Mail queue full of "failure notice"

jnarvaez · Unread post by **jnarvaez** » Mon Sep 24, 2007 7:43 am

Hi, I'm using qmail-scanner from ART. Everything is working fine, but sometimes I have to clean my queue manually because failure notice messages are growing up.

Sometimes I also experience high load usage on my box.

None of that domains are on my server.
Any idea how to get rid of this?

Best regards.

Unread post by **scott** » Mon Sep 24, 2007 8:05 am

those are probably just bounces back to non-existant spammer addresses. If you see thousands of those come up in a day, thats generally indicative of someone sending spam through your system.

jnarvaez · Unread post by **jnarvaez** » Mon Sep 24, 2007 11:22 am

and how could I find the spammer?

These are the messages header:

Received: (qmail 1622 invoked by uid 10043); 24 Sep 2007 17:17:22 +0200
Received: from 127.0.0.1 by lincl89.mydomain.es (envelope-from <>, uid 2522) with qmail-scanner-2.01st
(clamdscan: 0.88.6/4376. spamassassin: 3.2.3. perlscan: 2.01st.
Clear:RC:1(127.0.0.1):.
Processed in 0.044682 secs); 24 Sep 2007 15:17:22 -0000
Date: 24 Sep 2007 17:17:22 +0200
From: MAILER-DAEMON@lincl89.mydomain.es
To: jramirez@central.unicor.gov
Subject: failure notice
X-Qmail-Scanner-Message-ID: <119064704210021613@lincl89.mydomain.es>

jnarvaez · Unread post by **jnarvaez** » Mon Sep 24, 2007 11:40 am

That was looking in the mail queue in Plesk GUI, but looking in the queue files, i get more information:

Received: (qmail 15057 invoked by uid 10043); 24 Sep 2007 16:36:06 +0200
Received: from 127.0.0.1 by lincl89.mydomain.es (envelope-from <>, uid 2522) with
qmail-scanner-2.01st
(clamdscan: 0.88.6/4376. spamassassin: 3.2.3. perlscan: 2.01st.
Clear:RC:1(127.0.0.1):.
Processed in 0.068762 secs); 24 Sep 2007 14:36:06 -0000
Date: 24 Sep 2007 16:36:06 +0200
From: MAILER-DAEMON@lincl89.mydomain.es
To: yuansamoykugm@charter.com
Subject: failure notice
X-Qmail-Scanner-Message-ID: <1190644566100215048@lincl89.mydomain.es>

Hi. This is the qmail-send program at lincl89.mydomain.es.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<swhlfztuyeljnvubied@myclient.com>:
This address no longer accepts mail.

--- Below this line is a copy of the message.

Return-Path: <yuansamoykugm@charter.com>
Received: (qmail 14914 invoked by uid 10043); 24 Sep 2007 16:36:04 +0200
Received: from 24.177.235.46 by lincl89.mydomain.es (envelope-from <yuansamoykugm
@charter.com>, uid 2020) with qmail-scanner-2.01st
(clamdscan: 0.88.6/4376. spamassassin: 3.2.3. perlscan: 2.01st.
Clear:RC:0(24.177.235.46):SA:0(?/?):.
Processed in 3.166626 secs); 24 Sep 2007 14:36:04 -0000
X-Spam-Status: No, hits=? required=?
Received: from 24-177-235-046.dhcp.gnvl.sc.charter.com (HELO charter.com) (24.17
7.235.46)
by flippes.com with SMTP; 24 Sep 2007 16:35:58 +0200
Received-SPF: fail (flippes.com: SPF record at charter.com does not designate 24
.177.235.46 as permitted sender)
Received: from m1.gns.snv.thisdomainl.com ([20.73.164.1]) by mx.reskind.net with
QMQP; Tue, 25 Sep 2007 00:17:57 +1000
Received: from unknown (HELO m1.gns.snv.thisdomainl.com) (Tue, 25 Sep 2007 00:02
:50 +1000)
by mxs.perenter.com with ASMTP; Tue, 25 Sep 2007 00:02:50 +1000
Received: from unknown (HELO mx03.listsystemsf.net) (Mon, 24 Sep 2007 23:57:05 +
1000)
by group21.345mail.com with SMTP; Mon, 24 Sep 2007 23:57:05 +1000
Message-ID: <4d4401c7ff03$36b90b70$f29740e5@yuansamoykugm>
From: "Ema Willis" <yuansamoykugm@charter.com>

To: "Lashandra" <swhlfztuyeljnvubied@myclient.com>
Cc: "Michell Garrett" <xrwjajppeaascbbomqo@myclient.com>,
"Dorian Ortiz" <ytmgxbhizibhpokuwcc@myclient.com>,
"Starr" <rsgqfqhyvlnqigyqakc@myclient.com>,
"Angelia Oliver" <umtfhgrfdmhqnnulaio@myclient.com>,
"Bobbie Griffin" <ttuzjtfgvecrbqspuyc@myclient.com>,
"Ashlie Gardner" <qrvnjhjykldxorbpxhy@myclient.com>,
"Melissia Rivera" <fiwtbmibxzboxbwqzpg@myclient.com>
Subject: Can you help me with this
Date: Mon, 24 Sep 2007 23:32:47 +1000
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_41B_5788_BEC18EBE.88702B33"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_41B_5788_BEC18EBE.88702B33
Content-Type: multipart/alternative;
boundary="----=_NextPart_929_14A9_58C29FB7.DD0196C7"

