Page MenuHomePhabricator
Create Task
Maniphest T408632

VRTS is spammed with bounce e-mails and is going to break
Open, MediumPublic
Actions

Assigned To
jhathaway
Authored By
Krd
Oct 28 2025, 8:09 PM
Tags
Referenced Files
F70139752: info pt.png
Nov 12 2025, 1:24 PM
F70139751: infi nl.png
Nov 12 2025, 1:24 PM
F70139750: info pl.png
Nov 12 2025, 1:24 PM
F70070832: Junk.png
Nov 10 2025, 8:44 AM
F69754786: image.png
Nov 3 2025, 10:07 AM
F68047951: Junk.png
Oct 28 2025, 8:13 PM
Subscribers
1F616EMO
Aklapper
akosiaris
Ameisenigel
elukey
Geagea
Glane23
View All 20 Subscribers

Description

There are 318k tickets in the Junk queue currently, while a normal number is around 20k.

All of them are some kind of bounces, perhaps a loop. Unable to determine this without assistance.

Ticket numbers appear to have become 17 digits instead of 16 because there have been more that 100k tickets within a day, which causes major disruption.

Observed production impacts:

  • Delay in ability for agents to log on to the system
  • Unable to contact customers / Agents not getting queue notifications (see T408967 )

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
collab: add vrts junk queue alertoperations/alertsmaster+29 -1
vrts: alert on vrts junk queue sizeoperations/alertsmaster+18 -0
spamassassin: add multi.uribl.com to deny listoperations/puppetproduction+1 -0
postfix: add rspamd network discard mapoperations/puppetproduction+41 -21
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 28 2025, 8:09 PM
Krd added a comment.Oct 28 2025, 8:13 PM

Junk.png (368×753 px, 27 KB)

Peachey88 added projects: vrts, SRE.Oct 28 2025, 8:17 PM
jhathaway subscribed.Oct 28 2025, 8:20 PM

@Krd thanks, I'm investigating, not sure of the cause either.

jhathaway triaged this task as High priority.Oct 28 2025, 8:20 PM
Krd added a comment.Oct 28 2025, 8:23 PM
This comment was removed by Krd.
Krd added a comment.Oct 28 2025, 8:24 PM

Ir appears to me that we are accepting bounces from phishing e-mails sent with fake sender info@wikipedia.org.

Krd added a comment.Oct 28 2025, 8:26 PM

The 219.240.37.89 looks like a common factor. Can we block this source IP for SMTP as a first measure?

Raine subscribed.Oct 28 2025, 8:27 PM
Ameisenigel subscribed.Oct 28 2025, 8:35 PM
jhathaway added a comment.Oct 28 2025, 8:49 PM
In T408632#11321073, @Krd wrote:

The 219.240.37.89 looks like a common factor. Can we block this source IP for SMTP as a first measure?

done, though a proper patch still needs to be cut

Johannnes89 subscribed.Oct 28 2025, 9:22 PM
Nemoralis subscribed.Oct 28 2025, 9:37 PM
gerritbot added a comment.Oct 28 2025, 9:44 PM

Change #1199507 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/puppet@production] postfix: add rspamd network discard map

https://gerrit.wikimedia.org/r/1199507

gerritbot added a project: Patch-For-Review.Oct 28 2025, 9:44 PM
gerritbot added a comment.Oct 28 2025, 9:50 PM

Change #1199507 merged by JHathaway:

[operations/puppet@production] postfix: add rspamd network discard map

https://gerrit.wikimedia.org/r/1199507

jhathaway added a comment.Oct 28 2025, 10:21 PM

@Krd how else can I help?

Maintenance_bot removed a project: Patch-For-Review.Oct 28 2025, 10:30 PM
Quiddity subscribed.Oct 28 2025, 11:18 PM
Krd added a comment.Oct 29 2025, 6:25 AM

We need an analysis what exactly happened, and perhaps a strategy not to accept such fake bounces at all.

And we please need some monitoring that detects unusual e-mail rates and alarms SRE.

akosiaris subscribed.Oct 29 2025, 9:09 AM
LSobanski added projects: Infrastructure-Foundations, collaboration-services.Oct 29 2025, 12:52 PM
Reinhard_Kraasch subscribed.Oct 29 2025, 4:43 PM
Vermont subscribed.Nov 1 2025, 4:38 PM
Geagea subscribed.Nov 1 2025, 10:15 PM

Also one ticket in he-queue - 20251028101571634

Xaosflux subscribed.Nov 2 2025, 8:26 PM

Possibly causing T408967

LSobanski subscribed.Nov 3 2025, 10:04 AM

I just checked and the junk queue is close to 500k at this time.

