sendmail -bpc concerns with excessive queued mail

Forgive me in advance for my lack of knowledge on this issue, but my webserver is a CentOS machine that is primarily unmanaged. My work (web-related) through SSH is limited. However, I did know a command, 'sendmail -bpc', that from my understanding will show the active mail queue. Right now it's slowly rising, but sits at around 8500 - which in my mind can't be good... Are there any troubleshooting documents/manuals or helpful sites to see what those 8500 are and if there's some better way to address them? Any direct suggestions or tips as far as commands for seeing what those are would be helpful as well.

My biggest concern of course is memory, and that there might be a leak or some robot/spambot taking advantage of a vulnerability.

level9wizardAsked:
 
level9wizardAuthor Commented:
Anyone else?
 
Jan SpringerCommented:
"mailq" is the command you need.

    cd /var/log
    grep -i "from=<" maillog | grep -i relay | more

and get the originating IP addresses.  If they're your IPs, someone within your network is infected (get the IP out of the logs).  If it's an IP off of your network and not a customer, you may be configured as an open relay.

And, if these mails are spam, then stop sendmail.  Go to the queue (typically /var/spool/mqueue), delete the spam messages from that IP (qf and df files) and start sendmail.
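An added example, not part of the comment above: rather than paging through the grep output, this tallies the `relay=` source of every `from=` line so the heaviest sender stands out, and labels each source following the own-network versus outside distinction in the answer. It assumes sendmail-format maillog lines; `relay_sources`, `sample_maillog`, the prefix argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally the relay= source on sendmail "from=" log lines.
# Usage: relay_sources OWN_PREFIX < /var/log/maillog
# OWN_PREFIX is a hypothetical textual prefix of your own addresses, e.g. "192.0.2."
relay_sources() {
    awk -v own="$1" '
    /: from=/ && /relay=/ {
        r = $0
        sub(/.*relay=/, "", r)      # keep only the relay= value
        sub(/,.*/, "", r)           # drop any fields after it
        if (match(r, /\[[^]]+\]/)) {
            # "host.example [203.0.113.50]" -> 203.0.113.50
            ip = substr(r, RSTART + 1, RLENGTH - 2)
            kind = (own != "" && index(ip, own) == 1) ? "own-network" : "external"
            r = ip
        } else {
            # No bracketed address, e.g. "apache@localhost": submitted on this host
            kind = "local"
        }
        n[kind " " r]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (fields abbreviated), not taken from the thread.
sample_maillog() {
    cat <<'EOF'
Mar  3 10:00:01 web1 sendmail[2101]: s23A01aa002101: from=<a@example.org>, size=2048, nrcpts=1, relay=mx.example.org [203.0.113.50]
Mar  3 10:00:02 web1 sendmail[2102]: s23A02aa002102: from=<b@example.org>, size=2050, nrcpts=1, relay=mx.example.org [203.0.113.50]
Mar  3 10:00:03 web1 sendmail[2103]: s23A03aa002103: from=<c@example.org>, size=2051, nrcpts=1, relay=mx.example.org [203.0.113.50]
Mar  3 10:00:05 web1 sendmail[2105]: s23A05aa002105: from=<pc@example.com>, size=900, nrcpts=1, relay=[192.0.2.25]
Mar  3 10:00:06 web1 sendmail[2106]: s23A06aa002106: from=apache, size=512, nrcpts=1, relay=apache@localhost
Mar  3 10:00:07 web1 sendmail[2106]: s23A06aa002106: to=<x@example.net>, ctladdr=apache (48/48), relay=[127.0.0.1] [127.0.0.1], stat=Sent
Mar  3 10:00:08 web1 sendmail[2108]: s23A08aa002108: from=apache, size=530, nrcpts=1, relay=apache@localhost
EOF
}

sample_maillog | relay_sources "192.0.2."
```

A high count under `local` points at something on the server itself (for example a web script) generating the mail, which neither the infected-client nor the open-relay explanation covers.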
 
Jan SpringerCommented:
...and, if you're an open relay, you need to update /etc/mail/access with IPs allowed to relay and hash it.

 
level9wizardAuthor Commented:
[_jesper_]>>"mailq" is the command you need.

Looks like that's not installed or set up on my CentOS machine, I get:
"-bash: mailq: command not found"

Any suggestions?

As an additional tidbit, there are 100s of client sites on this server - it's not shared but our office has many clients - so perhaps having 8000+ show up using 'sendmail -bpc' is normal?
 
Jan SpringerCommented:
If you want the queue and don't have mailq or it is not in the path:

    sendmail -bp

I've worked servers with thousands of clients and the only time I saw that volume is when the mail server was receiving spam.

    cd /var/spool/mqueue
    grep "Received: " qf* > /path/to/some/file
 
level9wizardAuthor Commented:
_jesper_,

What will 'grep "Received: " qf* > /path/to/some/file' do?
 
Jan SpringerCommented:
The 'Received' line in the 'qf' files in the mail queue directory contains the IP address of the sender.
 
level9wizardAuthor Commented:
_jesper_,

Sorry for the delay - I'm not at my regular work station so I don't have the tools to test/troubleshoot. However, I wanted to give you an update so you know I haven't abandoned this - I will follow up in a couple of days.
 
level9wizardAuthor Commented:
_jesper_,

What should '/path/to/some/file' be? Path to sendmail main dir?
 
Jan SpringerCommented:
No.

If your home directory is: /home/level9wizard, then

   /path/to/some/file is /home/level9wizard/smtp-data

'smtp-data' can be any filename.  That's just an example.  Once you generate that file, it would be easy enough to determine the offending IP address.
 
level9wizardAuthor Commented:
_jesper_,

Oops! At first glance I didn't notice you were writing that to a file, (I read it wrong) - and thanks for the speedy follow-up after me having left this for several days.

I don't have /var/spool/mqueue on my setup (looks like Exim, but 'exim -epc' and 'sendmail -bpc' both produce the same count). I took a quick google but could not find where this path might also be (using CentOS as server). Any ideas?
 
level9wizardAuthor Commented:
Looks like this isn't getting any less filled with cobwebs... :)
 
level9wizardAuthor Commented:
No answer, closing for lack of activity. Looking for assistance elsewhere.
Question has a verified solution.
