<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<small>On 16/06/16 01:27, Rodrigo Ordoñez Licona wrote:</small><br>
<blockquote cite="mid:11d901d1c75d$7073d3a0$515b7ae0$@xnet.mx"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Hi Meaulnes Legler</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">We use this script to clean up the mqueue when
this kind of infection happens.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">You have to identify a string of text in the
offending messages. It could be the IP of the sender, or a
line inside the subject, something inside the qf file of any
of the emails sent. In our cases, most of the time Viagra or
mortgage was enough to identify bad emails from good ones.<br>
</span></p>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:monospace;" lang="EN-US">/usr/bin/find
/var/spool/mqueue/ -name 'qf*' -exec echo grep -i <i>'IDENTIFIED_TEXT_ON_QFFILE'</i>
{} \> /dev/null \&\& echo {} \; | sh | awk
'{s=$0;sub("qf", "df", s); print "rm " $0 " " s;}' | sh</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Hope that helps</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Rodrigo O<br>
</span></p>
</div>
</blockquote>
It did, indeed. I'm waiting a while, then will set up that script as
a cron job and enable the account again. Let's see if that works.<br>
<br>
I'm wondering why iptables doesn't block that incoming mail with the
spoofed address. I wrote a script that digs out all IPs in
/var/logs/maillog that had the spoofed address entry (about 5'000!)
and DROPped them in iptables. Maybe I have to drop IP blocks instead
of single entries, but that needs a more refined script...<br>
<br>
Thank you and best regards<br>
<br>
Meaulnes Legler
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~</td>
</tr>
<tr>
<td>~ <tt> <a class="moz-txt-link-abbreviated" href="http://www.WaveWeb.ch">www.WaveWeb.ch</a> </tt> ~</td>
</tr>
<tr>
<td>~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~</td>
</tr>
<tr>
<td>~ <small><tt>Zurich, Switzerland</tt></small> ~
<br>
~ <small><tt>tel: +41 44 2601660</tt></small> ~</td>
</tr>
</tbody>
</table>
<br>
<br>
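<p>A variant of the quoted queue cleanup that passes file names to grep as arguments instead of piping generated text through sh, and lists matches before anything is deleted. This is an added example, not the script from either message; the function name purge_mqueue, its list/delete argument and the sample queue files are assumptions made for the illustration.</p>

```shell
#!/bin/sh
# Added example: list or delete sendmail queue entries whose qf file contains
# a fixed string. purge_mqueue and its arguments are hypothetical names.
# usage: purge_mqueue PATTERN [QUEUE_DIR] [list|delete]   (default: list)
purge_mqueue() {
    pattern=$1
    queue=${2:-/var/spool/mqueue}
    mode=${3:-list}

    [ -n "$pattern" ] || { echo "purge_mqueue: empty pattern" >&2; return 2; }
    [ -d "$queue" ] || { echo "purge_mqueue: no directory $queue" >&2; return 2; }

    # grep -F: fixed string, -i: ignore case, -l: print matching file names,
    # -e: pattern may begin with '-'. find hands the file names to grep as
    # arguments, so no queue content or pattern text is evaluated by a shell.
    find "$queue" -type f -name 'qf*' -exec grep -Fil -e "$pattern" {} + |
    while IFS= read -r qf; do
        dir=${qf%/*}
        base=${qf##*/}
        df=$dir/df${base#qf}        # body file that belongs to this qf file
        if [ "$mode" = delete ]; then
            rm -f -- "$qf" "$df"
        fi
        printf '%s\n' "$qf"         # report every matched control file
    done
}

# Constructed demo queue (not real mail): one spam entry, one normal entry.
demo=$(mktemp -d)
printf 'HSubject: cheap Viagra, low mortgage\n' > "$demo/qfAAA1"
printf 'spam body\n' > "$demo/dfAAA1"
printf 'HSubject: meeting notes\n' > "$demo/qfBBB2"
printf 'normal body\n' > "$demo/dfBBB2"

purge_mqueue 'low mortgage' "$demo"          # dry run, prints .../qfAAA1
purge_mqueue 'low mortgage' "$demo" delete   # removes qfAAA1 and dfAAA1
ls "$demo"                                   # dfBBB2 and qfBBB2 remain
rm -rf "$demo"
```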
</body>
</html>