LSobanski added a comment.Nov 3 2025, 10:07 AM

Here's the increase in disk space and inode usage since October 27th:

image.png (224×428 px, 17 KB)

Glane23 subscribed.Nov 3 2025, 1:39 PM
Xaosflux added a subtask: T408967: VRTS outbound emails not working.Nov 3 2025, 2:06 PM
Xaosflux updated the task description. (Show Details)
Xaosflux added a comment.Nov 3 2025, 2:17 PM

Following up on progress at #wikimedia-sre ; expected resource is not yet on shift. Let's give them some time before next escalation.

jhathaway claimed this task.Nov 3 2025, 2:41 PM
gerritbot added a comment.Nov 3 2025, 3:08 PM

Change #1201083 had a related patch set uploaded (by AOkoth; author: AOkoth):

[operations/puppet@production] spamassassin: add multi.uribl.com to deny list

https://gerrit.wikimedia.org/r/1201083

gerritbot added a project: Patch-For-Review.Nov 3 2025, 3:08 PM
gerritbot added a comment.Nov 3 2025, 3:21 PM

Change #1201087 had a related patch set uploaded (by AOkoth; author: AOkoth):

[operations/alerts@master] vrts: alert on vrts junk queue size

https://gerrit.wikimedia.org/r/1201087

Nemoralis unsubscribed.Nov 3 2025, 3:41 PM
jhathaway added a comment.Nov 3 2025, 4:12 PM

@Krd I see the junk mail queue is now at 600k, how can I help clear it out, I saw some of the scheduled jobs were run, but that does not seem to be enough. Also feel free to contact me on IRC for some real time triaging.

Krd added a comment.Nov 3 2025, 5:44 PM

I think the focus should be to determine if the queue size is the cause of the impact or not. I.e. if there is another issue. The queue size itself is no issue as long as it stops growing.

gerritbot added a comment.Nov 3 2025, 6:28 PM

Change #1201083 merged by AOkoth:

[operations/puppet@production] spamassassin: add multi.uribl.com to deny list

https://gerrit.wikimedia.org/r/1201083

Superpes15 subscribed.Nov 3 2025, 7:21 PM
jhathaway added a comment.EditedNov 4 2025, 4:52 AM

After some analysis today, I think the cause of the bounces were as follows:

  1. Spammers set their Return-Path to info@wikimedia.org, which caused their bounce traffic to hit the info queue
  2. VRTS bounce traffic was redirected to the Junk queue
  3. VRTS users who monitored the Junk queue received so many emails that their email service providers rate limited their inboxes.
  4. The rate limiting of VRTS users caused more bounces to be created, which were also sent to Junk, amplifying the problem.

Steps taken:

  1. Created a new bounces queue and modified the filters to direct bounces to that queue
  2. Created two Generic Agent jobs to clean out existing bounces in Junk, "Delete postmaster@ in Junk" and "Delete MAILER-DAEMON backscatter in Junk" running every 5 minutes
  3. Removed bounces from the outbound queue
Novem_Linguae subscribed.Nov 4 2025, 5:16 AM
1F616EMO subscribed.EditedNov 4 2025, 5:32 AM
In T408632#11338645, @jhathaway wrote:

Spammers set their Return-Path to info@wikimedia.org, which caused their bounce traffic to hit the info queue

If that’s the case, shouldn’t we just refuse bouncing to/bounces from suspicious addresses?

Geagea added a comment.Nov 4 2025, 6:42 AM

Thanks, I think that the delay of mails from VRT solved. I've got my notifications at once.

LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.Nov 4 2025, 9:59 AM
Xaosflux added a comment.Nov 4 2025, 10:07 AM

Perhaps the junk queue should not be allowed to send agent notifications?

Krd added a comment.Nov 4 2025, 10:47 AM

If I checked correctly, nobody is subscribed to the Junk queue, so no notifications for that should have been created.
If there were any, I think that should be investigated further.

jhathaway added a comment.Nov 4 2025, 3:08 PM
In T408632#11339222, @Krd wrote:

If I checked correctly, nobody is subscribed to the Junk queue, so no notifications for that should have been created.
If there were any, I think that should be investigated further.

The one account, which has caused quite a bit of the backscatter, because their account is being rate limited, appears to be subscribed to the Junk queue, as well as 78 other queues. Given their mail is not reaching them, is their a procedure for disabling their account?

Arnoldokoth mentioned this in T409189: Free up inodes on vrts1003.Nov 4 2025, 3:09 PM
Krd added a comment.Nov 4 2025, 3:36 PM

Please provide in private who that is and how you found the information.

jhathaway added a comment.Nov 4 2025, 3:44 PM
In T408632#11340504, @Krd wrote:

Please provide in private who that is and how you found the information.

Shared via a private paste.

Krd added a comment.EditedNov 4 2025, 3:54 PM

It appears my previous query must have been wrong. Please stand by an hour or two.

Krd added a comment.Nov 4 2025, 5:25 PM

I have unsubscribed the mentioned user. This appears to be the only one, and I will monitor this from now on. It makes no sense to get copies of thousands of spams messages each day.

jhathaway added a comment.Nov 4 2025, 5:27 PM
In T408632#11341245, @Krd wrote:

I have unsubscribed the mentioned user. This appears to be the only one, and I will monitor this from now on. It makes no sense to get copies of thousands of spams messages each day.

