Hi Jerome, eeek - shell scripts - I'm a pythonista ;)
Cleaning up isn't really the problem - it's understanding how these emails are actually getting submitted in the first place.

Alan

> Date: Tue, 16 Jun 2015 11:34:28 +0200
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [courier-users] spammer masquerading as root
>
> Hello,
>
> Here is one script I use:
>
> ===== purge_courier.sh
> #!/bin/bash
>
> USAGE="Usage: $0 STRING"
>
> if [ $# -ne 1 ]
> then
>     echo "$USAGE"
>     exit 1
> fi
>
> # stop the queue runner before touching spool files
> /etc/init.d/courier-mta stop
> cd /var/lib/courier || exit 1
> # every D (data) file containing the expression: delete it and its C (control) files
> rgrep -l "$1" msgs/*/D* | while read -r DATAFILE
> do
>     CTLFILE=$(basename "$DATAFILE" | sed 's/^D/C/')
>     rm -f "$DATAFILE"
>     find msg* -name "${CTLFILE}*" | xargs --no-run-if-empty rm -f
>     echo "$DATAFILE supprime"
> done
> /etc/init.d/courier-mta start
> exit 0
> ===== end of purge_courier.sh
>
> This script is able to clean your queue using an expression.
> Most of the time, I'm able to clean queues with that.
>
> HTH.
> Jérôme Blion.
>
> On 2015-06-16 11:18, alan milligan wrote:
>> Hi,
>>
>> I've got some nasty spammer managing to send spam via my mail server
>> by somehow authenticating as root (if I understand the logs
>> correctly):
>> Jun 15 22:56:04 hostname courierd:
>> newmsg,id=000000000034D6E2.00000000557F9043.00005D5F, auth=ROOT: dns;
>> User (x.x-x-x.rdns.scalabledns.com [::ffff:x.x.x.x])
>>
>> My authdaemon (latest version: 0.66.2) is configured with pam and
>> ldap (LOGIN auth only): but there is *no* password set for the root
>> user (it's RSA identity only). It would seem quite impossible that
>> this user really can be authenticated as root.
>>
>> Since they are authenticated, it seems I cannot simply block the IP
>> via smtpaccess.
>>
>> This user has caused the mail server to be on a number of blacklists
>> and these spam messages (along with legitimate traffic) are filling up
>> mail queues with multiple failed delivery attempts. Even setting
>> ESMTP_BLOCKBACKSCATTER to include authsmtp/dsn in courierd (latest
>> version: 0.74.2) configuration isn't actually stopping this.
>>
>> What's more, attempting cancelmsg (and I'm getting some thousands of
>> these) to flush the queue is proving pointless: because of the
>> blacklisting no DSN is going to get through to the recipient (spoofed
>> that it is). It would be great if there was an additional option in
>> cancelmsg simply to remove the msgid from the queue - with no DSN
>> processing at all. I'm having to stop courier and manually delete all
>> the msgs/msgq files.
>>
>> Any thoughts upon how I can stop this miscreant sending mail would be
>> greatly appreciated.
>>
>> Alan
------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
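As an added example (not code from this thread or from the Courier project), a small Python script that parses courierd `newmsg` lines of the shape Alan quoted and counts SMTP-auth submissions per account and client IP, flagging accounts such as root that should never be able to authenticate; it assumes the wrapped log excerpt is a single line in the real log, and the sample lines, hostnames and IPs are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches the courierd "newmsg" line shape quoted in the thread (assumption:
# the wrapped excerpt is one line in the real log).
NEWMSG_RE = re.compile(
    r"courierd: newmsg,id=(?P<msgid>[0-9A-F.]+),\s*"
    r"auth=(?P<auth>[^:]+):\s*dns;\s*(?P<helo>\S+)\s*"
    r"\((?P<rdns>[^\s\[\]]+)\s*\[(?P<ip>[^\]]+)\]\)"
)

def parse_newmsg(line):
    """Return the fields of a courierd newmsg line, or None for other lines."""
    m = NEWMSG_RE.search(line)
    if not m:
        return None
    addr = ipaddress.ip_address(m.group("ip"))
    # courier logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return {"msgid": m.group("msgid"), "auth": m.group("auth").strip().lower(),
            "rdns": m.group("rdns"), "ip": str(addr)}

def find_forbidden_submissions(lines, forbidden_accounts=("root",)):
    """Count submissions per (account, client IP) for accounts that should never
    be able to authenticate to SMTP (constructed policy: just 'root' by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_newmsg(line)
        if rec and rec["auth"] in forbidden_accounts:
            counts[(rec["auth"], rec["ip"])] += 1
    return counts

# Constructed sample log lines: documentation-range IPs, invented hostnames,
# message ids made up in the same shape as the one Alan quoted.
SAMPLE_LOG = [
    "Jun 15 22:56:04 hostname courierd: newmsg,id=000000000034D6E2.00000000557F9043.00005D5F, auth=ROOT: dns; User (c1.example.net [::ffff:192.0.2.10])",
    "Jun 15 22:56:09 hostname courierd: newmsg,id=000000000034D6E3.00000000557F9048.00005D60, auth=ROOT: dns; User (c1.example.net [::ffff:192.0.2.10])",
    "Jun 15 22:57:01 hostname courierd: newmsg,id=000000000034D6E4.00000000557F907D.00005D61, auth=alice: dns; mail.example.org (mail.example.org [::ffff:198.51.100.5])",
    "Jun 15 22:57:02 hostname courierd: completed,id=000000000034D6E4.00000000557F907D.00005D61",
]

if __name__ == "__main__":
    for (acct, ip), n in find_forbidden_submissions(SAMPLE_LOG).items():
        print(f"{acct} authenticated from {ip}: {n} message(s) injected")
```

Run against the real courierd log, the per-IP counts for a forbidden account give the addresses to block and the message ids to purge, without guessing from the spam body alone.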
