[BlueOnyx:19721] Re: prevent user from sending e-mail in /etc/mail/access

Meaulnes Legler bluelist at waveweb.ch
Wed Jun 15 16:29:20 -05 2016


thank you Chuck, that helped indeed!

there were about 16'000 files in /var/spool/mqueue, incredible! And I 
had to restart sendmail *immediately* after deleting them all, else the 
queue got populated again right away... How that happens, I wonder...

I hope this will last for a while; it has so far.

Thank you so much for your help!

Meaulnes Legler
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ www.WaveWeb.ch <http://www.waveweb.ch/>    ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~   Zurich, Switzerland  ~
~ +41\0 44 260 16 60 ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


On 15/06/16 17:13, Chuck Tetlow wrote:
> It may be mail still on the server, waiting to go out.  And as soon as 
> you enable Sendmail again - it starts flowing.
>
> Check to see what's waiting on the server to go out with the 
> command-line command "mailq", or if it's long - "mailq | more". The 
> last line should be the number of messages waiting to go out from your 
> server.  Most servers are usually 0 - since mail goes out quickly.  If 
> there are just a few - this isn't the problem.  But if there are a LOT 
> (I've seen 40,000+ on an exploited server before) - you have to get rid 
> of them!
>
> In that case, go into /var/spool/mqueue - which is the directory mail 
> sits in while waiting to go out.  Each message is either one or two 
> files - so there could be a LOT of files in here if there are a lot of 
> messages in the "mailq" output.  And while there could be valid 
> customer e-mails in there - it's VERY time consuming to identify which 
> is which.  So I just delete everything in that directory - risking 
> losing a couple of valid customer e-mails along with all the SPAM in 
> there.  Just "rm -f *" in that directory to get rid of them all, and 
> then restart the mail services on your server.
>
> Good luck cleaning up.  I know your pain!!
>
>
> Chuck
>
>
>
> *---------- Original Message -----------*
> From: Meaulnes Legler <bluelist at waveweb.ch>
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Sent: Wed, 15 Jun 2016 16:43:34 +0200
> Subject: [BlueOnyx:19711] prevent user from sending e-mail in 
> /etc/mail/access
>
> > dear list
> >
> > with iptables, I have been able to stop the e-mail flooding attacking a
> > specific user, see previous post [BlueOnyx:19698] Re: e-mail flooding
> >
> > But that user is still sending out tons of mails if I enable it again
> > (unchecking «Suspend» in the GUI), thousands in a couple of hours with
> > subjects like:
> >     Subject: Warning: could not send message for past 4 hours
> >     Subject: Returned mail: see transcript for details
> > That user must have some virus and I'm afraid that my server will be
> > tagged...
> >
> > I read that I could prevent user from sending e-mail by adding these
> > lines to /etc/mail/access
> > From:janis at legler.org     REJECT      # Reject user from sending mails
> > and restarting sendmail. But /etc/mail/access is pretty much empty:
> >
> > --------------------------------------------
> > # By default we allow relaying from localhost...
> > Connect:localhost.localdomain           RELAY
> > Connect:localhost                       RELAY
> > Connect:127.0.0.1                       RELAY
> > # Cobalt Access Section Begin
> >
> > # Cobalt Access Section End
> > /etc/mail/access lines 1-15/15 (END)
> > --------------------------------------------
> >
> > Can I do so as said above without compromising the mailer?
> >
> > Thank you and best regards
> >
> > Meaulnes Legler
> > ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> > ~ http://www.WaveWeb.ch <http://www.waveweb.ch/> ~
> > ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> > ~  Zurich, Switzerland  ~
> > ~  +41\0 44 260 16 60   ~
> > ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> >
> *------- End of Original Message -------*
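
The thread's clean-up removes everything in /var/spool/mqueue, valid customer mail included. As an added example (not part of either poster's message), the script below moves only the queued messages from one envelope sender into a holding directory. It assumes the sendmail qf control-file layout in which the line beginning with "S" holds the envelope sender, and that sendmail is stopped while files are moved; the function names, addresses and queue IDs are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes the sendmail qf control-file
# layout in which the line beginning with "S" holds the envelope sender,
# and that sendmail is stopped while queue files are moved.

# quarantine_sender QUEUE_DIR HOLD_DIR ADDRESS
# Moves every qf file whose envelope sender is ADDRESS, plus its df body,
# into HOLD_DIR and echoes the number of messages moved.
quarantine_sender() {
    local queue="$1" hold="$2" addr moved=0 qf id sender
    addr=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    mkdir -p "$hold" || return 1
    for qf in "$queue"/qf*; do
        [ -f "$qf" ] || continue   # empty queue: the glob stays literal
        # First S line, e.g. S<user@example.org>, stripped of S and <>
        sender=$(sed -n '/^S/{s/^S//;s/[<>]//g;p;q;}' "$qf" | tr 'A-Z' 'a-z')
        [ "$sender" = "$addr" ] || continue
        id=${qf##*/qf}
        mv -- "$qf" "$hold/" || return 1
        if [ -f "$queue/df$id" ]; then mv -- "$queue/df$id" "$hold/"; fi
        moved=$((moved + 1))
    done
    echo "$moved"
}

# make_sample_queue DIR: constructed, simplified queue entries (not real mail)
make_sample_queue() {
    local dir="$1" entry id from
    mkdir -p "$dir"
    for entry in u5FAAA01:janis@example.org u5FAAA02:alice@example.net \
                 u5FAAA03:janis@example.org; do
        id=${entry%%:*}; from=${entry#*:}
        printf 'V8\nT1466000000\nS<%s>\nRPFD:<rcpt@example.com>\n' "$from" > "$dir/qf$id"
        printf 'constructed body\n' > "$dir/df$id"
    done
}

# Demo on a throwaway directory
demo=$(mktemp -d)
make_sample_queue "$demo/mqueue"
echo "quarantined: $(quarantine_sender "$demo/mqueue" "$demo/hold" janis@example.org)"
echo "left in queue: $(ls "$demo/mqueue" | tr '\n' ' ')"
rm -rf "$demo"
```

Held files can be reviewed before anything is deleted, and "mailq" afterwards shows what remains queued.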
