exim flooding my server

Yarden · Jan 6, 2009

behezrat hashem

hello..

exim is flooding my server and useing a lot of memory and cpu.
i close him and i removed all the messages on queue and start again exim..
it's again flooding..
i stopped exim again and removed all queue (new queue)

i think some user flooding with sending a lot of message because it's create big new queue after i stopped and removed old quere..

please help

floyd · Jan 6, 2009

You need a server administrator to look at your server.

will-lo · Jan 6, 2009

if mails are spammed by php script
cat one of the message in your queue, read the header part, determine which domain is causing the problem, kill the script or suspend that user.

if spam by smtp
you should be able to determine it from /var/log/exim/mainlog

good luck

floyd · Jan 6, 2009

cat one of the message in your queue, read the header part

That's a good idea but it will only work if he has a patched version of php.

Yarden · Jan 6, 2009

the log is flood with many lines like this:

Code:

2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:24:58 1LKAzL-0005ae-Fl == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx2.mail.tw.yahoo.com [203.188.197.10]: 421 Message from (62.90.136.231) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
2009-01-06 14:25:00 1LKAzL-0005aW-2n SMTP error from remote mail server after end of data: host mx2.mail.tw.yahoo.com [203.188.197.10]: 451 Message temporarily deferred - [70]
2009-01-06 14:25:00 1LKAzL-0005aW-2n == [email protected] R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host mx2.mail.tw.yahoo.com [203.188.197.10]: 451 Message temporarily deferred - [70]
2009-01-06 14:25:00 1LKAzL-0005aW-2n == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx2.mail.tw.yahoo.com [203.188.197.10]: 452 Too many recipients
2009-01-06 14:25:05 1LKAzU-0005Zn-Sy <= <> H=(msg-g09pmirpcam) [205.209.161.222] P=esmtpa A=login:admin S=3077 T="³Q¶Å°ÈÀ£ªº³Ý¤£¹L®ð¶Ü." from <> for [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:05 1LKAzV-0005b2-BF <= <> H=(msg-g09pmirpcam) [60.218.99.18] P=esmtpa A=login:admin S=3074 T="¡¹¡¹¡¹¡¹´£¤É·~ÁZ¦Û¤v¨Ó´N¦æ¤F¡¹¡¹¡¹¡¹" from <> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:05 1LKAzR-0005Zv-BZ <= <> H=(msg-g09pmirpcam) [218.202.226.228] P=esmtpa A=login:admin S=3691 T="¢o¡¶¢o¬°*t¶Å¹L°ª.¶q¨*¥´³y.¯S§O±M®×¢o¡¶¢o" from <> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:06 1LKAzR-0005ae-Fi <= <> H=(msg-g09pmirpcam) [189.60.75.171] P=esmtpa A=login:admin S=739 T="Re:Âà±H ´î*«¤p¯µ¤è" from <> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:06 1LKAzS-0005b0-JN <= <> H=(msg-g09pmirpcam) [218.202.226.228] P=esmtpa A=login:admin S=768 T="¡´¡´¡´¡´¤@*Ó¤£¥²©ñ±ó§Aªº¤u§@´N¥i¼W¥[¦¬¤Jªº¤èªk¡´¡´¡´¡´¡´¡´" from <> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:06 1LKAzL-0005Yt-S5 <= <> H=(msg-g09pmirpcam) [210.18.175.185] P=esmtpa A=login:admin S=5446 T="§O®g¦b¸Ì*±~§Ú¨kªB¤Í§Ö¦^¨Ó¤F~§O´¡¤F" from <> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2009-01-06 14:25:06 1LKAzU-0005b8-

i have a lot of more logs with yahoo.com and msg-g09pmirpcam..

tillo · Jan 6, 2009

It seems like someone guessed your admin password and is using it's email account to relay email through your mail server. Change the password with something harder to guess.

floyd · Jan 6, 2009

Oh good. You found your answer.

A=login:admin

The user admin is sending the email.

Yarden · Jan 6, 2009

thanks!!! now i have a login flood...

Code:

2009-01-06 19:14:03 login authenticator failed for (msg-g09pmirpcam) [218.57.11.112]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:03 login authenticator failed for (msg-g09pmirpcam) [218.194.80.230]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:05 login authenticator failed for (msg-g09pmirpcam) [218.194.80.230]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:07 login authenticator failed for (msg-g09pmirpcam) [218.202.226.228]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:08 login authenticator failed for (msg-g09pmirpcam) [219.159.67.187]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:08 login authenticator failed for (msg-g09pmirpcam) [60.191.89.44]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:08 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=cpe-75-80-113-8.socal.res.rr.com [75.80.113.8] input="\r\n"
2009-01-06 19:14:11 login authenticator failed for (msg-g09pmirpcam) [218.202.226.228]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:11 login authenticator failed for (msg-g09pmirpcam) [218.202.226.228]: 535 Incorrect authentication data (set_id=admin)
2009-01-06 19:14:11 login authenticator failed for (msg-g09pmirpcam) [189.57.231.59]: 535 Incorrect authentication data (set_id=admin)

and mroe...

floyd · Jan 6, 2009

Firewall the ip's.

Yarden · Jan 6, 2009

floyd said:
Firewall the ip's.

it's different ips.. i can't do it manualy..

however the login flood it's not distrub to the server.. only flood the log file

thanks!

exim flooding my server

Yarden

Verified User

floyd

Verified User

will-lo

Verified User

floyd

Verified User

Yarden

Verified User

tillo

Verified User

floyd

Verified User

Yarden

Verified User

floyd

Verified User

Yarden

Verified User