Great, thanks, it would be great if there was an admin toggle to disable subscribing, but I didn't see one.

jhathaway added a comment.Nov 4 2025, 7:50 PM

@Krd we are still receiving bounces for that user as their email rate is still too high. Do they need to subscribe to the 77 remaining queues? Could we perhaps unsubscribe them from all, and pop them a note to resubscribe?

Krd added a comment.Nov 5 2025, 5:43 AM

My personal opinion is that we should disable notifications completely, but this perhaps isn't consensus.

I will do as requested for the mentioned user.

Xaosflux mentioned this in T409135: VRT queue index shows incorrect value.Nov 5 2025, 4:21 PM
Krd added a comment.Nov 10 2025, 8:44 AM

The bounces queue is at 292k now, and increasing. Please have a look.

Krd added a comment.Nov 10 2025, 8:44 AM

Junk.png (368×753 px, 23 KB)

jcrespo subscribed.Nov 10 2025, 12:38 PM

We are working on it, alarm notified us.

elukey subscribed.Nov 10 2025, 1:01 PM

I am really really ignorant about postfix so please bear with me :)

I ran:

elukey@mx-in1001:~$ for queue in $(sudo postqueue -j | jq -r ' select(.recipients[0].address == "info@wikipedia.org") | select(.recipients[1].address == null) | .queue_id'); do sudo postcat -q $queue | grep log_client_address| cut -d "=" -f 2; done > T408632_info_wikipedia_org.log

With some bash sort/uniq there seem to be two IPs causing most of the spam to info@wikipedia.org, so my next step would be to block them via puppet private.

Arnoldokoth added a project: WMF-NDA.Nov 10 2025, 1:10 PM
Arnoldokoth removed a project: WMF-NDA.
Stashbot added a comment.Nov 10 2025, 1:11 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-10T13:11:44Z] <elukey> restart postfix on mx-in2001 to apply an IP ban - T408632

Stashbot added a comment.Nov 10 2025, 1:12 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-10T13:12:24Z] <elukey> restart postfix on mx-in1001 to apply an IP ban - T408632

elukey added a comment.Nov 10 2025, 1:27 PM

Judging from the metrics it seems to me that the queues stopped growing, and they are slowly getting processed. Let's wait a bit more to see if the mitigation worked as expected.

I have no idea how to create cleanup jobs like Jesse indicated in T408632#11338645.

elukey added a comment.Nov 10 2025, 2:31 PM

Looks like we are back in acceptable ranges again! Please let me know if anything is missing.

LSobanski closed subtask T409135: VRT queue index shows incorrect value as Resolved.Nov 10 2025, 3:41 PM
Geagea added a comment.Nov 10 2025, 7:36 PM

Now again VRT number - 17 digits
20251110103208628
20251110103208173

Josve05a subscribed.Nov 10 2025, 9:09 PM
LSobanski closed subtask T408967: VRTS outbound emails not working as Resolved.Nov 12 2025, 1:05 PM
LSobanski added a comment.Nov 12 2025, 1:07 PM

I just checked and the junk queue is at a reasonable size.

We still need to look into a long term solution for problems like this one.

Geagea added a comment.Nov 12 2025, 1:24 PM

see

info pl.png (236×750 px, 11 KB)

infi nl.png (223×826 px, 11 KB)

info pt.png (315×728 px, 17 KB)

Krd added a comment.Nov 12 2025, 3:09 PM

Numbers appear correct.

Geagea added a comment.Nov 12 2025, 3:12 PM

how
pl 5/4 --> 2/1
pt 109/108 --> 11/10
nl - my mistake

Krd added a comment.Nov 12 2025, 4:10 PM

There is a subqueue which counts for the headline but not for the queue view.

Geagea added a comment.Nov 12 2025, 4:19 PM

my immersion was that it's not ok. But if it's ok then we done.

jhathaway lowered the priority of this task from High to Medium.Nov 17 2025, 3:37 PM
gerritbot added a comment.Nov 21 2025, 6:36 PM

Change #1201087 merged by jenkins-bot:

[operations/alerts@master] vrts: alert on vrts junk queue size

https://gerrit.wikimedia.org/r/1201087

Maintenance_bot removed a project: Patch-For-Review.Nov 21 2025, 7:30 PM
gerritbot added a comment.Dec 11 2025, 3:15 PM

Change #1217548 had a related patch set uploaded (by AOkoth; author: AOkoth):

[operations/alerts@master] collab: add vrts junk queue alert

https://gerrit.wikimedia.org/r/1217548

gerritbot added a project: Patch-For-Review.Dec 11 2025, 3:15 PM
gerritbot added a comment.Dec 15 2025, 7:09 AM

Change #1217548 merged by jenkins-bot:

[operations/alerts@master] collab: add vrts junk queue alert

https://gerrit.wikimedia.org/r/1217548

Maintenance_bot removed a project: Patch-For-Review.Dec 15 2025, 7:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits