#1 (88guy, Lansing, MI)

Qmail server bombarded - 300K messages in queue

    I've run a mail server, with Qmail, for years. It's never been particularly problematic. At one point, I started generating so many external SMTP sessions that my ISP - Comcast - blocked my server. I implemented John Simpson's validrcptto.cdb patch and all of that was completely resolved. I would be the first to admit, however, that I'm still no wizard with an email server.

    Now, after 10 years of running this thing, I'm suddenly getting thousands of emails hitting my server and - frankly - I really don't understand enough about the email protocol to know (1) why this is suddenly happening, or (2) how to stop it. My queue, this morning, had 297,000 messages in it! The emails are being sent from accounts like "root@mail.mydomain.com". My ISP is Charter and the following is an example of my logs - I've replaced my actual mail hostname with "mail.mydomain.com":
    Code:
    @40000000523c319711825e54 starting delivery 1274526: msg 50310401 to remote sdplayer@yahoo.com
    @40000000523c319711826624 status: local 0/10 remote 50/50
    @40000000523c319712cc1c64 delivery 1274524: deferral: Connected_to_209.225.8.224_but_sender_was_rejected./Remote_host_said:_452_4.1.0_<guy@mail.mydomain.com>_send_quota_exceeded:_try_again_later_E2210/
    I run a number of websites for friends in business, and this is really a mess. My mail won't work because I am exceeding Charter's quota. What can I do to make this stop happening?
    Last edited by 88guy; September 20th, 2013 at 12:10 PM.
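A first step when a queue explodes like this is to read the qmail-send log for who is injecting the mail, where it is going and why remote hosts are pushing it back. The following parser is an added example, not code from the poster or from qmail itself: it decodes qmail's TAI64N timestamps, classifies "info msg", "starting delivery" and "delivery ... deferral/success/failure" lines, attributes each deferral back to the envelope sender, and tallies the SMTP reply codes remote hosts returned. The sample log is constructed for the example: it contains the three lines quoted above plus invented "info msg" lines in qmail-send's own format (addresses and IPs are placeholders from documentation ranges). The Unix-time offset of 2^62 + 10 is the one djb's libtai applies in tai_now; leap seconds are not applied, so decoded times are within a few tens of seconds of UTC.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# qmail stamps each log line with a TAI64N label: '@' + 16 hex digits of TAI seconds
# + 8 hex digits of nanoseconds. libtai's tai_now() writes time() + 2^62 + 10, so
# subtracting that offset recovers Unix seconds (leap seconds are ignored here, as in tai_now).
TAI64_UNIX_OFFSET = (1 << 62) + 10

LINE_RE = re.compile(r"^@([0-9a-f]{24}) (.*)$")
START_RE = re.compile(r"^starting delivery (\d+): msg (\d+) to (local|remote) (\S+)$")
RESULT_RE = re.compile(r"^delivery (\d+): (success|deferral|failure): (.*)$")
INFO_RE = re.compile(r"^info msg (\d+): bytes (\d+) from <([^>]*)> qp \d+ uid \d+$")
REMOTE_CODE_RE = re.compile(r"Remote_host_said:_(\d{3})")

# Constructed sample log: the three lines from the post plus invented 'info msg' lines
# (qmail-send's format) so that deliveries can be attributed to an envelope sender.
SAMPLE_LOG = """\
@40000000523c319700000000 info msg 50310401: bytes 1542 from <root@mail.mydomain.com> qp 18811 uid 0
@40000000523c319700000001 info msg 50310402: bytes 1542 from <root@mail.mydomain.com> qp 18812 uid 0
@40000000523c319711825e54 starting delivery 1274526: msg 50310401 to remote sdplayer@yahoo.com
@40000000523c319711826624 status: local 0/10 remote 50/50
@40000000523c319712cc1c64 delivery 1274524: deferral: Connected_to_209.225.8.224_but_sender_was_rejected./Remote_host_said:_452_4.1.0_<guy@mail.mydomain.com>_send_quota_exceeded:_try_again_later_E2210/
@40000000523c319712cc1c65 starting delivery 1274527: msg 50310402 to remote someone@example.net
@40000000523c319713000000 delivery 1274527: deferral: Connected_to_192.0.2.25_but_sender_was_rejected./Remote_host_said:_452_4.1.0_send_quota_exceeded/
@40000000523c319713000001 delivery 1274526: success: 192.0.2.10_accepted_message./Remote_host_said:_250_ok/
"""


def tai64n_to_unix(label):
    """Return (unix_seconds, nanoseconds) for a '@...' TAI64N label."""
    digits = label.lstrip("@")
    return int(digits[:16], 16) - TAI64_UNIX_OFFSET, int(digits[16:], 16)


def parse_line(line):
    """Classify one qmail-send log line; returns None for lines without a TAI64N label."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    secs, nanos = tai64n_to_unix("@" + m.group(1))
    body = m.group(2)
    rec = {"ts": secs, "nanos": nanos, "kind": "other", "text": body}
    if (s := START_RE.match(body)):
        rec.update(kind="start", delivery=int(s.group(1)), msg=int(s.group(2)),
                   where=s.group(3), rcpt=s.group(4))
    elif (r := RESULT_RE.match(body)):
        code = REMOTE_CODE_RE.search(r.group(3))
        rec.update(kind="result", delivery=int(r.group(1)), outcome=r.group(2),
                   detail=r.group(3), remote_code=code.group(1) if code else None)
    elif (i := INFO_RE.match(body)):
        rec.update(kind="info", msg=int(i.group(1)), size=int(i.group(2)), sender=i.group(3))
    return rec


def summarize(log_text):
    """Tally senders, recipient domains, outcomes and remote reply codes over a log excerpt."""
    senders, rcpt_domains, outcomes = Counter(), Counter(), Counter()
    remote_codes, deferred_by_sender = Counter(), Counter()
    msg_sender, delivery_msg = {}, {}   # msg id -> sender, delivery id -> msg id
    first = last = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
        if rec["kind"] == "info":
            msg_sender[rec["msg"]] = rec["sender"]
            senders[rec["sender"]] += 1
        elif rec["kind"] == "start":
            delivery_msg[rec["delivery"]] = rec["msg"]
            if rec["where"] == "remote":
                rcpt_domains[rec["rcpt"].rpartition("@")[2].lower()] += 1
        elif rec["kind"] == "result":
            outcomes[rec["outcome"]] += 1
            if rec["remote_code"]:
                remote_codes[rec["remote_code"]] += 1
            if rec["outcome"] == "deferral":
                # A deferral whose 'starting delivery' line is outside the excerpt
                # (as with delivery 1274524 above) cannot be attributed, so say so.
                sender = msg_sender.get(delivery_msg.get(rec["delivery"]), "(unknown)")
                deferred_by_sender[sender] += 1
    return {"senders": senders, "recipient_domains": rcpt_domains, "outcomes": outcomes,
            "remote_codes": remote_codes, "deferred_by_sender": deferred_by_sender,
            "window": (first, last)}


def report(log_text):
    """Print the summary the way an admin would read it: top senders first."""
    s = summarize(log_text)
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    print("window:", fmt(s["window"][0]), "to", fmt(s["window"][1]))
    for key in ("senders", "recipient_domains", "outcomes", "remote_codes", "deferred_by_sender"):
        print(key + ":", s[key].most_common(5))
    return s


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On a real box, feed it the current qmail-send log (for example /var/log/qmail/current under daemontools-style logging, path assumed) instead of SAMPLE_LOG: a single envelope sender dominating "senders" while "remote_codes" fills with 4xx quota rejections is the pattern the original post describes, and that sender is the account to lock first.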
#2 (couttsj)

    The first question to ask yourself:
    Is my server relaying restricted to a limited set of IP addresses? If not, then your server is classified as an Open Relay and someone is abusing it.

    The second question to ask:
    Does my server support AUTH LOGIN? If the answer is yes, then someone has hacked into one of your accounts, and is abusing it.

    I am not familiar with QMail, so I cannot advise you how to check these things.

    J.A. Coutts
#3 (88guy)

Possible answer

    Originally Posted by couttsj
    The first question to ask yourself:
    Is my server relaying restricted to a limited set of IP addresses? If not, then your server is classified as an Open Relay and someone is abusing it.

    The second question to ask:
    Does my server support AUTH LOGIN? If the answer is yes, then someone has hacked into one of your accounts, and is abusing it.

    I am not familiar with QMail, so I cannot advise you how to check these things.

    J.A. Coutts
    I think that someone, very likely, cracked a fairly weak password. I changed my passwords to new, ridiculously complex forms and it stopped completely. Wow.
#4 (couttsj)

    People in general don't realize how easy it is to guess passwords. We don't operate a real mail server anymore, but to cut down on the number of attempts to connect to it, I have set up a fake SMTP server that rejects all email after the MAIL FROM: and logs the results. Every once in a while, it gets bombarded by a continuous stream of AUTH LOGIN attempts, even though it advertises that it does not support it in the EHLO response. Most of these attempts originate from China.

    J.A. Coutts
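The decoy described above, a listener that advertises no AUTH in its EHLO reply, refuses every MAIL FROM and records what each peer tried, is a cheap way to see password-guessing traffic without exposing a real mailbox. The following is an added example of such a decoy, written for this thread and not the poster's own program: the SMTP conversation is a small state machine (`DecoySession`) so the logic can be exercised offline with scripted commands, and an asyncio wrapper serves it on a TCP port. The banner hostname, listening port and the sample peer address are assumed placeholders.

```python
import asyncio
from collections import Counter

HOSTNAME = "decoy.example.invalid"   # assumed banner name; use your own
LISTEN = ("0.0.0.0", 2525)           # assumed port; run behind a redirect from 25 if desired


class DecoySession:
    """One SMTP conversation: no AUTH advertised, every MAIL FROM refused, everything logged."""

    def __init__(self, peer, events):
        self.peer = peer
        self.events = events   # shared list of (peer, event, detail) tuples

    def greeting(self):
        return f"220 {HOSTNAME} ESMTP"

    def handle(self, line):
        """Return the reply for one client command; None means the client said QUIT."""
        cmd, _, arg = line.strip().partition(" ")
        verb = cmd.upper()
        if verb in ("EHLO", "HELO"):
            self.events.append((self.peer, "helo", arg))
            if verb == "HELO":
                return f"250 {HOSTNAME}"
            # EHLO capability list deliberately contains no AUTH line.
            return f"250-{HOSTNAME}\r\n250-SIZE 1048576\r\n250 8BITMIME"
        if verb == "AUTH":
            # Bots send AUTH LOGIN/PLAIN regardless of what EHLO offered; record the mechanism only.
            mech = arg.split(" ", 1)[0].upper() if arg else ""
            self.events.append((self.peer, "auth_attempt", mech))
            return "502 5.5.1 Authentication not offered"
        if verb == "MAIL":
            # Log the envelope sender the peer claimed, then refuse the message.
            self.events.append((self.peer, "mail_from", arg))
            return "550 5.7.1 This host does not accept mail"
        if verb in ("RCPT", "DATA"):
            return "503 5.5.1 Bad sequence of commands"
        if verb in ("NOOP", "RSET"):
            return "250 OK"
        if verb == "QUIT":
            self.events.append((self.peer, "quit", ""))
            return None
        return "502 5.5.1 Command not implemented"


def replay(peer, commands, events=None):
    """Drive one session offline with scripted client commands; returns (replies, events)."""
    events = events if events is not None else []
    session = DecoySession(peer, events)
    replies = [session.greeting()]
    for command in commands:
        reply = session.handle(command)
        replies.append("221 2.0.0 Bye" if reply is None else reply)
        if reply is None:
            break
    return replies, events


def auth_attempts_by_peer(events):
    """Count AUTH attempts per source address: the burst pattern the post describes."""
    return Counter(peer for peer, kind, _ in events if kind == "auth_attempt")


async def serve_connection(reader, writer, events, max_commands=50, idle_timeout=30):
    """Run one TCP connection through DecoySession, capping commands and idle time."""
    peer = writer.get_extra_info("peername")[0]
    session = DecoySession(peer, events)
    writer.write((session.greeting() + "\r\n").encode())
    await writer.drain()
    try:
        for _ in range(max_commands):   # a chatty bot cannot hold the connection forever
            raw = await asyncio.wait_for(reader.readline(), timeout=idle_timeout)
            if not raw:
                break
            reply = session.handle(raw.decode("latin-1", "replace"))
            writer.write(((reply if reply is not None else "221 2.0.0 Bye") + "\r\n").encode())
            await writer.drain()
            if reply is None:
                break
    except asyncio.TimeoutError:
        events.append((peer, "timeout", ""))
    finally:
        writer.close()


async def main():
    events = []
    server = await asyncio.start_server(
        lambda r, w: serve_connection(r, w, events), *LISTEN)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Feeding `events` into `auth_attempts_by_peer` at intervals gives the per-source counts worth alerting on; the same list is the place to persist to a real log file in production.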
