Re: [exim] Serious Problems .. over 100,000 messages in the …

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mike Cardwell
Date:  
À: Exim Users List
Sujet: Re: [exim] Serious Problems .. over 100,000 messages in the queue
Andrew Rosolino wrote:

> For some reason our queue has over 100,000 e-mail messages in at and they are
> as old as 48 days!!!
> I have these variables set:
> deliver_queue_load_max = 10
> auto_thaw = 1d
> ignore_bounce_errors_after = 2d
> timeout_frozen_after = 2d
>
> There is also a bigger problem.. most of those e-mails are all SPAM being
> sent from our server =(.. we are being badly abused!!!
>
> I have it set to delete SPAM messages and not deliver them but its not even
> deleting it.. I am using SpamAssasin by the way.. here is some headers
>
> Return-path: <nehpkbarnettsot@???>
> Received: from host83-206-dynamic.6-87-r.retail.telecomitalia.it
> ([87.6.206.83] helo=pcpiero)
>     by alpha2.shiftcode.com with esmtp (Exim 4.66)
>     (envelope-from <nehpkbarnettsot@???>)
>     id 1I15hM-0000EF-IO
>     for admin@???; Wed, 20 Jun 2007 15:18:37 -0400
> Received: from 67.28.113.14 (HELO mxvm3.mail.yahoo.com)
>      by cashmakerclicks.com with esmtp (;+P/J4/36A=: (:H1)
>      id R6,A-/-K(8G:0-L5
>      for admin@???; Wed, 20 Jun 2007 19:18:36 -0100
> Date:    Wed, 20 Jun 2007 19:18:36 -0100
> From:    "Timmy Key" <nehpkbarnettsot@???>
> X-Mailer: The Bat! (v3.71.14) Educational
> X-Priority: 3 (Normal)
> Message-ID: <943854241.15530397833888@???>
> To: admin@???
> Subject: Summer is almost here, be ready
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="----------DAD329AD3293293"
> X-Spam: Not detected
> X-Spam-Subject: ***SPAM*** Summer is almost here, be ready
> X-Spam-Status: Yes, score=26.4
> X-Spam-Score: 264
> X-Spam-Bar: ++++++++++++++++++++++++++
> X-Spam-Report: Spam detection software, running on the system
> "alpha2.shiftcode.com", has
>     identified this incoming email as possible spam.  The original message
>     has been attached to this so you can view it (if it isn't spam) or label
>     similar future email.  If you have any questions, see
>     the administrator of that system for details.
>     Content preview:  Profit by your chance! – 4n4trim – The up-to-the-moment
> and
>     most exciting product for weighty people is now available – As told on
> Oprah
>     Can you retain all the times when you plead to yourself to do any thing for
>     being saved from this horrible number of lbs? Happily, now no major
> sacrifice
>     is demanded. With 4n4trim, the ground-breaking, you can get healthier mode
>     of life and a really slender figure. Notice what people say to us! [...] 
>     Content analysis details:   (26.4 points, 10.0 required)
>     pts rule name              description
>     ---- ----------------------
> --------------------------------------------------
>     3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>     [score: 1.0000]
>     4.3 RCVD_FORGED_WROTE2     RCVD_FORGED_WROTE2
>     2.8 RCVD_BAD_ID            RCVD_BAD_ID
>     2.5 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
>     0.0 HS_INDEX_PARAM         URI: Link contains a common tracker pattern.
>     0.0 HTML_MESSAGE           BODY: HTML included in message
>     1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
>     1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
>     [URIs: promfore.com]
>     1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
>     [URIs: promfore.com]
>     1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
>     [URIs: promfore.com]
>     1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
>     [URIs: promfore.com]
>     0.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
>     [URIs: promfore.com]
>     1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old Bread)
>     [URIs: promfore.com]
>     0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>     [87.6.206.83 listed in zen.spamhaus.org]
>     0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
> address
>     [87.6.206.83 listed in dnsbl.sorbs.net]
>     1.5 URIBL_SBL              Contains an URL listed in the SBL blocklist
>     [URIs: promfore.com]
>     0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
>     dynamic-looking rDNS
>     0.5 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
> X-Spam-Flag: YES

>
> alpha2.shiftcode.com is our server.. how can we stop this from happening =(


Interestingly enough, this message was caught by clamav because of the
SaneSecurity signature:

Email.Hdr.Sanesecurity.07041201

root@clayman:~# grep Email.Hdr.Sanesecurity.07041201
/var/lib/clamav/scam.ndb
Email.Hdr.Sanesecurity.07041201:4:*:582d4d61696c65723a205468652042617421*582d5370616d3a204e6f74206465746563746564*416e617472696d

root@clayman:~# perl -e 'foreach( @ARGV ){s/([a-fA-F0-9]{2})/chr(hex
$1)/eg;print "$_\n";}' 582d4d61696c65723a205468652042617421
582d5370616d3a204e6f74206465746563746564 416e617472696d
X-Mailer: The Bat!
X-Spam: Not detected
4n4trim

I've obfuscated the word "4n4trim" at several places in this email with
'4' instead of 'A' to prevent it triggering the sanesecurity sig again.

I wonder how many other people never saw your message. That's the first
"false positive" I've seen from their sigs. Anyway, back to the matter
at hand. That particular email is on your queue because you relay for
admin@???:

root@clayman:~# telnet alpha2.shiftcode.com 25
Trying 74.53.5.197...
Connected to alpha2.shiftcode.com.
Escape character is '^]'.
220 --
EHLO mailout.grepular.com
250-alpha2.shiftcode.com Hello mailout.grepular.com [91.186.24.33]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
MAIL FROM:<>
250 OK
RCPT TO:<admin@???>
250 Accepted
RCPT TO:<random@???>
550-The mail server could not deliver mail to random@???. The
account
550-or domain may not exist, they may be blacklisted, or missing the
proper dns
550 entries.

As for why you relay mail for that address, I couldn't tell you without
seeing your config... Please show us it.

Mike