Hi Lads,

I have had the unfortunate experience of having a client of my ISP fill my
server queues with spam... I know I will have to increase my spam
prevention measures, but for those of you who may experience the same I
have a rough procedure for clearing down the spam in the mail queues.

This procedure shows an admin how to quarantine the offending client,
search for spam messages in the queue and remove the spam messages.


On that note it would be useful to have a way to remove all mails in a mail
queue based on sender email address / source IP address. I have listed a
clunky approach for "closing the barn door after the horse has bolted".

1) Turn off the MTA ... this will let our mail server accept mail but it
   won't forward it ...
smtpctl pause mta
2) less /var/log/maillog       # this will let you look for the offending
   source IP ...
3) edit /etc/pf.conf and replace SPAM_SRC_IP with the IP of the spammer
block in quick on egress proto tcp from SPAM_SRC_IP
4) pfctl -nf /etc/pf.conf        # check the syntax of the firewall rule
   set (no output is good)
5) pfctl -f /etc/pf.conf         # load the rule set
6) pfctl -sr                     # show the firewall rule set


Repeat this process on all the mail servers.

Now there can be 1000s of mails in the queue that could result in further
blacklisting, so it is best to delete the spam from the mail servers; do this
on both servers in parallel to speed up resolution.

7) smtpctl show queue       # shows mails in the queue; look for patterns
   from or to a particular spam address, e.g. [email protected]

8) smtpctl show queue | grep sourcespam@address > list_of_spam_In_queue

9) cut -d \| -f1 list_of_spam_In_queue > spamenvelopenumbers
# the above line puts the spam envelope numbers in a single-column text file

10) vi spamenvelopenumbers    # edit the envelope numbers file and insert
# "smtpctl remove" at the start of each line; to do this open the file in vi,
a) hit esc then paste the following line
:%s/^/smtpctl remove  /

b) hit enter
11) save the file by hitting esc and pasting the following line
:wq
12) chmod +x spamenvelopenumbers

13) ./spamenvelopenumbers > /dev/null  # removes spam from queue but this
    # can take a while
14) smtpctl show queue       # check for more spam and repeat steps 8-13
    # as required
15) once the queue only has legitimate mail you are ready to de-list your
    server IP from spam lists
16) smtpctl resume mta      # once you have removed the IPs from the spam
    # lists you can restart the MTA...
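As an added example (not part of Tom's post or of OpenSMTPD itself), the shell function below collapses steps 8 to 13 into one reviewable pipeline: it matches the sender field exactly instead of grepping the whole line, so a legitimate address that merely contains the spam address as a substring is not removed. The queue listing embedded here is constructed, and the field positions (field 1 = envelope id, field 5 = sender) are an assumption to verify against your own smtpctl show queue output.

```shell
#!/bin/sh
# Added example, not from the original post: build "smtpctl remove <id>"
# commands for every queued envelope whose sender matches SENDER exactly.
# Assumption: smtpctl show queue prints '|'-separated fields with the
# envelope id in field 1 and the sender address in field 5. Check this
# against your own server's output before relying on the field numbers.

# build_remove_cmds SENDER < queue_listing
build_remove_cmds() {
    sender=$1
    awk -F'|' -v s="$sender" '
        # exact match on the sender field: a plain grep would also hit
        # legitimate mail whose address contains the spam address
        $5 == s && $1 != "" { print "smtpctl remove " $1 }
    '
}

# count_matches SENDER < queue_listing : how many envelopes would be removed
count_matches() {
    build_remove_cmds "$1" | wc -l | tr -d ' '
}

# Constructed sample queue listing (not a real dump from any server).
SAMPLE_QUEUE='0a1b2c3d4e5f6071|inet4|mta||spammer@example.net|victim1@example.org|example.org|1600000000|1600345600|0|0|pending|
0a1b2c3d4e5f6072|inet4|mta||alice@example.com|bob@example.org|example.org|1600000001|1600345601|0|0|pending|
0a1b2c3d4e5f6073|inet4|mta||spammer@example.net|victim2@example.org|example.org|1600000002|1600345602|0|0|pending|
0a1b2c3d4e5f6074|inet4|mda||notspammer@example.net|carol@example.org|example.org|1600000003|1600345603|0|0|pending|'

# Dry run against the sample: prints two "smtpctl remove" lines, and leaves
# notspammer@example.net alone even though it contains "spammer@example.net".
printf '%s\n' "$SAMPLE_QUEUE" | build_remove_cmds 'spammer@example.net'

# Live usage: review the generated file first, then execute it.
#   smtpctl show queue | build_remove_cmds 'spammer@example.net' > remove_spam.sh
#   sh remove_spam.sh
```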


I hope this helps

-- 
Kindest regards,
Tom Smyth