September 20th, 2013, 11:06 AM
Qmail server bombarded - 300K messages in queue
I've run a mail server, with Qmail, for years. It's never been particularly problematic. At one point, I started generating so many external SMTP sessions that my ISP - Comcast - blocked my server. I implemented John Simpsons validrcptto.cdb patch and all of that was completely resolved. I would be the first to admit, however, that I'm still no wizard with an email server.
Now, after 10 years of running this thing, I'm suddenly getting thousands of emails hitting my server and - frankly - I really don't understand enough about the email protocol to know (1) why this is suddenly happening, or (2) how to stop it. My queue, this morning, had 297,000 messages in it! The emails are being sent from accounts like "firstname.lastname@example.org". My ISP is Charter and the following is an example of my logs - I've replaced my actual mail hostname with "mail.mydomain.com":
I run a number of websites for friends in business, and this is really a mess. My mail won't work because I am exceeding Charter's quota. What can I do to make this stop happening....?
@40000000523c319711825e54 starting delivery 1274526: msg 50310401 to remote email@example.com
@40000000523c319711826624 status: local 0/10 remote 50/50
@40000000523c319712cc1c64 delivery 1274524: deferral: Connected_to_18.104.22.168_but_sender_was_rejected./Remote_host_said:_452_4.1.0_<firstname.lastname@example.org>_send_quota_exceeded:_try_again_later_E2210/
Last edited by 88guy; September 20th, 2013 at 11:10 AM.
September 20th, 2013, 10:46 PM
The first question to ask yourself:
Is my server relaying restricted to a limited set of IP addresses? If not, then your server is classified as an Open Relay and someone is abusing it.
The second question to ask:
Does my server support AUTH LOGIN? If the answer is yes, then someone has hacked into one of your accounts, and is abusing it.
I am not familiar with QMail, so I cannot advise you how to check these things.
September 21st, 2013, 03:26 AM
I think that someone, very likely, cracked a fairly weak password. I changed my passwords to new, ridiculously complex forms and it stopped completely. Wow.
Originally Posted by couttsj
September 21st, 2013, 09:51 AM
People in general don't realize how easy it is to guess passwords. We don't operate a real mail server anymore, but to cut down on the number of attempts to connect to it, I have set up a fake SMTP server that rejects all email after the MAIL FROM: and logs the results. Every once in a while, it gets bombarded by a continuous stream of AUTH LOGIN attempts, even though it advertises that it does not support it in the EHLO response. Most of these attempts originate from China.