Hi Lads, here is an updated procedure that might be a little less laborious to clear nuisance mails from your mail queues.

Once you have identified the culprit mail that you want to remove, for example you want to remove [email protected], for simplicity and to avoid having to escape special characters I suggest using as much of the email address as makes it unique without including the "." So for our example here I'm going to search for and remove bad_emailaddress@domain (I'm excluding the .com in this example).

The command below searches envelope ids that contain mails to/from the bad email address and then pipes the envelope id into the smtpctl remove command:

smtpctl show queue |grep bad_emailaddress@domain|cut -d \| -f1 |xargs -L1 smtpctl remove

So the procedure for dealing with a spam outbreak would be ...

1)# Turn off MTA ... this will let our mail server accept mail but it won't forward it ...
smtpctl pause mta
2) less /var/log/maillog # this will let you look for the offending Source IP ...
3) edit /etc/pf.conf and replace SPAM_SRC_IP with ip of spammer
block in quick on egress proto tcp from SPAM_SRC_IP
4) pfctl -nf /etc/pf.conf # check the syntax of the firewall rule set (no output is good)
5) pfctl -f /etc/pf.conf # load the rule set
6) pfctl -sr # show firewall rule set

Repeat this process on all the mail servers.

Now there can be 1000s of mails that could result in further blacklisting, so it is best to delete the spam from the mail servers. Do this on both servers in parallel to speed up resolution.

7) smtpctl show queue # shows mails in the queue; look for patterns from or to a particular spam address eg [email protected]
8-13) search for and remove bad mails from the queue by running the following command
smtpctl show queue |grep bad_emailaddress@domain|cut -d \| -f1 |xargs -L1 smtpctl remove
14) smtpctl show queue # check for more spam and repeat process 8-13 as
#required
15) once the queue only has legitimate mail you are ready to de-list your
#server IP from spam lists
16) smtpctl resume mta # once you have removed the ips from the spam lists
#you can restart the MTA...
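As an added example (not part of Tom's mails): a POSIX sh helper that selects envelope ids by exact address match instead of a substring grep, so "." needs no escaping and a look-alike address is not swept up, and that prints the removal commands for review before anything is deleted. The queue lines are a constructed sample in the pipe-delimited shape the pipeline above relies on, not real smtpctl output, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pick envelope ids out of a
# pipe-delimited queue listing by exact address match, and emit the removal
# commands for review before anything is deleted.

# Constructed sample in the pipe-delimited shape the posted pipeline relies on
# (envelope id in the first field, addresses in later fields). It is NOT real
# smtpctl output; check the column layout of your own server before use.
SAMPLE_QUEUE='1a2b3c4d5e6f7a8b|mta|pending|bad_emailaddress@domain.com|victim@example.org
2b3c4d5e6f7a8b9c|mta|pending|good_user@example.net|someone@example.org
3c4d5e6f7a8b9cad|mda|pending|friend@example.com|bad_emailaddress@domain.com
4d5e6f7a8b9cadbe|mta|pending|notbad_emailaddress@domain.com.evil|x@example.org'

# spam_envelopes ADDRESS
# Reads a queue listing on stdin and prints the envelope id (field 1) of every
# line where some later field equals ADDRESS exactly (case-insensitive).
# An exact field comparison needs no regex escaping of "." and, unlike a
# substring grep, does not catch the look-alike address on the last sample line.
spam_envelopes() {
    awk -F'|' -v addr="$1" '
        BEGIN { addr = tolower(addr) }
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == addr) { print $1; next }
        }'
}

# removal_commands ADDRESS
# Same selection, rendered as one "smtpctl remove <id>" line per envelope, which
# is what the vi-based steps in the earlier mail built by hand. Inspect the list,
# then run it with:  smtpctl show queue | removal_commands ADDRESS | sh
removal_commands() {
    spam_envelopes "$1" | sed 's/^/smtpctl remove /'
}

# count_envelopes ADDRESS: how many envelopes in SAMPLE_QUEUE would be removed.
count_envelopes() {
    printf '%s\n' "$SAMPLE_QUEUE" | spam_envelopes "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_QUEUE" | removal_commands bad_emailaddress@domain.com
```

Unlike the partial-match grep in the mail, this requires the full address; the trade-off is that a shortened pattern such as bad_emailaddress@domain matches nothing here.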
On Tue, Sep 1, 2015 at 1:34 PM, Tom Smyth <[email protected]> wrote:
> Hi Lads,
>
> I have had the unfortunate experience of having a client of my ISP fill my
> server queues with spam... I know I will have to increase my spam
> prevention measures, but for those of you who may experience the same I
> have a rough procedure for clearing down the spam in the mail queues.
>
> This procedure shows an admin how to quarantine the offending client,
> search for spam messages in the queue and remove the spam messages.
>
> On that note it would be useful to have a way to remove all mails in a
> mail queue based on sender email address / source IP address. I have
> listed a clunky approach for "closing the barn door after the horse has
> bolted".
>
> 1)# Turn off MTA ... this will let our mail server accept mail but it won't
> forward it ...
> smtpctl pause mta
> 2) less /var/log/maillog # this will let you look for the offending
> Source IP ...
> 3) edit /etc/pf.conf and replace SPAM_SRC_IP with ip of spammer
> block in quick on egress proto tcp from SPAM_SRC_IP
> 4) pfctl -nf /etc/pf.conf # check the syntax of the firewall rule
> set (no output is good)
> 5) pfctl -f /etc/pf.conf # load the rule set
> 6) pfctl -sr # show firewall rule set
>
> Repeat this process on all the mail servers.
>
> Now there can be 1000s of mails that could result in further blacklisting,
> so it is best to delete the spam from the mail servers. Do this on both
> servers in parallel to speed up resolution.
>
> 7) smtpctl show queue # shows mails in the queue; look for patterns
> from or to a particular spam address eg [email protected]
>
> 8) smtpctl show queue |grep sourcespam@address >list_of_spam_In_queue
>
> 9) cut -d \| -f1 list_of_spam_In_queue >spamenvelopenumbers
> # the above line puts the spam envelope numbers in a single column text file
>
> 10) vi spamenvelopenumbers # edit the envelope numbers file and
> # insert smtpctl remove at the start of each line. To do this open the file
> in vi,
> a) hit esc then paste the following line
> :%s/^/smtpctl remove /
> d) hit enter
> 11) save the file by hitting esc and paste the following line
> :wq
> 12) chmod +x spamenvelopenumbers
>
> 13) ./spamenvelopenumbers >/dev/null # removes spam from queue but this
> can take a
> #while
> 14) smtpctl show queue # check for more spam and repeat process 8-13 as
> #required
> 15) once the queue only has legitimate mail you are ready to de-list your
> #server IP from spam lists
> 16) smtpctl resume mta # once you have removed the ips from the spam lists
> #you can restart the MTA...
>
> I hope this helps
>
> --
> Kindest regards,
> Tom Smyth

--
Kindest regards,
Tom Smyth
Mobile: +353 87 6193172