------=_NextPart_929_14A9_58C29FB7.DD0196C7
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Five bottle years;--and an "overluxurious dog home"-- and quit "someone h=
e had trusted had deceived shaved him" --had decei "Put refuse lighted it=
as you like. To me the great cause of our muddles stupid and mistakes se=
ems to page lie in the mental di "But it's not annoy on manager after the=
scissors way to anywhere."

....

I have messages for several domains on my box...

Unread post by **scott** » Tue Sep 25, 2007 9:58 am

thats spam to you, and those are bounces back to the non-existant spammer address.

jnarvaez · Unread post by **jnarvaez** » Tue Sep 25, 2007 1:47 pm

scott wrote:thats spam to you, and those are bounces back to the non-existant spammer address.

is it possible to detect that spam and don't bounce it back?

thank you for your help scoot!

Galactic Zero · Tue Sep 25, 2007 5:42 pm

download qmHandle and you can delete all failure notices with the command qmHandle -Sfailure

Works like a charm.

jnarvaez · Unread post by **jnarvaez** » Wed Sep 26, 2007 4:16 am

and would it be a good idea put it in cron.daily?

breun · Unread post by **breun** » Wed Sep 26, 2007 4:44 am

Galactic Zero wrote:download qmHandle and you can delete all failure notices with the command qmHandle -Sfailure

Works like a charm.

Or yum install qmhandle (ART has a package available) and run qmhandle.pl -Sfailure. Note that this removes *all* messages that have the word 'failure' in their subject from the queue.

These messages should also disappear from the queue after a week, but if you have a lot of these you might want to clear them out once in a while. Another way around this is to disable sending these messages in the first place, but there are issues with that also (people not knowing their message wasn't delivered, because it went into a black hole because they made a typo in the address). A rock and a hard place.

Also qmqtool is a nice qmail queue management tool (more options than qmHandle), but that one isn't packaged by ART.

dkuntz · Unread post by **dkuntz** » Wed Sep 26, 2007 8:46 am

Is there an easier way to stop failure notices from being generated, or other bounces at all, other than recompiling qmail from scratch using the faq from spamcop, etc?

Our queue tends to get so large that it pretty much kills all deliveries to the next level of mail server (we are using Project Gamera)

breun · Unread post by **breun** » Wed Sep 26, 2007 8:55 am

No need to recompile anything, there's an option in Plesk: Domain -> Mail -> Preferences -> Mail to nonexistent user: Reject.

Update: Oh wait, you're not using Plesk, but Project Gamera. Hmm, don't know about that one.

Unread post by **scott** » Wed Sep 26, 2007 9:35 am

You dont want to run qmhandle via cron on a PG box. It can cause duplicates in the queue. The tcpserver/supervise scripts design is a little overly aggressive in the way it handles the service. I find that I have to svc-stop it in the &, and killall qmail-remote, then run qmhandle.

qmail-remove *may* handle this better, but I havent played with it that much. Another thing you can do is bump up concurrencyremote, unlike the plesk qmail you are not limited to 200 concurrent connections. You can easily bump that up to 1000 without effecting performance on the system.

dkuntz · Unread post by **dkuntz** » Thu Sep 27, 2007 10:03 am

Ok, thanks.

Right now I actually do have qmhandle -S'failure notice' set to run via cron, which hasnt caused any dupes. We do have a rather interesting mail setup here though. 6 PG boxes which do initial filtering with some commercial filters, passes on to 12 more machines which do the final filter/quarentining, before finally being redirected to the actual customer's mail server.

Upping the Concurancyremote to 500 fixed most things for us, as I had set the smtpd to accept 200 incoming, but the outgoing w/ qmail-smtp was still defaulting to 20. At one point we had 2 servers with over 1.5 million messages in the queue each. Currently, our 6 PG systems (load ballanced) are processing 2.3 million messages a day, without any more problems (since I upp'd the concurancy that is).

Unread post by **scott** » Thu Sep 27, 2007 4:00 pm

Neat! Those are some impressive stats. My most high end one is running about 500,000 a day through it. Ive got concurrencyremote set to 1000, and inbound to 40. Right now I just purge the queue manually every few days, which is rarely more than a few thousand messages. Ive got a lot of potential solutions for it, either by modifying qmail, or using an alternate tool to do it. Just havent had the time to put into it lately.

Griffith · Unread post by **Griffith** » Sat Sep 29, 2007 5:11 am

dkuntz / atomic:
if your running so many PG servers, is it then possible to use greylisting? Incase yes, how would set that up?