All those qmail remote processes are sending out that spam mail you thought you got rid of. My guess is that the stuff is still in your local queue, so use qmail-qstat/qread to check and see. qmail-smtpd/tcpserver do not need to be running for outgoing mail to be sent.

What you probably want to do in this case is kill qmail as quickly and safely as possible, clean up the queue, and then restart qmail. I've had to do this a couple of times when I missed a relay rule or something, so here's my step-by-step list of stuff to do. Smarter people than me can feel free to correct it :)

1) If possible, unplug the box from the network, or ifconfig down the public interface.
2) Kill qmail-smtpd.
3) Send qmail-send a TERM signal, which will make it exit ASAP.
4) kill -9 all the qmail-remote processes that you see.
5) At this point qmail should be completely stopped and you can clean out the queue.

Step #4 might be a little dangerous. I'm almost certain qmail will correctly assume the process failed and defer the message normally (this way you won't lose any legit mail), but I can't seem to find where in the docs or source this is made clear. But I trust DJB to do the right thing in this case :)

shag

----- Original Message -----
From: "chas" <[EMAIL PROTECTED]>
To: "qmail list" <[EMAIL PROTECTED]>
Sent: Sat 18 Mar 2000 14:08
Subject: Spam getting through despite closed relay; or even with no qmail-smtp running !

> I screwed up : I left my box open for a few days and
> already somebody found it and started to send spam.
>
> So, I installed ucspi-tcp and allowed selective relaying
> as described in the excellent document by Chris Johnson.
> "Selective relaying with tcpserver and qmail-smtpd"
> http://www.palomine.net/qmail/selectiverelay.html
>
> And I've tested this from the network as well as from
> http://www.abuse.net/relay.html and it would appear that
> relaying is not allowed.
>
> I just rebooted the machine and have not yet started
> tcpserver and qmail-smtp, and suddenly I find dozens
> of qmail-remote processes running. (see below)
>
> Could somebody pls tell me what is going on here ?
> Have these been queued ? (I couldn't find them in
> /var/qmail/queue or any of its subdirectories)
> How can they still be getting through to my box
> if qmail-smtp is not even running yet ? (telneting
> to port 25 won't even get you a connection). And how
> can I get rid of them ?
>
> (Oh, and if anybody knows the [EMAIL PROTECTED], pls
> break his kneecaps)
>
> Thanks for any help b/c this is obviously not
> a good thing - I'm just killing qmail-remote.
>
> chas
>
>
> qmailr 10836 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 257@cra
> qmailr 10853 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 274@cra
> qmailr 10859 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 280@cra
> qmailr 10863 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 284@cra
> qmailr 10869 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 290@cra
> qmailr 10875 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 296@cra
> qmailr 10877 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 298@cra
> qmailr 10880 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 300@cra
> qmailr 10881 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 301@cra
> qmailr 10882 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 302@cra
> qmailr 10883 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 303@cra
> qmailr 10884 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 304@cra
> qmailr 10885 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 305@cra
> qmailr 10886 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 306@cra
> qmailr 10887 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 307@cra
> qmailr 10888 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 308@cra
> qmailr 10889 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 309@cra
> qmailr 10890 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 311@cra
> qmailr 10891 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 312@cra
> qmailr 10892 0.0 0.1 788 428 p0 S 5:49AM 0:00.00 qmail-remote crazy.ucs.com.tw [EMAIL PROTECTED] 313@cr
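
Added example, not part of either poster's message: once qmail is stopped, a per-sender summary of `qmail-qread` output shows which envelope sender owns the backlog before anything is removed from the queue. The function names `qread_summary` and `sample_qread`, the sample addresses, and the `qmail-qread` line layout described in the comments are assumptions; compare the layout with your own output first.

```shell
#!/bin/sh
# Summarise qmail-qread output per envelope sender so the injected batch
# stands out from legitimate mail before the queue is cleaned.
#
# Assumed qmail-qread layout (check against your installation):
#   18 Mar 2000 05:49:01 GMT  #257  1830  <sender@example>
#   <TAB>remote<TAB>rcpt@example            (still to be delivered)
#     done<TAB>remote<TAB>rcpt@example      (already delivered)

# Reads qmail-qread output on stdin.
# Prints "<messages> <pending remote recipients> <sender>", busiest first.
qread_summary() {
    awk '
    # Header line: starts with the date and carries "#<queue id>".
    /^[0-9]/ && / #[0-9]+ / {
        sender = "(unknown)"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^<.*>$/) sender = $i   # "<>" is a bounce sender
        msgs[sender]++
        next
    }
    # Undelivered remote recipient; "done" lines do not match this pattern.
    /^[ \t]+remote/ { pending[sender]++ }
    END {
        for (s in msgs)
            printf "%d %d %s\n", msgs[s], pending[s] + 0, s
    }' | sort -k2,2nr -k1,1nr
}

# Constructed sample input (not real queue data): three messages from one
# bulk sender with two pending recipients each, plus one ordinary message.
sample_qread() {
    for id in 257 274 280; do
        printf '18 Mar 2000 05:49:01 GMT  #%s  1830  <bulk@sender.example>\n' "$id"
        printf '\tremote\tuser%s@target.example\n' "$id"
        printf '\tremote\tother%s@target.example\n' "$id"
    done
    printf '18 Mar 2000 05:50:12 GMT  #311  912  <alice@local.example>\n'
    printf '  done\tremote\tbob@partner.example\n'
    printf '\tremote\tcarol@partner.example\n'
}

# Demo on the constructed sample. On a real host, with qmail stopped:
#   /var/qmail/bin/qmail-qread | qread_summary
sample_qread | qread_summary
```

A sender with many messages and many pending remote recipients is the batch to inspect; legitimate mail from other senders stays identifiable and can be left in the queue.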
