lot. Formas

Posted by Alistair Smith, 10-15-2009, 08:56 PM
Check for any case of spamming in the server.

Posted by Formas, 10-15-2009, 09:02 PM
Hi, yes, I checked it. But outgoing has no spammer, I manage this carefully. Incoming seems not to have any either, because I have only 116 messages in the mail queue.
===
-bash-3.2# exim -bpc
116
-bash-3.2#
===
Thanks, Formas

Posted by activelobby4u, 10-15-2009, 09:12 PM
The queue does not show the amount of emails sent. You should probably check out the emails being sent out by the domains using WHM.

Posted by Formas, 10-15-2009, 09:54 PM
No, no, the emails that were sent from my server I control with other scripts. I know that my server has no spammer. If my server received a lot of spam, I think the queue must have more than 116 messages, do you agree? Or am I wrong?

Posted by uptime365, 10-15-2009, 11:10 PM
There must be something suspicious in the logs. Can you tail it and have a further check whether anything is out of the ordinary?

Posted by senetpro, 10-16-2009, 01:35 AM
Not necessarily, the 116 messages in the queue were at a certain time. A possibility is that spamming happened at a certain instance and the mails were delivered. You need to check the logs to find out any suspicious activity.

Posted by plumsauce, 10-16-2009, 02:26 AM
Have you tried reading the logs? That would settle it once and for all.

Posted by web-1, 10-16-2009, 04:04 AM
I agree, the logs are there for a reason, they actually tell you what's going on. Read them.

Posted by inspiron, 10-16-2009, 09:56 AM
Yes, try to check the mail logs by using the command: # tail -f /var/log/exim_mainlog cwd

Posted by Formas, 10-16-2009, 10:56 AM
Thank you all. I had a look at the logs and I found 256,381 entries like this:
===
-bash-3.2# cat exim_rejectlog | more
2009-10-15 23:20:24 H=look.com (www.look.com) [xxx.7.26.248] F= rejected RCPT : Sender verify failed
2009-10-15 23:20:24 H=look.com (www.look.com) [xxx.7.26.248] sender verify fail for
2009-10-15 23:20:24 H=look.com (www.look.com) [xxx.7.26.248] F= rejected RCPT : Sender verify failed
2009-10-15 23:20:24 H=look.com (www.look.com) [xxx.7.26.248] sender verify fail for
2009-10-15 23:20:24 H=look.com (www.look.com) [xxx.7.26.248] F= rejected RCPT : Sender verify failed
-bash-3.2# cat exim_rejectlog | grep www.look.com | wc -l
256381
====

Posted by eth1, 10-16-2009, 02:57 PM
Those appear to be spoofed emails coming into the server that are being rejected by Exim due to the Sender Verification Callout feature. Exim performs a callout to the sender's email server to make sure the email address from which the email came exists. Since the email address was spoofed and did not exist at the sender's email server, the email was rejected. If you see that the IP address xxx.7.26.248 is the same in all the entries, then you can block it using iptables. You can truncate the log files using the following command,
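
The triage the last two posts describe (read the reject log, confirm that the sender-verify rejections come from one remote IP, then block it) can be done in a few lines instead of grep | wc. The script below is an added example, not code from the thread or from Exim: the log lines in it are constructed to match Exim's exim_rejectlog format (with RFC 5737 test addresses and placeholder host names, not the poster's real data), the threshold is an arbitrary assumption, and the iptables commands are only drafted as strings for review, not executed.

```python
"""Triage Exim sender-verify rejections: count them per remote IP, flag the
noisy ones and draft iptables rules for review.

Added example for this thread, not Exim's or the poster's code."""
import re
from collections import defaultdict

# Constructed sample (not from the thread). The layout follows Exim's
# exim_rejectlog / exim_mainlog lines for a failed sender-verify callout;
# addresses are RFC 5737 test ranges and host names are placeholders.
SAMPLE_LOG = """\
2009-10-15 23:20:24 H=look.com (www.look.com) [192.0.2.48] F=<bogus@look.com> rejected RCPT <user@example.net>: Sender verify failed
2009-10-15 23:20:24 H=look.com (www.look.com) [192.0.2.48] sender verify fail for <bogus@look.com>: Unrouteable address
2009-10-15 23:20:25 H=look.com (www.look.com) [192.0.2.48] F=<bogus2@look.com> rejected RCPT <user@example.net>: Sender verify failed
2009-10-15 23:20:25 H=look.com (www.look.com) [192.0.2.48] F=<bogus3@look.com> rejected RCPT <sales@example.net>: Sender verify failed
2009-10-15 23:21:02 H=(mail) [198.51.100.7] F=<x@nowhere.invalid> rejected RCPT <info@example.net>: Sender verify failed
2009-10-15 23:21:40 H=mx.example.org [203.0.113.9] F=<ok@example.org> rejected RCPT <nobody@example.net>: Unrouteable address
2009-10-15 23:22:00 1MyT3a-0001Bc-Ht <= real@example.org H=mx.example.org [203.0.113.9] P=esmtp S=1234
"""

# Exim writes H=<rDNS name> (<HELO name>) [<ip>]; the rDNS name and the HELO
# part are each optional, only the bracketed IP is always there.
HOST_RE = re.compile(
    r"\bH=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)
SENDER_RE = re.compile(r"\bF=<(?P<sender>[^>]*)>")


def parse_reject(line):
    """Return (ip, host, sender) for a 'rejected RCPT ...: Sender verify failed'
    line, or None for anything else: other reject reasons, deliveries, and the
    companion 'sender verify fail for' line, which would double-count."""
    if "rejected RCPT" not in line or "Sender verify failed" not in line:
        return None
    m = HOST_RE.search(line)
    if not m:
        return None
    s = SENDER_RE.search(line)
    host = m.group("host") or m.group("helo") or ""
    return m.group("ip"), host, (s.group("sender") if s else "")


def count_sender_verify_rejects(lines):
    """Map remote IP -> {'count': n, 'hosts': set(), 'senders': set()}."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "senders": set()})
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        ip, host, sender = parsed
        entry = stats[ip]
        entry["count"] += 1
        if host:
            entry["hosts"].add(host)
        if sender:
            entry["senders"].add(sender)
    return dict(stats)


def offenders(stats, threshold):
    """IPs with at least `threshold` rejections, busiest first."""
    hits = [(ip, e["count"]) for ip, e in stats.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def iptables_rules(ips):
    """Draft a DROP rule for SMTP from each IP. Only returned as text so the
    operator can review it; nothing is applied here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    THRESHOLD = 2  # assumed; on a real server pick something like 100/day
    stats = count_sender_verify_rejects(SAMPLE_LOG.splitlines())
    noisy = offenders(stats, THRESHOLD)
    for ip, n in noisy:
        e = stats[ip]
        print(f"{ip}: {n} sender-verify rejects, hosts={sorted(e['hosts'])}, "
              f"distinct claimed senders={len(e['senders'])}")
    for rule in iptables_rules(ip for ip, _ in noisy):
        print(rule)
```

To run it against the real log, replace SAMPLE_LOG.splitlines() with open("/var/log/exim_rejectlog"). Only the "rejected RCPT" lines are counted, so the number is rejected recipients rather than the doubled grep count in the post above; the number of distinct claimed senders per IP is a quick tell for a bot cycling through forged addresses. The rule is written for inbound port 25 only, since the remote IP here is the TCP peer Exim talked to and cannot be forged the way the envelope sender was.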

Posted by web-1, 10-16-2009, 07:21 PM
I'm pretty sure LFD would have blocked this. Install CSF firewall.
