Re: [Exim] Frozen Messages

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] Frozen Messages
Hi Richard, on Fri, 13 Feb 2004 09:29:04 -0000 you wrote:

> I have approx. 800 messages in the queue on my exim 4.30 server. The
> majority of these messages are Frozen, and I believe are being caused by
> the vast amount of spam that we receive.
> I have tried running #/usr/sbin/exim4 -qff
> to clear the queues but it doesn't appear to help.


OK, I'm guessing you have a queue full of frozen bounces. First, do you
understand what these are? They're bounce messages that can't be
delivered. Hence, although "exim -qff" might get rid of a few odd bits, in
general you mostly still won't be able to deliver the mails (because
they're probably to non-existent recipients or similar), so they'll stay
there on your queue until they time out and are deleted.

> How can I get my queue down to a reasonable level without the risk of
> losing valid mails?


The key is: don't address the symptoms (i.e. lots of frozen bounces in
queue), address the problem (i.e. why do you *have* all these frozen
bounces in the first place). Large quantities of frozen bounces are often
a sign that you're causing trouble not only for yourself but others.

You need to look at what the messages in your queue are, and from where
they're originating. What are they? (look at the raw files in
/var/spool/exim/input, or use Eximon to examine them). They're presumably
frozen bounces, but where are the bounces generated from?

You need to get to the bottom of why the bounces are generated in the
first place and try to avoid that if at all possible (i.e. by
SMTP-rejecting bad recipients/viruses/spam, not accepting them then
generating a bounce, as this will cause you to send "collateral spam" to
the forged senders of the stuff, as well as have huge queues of junk like
you're seeing).

Now, it looks (from your headers) like you may be forwarding messages to a
back-line Exchange server; in that case that's probably the cause of the
problem, because you'll be accepting *ALL* mails (regardless of whether
the recipient exists or not), passing them to the Exchange server, which
also accepts everything (because it's stupid), then the Sexchange server
is bouncing back stuff it doesn't like. In this case, you probably need to
use an LDAP lookup as shown in the Exim cookbook to verify recipients at
SMTP time on the Exim frontline against your Exchange user list. This will
stop mails to invalid users from ever entering your mail system. I would
guess this will cut out a lot of junk to start with.

Next, do you have any kind of spam or virus scanning on the Exim machine?
At the very least I would run all mail against a few DNS blacklists
(sbl-xbl.spamhaus.org and list.dsbl.org as a minimum) since that will cut
out huge amounts of spam, and run Clam Antivirus to stop most viruses.
Maybe run SpamAssassin too. With a bit of tweaking, you should find that
you'll have a win-win-win-win-win situation:

- you'll have lower mail volumes
- your users will get less junk
- your Exchange server won't need to be creating bounces
- you won't have queues full of crap
- you won't collateral-spam third parties


In the meantime, if there are indeed Mydoom-related bounces on your queue,
please don't try to flush them with "exim -qff"; the senders will all be
forged which means even if you do manage to clear out your queue, you'll
just be sending spam out to innocent third parties. This is exactly the
kind of thing which you'll find myself and others are trying hard to block
at the moment. Just delete them off your queue.


Tim
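
The queue triage described in this message (work out which queued messages are frozen bounces and where they are addressed before deleting anything), as an added example that is not part of the original post. It assumes the usual `exim -bp` listing layout (age, size, message ID, sender, optional `*** frozen ***`, then indented recipient lines); the function names and the sample queue are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage frozen bounces from an "exim -bp" queue listing.
# Live use:  exim -bp | frozen_bounce_ids
# After reviewing the list:  exim -bp | frozen_bounce_ids | xargs exim -Mrm

# IDs of frozen bounces: null sender "<>" and the "*** frozen ***" marker.
# Frozen messages with a real sender are left out so valid mail is not swept up.
frozen_bounce_ids() {
    awk '$4 == "<>" && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Count frozen bounces per recipient domain (the forged senders' domains).
frozen_bounce_rcpt_domains() {
    awk '
        NF >= 4 { hit = ($4 == "<>" && /\*\*\* frozen \*\*\*/); next }  # header line
        NF == 0 { hit = 0; next }                                       # entry separator
        hit     { d = $NF; sub(/^.*@/, "", d); count[tolower(d)]++ }    # recipient line
        END     { for (d in count) print count[d], d }
    ' | sort -rn
}

# Constructed sample listing (not taken from the original post).
sample_queue() {
    cat <<'EOF'
25m  2.9K 1AraBc-0001Xy-00 <> *** frozen ***
          forged1@example.net

 3h  1.2K 1AraBd-0002Ab-00 <user@example.org>
          staff@example.com

 2d  4.0K 1AraBe-0003Cd-00 <> *** frozen ***
          forged2@Example.NET

 5h  3.1K 1AraBf-0004Ef-00 <>
          forged3@example.edu

 1d  2.2K 1AraBg-0005Gh-00 <list@example.org> *** frozen ***
          someone@example.com
EOF
}
```

Only the two entries that are both null-sender and frozen are selected; the unfrozen bounce and the frozen message with a real sender stay in the queue for normal handling.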