Around 15000 mails in spool
Problem reported by Devang Shah - March 5 at 9:48 AM
Hi,

Since this evening no regular mails are being transmitted, and the entire spool is filled with 15000+ mails which can't be tracked,
as the numbers just keep jumping from 10000 to 12000 to 14000 and back.

No regular mails are relaying.

We have changed the passwords of a few rogue mail IDs and deleted a few IDs.

The server has been running fine for years.

After this I also updated to the latest SM 16.x Entp build, but still no good.

Please, can someone help us here and suggest some checks?

10 Replies

0
Devang Shah Replied
Surprisingly, one domain with around 300+ users seems to be having all such issues.
We have changed the passwords for the admin and many users, but it is still playing up.

We have kept throttling on and IDS is on, but the issue still remains.

0
Scott Forsythe Replied
What is the status of the messages in the Spool? I've seen them get stuck in "Spam Check" which indicates a problem with Cyren, RBLs, etc.
0
Devang Shah Replied
The status of the messages in the spool is "Delivery Delay", and they have been stuck for more than 2 hours [in the thousands].

The domain is set so that more than 1000 outgoing mails are throttled, with the action set to Reject.

The said domain has a static IP for that domain only.

We have also changed the passwords of all major users; we are manually trying to clean the spool, but the volume keeps mounting up.

0
Gary P Replied
I agree with Scott.

Had a similar issue about a year ago; it was due to RBL/URIBL delays which caused the spool to back up, due to the spam check slowing down. Look at the average time for each. It could be that.
0
Devang Shah Replied
It seems rogue / SMTP harvest.

Sample of the headers of mails in the spool:

X-Declude-Spoolname: 121043993.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Outgoing Score [0] at 20:28:55 on 05 Mar 2019
X-Declude-Tests: Whitelisted
X-Country-Chain:
X-Declude-Code: f
X-HELO: [customer80-185.airweb.cz]
X-Identity: 185.40.80.185 | customer80-185.airweb.cz | ems2.net

0
Devang Shah Replied
We are using Declude, and it's marking these outgoing mails as whitelisted.
0
Linda Pagillo Replied
Hi Devang. All authenticated email leaving your server is automatically whitelisted by Declude. It seems to me that you may have a compromised account that is sending these out. Declude’s Hijack component can prevent this from happening. Are you using Hijack? If not, you should turn it on for the future so it can prevent this from happening. Here are a few KB articles that explain what Hijack is and how it can help...

Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
0
Devang Shah Replied
OK, the issue got resolved by renaming the spool folder.

Is there a util / script available which can search for legitimate / rogue mails in the old spool, so the actual mails can be brought back into the spool for relay?

There was one post, but the link is broken and I can't find it manually.

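An added example, not a script from the thread or from SmarterTools or Declude, of the kind of spool triage asked about above. It reads the .eml files in a renamed spool folder, pulls out the X-HELO / X-Identity / X-Declude-Tests headers in the layout shown in the sample header block earlier in the thread (ip | helo-host | auth-domain), and groups queued messages by connecting IP and From address so that one account's burst can be separated from the ordinary mail stuck behind it. All addresses, hostnames, the file names and the per-sender threshold are constructed assumptions; the sample spool it builds is invented for the demonstration.

```python
"""Triage a renamed spool directory: group queued .eml files by the connecting
identity recorded in the Declude headers, flag the bursty senders, and list the
remaining files that look like ordinary mail worth moving back for relay."""
import re
import tempfile
from collections import defaultdict
from email.parser import BytesParser
from pathlib import Path

# Matches the X-Identity layout seen in the thread: "ip | helo-host | domain".
IDENTITY_RE = re.compile(r"^\s*(?P<ip>[\d.]+)\s*\|\s*(?P<helo>[^|]+?)\s*\|\s*(?P<domain>\S+)\s*$")

# Constructed sample identities (documentation ranges, not real hosts).
_ROGUE_IDENTITY = "203.0.113.45 | host-45.example.invalid | example.invalid"
_NORMAL_IDENTITY = "198.51.100.7 | mail.example.com | example.com"


def _message(identity, helo, sender, rcpt, subject):
    """Build a minimal constructed .eml with the headers Declude adds on outbound scan."""
    return (
        "X-Declude-Note: Scanned by Declude 4.12.11\r\n"
        "X-Declude-Tests: Whitelisted\r\n"
        f"X-HELO: [{helo}]\r\n"
        f"X-Identity: {identity}\r\n"
        f"From: {sender}\r\nTo: {rcpt}\r\nSubject: {subject}\r\n\r\nbody\r\n"
    ).encode()


def write_sample_spool(spool_dir: Path, rogue_count: int = 40, normal_count: int = 3) -> None:
    """Populate spool_dir with constructed files: one sender's burst plus a few ordinary mails."""
    spool_dir.mkdir(parents=True, exist_ok=True)
    for i in range(rogue_count):
        (spool_dir / f"rogue{i}.eml").write_bytes(_message(
            _ROGUE_IDENTITY, "host-45.example.invalid",
            "user1@example.invalid", f"victim{i}@example.net", "Invoice"))
    for i in range(normal_count):
        (spool_dir / f"normal{i}.eml").write_bytes(_message(
            _NORMAL_IDENTITY, "mail.example.com",
            "alice@example.com", "bob@example.org", f"Report {i}"))


def parse_spool(spool_dir: Path) -> list:
    """Read only the headers of every *.eml in spool_dir and extract the identity fields."""
    parser = BytesParser()  # compat32 policy: header values come back as plain strings
    records = []
    for path in sorted(spool_dir.glob("*.eml")):
        with path.open("rb") as fh:
            msg = parser.parse(fh, headersonly=True)
        m = IDENTITY_RE.match(msg.get("X-Identity") or "")
        records.append({
            "file": path.name,
            "ip": m.group("ip") if m else "",
            "helo": m.group("helo") if m else (msg.get("X-HELO") or "").strip("[] "),
            "domain": m.group("domain") if m else "",
            "from": (msg.get("From") or "").strip(),
            "to": (msg.get("To") or "").strip(),
            "tests": (msg.get("X-Declude-Tests") or "").strip(),
        })
    return records


def triage(records, threshold: int = 20):
    """Group by (ip, From). A group at or above `threshold` queued messages is a
    suspected hijacked account; everything else is a candidate for re-queueing.
    Returns (suspects, legit_files, flagged_files)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip"], r["from"])].append(r)
    suspects, legit, flagged = {}, [], []
    for key, recs in groups.items():
        if len(recs) >= threshold:
            suspects[key] = {"count": len(recs),
                             "helo": sorted({r["helo"] for r in recs}),
                             "recipients": len({r["to"] for r in recs})}
            flagged.extend(r["file"] for r in recs)
        else:
            legit.extend(r["file"] for r in recs)
    return suspects, sorted(legit), sorted(flagged)


def demo(rogue_count: int = 40, normal_count: int = 3, threshold: int = 20) -> dict:
    """Build a constructed spool in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp) / "spool_old"
        write_sample_spool(spool, rogue_count, normal_count)
        records = parse_spool(spool)
        suspects, legit, flagged = triage(records, threshold)
    return {"records": records, "suspects": suspects, "legit": legit, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    for (ip, sender), info in result["suspects"].items():
        print(f"SUSPECT {sender} via {ip} HELO={info['helo']}: "
              f"{info['count']} queued to {info['recipients']} recipients")
    print(f"{len(result['legit'])} files look legitimate, {len(result['flagged'])} flagged")
```

Point `parse_spool` at the renamed folder and review the suspects before moving any of the "legit" files back: the From header is not proof of who authenticated (it can be set by the client), so treat the grouping as a shortlist to confirm against the server's own authentication records for that session, and expect a domain that shares one static outbound IP, as described earlier in the thread, to split cleanly only on the sender part of the key.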
0
Linda Pagillo Replied
Devang, the problem here is a compromised account. Do you know which accounts are compromised? If not, you can turn on Declude Hijack and it will catch the outbound email from the compromised account and it will tell you which account(s) are compromised.
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller