Full Version: Email help needed.
Crazy4Bass
Hi guys, I got a problem. Got a client that's getting spammed like mad. He's getting what looks like dictionary hits to his main domain. I've done a couple of things, the latest is to blackhole them (i.e., sending them to an email address with no mailbox attached). The problem is, no matter what I do they are stacking up in qmail's mail queue. I get them cleaned out only to have them show up again.

This is cut from what qmail has in its queue:

From: MAILER-DAEMON@srv01.cwservers.com
To: ajqkgai@e-wholesaler.net (this is completely random).
Sent: today date
Subject: Failure notice

Hi. This is the qmail-send program at srv01.cwservers.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 24385 invoked from network); 29 Oct 2004 23:49:23 -0000
Received: from unknown (HELO 67.15.65.62) (61.83.84.47)
by ev1s-67-15-65-62.ev1servers.net with SMTP; 29 Oct 2004 23:49:23 -0000
Received: from orycov82.cyberdynesoft.com ([73.56.197.117]) by 61.83.84.47 with SMTP id 579F1A023;
Fri, 29 Oct 2004 19:30:27 -0500
From: "Kari Stahl"
Reply-To: "Kari Stahl"
Subject: Re:rbfphvgfje,smallcap cribsheet for you to study
To: kennedy@tenncom.com
Message-ID: <472533832.53TKLJ609146385t@cyberdynesoft.com>
X-Mailer: colossus drunk dashboard robbin
Date: Fri, 29 Oct 2004 19:30:27 -0500
Organization: espadrille 7 starlets
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="=====5893869708=_"

This is a multi-part message in MIME format.

--=====5893869708=_
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7Bit
Content-Disposition: inline

For example, blithe spirit for indicates that inside dust bunny caricature fighter pilot over curse.Now and then, pig pen around carpet tack seek dissident over tornado.He called her Adeline (or was it Adeline?).He called her Adeline (or was it Adeline?).wheelbarrow around flies into a rage, but related to dahlia play pinochle with tornado of.

--=====5893869708=_
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7Bit
Content-Disposition: inline


Adeline Gunn,



Platinum Stocks

Neptune Industries, Inc. OTC: NPNI

An Emerging Seafood Conglomerate in the Making?

If you liked AMTX .23 to .60 in 12 days, then you will love NPNI!



USDA says aquaculture fastest growing segment in agriculture.



As Americans continue to pay increased attention to health and diet,
fish and seafood have rapidly become one of the most popular food
groups, with the average person eating 17 pounds of seafood every
year! The 50 billion US seafood industry has seen huge growth over
the past twenty years.




Message continues but this is the important stuff. At the moment I've got roughly 9,000 of these sitting in the queue and it's slowing down normal emails.

Any ideas what might be going on, how to stop it? Thanks for any advice.

-james
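
Added example, not part of the original post: a Python check that reads the Received chain of a bounced message like the one quoted above and reports what qmail-smtpd recorded about the connecting client. The function names are illustrative, and treating 67.15.65.62 as the server's own IP is an assumption inferred from the receiving hostname.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received headers copied from the quoted bounce, re-folded.
SAMPLE = """\
Received: (qmail 24385 invoked from network); 29 Oct 2004 23:49:23 -0000
Received: from unknown (HELO 67.15.65.62) (61.83.84.47)
  by ev1s-67-15-65-62.ev1servers.net with SMTP; 29 Oct 2004 23:49:23 -0000
Received: from orycov82.cyberdynesoft.com ([73.56.197.117]) by 61.83.84.47
  with SMTP id 579F1A023; Fri, 29 Oct 2004 19:30:27 -0500

(body omitted)
"""

# qmail-smtpd stamp: from <rdns> [(HELO <name>)] (<peer ip>) by <host> with SMTP
STAMP = re.compile(
    r"from\s+(?P<rdns>\S+)\s+(?:\(HELO\s+(?P<helo>[^)\s]+)\)\s+)?"
    r"\((?:\S+@)?(?P<peer>[0-9.]+)\)\s+by\s+(?P<by>\S+)\s+with\s+E?SMTP",
    re.IGNORECASE)

def handover(raw_message):
    """Return the topmost qmail-smtpd stamp (the hop our server saw), or None."""
    for value in message_from_string(raw_message).get_all("Received", []):
        match = STAMP.search(" ".join(value.split()))  # undo header folding
        if match:
            return match.groupdict()
    return None

def is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False

def findings(stamp, own_ips=()):
    """Flag HELO/peer inconsistencies that a real mail server would not show."""
    flags, helo = [], (stamp["helo"] or "").strip("[]")
    if helo and is_ip(helo):
        if helo != stamp["peer"]:
            flags.append("helo-ip-mismatch")
        if helo in own_ips:
            flags.append("helo-is-our-ip")
    if stamp["rdns"] == "unknown":  # qmail writes this when no remote host name was available
        flags.append("no-reverse-dns")
    return flags

if __name__ == "__main__":
    hop = handover(SAMPLE)
    # Assumption: 67.15.65.62 is this server's own IP, inferred from its hostname.
    print(hop["peer"], findings(hop, own_ips={"67.15.65.62"}))
```

Only the topmost matching stamp is written by the receiving server itself; the headers below it arrive with the message and can be forged by the sender.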

Crazy4Bass
I should note that this is cut from messages that were queued while the domain account was configured to bounce email. We applied a patch found on these forums that was supposed to fix bounces from filling up the queue. But like I said, I've tried it both ways and the results are the same, messages are slightly different.

Thanks
Squire
Instead of bouncing the emails to what are likely bad email addresses anyway, you can simply set up the domain to deliver those to your blackhole email address. Doing so won't clear up everything, but it should clear up that issue.
Crazy4Bass
OK. I have the queue cleaned out. I've created a mail account with nothing checked in Plesk. No CP access, no mailbox, no redirect, etc. Preferences for the main domain are set to "Catch to address" which points to this blackhole account.

Nothing appears in the queue at the moment, but then it may only be coming in waves.

I did notice in logwatch though that there are maybe 200 IPs listed under smtp service connections as attempting to connect 1 time. We have relaying turned off. Any ideas what this is?

Thanks
Squire
Are the IPs actually getting connected and able to send email? Or is your server refusing their connection?

One thing to check on...

In your Plesk CP have a look at Server > Mail > White List. Make sure that the IP number there being whitelisted isn't 127.0.0.1/8, as the subnet mask part leaves your server an open relay no matter what you have everything else set to. If it's still /8, remove that one and put 127.0.0.1/32 in its place. That'll fix any open relay problem with the default setting Plesk ships with and still allow scripts on your server to send email.
Crazy4Bass
OK. I checked the Plesk CP and sure enough it's whitelisted 127.0.0.1/8. I've set it to 127.0.0.1/32 and stopped/restarted the mail service. We'll see what happens. Thanks for the feedback, will give it a few days and let you know.

btw: The previous suggestion appears to have stopped the bounced messages from clogging up the queue. (Keeping fingers crossed).

Thanks again.