Hi Meaulnes Legler,

We use this script to clean up the mqueue when this kind of infection happens. You have to identify a string of text in the offending messages; it could be the IP of the sender, a line inside the subject, or something inside the qf file of any of the e-mails sent. In our case, most of the time "Viagra" or "mortgage" was enough to tell bad e-mails from good ones. Replace the text IDENTIFIED_TEXT_ON_QFFILE:

    /usr/bin/find /var/spool/mqueue/ -name 'qf*' -exec echo grep -i 'IDENTIFIED_TEXT_ON_QFFILE' {} \> /dev/null \&\& echo {} \; | sh | awk '{s=$0;sub("qf", "df", s); print "rm " $0 " " s;}' | sh

Hope that helps,

Rodrigo O
Xnet

From: Blueonyx [mailto:blueonyx-boun...@mail.blueonyx.it] On Behalf Of Meaulnes Legler
Sent: Wednesday, 15 June 2016 03:29 p.m.
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:19721] Re: prevent user from sending e-mail in /etc/mail/access

Thank you Chuck, that helped indeed! There were about 16'000 files in /var/spool/mqueue, incredible! And I had to restart sendmail *immediately* after deleting them all, else the queue got populated again right away... How that happens, I wonder... I hope this will last for a while; it has so far.

Thank you so much for your help!

Meaulnes Legler
www.WaveWeb.ch
Zurich, Switzerland
+41\0 44 260 16 60

On 15/06/16 17:13, Chuck Tetlow wrote:

It may be mail still on the server, waiting to go out. And as soon as you enable Sendmail again - it starts flowing. Check to see what's waiting on the server to go out with the command-line command "mailq", or if it's long - "mailq | more". The last line should be the number of messages waiting to go out from your server. Most servers are usually at 0 - since mail goes out quickly. If there are just a few - this isn't the problem. But if there are a LOT (I've seen 40,000+ on an exploited server before) - you have to get rid of them!

In that case, go into /var/spool/mqueue - which is the directory mail sits in while waiting to go out. Each message is either one or two files - so there could be a LOT of files in here if there are a lot of messages in the "mailq" output. And while there could be valid customer e-mails in there - it's VERY time consuming to identify which is which. So I just delete everything in that directory - risking losing a couple of valid customer e-mails along with all the SPAM in there. Just "rm -f *" in that directory to get rid of them all, and then restart the mail services on your server.

Good luck cleaning up. I know your pain!!

Chuck

---------- Original Message -----------
From: Meaulnes Legler <bluel...@waveweb.ch>
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
Sent: Wed, 15 Jun 2016 16:43:34 +0200
Subject: [BlueOnyx:19711] prevent user from sending e-mail in /etc/mail/access

> Dear list,
>
> With iptables, I have been able to stop the e-mail flooding attacking a
> specific user, see previous post [BlueOnyx:19698] Re: e-mail flooding
>
> But that user is still sending out tons of mails if I enable it again
> (unchecking «Suspend» in the GUI), thousands in a couple of hours with
> subjects like:
> Subject: Warning: could not send message for past 4 hours
> Subject: Returned mail: see transcript for details
> That user must have some virus and I'm afraid that my server will be
> tagged...
>
> I read that I could prevent the user from sending e-mail by adding these
> lines to /etc/mail/access
> From:ja...@legler.org REJECT # Reject user from sending mails
> and restarting sendmail. But /etc/mail/access is pretty much empty:
>
> --------------------------------------------
> # By default we allow relaying from localhost...
> Connect:localhost.localdomain RELAY
> Connect:localhost RELAY
> Connect:127.0.0.1 RELAY
> # Cobalt Access Section Begin
>
> # Cobalt Access Section End
> /etc/mail/access lines 1-15/15 (END)
> --------------------------------------------
>
> Can I do so as said above without compromising the mailer?
>
> Thank you and best regards
>
> Meaulnes Legler
> http://www.WaveWeb.ch
> Zurich, Switzerland
> +41\0 44 260 16 60
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx@mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
------- End of Original Message -------
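A more careful equivalent of the targeted cleanup described in the thread (Rodrigo's echo-to-sh one-liner and Chuck's blanket "rm -f *"), added here as an example and not taken from any post: it matches only qf control files, removes each matching qf/df pair, and offers a dry run so the list can be reviewed before anything is deleted. The default queue directory and the flat qf/df layout are assumptions; queue ids are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Usage: purge_mqueue_matching PATTERN [QUEUE_DIR] [DRYRUN]
#   PATTERN   case-insensitive text expected in the offending qf files
#   QUEUE_DIR sendmail queue directory (assumed default /var/spool/mqueue)
#   DRYRUN    set to 1 to list the pairs that would be removed (on stderr)
# Prints the number of matching queue entries on stdout.
purge_mqueue_matching() {
    pattern=$1
    queue_dir=${2:-/var/spool/mqueue}
    dryrun=${3:-0}
    count=0
    # grep -l prints only the names of qf files containing the pattern;
    # "|| true" keeps a no-match grep exit status from aborting under set -e.
    # Word-splitting the result is safe because sendmail queue ids have no
    # whitespace (assumption documented in the lead-in).
    for qf in $(find "$queue_dir" -type f -name 'qf*' \
                    -exec grep -il -- "$pattern" {} + 2>/dev/null || true); do
        # Derive the data file from the control file by swapping the "qf"
        # prefix on the basename only, so a "qf" elsewhere in the directory
        # path is never touched. Assumes the flat layout where qf* and df*
        # sit side by side, as in the thread.
        dir=$(dirname "$qf")
        id=${qf##*/qf}
        df="$dir/df$id"
        if [ "$dryrun" = 1 ]; then
            echo "would remove: $qf $df" >&2
        else
            rm -f -- "$qf" "$df"
        fi
        count=$((count + 1))
    done
    echo "$count"
}
```

Run a dry run first, then the real pass, and restart sendmail afterwards so nothing already picked up by a running queue runner is re-queued, as the thread observed.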