Home / server / Questions / 364284
In Process
jeroen
Asked: 2012-02-28 14:40:09 +0800 CST

User account automatically filling up with dead.letter file

  • 772

I have one user account on a server with about 400 accounts that is filling up automatically. The dead.letter file in the users home directory automatically grows until the account is full (about 10 - 40 Mb per day). The user is using Microsoft Outlook to send and receive mail.

What can be causing this and how can I avoid it from happening?

Right now I have an emergency cron-job to delete the file but I would like "real" solution.

Edit: The server version is Red Hat Enterprise Linux ES release 4 (Nahant Update 4)

Edit 2: It seems mainly spam and I see different mailer headings (from php to Outlook Express) and a frequent appearing header is [email protected]

Update: I have asked the hosting provider where I use that dedicated server to look into the problem as well, as it's their Control Panel that could be a cause of the problem.

redhat outlook rhel4 user-accounts

3 Answers

  1. Does that user have a web content tree being served by a web server of this system?

    Check their content tree for a CGI or something that handles GET/POST submissions. My guess is they have some standard web software installed -- a page layout tool, or something like WordPress. Some 3rd party/ies is using some security hole in that web software to try to send mail out from this system. Their exploit isn't working correctly, or at least not always, and so some/all of the outgoing mail is failing; the local mail transport agent is putting the mail in the user's dead.letter.

    I'm out on limb here... but that's where I would look first.

    • 3

  2. Here's a script you could run against the dead.letter file and maybe catch the process creating it.

    #! /bin/bash

if [ $# -eq 0 ]; then
        echo "Syntax: $(basename $0) <file_to_watch>"
        exit 1
fi

FILE_TO_WATCH=$1
LOGFILE=/var/tmp/$(basename $0).$(date +"%Y-%m-%d").log
SLEEP_DELAY=5

if [ ! -e $LOGFILE ]; then
        echo -e "DATE                   COMMAND     PID      USER   FD      TYPE     DEVICE SIZE/OFF       NODE NAME" > $LOGFILE
fi

echo "Starting lsof tail job with PID $$"
echo "lsof output will be appended to $LOGFILE"

while true; do
        if [ -e $FILE_TO_WATCH ]; then
                lsof $FILE_TO_WATCH | sed 1d | sed -e "s/^/$(date +"%Y-%d-%m %H:%M:%S    ")/" >> $LOGFILE 2>/dev/null
                sleep $SLEEP_DELAY
        fi
done

    Feel free to change the variables to make the delay more aggressive for example. If you want to launch it as a background job, just call it like this:

    nohup script.sh /path/to/dead.letter &

    The script will echo the PID it uses for your convenience so you can kill it.

    EDIT: As per your comment, it looks like the file is not held opened by a process long enough for you to be able to catch it. Another thing you could try is to set the immutable flag on the dead.letter file in hope that it will generate errors in /var/log/messages or another log. Immutables files can't be changed even by root.

    Follow these steps:

    # rm -f dead.letter
# touch dead.letter
# chattr +i dead.letter
# lsattr dead.letter
----i---------- dead.letter

    Then try to touch it again with root. You'll get this:

    touch: cannot touch `dead.letter': Permission denied

    This confirms you did it right.

    • 2

  3. If I remember correctly, I had a case where this was caused by a broken cron script many years ago, so check the users crontab.

    • 1