[deanhills]

Tonight when I wanted to access the VestaCP Panel of my HostUs VPS it had a 502 Bad Gateway Error in it.  Then after searching VestaCP Forum and following Skurudo's steps I accessed my VPS with SSH to try and restart VestaCP.  Before I did it, I took a directory of my VPS and found the following file in it that doesn't belong and I don't have an understanding for:

dead.letter

This is how it appeared in the directory:

-rw-r--r-- 1 root mail 16369 Jun 22 07:39 dead.letter

Is it possible to explain what it is?  I wasn't working on my VPS on 22 June. I also haven't installed mail on my VestaCP or VPS.  I only have a minimal installation of VestaCP with nginx+apache, DNS (named), fail2ban firewall, DB and remi.

I decided not to restart VestaCP until I understood what the file was about. Is it something I should worry about and how should I remove it?

---

I found this "temporary solution" by zazzybob at the link below - not quite sure what it really did except maybe the equivalent of quarantining the contents of dead.file?  My worry was that apparently the file grows.  Apparently the command below would stop it from growing.

Code: (Select All)

cat /dev/null > /var/tmp/dead.letter

Source: https://www.unix.com/49239-post2.html?s=...a56f044434

[Mashiro]

Generally a dead.letter file is created when a mail server or mail client isn't able to send out mails for some reason (server errors, non existing e-mail inboxes, etc...).

To stop it from being created you have to find the root cause.

[deanhills]

Generally a dead.letter file is created when a mail server or mail client isn't able to send out mails for some reason (server errors, non existing e-mail inboxes, etc...).

To stop it from being created you have to find the root cause.

Thanks for the explanation @"Hidden Refuge"  It's a communication happening at the root level by root to root. Still have to figure out the cause.

I'll check later tonight to see whether the file has increased in size. After my research last night I was reasonably happy that it wasn't due to VestaCP hacking and then restarted VestaCP successfully.  Everything that I worked on was perfect with great speed - wow I was impressed!  No strange files or anything.  Except I'd mentioned the dead.file to Hostus.us as well, and they then pointed me in the direction of another thread that had been posted at VestaCP about a hacking.

I feel really sorry for VestaCP as they don't seem to be able to get away from the major exploit in April.  So if someone opens a thread that his VPS has been hacked, everyone runs for cover and the VPS hosts get nervous.  I was cautious however in stopping the VestaCP panel after I had done everything I needed to do, but am almost certain this wasn't a VestaCP problem but an inexperienced and chaotic user who hadn't updated his VestaCP.  His last update predated the April fiasco.

[Mashiro]

For my experience dead.letter also appeared when I accidentally deleted a user account on a VPS that was meant to do backups. At this point I got dead.letters every day with exactly by root to root because it was a system e-mail mailing itself to tell there is an issue somewhere.

I didn't even know that the user account was made for backups. So the other server manager recreated it and dead.letter stopped appearing. It can have many reasons. Generally though it's something related to mailing.

[deanhills]

I just checked and for now the dead.letter is still the same size. What worries me much more now however - and this has never happened to be before with my VPS - during the last two days there have been 92 attempts to login my VPS. None of them by me.

---

I stopped my VestaCP when last I worked with it two days ago - so could that have been it? If VestaCP is stopped fail2ban doesn't work? I've turned Vesta back on. No record of failed login attempts in fail2ban log. So basically not a good idea to stop VestaCP service when fail2ban has been installed through VestaCP?

[Mashiro]

Did you check the content of the file? What does it even say? Sometimes the reason or cause is actually inside the dead.letter content. Feel free to post a small snippet of the content but be sure to omitt any sensitive data.

About VestaCP... https://lowendtalk.com/discussion/147476...mmediately