My server is running mailscanner-4.56.8-1. Of late many of our customers complain that mails sent to and from our server take hours to be delivered.
I tested this myself by sending test emails to and from my hotmail account, which took a long time to be received and delivered.
Also, in /var/log/maillog I see entries such as the one below:
"Jan 4 20:39:36 www MailScanner[8461]: New Batch: Found 17678 messages waiting "
So I understand there are about 18 thousand emails in the MailScanner /var/spool/mqueue.in folder.
To test, I stopped MailScanner and started Sendmail, sent an email to my hotmail id and it got delivered immediately, but when I restarted MailScanner and resent the same message it took 20 mins to get delivered.
- How do I improve MailScanner processing so that messages are delivered faster?
- Do I need to change the "Max Children = 5" variable in /etc/MailScanner/MailScanner.conf?
- How do I force delivery of the 18 thousand emails in the mqueue.in folder?
Currently, we use powerdns with mysql replication on multiple servers. This solution is kinda okay for now, but I'd like to know if there are any better solutions than powerdns.
For the last 6 months our site has been under a severe brute force / SYN flood attack. They keep bombarding a single URL on the server, an xml file. They are not attacking any other URL.
We have removed the xml page from our site but still they keep on sending requests; this has been going on for the last 6 months non-stop.
The IP has been changed just to see, and they are sending several thousand requests per second. The requests come from different IPs and different ranges, so you cannot even block the IPs. They seem to be coming from legitimate IPs.
Due to this I have had to pay for an extremely expensive server which holds 8 GB of RAM and a quad core processor etc., however, even with this the server still reaches critical level, just because these requests are eating up my resources.
Our technical team has been working on all aspects of apache server security, external modules, firewall, hardware firewall from the beginning, but still we are not able to stop them.
We have installed the following modules.
4) mod_security
5) mod_evasive
6) Firewall
7) SYS_Cookies enabled
We have worked with the hosting company and their technical team leader; he installed the best CISCO hardware firewall and tried to stop them, but in vain.
We have checked our server to see if anything from our site is causing the requests; no extra file has been uploaded on to the server. For example, we checked if some file has been uploaded or some text has been added to a file (checked if we've been hacked). Even though we checked for any hacks, I am still wondering if there is something we do not know about. Can a hack lead to huge amounts of traffic?
We need some help to stop these attacks. We have searched a lot and have found that sites that get attacked like this have only one option, which is to shut down till it stops. I really hope that will not be the case for us. Please let us know if anyone has any ideas to deal with this.
Also, could it be some part of our own php code that is doing this? We are ready to check every php file to make sure it does not have any line of code which could be dangerous.
We worked with the hardware firewall company to drop requests for the single URL on the spot, but it is still being set up.
We have antivirus running on the server; however, if any specific antivirus or antimalware is needed, we can try that.
Following are the details I have got from my linux admin. This will help you to trace the issue in a better way. Problem: Apache SYN_RECV
OS: RHEL5, kernels: 2.6.18-92.1.22.el5-x86_64, 2.6.18-92.el5-x86_64
OS Type:
cat /etc/issue
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
cat /proc/version
Linux version 2.6.18-92.1.22.el5 (mockbuild@hs20-bc2-5.build.redhat.com) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) #1 SMP Fri Dec 5 09:28:22 EST 2008
What we have done till now for the configuration is mentioned below.
############### sysctl.conf ##############
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# 65536 seems to be the max it will take
net.ipv4.ip_conntrack_max = 1048576
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
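Two checks a defender would run against the "Apache SYN_RECV" symptom above, added here as an example and not part of the original post: count half-open connections per source from netstat output, and measure how much of the Apache access log is going to the one attacked path. The sample data is constructed (documentation addresses), and the path /example.xml is a placeholder for the unnamed xml file.

```shell
#!/bin/sh
# Added example, not from the original post. Both functions read their input
# on stdin, so on a live box you would pipe in `netstat -ant` and the Apache
# access log; here they run over constructed samples embedded below.

# Constructed `netstat -ant` sample (IPv4 only; addresses are made up).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:5123        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.44:61000      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40010      ESTABLISHED'

# Half-open (SYN_RECV) connections per remote IP, most frequent first.
# $5 is "ip:port" in netstat output, $6 the socket state.
syn_recv_by_ip() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed Apache combined-log sample; /example.xml stands in for the
# removed xml file the post describes.
ACCESS_SAMPLE='198.51.100.7 - - [05/Dec/2008:09:28:22 +0000] "GET /example.xml HTTP/1.1" 404 312 "-" "-"
198.51.100.7 - - [05/Dec/2008:09:28:22 +0000] "GET /example.xml HTTP/1.1" 404 312 "-" "-"
203.0.113.9 - - [05/Dec/2008:09:28:23 +0000] "GET /example.xml HTTP/1.1" 404 312 "-" "-"
203.0.113.44 - - [05/Dec/2008:09:28:23 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Requests per client IP for one path, most frequent first.
# In the combined log format $1 is the client IP and $7 the request path.
hits_for_path() {
    awk -v path="$1" '$7 == path { n[$1]++ }
                      END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Integer percentage of all requests that hit that one path. A removed file
# still drawing most of the traffic is the flood signature, not real users.
path_share_percent() {
    awk -v path="$1" '{ total++ } $7 == path { hit++ }
                      END { printf "%d\n", (total ? 100 * hit / total : 0) }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | syn_recv_by_ip
printf '%s\n' "$ACCESS_SAMPLE" | hits_for_path /example.xml
printf '%s\n' "$ACCESS_SAMPLE" | path_share_percent /example.xml
```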
I am running a very successful wiki based website that has outgrown our current web host. The site runs very slow because our host says we are hitting the memory limit on the server (currently under a shared hosting plan).
- Thousands of visitors per day
- Ten thousand page views per day (all PHP)
- 20GB bandwidth per month
- MySQL database
I'm trying to tar a folder that has hundreds of thousands of files, and I ensured that no files are being added or modified in that folder while the below command is being executed:
nice --adjustment=20 tar -cf users_from.tar users_from
I've tried it multiple times and it always stops before it finishes, ending up with a corrupted .tar file which gives errors when extracted and is obviously missing a lot of files. Sometimes it creates 200+ MB, sometimes 50 MB before it stops.
I also have enough RAM + swap for the operation, so that can't be the cause. So is it just impossible to tar a directory with so many files, and is it even possible to get a list of the files in that directory?
Is there any MailScanner control panel available for cPanel? We have installed MailScanner, but a cPanel user can play with the whitelist, or disable and enable it.
I am looking into implementing an antivirus/spam relay server using Postfix + MailScanner + SpamAssassin. Does anyone here have experience with this kind of solution?
What kind of rough performance in messages/hour or messages/day could I expect from a server like this:
PowerEdge 2950, 2x QuadCore Xeon E5320 (1.8GHz), 8GB RAM, 4x 146GB 15,000rpm SAS in RAID 10
I've downloaded and installed MailScanner using: [url]
Now, can anyone tell me a good "how to" to configure MailScanner to avoid a resource hog, to ensure email works ok, and to stop incoming spam as well?
For the last 5 days, exim has been retrying to resend email to a recipient every 1 millisecond.
As a result, logs are huge, and load is being affected.
So I'd like to know how I can set/configure exim to ignore sending to any email I'd tell it.
I mean, is there any config file I can look into, to set an ignore list, or even how to have it so that it retries sending every 1 hour, instead of every 1 millisecond.
Recently installed MailScanner using chirpy's script. Everything is fine.. but the big problem is that the load average is very high after installing this software.
Server is RedHat ES 4 + cPanel - Dual Xeon CPU 3.20GHz x 4 procs. 2 GB RAM with high e-mail traffic.
Can anyone give me some tips to configure MailScanner to stop spam and avoid a high load average?
Maybe you can tell me what variables you are using in the config file..
I am having a problem with a server. On all sites on the server, core.xxxx files have started appearing that end up filling the server. Quotas were disabled because some people had issues logging in because of this error:
Quote:
Sorry for the inconvenience!
The filesystem mounted at /home/*** on this server is running out of disk space. cPanel operations have been temporarily suspended to prevent something bad from happening.
Please ask your system admin to remove any files not in use on that partition.
How do I remove all of them so they don't appear again? On some sites there are thousands of core.xxxx files, weighing over 60GB.
My main goal was stopping incoming spam.. and MailScanner is doing a great job on that.. but it is taking too much time extracting and scanning attachments... does anyone know how to disable scanning the attachments?
I was trying to install mailscanner on a cpanel box using chirpy's script [url], followed every step, until this:
Code:
[root@server.yourbox.com:~] perl mscpanel.pl -i
Unable to open spam.scanning.rules for reading: file or directory doesnt exist at mscpanel.pl line 115.
On line 115 I found this:
Code:
open (IN, "</usr/mailscanner/etc/rules/spam.scanning.rules") or die "Unable to open spam.scanning.rules for reading: $!";
The file /usr/mailscanner/etc/rules/spam.scanning.rules just doesn't exist... maybe chirpy's script is not working well at installing everything that's needed..
Sep 4 19:11:11 debian sm-mta[25383]: l84FYDPw016811: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
We're absolutely unable to track or find out who is sending it or how to stop this.
So I'm wondering if it is possible to prevent sendmail from sending to:
lsean.ezweb.ne.jp, OR docomo.ne.jp, OR softbank.ne.jp
/var/mail/vhostswww logs are not showing helpful info at all. E.g.:
Code:
--l84GRnX3029819.1188924134/debian--

From MAILER-DAEMON Tue Sep 4 18:42:15 2007
Return-Path:
Received: from localhost (localhost)
	by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX4029819;
	Tue, 4 Sep 2007 18:42:15 +0200
Date: Tue, 4 Sep 2007 18:42:15 +0200
From: Mail Delivery Subsystem
Message-Id: <200709041642.l84GRnX4029819@debian>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="l84GRnX4029819.1188924135/debian"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--l84GRnX4029819.1188924135/debian

The original message was received at Tue, 4 Sep 2007 16:11:09 +0200
from localhost [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
    (reason: 550 Invalid recipient: )

   ----- Transcript of session follows -----
... while talking to mx.softbank.ne.jp.:
>>> DATA
<<< 550 Invalid recipient:
550 5.1.1 ... User unknown
<<< 503 No recipients specified

Return-Path:
Received: from debian (localhost [127.0.0.1])
	by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EB8f6011862
	for ; Tue, 4 Sep 2007 16:11:09 +0200
Received: (from vhostswww@localhost)
	by debian (8.13.4/8.13.4/Submit) id l84EB8CS011861;
	Tue, 4 Sep 2007 16:11:08 +0200
Date: Tue, 4 Sep 2007 16:11:08 +0200
Message-Id: <200709041411.l84EB8CS011861@debian>
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Subject:
From: hanako.@docomo.ne.jp
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

--l84GRnX4029819.1188924135/debian--

From MAILER-DAEMON Tue Sep 4 18:42:17 2007
Return-Path:
Received: from localhost (localhost)
	by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX5029819;
	Tue, 4 Sep 2007 18:42:17 +0200
Date: Tue, 4 Sep 2007 18:42:17 +0200
From: Mail Delivery Subsystem
Message-Id: <200709041642.l84GRnX5029819@debian>
To:
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="l84GRnX5029819.1188924137/debian"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--l84GRnX5029819.1188924137/debian

The original message was received at Tue, 4 Sep 2007 16:10:00 +0200
from localhost [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
    (reason: 550 Invalid recipient: )

   ----- Transcript of session follows -----
... while talking to mx.softbank.ne.jp.:
>>> DATA
<<< 550 Invalid recipient:
550 5.1.1 ... User unknown
<<< 503 No recipients specified

Return-Path:
Received: from debian (localhost [127.0.0.1])
	by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EA0jk007973
	for ; Tue, 4 Sep 2007 16:10:00 +0200
Received: (from vhostswww@localhost)
	by debian (8.13.4/8.13.4/Submit) id l84EA0Fh007971;
	Tue, 4 Sep 2007 16:10:00 +0200
Date: Tue, 4 Sep 2007 16:10:00 +0200
Message-Id: <200709041410.l84EA0Fh007971@debian>
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Subject:
From: hanako.@docomo.ne.jp
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit

--l84GRnX5029819.1188924137/debian--
How would I solve this problem, as it's making our server load sky-high 24/7?
Additional info about the system:
- Debian Linux, latest kernel
- Sendmail (we've tried postfix, exim, with the same results)
- Non-cPanel system.
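An added example, not from the original post, of pulling the origin of these deferred deliveries out of the sendmail log rather than the bounce mailbox: which remote relays are deferring, which local user handed the messages to sendmail, and which controlling address owns the queued retries (the Received: (from vhostswww@localhost) header in the bounces above points at the web server user). The log lines are constructed after the one maillog line in the post; addresses and queue ids are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Functions read a sendmail
# maillog on stdin; on a live box pipe in /var/log/mail.log instead.

# Constructed maillog sample modelled on the line quoted in the post.
# from= lines record who injected the mail (relay=user@localhost for local
# submission); to= lines record each delivery attempt and its stat=.
MAILLOG_SAMPLE='Sep  4 16:10:00 debian sendmail[7971]: l84EA0Fh007971: from=<hanako.@docomo.ne.jp>, size=312, class=0, nrcpts=1, msgid=<200709041410.l84EA0Fh007971@debian>, relay=vhostswww@localhost
Sep  4 16:11:08 debian sendmail[11861]: l84EB8CS011861: from=<hanako.@docomo.ne.jp>, size=298, class=0, nrcpts=1, msgid=<200709041411.l84EB8CS011861@debian>, relay=vhostswww@localhost
Sep  4 16:12:30 debian sendmail[12004]: l84ECUab012004: from=<alice@example.org>, size=1024, class=0, nrcpts=1, msgid=<1@example.org>, relay=alice@localhost
Sep  4 19:11:11 debian sm-mta[25383]: l84FYDPw016811: to=<user@lsean.ezweb.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep  4 19:11:12 debian sm-mta[25384]: l84FYDPx016812: to=<other@lsean.ezweb.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=01:36:59, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.
Sep  4 19:11:13 debian sm-mta[25385]: l84FYDPy016813: to=<someone@docomo.ne.jp>, ctladdr=<vhostswww@debian> (2001/2001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30403, relay=mx.docomo.ne.jp., dsn=2.0.0, stat=Sent (ok)'

# Extract the value of one "key=value" field from each sendmail log line.
field() { sed -n "s/.*$1=\([^,]*\).*/\1/p"; }

# Deferred deliveries per remote relay, most frequent first ("count relay").
deferred_by_relay() {
    grep 'stat=Deferred' | field relay | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Local submitters: from= lines whose relay is user@localhost, most frequent
# first. A web server user at the top means a script or form is the source.
submitters() {
    grep 'from=' | grep 'relay=[^,]*@localhost' | field relay \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Controlling address (ctladdr) of every delivery still being retried.
retrying_ctladdrs() {
    grep 'stat=Deferred' | sed -n 's/.*ctladdr=<\([^>]*\)>.*/\1/p' | sort -u
}

printf '%s\n' "$MAILLOG_SAMPLE" | deferred_by_relay
printf '%s\n' "$MAILLOG_SAMPLE" | submitters
printf '%s\n' "$MAILLOG_SAMPLE" | retrying_ctladdrs
```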
Recently my mails are not being sent to hotmail and live users from the forum.
I just checked by sending a test mail to my hotmail account, but the mail wasn't received, so
I checked the mail queue manager in WHM and the hotmail related mails were not traced.
How can I overcome this problem? I can mail hotmail if they are bouncing, but when I don't find them in the queue, what can I mail them about when they ask for an error id?
I sent mass mail from my vBulletin forum and I want to see the status of those mails via ssh. I mean, I need to see how many mails were sent successfully, how many of them are still sending, etc.
I have a bare minimal server which I want to move WHMCS over to. However, how do I set up e-mails so I can still pipe them into the system? The e-mail server would still be hosted on the main server.
I installed litespeed but now I can't send mails; I didn't get any error, but mails are not delivered. My ip is not listed at spamhaus or anything like that. Before, with apache, it worked fine.
I have a test server from which I can send out emails.. but I am unable to receive emails, although I can connect and log in to the pop3 server locally (telnet localhost 110).
How can I investigate this issue to find the problem and fix it?
I'm having a problem with mails on my server. I configured csf and ddos deflate to send a mail to "root" when some ip is blocked. I made a .forward in the /root dir with my mail, but I still don't receive an email when an ip is blocked by csf or ddos deflate.
Quote:
Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa, from The Best Online Pharmacy! FDA Approved. Low pricing, discounts, flawless customer support. New discounts and special offers! [url]
--------------------------------------------
Even though I did not set up any signatures. Plesk server with spamguardian running.
One of my e-mail addresses - steve@acme.ie - is regularly marked as spam. My mail server is not blacklisted. My e-mails are always plaintext, and only sometimes have URLs in them.
Looking at my mail server health everything looks ok except for what I assume are reverse DNS entries for my domain. So I'm guessing this is the problem.
So...
1. Do I need to ask my hosting company (I have a dedicated server with The Planet) to set up reverse DNS entries for all my domains, or can I do this manually? Note I use my own DNS server; I do not use the hosting company's DNS server.
2. Will it be a problem that all my domains (dublinjobs.ie, acme.ie, etc.) use the same IP?
Well, we are a reseller with some dozens of sites... we use SquirrelMail for mail for all the sites hosted with us, or cPanel...
The problem lately is with our sites' mail: all sites hosted with us are getting hundreds of spam mails every day, and the mails on all sites seem similar...
Even if we create a new site in our account, the brand new site starts getting hundreds of spam mails..
So it has made things very difficult...
Most of the mail seems normal, with normal names and normal subjects like "hello", so it is making things very difficult.. We feel that the ip of the server has been targeted by spammers..