<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ES-MX link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>HI </span>Meaulnes Legler<span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <span lang=EN-US><o:p></o:p></span></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We use this script to cleanup the mqueue When this kind of infecttions happen,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You have to identify a string of text on the offending messages, It could be the ip of the sender or a line inside the subject something inside the qf File of any of the emails sent. In our cases mos of the time Viagra or mortgage was enogh to identify bad emails from good ones<br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Replace the text IDENTIFIED_TEXT_ON_QFFILE<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>/usr/bin/find /var/spool/mqueue/ -name 'qf*' -exec echo grep -i 'IDENTIFIED_TEXT_ON_QFFILE' {} \> /dev/null \&\& echo {} \; | sh | awk '{s=$0;sub("qf", "df", s); print "rm " $0 " " s;}' | sh<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hope that helps<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></a></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rodrigo O<br>Xnet<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Blueonyx [mailto:blueonyx-bounces@mail.blueonyx.it] <b>On Behalf Of </b>Meaulnes Legler<br><b>Sent:</b> miércoles, 15 de junio de 2016 03:29 p. m.<br><b>To:</b> BlueOnyx General Mailing List<br><b>Subject:</b> [BlueOnyx:19721] Re: prevent user from sending e-mail in /etc/mail/access<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'>thank you Chuck, that helped indeed!<br><br>there were about 16'000 files in /var/spool/mqueue, incredible! And I had to restart sendmail *immediately* after deleting them all, else the queue got populated again right away... How that happens, I wonder...<br><br>I hope this will last for a while, it did it until yet.<br><br>Thank you so much for your help!<br><br>Meaulnes Legler<span style='font-size:10.0pt'><br>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <br>~ <a href="http://www.waveweb.ch/" target="_blank">www.WaveWeb.ch</a> ~ <br>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <br>~ Zurich, Switzerland ~ <br>~ +41\0 44 260 16 60 ~ <br>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ </span><br><br><o:p></o:p></p><div><p class=MsoNormal>On 15/06/16 17:13, Chuck Tetlow wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>It may be mail still on the server, waiting to go out. And as soon as you enable Sendmail again - it starts flowing. <br><br>Check to see what's waiting on the server to go out with the command-line command "mailq", or if its long - "mailq | more". The last line should be the number of messages waiting to go out from your server. Most servers are usually 0 - since mail goes out quickly. If there just a few - this isn't the problem. But if there are a LOT (I've seen 40,000+ on a exploited server before) - you have to get rid of them! <br><br>In that case, go into /var/spool/mqueue - which is the directory mail sits in while waiting to go out. Each message is either one or two files - so there could be a LOT of files in here if there are a lot of messages in the "mailq" output. And while there could be valid customer e-mails in there - its VERY time consuming to identify which is which. So I just delete everything in that directory - risking loosing a couple of valid customer e-mails along with all the SPAM in there. Just "rm -f *" in that directory to get rid of them all, and then restart the mail services on your server. <br><br>Good luck cleaning up. I know your pain!! <br><br><br>Chuck <br><br><span style='font-size:10.0pt'><br><br><b>---------- Original Message -----------</b> <br>From: Meaulnes Legler <a href="mailto:bluelist@waveweb.ch"><bluelist@waveweb.ch></a> <br>To: BlueOnyx General Mailing List <a href="mailto:blueonyx@mail.blueonyx.it"><blueonyx@mail.blueonyx.it></a> <br>Sent: Wed, 15 Jun 2016 16:43:34 +0200 <br>Subject: [BlueOnyx:19711] prevent user from sending e-mail in /etc/mail/access <br><br>> dear list <br>> <br>> with iptables, I have been able to stop the e-mail flooding attacking a <br>> specific user, see previous post [BlueOnyx:19698] Re: e-mail flooding <br>> <br>> But that user is still sending out tons of mails if I enable it again <br>> (unchecking «Suspend» in the GUI), thousands in a couple of hours with <br>> subjects like: <br>> Subject: Warning: could not send message for past 4 hours <br>> Subject: Returned mail: see transcript for details <br>> That user must have some virus and I'm afraid that my server will be <br>> tagged... <br>> <br>> I read that I could prevent user from sending e-mail by adding these <br>> lines to /etc/mail/access <br>> <a href="mailto:From:janis@legler.org">From:janis@legler.org</a> REJECT # Reject user from sending mails <br>> and restarting sendmail. But /etc/mail/access is pretty much empty: <br>> <br>> -------------------------------------------- <br>> # By default we allow relaying from localhost... <br>> Connect:localhost.localdomain RELAY <br>> Connect:localhost RELAY <br>> Connect:127.0.0.1 RELAY <br>> # Cobalt Access Section Begin <br>> <br>> # Cobalt Access Section End <br>> /etc/mail/access lines 1-15/15 (END) <br>> -------------------------------------------- <br>> <br>> Can I do so as said above without compromising the mailer? <br>> <br>> Thank you and best regards <br>> <br>> Meaulnes Legler <br>> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <br>> ~ <a href="http://www.waveweb.ch/" target="_blank">http://www.WaveWeb.ch</a> ~ <br>> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <br>> ~ Zurich, Switzerland ~ <br>> ~ +41\0 44 260 16 60 ~ <br>> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <br>> <br>> _______________________________________________ <br>> Blueonyx mailing list <br>> <a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a> <br>> <a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a> <br><b>------- End of Original Message -------</b> </span><o:p></o:p></p></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>