[BlueOnyx:19737] Re: prevent user from sending e-mail in /etc/mail/access
Meaulnes Legler
bluelist at waveweb.ch
Sat Jun 18 21:12:25 -05 2016
On 16/06/16 01:27, Rodrigo Ordoñez Licona wrote:
>
> Hi Meaulnes Legler
>
> We use this script to clean up the mqueue when this kind of infection
> happens.
>
> You have to identify a string of text in the offending messages. It
> could be the IP of the sender or a line inside the subject, something
> inside the qf file of any of the emails sent. In our cases, most of the
> time "Viagra" or "mortgage" was enough to identify bad emails from good ones.
>
> /usr/bin/find /var/spool/mqueue/ -name 'qf*' -exec echo grep -i
> /'IDENTIFIED_TEXT_ON_QFFILE'/ {} \> /dev/null \&\& echo {} \; | sh |
> awk '{s=$0;sub("qf", "df", s); print "rm " $0 " " s;}' | sh
>
> Hope that helps
>
> Rodrigo O
>
it did, indeed. I'm waiting a while, then will set up that script as a
cron job and enable the account again. Let's see if that works.
I'm wondering why iptables doesn't block that incoming mail with the
spoofed address. I wrote a script that digs out all IPs in
/var/logs/maillog that had the spoofed address entry (about 5'000!) and
DROPped them in iptables. Maybe I have to drop IP blocks instead of
single entries, but that needs a more refined script...
Thank you and best regards
Meaulnes Legler
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ www.WaveWeb.ch ~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ Zurich, Switzerland ~
~ tel: +41 44 2601660 ~
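The "IP blocks instead of single entries" refinement mentioned in the message above, sketched as an added example (not code from either poster): it pulls relay IPs from sendmail log lines carrying the spoofed `from=` address and folds hosts that cluster in one /24 into a single block. The log lines, the address `info@example.org`, the /24 width and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sendmail-style maillog lines (documentation address ranges only).
SAMPLE_LOG = """\
Jun 18 20:01:02 mx sendmail[1201]: u5J1a: from=<info@example.org>, size=912, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jun 18 20:01:09 mx sendmail[1207]: u5J1b: from=<info@example.org>, size=880, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.20] (may be forged)
Jun 18 20:02:41 mx sendmail[1215]: u5J1c: from=<INFO@example.org>, size=901, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.99]
Jun 18 20:03:00 mx sendmail[1220]: u5J1d: from=<info@example.org>, size=870, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Jun 18 20:03:30 mx sendmail[1224]: u5J1e: from=<alice@example.com>, size=2048, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
"""

# relay=[1.2.3.4] or relay=host.name [1.2.3.4]
RELAY_IP = re.compile(r"relay=.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def offending_ips(log_text, spoofed):
    """Relay IPs of lines whose envelope sender is the spoofed address."""
    needle = "from=<%s>" % spoofed.lower()
    ips = set()
    for line in log_text.splitlines():
        match = RELAY_IP.search(line)
        if needle in line.lower() and match:
            try:
                ips.add(ipaddress.ip_address(match.group(1)))
            except ValueError:  # e.g. an octet above 255
                continue
    return ips


def to_blocks(ips, prefix=24, threshold=3):
    """Swap hosts for their /prefix once `threshold` of them share it."""
    per_net = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        per_net[net].add(ip)
    nets = []
    for net, members in per_net.items():
        if len(members) >= threshold:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(str(ip)) for ip in members)
    # collapse_addresses also merges adjacent blocks and sorts the result
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(blocks):
    """Render the blocks as rule text for review; nothing is executed here."""
    return ["iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % b for b in blocks]


if __name__ == "__main__":
    print("\n".join(iptables_rules(to_blocks(offending_ips(SAMPLE_LOG, "info@example.org")))))
```

A whole /24 can also contain legitimate senders, so the generated rules are meant to be read before they are loaded.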