[BlueOnyx:19722] Re: prevent user from sending e-mail in /etc/mail/access

Rodrigo Ordoñez Licona rodrigo at xnet.mx
Wed Jun 15 18:27:07 -05 2016


Hi Meaulnes Legler,

We use this script to clean up the mqueue when this kind of infection
happens.

You have to identify a string of text in the offending messages. It could be
the IP of the sender, a line inside the subject, or something inside the qf
file of any of the emails sent. In our case, most of the time "Viagra" or
"mortgage" was enough to tell bad emails from good ones.



Replace the text IDENTIFIED_TEXT_ON_QFFILE:

# For every qf (control) file that matches, remove it together with its df (body) file.
/usr/bin/find /var/spool/mqueue/ -name 'qf*' \
    -exec echo grep -i 'IDENTIFIED_TEXT_ON_QFFILE' {} \> /dev/null \&\& echo {} \; \
    | sh \
    | awk '{s=$0; sub("qf", "df", s); print "rm " $0 " " s;}' \
    | sh

Hope that helps.

Rodrigo O
Xnet
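As an added example (not Rodrigo's script and not part of the BlueOnyx project), the same triage done a little more defensively: count the queue, tally the envelope senders so the compromised account stands out before anything is touched, and move matching qf/df pairs to a quarantine directory instead of deleting them (Chuck's "rm -f *" loses legitimate customer mail; a quarantine can be restored). It assumes the sendmail qf*/df* naming and the "S<sender>" and "H??Subject:" lines that appear in qf files.

```shell
#!/bin/sh
# Constructed example: inspect a sendmail mqueue and quarantine matching
# messages. Assumes qf* control files (one per message) carrying an
# "S<sender>" line and "H??Subject:" header lines, and df* body files.
# Stop sendmail before running, as the list thread recommends.

MQUEUE="${MQUEUE:-/var/spool/mqueue}"
QUARANTINE="${QUARANTINE:-/var/spool/mqueue.quarantine}"

# Number of queued messages (one qf control file per message).
queue_count() {
    find "$1" -maxdepth 1 -name 'qf*' | wc -l | tr -d ' '
}

# Tally envelope senders across all qf files, most frequent first.
# A single flooded or compromised account usually dominates this list.
sender_tally() {
    grep -h '^S' "$1"/qf* 2>/dev/null | cut -c2- | sort | uniq -c | sort -rn
}

# Move every qf/df pair whose qf file matches PATTERN (case-insensitive)
# from QUEUE into DEST. Prints the number of messages moved.
quarantine_matching() {
    pattern="$1"; queue="$2"; dest="$3"; moved=0
    mkdir -p "$dest"
    for qf in $(grep -il -- "$pattern" "$queue"/qf* 2>/dev/null); do
        base=$(basename "$qf")            # e.g. qfSAMPLE1
        df="$queue/df${base#qf}"          # matching body file dfSAMPLE1
        mv -f "$qf" "$dest/" && moved=$((moved + 1))
        [ -f "$df" ] && mv -f "$df" "$dest/"
    done
    echo "$moved"
}

# Usage: sh mqueue-triage.sh tally
#        sh mqueue-triage.sh quarantine 'viagra'
case "${1:-}" in
    tally)      echo "queued: $(queue_count "$MQUEUE")"; sender_tally "$MQUEUE" ;;
    quarantine) echo "moved: $(quarantine_matching "$2" "$MQUEUE" "$QUARANTINE")" ;;
esac
```

Restart sendmail only after the quarantine step; anything in the quarantine directory can be moved back into /var/spool/mqueue if it turns out to be legitimate.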

 

From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
Meaulnes Legler
Sent: Wednesday, 15 June 2016 03:29 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:19721] Re: prevent user from sending e-mail in /etc/mail/access

 

Thank you Chuck, that helped indeed!

There were about 16'000 files in /var/spool/mqueue, incredible! And I had to
restart sendmail *immediately* after deleting them all, else the queue got
populated again right away... How that happens, I wonder...

I hope this will last for a while; it has so far.

Thank you so much for your help!

Meaulnes Legler
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
~   www.WaveWeb.ch <http://www.waveweb.ch/>     ~ 
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
~   Zurich, Switzerland  ~ 
~ +41\0 44 260 16 60 ~ 
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 



On 15/06/16 17:13, Chuck Tetlow wrote:

It may be mail still on the server, waiting to go out. And as soon as you
enable Sendmail again, it starts flowing.

Check to see what's waiting on the server to go out with the command-line
command "mailq", or if it's long, "mailq | more". The last line should be
the number of messages waiting to go out from your server. Most servers are
usually at 0, since mail goes out quickly. If there are just a few, this isn't
the problem. But if there are a LOT (I've seen 40,000+ on an exploited
server before), you have to get rid of them!

In that case, go into /var/spool/mqueue, which is the directory mail sits
in while waiting to go out. Each message is either one or two files, so
there could be a LOT of files in here if there are a lot of messages in the
"mailq" output. And while there could be valid customer e-mails in there,
it's VERY time-consuming to identify which is which. So I just delete
everything in that directory, risking losing a couple of valid customer
e-mails along with all the SPAM in there. Just "rm -f *" in that directory
to get rid of them all, and then restart the mail services on your server.

Good luck cleaning up. I know your pain!!


Chuck 



---------- Original Message ----------- 
From: Meaulnes Legler  <mailto:bluelist at waveweb.ch> <bluelist at waveweb.ch> 
To: BlueOnyx General Mailing List  <mailto:blueonyx at mail.blueonyx.it>
<blueonyx at mail.blueonyx.it> 
Sent: Wed, 15 Jun 2016 16:43:34 +0200 
Subject: [BlueOnyx:19711] prevent user from sending e-mail in
/etc/mail/access 

> Dear list,
> 
> With iptables, I have been able to stop the e-mail flooding attacking a 
> specific user, see previous post [BlueOnyx:19698] Re: e-mail flooding 
> 
> But that user is still sending out tons of mails if I enable it again 
> (unchecking «Suspend» in the GUI), thousands in a couple of hours with 
> subjects like: 
>     Subject: Warning: could not send message for past 4 hours 
>     Subject: Returned mail: see transcript for details 
> That user must have some virus and I'm afraid that my server will be 
> tagged... 
> 
> I read that I could prevent a user from sending e-mail by adding these 
> lines to /etc/mail/access 
>     From:janis at legler.org     REJECT      # Reject user from sending mails
> and restarting sendmail. But /etc/mail/access is pretty much empty: 
> 
> -------------------------------------------- 
> # By default we allow relaying from localhost... 
> Connect:localhost.localdomain           RELAY 
> Connect:localhost                       RELAY 
> Connect:127.0.0.1                       RELAY 
> # Cobalt Access Section Begin 
> 
> # Cobalt Access Section End 
> /etc/mail/access lines 1-15/15 (END) 
> -------------------------------------------- 
> 
> Can I do so as said above without compromising the mailer? 
> 
> Thank you and best regards 
> 
> Meaulnes Legler 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> ~ http://www.WaveWeb.ch <http://www.waveweb.ch/>  ~ 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> ~  Zurich, Switzerland  ~ 
> ~  +41\0 44 260 16 60   ~ 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at mail.blueonyx.it 
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message ------- 
