Too many sendmail processes

Posted by zinga, 09-08-2008, 10:53 PM
Hi, does anyone know the cause of this? I get this just after restarting the sendmail process. Here's a few lines from ps aux. I've had a look through the sendmail config files but can't really find much. I've tried playing with any "max child" values, but they don't seem to have any effect. Does anyone have any ideas? Thanks a lot.

Posted by lamerfreak, 09-08-2008, 11:13 PM
mailq ? Are you supposed to be sending that many messages to hinet.net?

Posted by zinga, 09-09-2008, 01:59 AM
No, I haven't been intending to send any messages (maybe my forum intended to send one message and it got multiplied or something?). I tried "mailq", but nothing gets displayed (have to stop it with Ctrl+C). I found that the processes stay there after stopping sendmail, so I killed all the sendmail processes and started sendmail again. There aren't as many processes now, however the number appears to be growing quite fast (at least they're not to the same recipient now). Currently there's 109 instances. Thanks a lot for the reply.

Posted by lamerfreak, 09-09-2008, 08:14 AM
Looks like a queue's built up somehow. mailq's probably overwhelmed trying to put together all of the entries. First, look for a vulnerability, or someone generating a lot of traffic for it somehow (hitting a registration page or similar for mail confirmation?). Then... maybe see about clearing the mail manually. I think /var/spool/mqueue normally with sendmail. Might lose some valid mail though.

Posted by zinga, 09-09-2008, 08:54 AM
Looks like you hit the spot there. ls /var/spool/mqueue basically freezes. du /var/spool/mqueue -s gives over 4GB of stuff :O Anyways, deleted everything. However, whenever I start the sendmail server, the queue seems to grow rapidly again. ps aux pretty much gives the same list (i.e. "hinet.net"). Obviously, the forum isn't generating this out of normal operation. Opening up a file in the /var/spool/mqueue folder looks something like this (I've replaced the server's IP address with {IP}). Here's another example: Do you have any idea what this could be? Oh, and thanks a lot for the help so far, lamerfreak.

Posted by lamerfreak, 09-09-2008, 09:27 AM
mqueue would be outbound I believe, so something's generating the mail... it looks like it's directed at Taiwan/etc from those emails and hinet.com earlier, so perhaps look at web access logs for IPs in the range hitting you? I bet something would stick out. Or, do you allow submission or anything? Perhaps someone guessed/hacked an account for relay?

Posted by zinga, 09-11-2008, 04:46 AM
Thanks a lot. With your pointers, I did some investigation. I stopped the webserver but still got mail. So I investigated the relaying possibility. Turns out my mail server was acting as an open relay (surprised that's set by default for sendmail... weird). Anyways, I've stopped it being a relay and everything's back to normal. Many thanks again for your help, lamerfreak!

Posted by lamerfreak, 09-11-2008, 09:27 AM
I don't think that's a default in any current versions of Sendmail, but I could be wrong. I'd still keep an eye on it, because something's strange if it 'all of a sudden' started getting bombed like that. Also, be pro-active in searching out any blacklists you might be on and submitting for removal. You might have delivery problems for a while.
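
The two causes discussed in the thread, a local web script generating mail versus outside hosts relaying through the server, can be told apart from the mail log. The following is an added example, not code from the thread: it assumes sendmail's usual syslog line layout, and the sample log lines, host names, addresses and the `relay_report` name are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in sendmail's usual syslog layout (not taken from the thread).
SAMPLE_LOG = """\
Sep  9 01:00:01 web1 sendmail[4101]: m8911AAA004101: from=<a@spam.example>, size=2048, class=0, nrcpts=2, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Sep  9 01:00:02 web1 sendmail[4103]: m8911AAA004101: to=<u1@remote.example>,<u2@remote.example>, delay=00:00:01, mailer=esmtp, relay=mx.remote.example. [198.51.100.9], dsn=4.0.0, stat=Deferred
Sep  9 01:00:05 web1 sendmail[4110]: m8911BBB004110: from=<b@spam.example>, size=2050, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
Sep  9 01:00:06 web1 sendmail[4112]: m8911BBB004110: to=<u3@remote.example>, delay=00:00:01, mailer=esmtp, relay=mx.remote.example. [198.51.100.9], dsn=4.0.0, stat=Deferred
Sep  9 01:02:00 web1 sendmail[4200]: m8911CCC004200: from=apache, size=900, class=0, nrcpts=1, relay=apache@localhost
Sep  9 01:02:01 web1 sendmail[4202]: m8911CCC004200: to=<user@remote.example>, ctladdr=apache (48/48), delay=00:00:01, mailer=esmtp, relay=mx.remote.example. [198.51.100.9], dsn=2.0.0, stat=Sent
Sep  9 01:03:00 web1 sendmail[4300]: m8911DDD004300: from=<friend@example.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.44]
Sep  9 01:03:01 web1 sendmail[4302]: m8911DDD004300: to=<zinga@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=(.*)")
CLIENT_IP = re.compile(r"relay=.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def relay_report(log_text, local_domains):
    """Count outbound messages per submitting client IP, split into
    (relayed for an outside client, generated on this host)."""
    source = {}                      # queue id -> client IP, or "local"
    rcpt_domains = defaultdict(set)  # queue id -> recipient domains
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, kind, rest = m.groups()
        if kind == "from":
            ip = CLIENT_IP.search(rest)
            addr = ip.group(1) if ip else "local"   # no [ip]: submitted locally
            source[qid] = "local" if addr in ("127.0.0.1", "::1") else addr
        else:
            # Keep only the recipient list, not ctladdr= or the delivery relay.
            rcpts = re.split(r", (?:ctladdr|delay)=", rest)[0]
            rcpt_domains[qid].update(d.lower() for d in re.findall(r"@([\w.-]+)", rcpts))
    relayed, local_out = Counter(), Counter()
    for qid, src in source.items():
        if not rcpt_domains[qid] - set(local_domains):
            continue                 # only our own domains: ordinary inbound mail
        (local_out if src == "local" else relayed)[src] += 1
    return relayed, local_out

if __name__ == "__main__":
    relayed, local_out = relay_report(SAMPLE_LOG, {"example.org"})
    print("relayed for outside clients:", dict(relayed))
    print("generated on this host:", dict(local_out))
```

A large `relayed` count from a few outside addresses points at relaying, as zinga eventually found; a large `local_out` count points at something on the host itself, such as a web form.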


