big problem!

jnarvaez · Unread post by **jnarvaez** » Tue Jan 16, 2007 8:20 am

Hi, I'm having one big problem today, the load in my server is about 50.
And most process are from qscan, I look in my qmail queue and I think I found the problem.

I have this:

Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:01 PM 00:04:50 723 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:56 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:55 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:55 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:55 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:55 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:55 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:49 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:48 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:48 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:48 718 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:47 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:47 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:47 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:47 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:46 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:44 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:44 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:43 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:42 718 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:42 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:42 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:42 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:05 PM 00:00:42 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 718 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:41 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:40 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:40 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:40 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:39 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:39 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:39 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:39 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:38 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:38 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:38 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:37 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:37 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:37 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:37 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:36 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:36 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:36 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:36 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:35 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:35 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:35 716 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:35 718 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:34 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:34 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:34 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:34 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:33 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:32 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:32 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:31 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:31 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:31 716 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:30 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:30 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:30 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:30 719 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:29 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:29 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:29 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:28 717 bytes
Re: Delivery Status Notification (Failure) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:28 719 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:28 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:28 717 bytes
Re: Delivery Status Notification (Delay) my@domain.com postmaster@hermes.hvdc.ca Ene 16, 2007 01:06 PM 00:00:28 717 bytes

I deleted all the queue, and blacklisted hermes.hvdc.ca but the queue is growing up again.

Any idea what can I do?

Best regards.

Unread post by **scott** » Tue Jan 16, 2007 8:29 am

sounds like someone is spamming through your system

jnarvaez · Unread post by **jnarvaez** » Tue Jan 16, 2007 8:42 am

how can i block this?

Unread post by **scott** » Tue Jan 16, 2007 8:51 am

You've got to find out how their doing it first, either through a web app, compromised account, or whitelisted IP. Start by looking through your logs.

jnarvaez · Unread post by **jnarvaez** » Tue Jan 16, 2007 9:08 am

i have ton of lines like this in my /usr/local/psa/var/log/maillog:

Jan 16 13:55:11 lincl89 qmail-scanner[2904]: Clear:RC:1(127.0.0.1): 0.119325 375 soporte@mydomain.com postmaster@hermes.hvdc.ca Re:_Delivery_Status_Notification_(Delay) <20070116125510.2903.qmail@lincl89.mydomain.com> 1168952111.2916-0.lincl89.mydomain.com:38

nothing strange in /var/spool/qscan/qmail-queue.log

any idea?

jnarvaez · Unread post by **jnarvaez** » Tue Jan 16, 2007 9:21 am

each message contain this:

Received: (qmail 24711 invoked by uid 10043); 16 Jan 2007 14:01:11 +0100
Received: from 127.0.0.1 by lincl89.mydomain.com (envelope-from <soporte@mydomain.com>, uid 0) with qmail-scanner-2.01st
(clamdscan: 0.88.6/2455. spamassassin: 3.1.7. perlscan: 2.01st.
Clear:RC:1(127.0.0.1):.
Processed in 0.252376 secs); 16 Jan 2007 13:01:11 -0000
Date: 16 Jan 2007 14:01:09 +0100
Message-ID: <20070116130109.24655.qmail@lincl89.mydomain.com>
To: postmaster@hermes.hvdc.ca
Subject: Re: Delivery Status Notification (Delay)
From: soporte@mydomain.com
Reply-To: soporte@mydomain.com
Content-Transfer-Encoding: 8bit
X-Mailer: PHP/5.0.5
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Unread post by **scott** » Tue Jan 16, 2007 10:20 am

What user has the UID 10043 on your system?

jnarvaez · Unread post by **jnarvaez** » Tue Jan 16, 2007 11:49 am

qscand

10043:102:Qmail-Scanner Account:/var/spool/qscan:/bin/false

I think I found the problem, disabling Plesk Help Desk everything is working fine now.