root sending several emails a minute -- can't find out why and who's doing it

Question

I can't seem to figure out why root is sending out several emails every minute. I would like it to stop because I am making out my ability to send emails every 24 hours (over 5k a day).

First thing I have done is trying to forward root email to an external account to maybe get more detail about the emails being sent. This is not what I need to accomplish, just showing you I tried it. Anyways I can't get it to work, the emails do not forward.

[Email Forwarding]

I tried

Edit: /etc/aliases and added `root: myemail@email.com

Edit: /root/.forward and added my email

Both methods didn't forward the emails.

[Cron Jobs]

The next thing I thought and read was that crond was sending the emails due to my cronjobs. Yes, I do have cron jobs that run every minute so I thought this could be the issue.

I tried

Editing /etc/crontab and changing the values

MAILTO=root to MAILTO= as well as I tried MAILTO=""

I also manually changed all the cron jobs to run once an hour to see if they stop, they did not and yet continued.

I also stopped my crond daemon, but root keeps sending mail.

Here is a email example Delivery Report from WHM; I can't see anything that helps.

Here is also what my mailog file looks like and again I can't see anything.

Can anyone point me in the right direction to find out why root is sending emails to root every minute several times?

Answer 1

This is a debugging process not a solution.

First of all you should probably determine which Mail Transport Agent you're using. For example, sendmail, exim4, postfix, msmtp, or one of the several others. Looking in /etc/init.d or running ps -ef may shed light on this.

Having determined you're using exim4 the interesting places to look are the main delivery logfile /var/log/exim4/mainlog and the spool directory /var/spool/exim4/input. (For sendmail, at least, the equivalent spool directory is /var/spool/mqueue.) Messages for exim4 are transiently stored in the spool directory split as header and body:

1cC1ss-0002rV-Pw-D    # Data (message body)
1cC1ss-0002rV-Pw-H    # Headers
1cC1ss-0002rV-Pw-J    # Job control (may not be present)

The obvious /var/log/mail.log won't contain messages from exim4 (although it will for true sendmail). In your case it only contains messages from dovecot, which is an IMAP server, and so of little relevance in this situation.

It's probably worth switching off the MTA temporarily so that it doesn't attempt to process the queue:

service exim4 stop

And it's definitely worth removing the forwarding for root that you've added. Otherwise a bounce will get returned to root, which will forward it offsite, generating a non-delivery bounce, which will get returned to root, which will forward it offsite, generating a non-delivery bounce, which will continue ad infinitum.

Ignoring transport delivery issues (frozen messages, non-delivery bounces, etc), hopefully the content of the remaining messages will help shed light on the sender process or true cause of the error.

Answer 2

There are errors or warnings being generated by your system. To see what is causing the problem go to WHM's "Mail Queue Manager". There you will see messages sent from root to root. Click the "Actions" button on the far right column to view the message. That will show you the error or warning that you need to remedy.