What is @ var/spool/mqueue ???

11-28-2003, 12:08 PM

Does anyone know what all the bunch of files found @ var/spool/mqueue contain??? I have 50mb of I-don't-know-what in there. By their contents some seem like a kind of mail log but some others look like mails waiting to be delivered. The point is that about 120 files looks like too much to me (in that account I just have about 7 mail accts and only 2 are used frequently). Is it normal???


11-28-2003, 12:47 PM
I believe it is mail waiting to be delivered. I have never had that much in it before but then I don't send out a lot of mail. Do you have a newsletter you mail or something similar?

11-28-2003, 02:42 PM
No, I don't have any... but I have about 20 mail aliases there... I opened some more files and I found strange things: one file seems like a webpage without sender, recipient or anything that makes it seem like a mail, it's as if someone made a page and uploaded it, some others look like spam trying to be sent by my server and about half look like this:

554 5.3.0 forward: no home
554 - Mailbox quota exceeded by (user)
554 5.0.0 Service unavailable
554 5.3.0 forward: no home

Do you think there may be a problem if I just delete all those files???

11-28-2003, 02:52 PM
There shouldn't be a problem if you delete the files. What you can do is move them all out of that folder to some other temporary location, make sure everything (e.g. mail) is working properly, and then delete the files permanently.

11-28-2003, 02:59 PM
It sounds as if something is not right. I would also contact WestHost and have them look at it. Like Fayez said, if you move them to a temp file first you could delete them. That will also give you something to show WestHost. When you contact them you can tell them where you moved them to so they can take a look at them.

11-28-2003, 06:39 PM
Yep, that would be the best thing... I already contacted them; I'll reply again when an answer is given. THANK YOU

11-29-2003, 09:05 AM
They are most likely stuck mails. Especially if you are using procmail to bounce the spam.
Try typing:
$ mailq
and this will list the files that are queued or failed. It should match the list of the files in the directory. In the directory the filenames starting with a 'q' are the header files and the ones starting with a 'd' are the data files; there should be a pair for each email.

If the list matches, and if there are no emails which you need to take care of (mailq will list the addresses that failed) you can safely delete all the files in the directory.
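
The queue check described in the post above, as an added example that is not part of the original thread: POSIX shell helpers that pair header and data files by queue ID, list orphans, and tally envelope senders. It assumes sendmail's usual `qf<ID>` / `df<ID>` / `xf<ID>` file naming and that the envelope sender is the `S` line of each `qf` file; the function names are invented for this example.

```shell
#!/bin/sh
# Added example: inventory a sendmail queue directory by queue ID.
# Assumed layout: qf<ID> = envelope + headers, df<ID> = body, xf<ID> = transcript.
# Usage (after sourcing this file): mq_report /var/spool/mqueue

# Count files in directory $1 whose name starts with prefix $2.
mq_count() {
    n=0
    for f in "$1/$2"*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi   # skip an unmatched glob
    done
    printf '%s\n' "$n"
}

# Print queue IDs that have a $2<ID> file but no matching $3<ID> file.
mq_orphans() {
    for f in "$1/$2"*; do
        [ -e "$f" ] || continue
        base=${f##*/}            # strip the directory part
        id=${base#"$2"}          # strip the two-letter prefix
        [ -e "$1/$3$id" ] || printf '%s\n' "$id"
    done
}

# Tally envelope senders (assumed: the line starting with "S" in each qf file),
# most frequent first, as "<count> <sender>".
mq_senders() {
    for f in "$1"/qf*; do
        [ -e "$f" ] || continue
        sed -n 's/^S//p' "$f"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# One-screen summary: counts, unpaired files, top senders.
mq_report() {
    printf 'qf=%s df=%s xf=%s\n' \
        "$(mq_count "$1" qf)" "$(mq_count "$1" df)" "$(mq_count "$1" xf)"
    mq_orphans "$1" qf df | sed 's/^/qf without df: /'
    mq_orphans "$1" df qf | sed 's/^/df without qf: /'
    mq_senders "$1" | head -n 10
}
```

Compare the `qf` count with the number of requests `mailq` reports before deleting anything; a single sender dominating the tally is the first thing to show the host's support.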

11-29-2003, 08:39 PM
Thank you Jalal.

Yes, the "q" and "d" files match, about 70 files each, but when I type mailq I get only 18 requests. Also I have 20 files starting with an "x" which seem to be those mails rejected by mailbox quota. WH support answered me that

"I have reviewed your access logs and the other typical trouble spots, and I don't see anything off-hand that might have caused that number of messages to go through your mail queue"

and also they told me that

"The only other thing that could cause problems like this are scripts that are not secure. cgiemail, formmail (older versions of formmail, anyways), and others can sometimes be hacked. You might review the scripts that are in your cgi-bin and see if there are any that you don't need (that you placed there), and remove them"

I'm almost sure that I have set the formmail security settings but it sounds like this probably is the problem in my case. I'll erase all those files and see if new files arrive.

01-02-2004, 07:22 PM
I had this problem about a month ago, I deleted all the files there, but right now I have countless files there using 384 mb!!! uh! This is not a heavy-use account, does anyone have an idea about it??? It seems as if someone were trying to send emails through my account, the emails don't leave the server but stay in the mqueue.... :(

01-03-2004, 07:13 AM
Are you still using formmail? It sounds like someone knows it is there and is using it to send out spam that can't be delivered, thus it stays on your server. If you can do without formmail for a while you could try removing the script for a time and see if that helps the situation. If you can't do without it, try renaming the formmail script and make the changes to the forms that call it to whatever you change the name to. This may help if they are using a robot to access the script but is not foolproof.

The best solution would be to use a different script other than formmail; it is just too insecure. I know it can be a headache to make the change and learn a new script. There are tons out there to choose from and WestHost offers an alternative that even gives you some extra options.

01-03-2004, 09:54 AM
Shawn, I'm curious why you consider formmail to be insecure? If it is the latest version and is configured properly, it should be quite secure. I've used it on dozens of sites without problem. And I don't bother to rename it.
And a look into the logs shows that there are daily attempts to access the script (all of which fail).

01-03-2004, 02:22 PM
I already had removed all the form mail versions I had there (about 3, because they were in different languages) and left only 1, the newest... I'll remove that one too and install the one found at


and see what happens...

There is also some info about why formmail is insecure... someone in this forum recommended that script but I don't remember who...


01-03-2004, 02:48 PM
Yeah, I use NMSFormmail usually (not for security reasons, but because it's more configurable and you can get the email address out of the HTML page and out of sight).

But Matt's formmail has the advantage of being around for nearly a decade and checked in tens of thousands of installations.

01-03-2004, 05:11 PM

I was just trying to make sure that it was not the old Formmail from way back. When WestHost first used it the script did not check for referrers and such, so it was pretty easy to hack into. I know that WestHost did updates on them at one time, but if the script had been moved or altered the update did not happen. I had that with some of mine that had hacked to get the address off the HTML page.

I thought also that Alenjandro may not have it configured correctly (no insult intended) and figured getting rid of the script might be the easy fix. Sorry Alenjandro I was being lazy. I should have asked you if it was a current version and how you had it configured. If you have the one from NMS you should be fine.

01-04-2004, 03:06 AM
Hi Shawn

Just trying to stop the spreading of FUD. I consider that Westhost's installation is secure and spreading the word that they are providing users with an insecure installation is, IMHO, not a good thing to be doing unless you have good reason to do it.

All my sites (transferred and new) seem to have the secure (V1.92) version of formmail installed...

I pay Westhost good money to provide me and my customers a safe and secure web-hosting service and if I feel that they are not providing that then, yes, we should bring it to everyone's attention, but in this case I think you may be a little off base.

01-05-2004, 09:41 PM
Yes, at first sight NMSFormmail seems long to configure and if you're busy then you turn to keep your old formmail, but actually it is a better script in that way: it helps to keep your email address entirely out of sight, and if seen with calm it isn't complex at all.

I agree with Shawn that if you have an old account and the script had been moved it didn't get updated, so it is a security issue that we should be aware of. In another account I made a copy of the script and the original is updated and the copy is not.

The curious thing is that the problem I'm having is in a newer account with an updated script. BTW 3 days ago I removed all the form to mail scripts and guess what: I have about 90 files in var/spool/mqueue, 20 of them are 900k each. It seems like a bouncing email. I forgot: my postmaster account has only 1mb of quota, I'm setting it to unlimited to see if those are mails that could not be delivered to the postmaster. Even so, I don't like having all those mails bouncing. I'll see what happens and I'll post here what it was in case someone finds this same problem in their account.

01-06-2004, 01:45 AM
Can't you look at the files and see what they are? They are just ordinary text files...