Tag Archives: Exim

Exim mail queue cleanup

I wrote before about cleaning up the mail queue. I had a large queue today though and the exim tools “felt” slow. So I did it manually (which wasn’t much faster):
cd /var/spool/exim/input/
for d in *; do echo in $d; cd /var/spool/exim/input/$d; C=0; for x in *H; do grep -q example.com $x; if [ $? -eq 0 ]; then f=${x%H}; (( C++ )); rm ${f}{H,D}; fi; done; echo $C mails deleted; echo "remaining: "; ls -l | wc -l; echo ---; done

Similar Posts:

Tagged , , , , ,

Clearing the Queue

Talking about mail queues here. Especially when the queue gets filled with hundreds of thousands of spam emails.

Stop the MTA

The first thing you do is stop the MTA before it gets worse. On most Linux servers:
~: # /etc/init.d/exim stop # most WHM/cPanel based servers
~: # /etc/init.d/postfix stop # if you have postfix

Then check the queue

The commands to use are
~: # exim -bp
~: # mailq

I suggest keeping CTRL+C ready to stop the flow. If you have an infestation scrolling through the queue will take a very very long time.
But checking out the first few lines (pages) of the queue may reveal many things. For example, what user account is being exploited for sending out the spam. Sometimes that’s obvious, other times you may need to do some digging. Here’s a sample:

24h  1.1K 1VeKKb-00030t-42 <noreply@yahoo-inc.com>
        D alena@example.com
        D alenka@example.com
        D alepp@example.com
        D alerei@example.com

24h  1.1K 1VeKKb-00030u-5R <noreply@yahoo-inc.com>
        D alex@example.com
        D alex.b@example.com
        D alex.d@example.com
        D alex.f@example.com

24h  1.1K 1VeKKb-00030v-1R <noreply@yahoo-inc.com>
        D alex.t@example.com

The lines above are from an exim queue output. Obviously noreply@yahoo-inc.com is not an account on this server. Let’s find the username then clean up. A nice Exim utility is exigrep (basically it’s grep with exim ties!)
:~# exigrep 1VeKKb-00030t-42 /var/log/exim/mainlog
+++ 1VeKKb-00030t-42 has not completed +++
2013-11-08 21:18:14 1VeKKb-00030t-42 <= noreply@yahoo-inc.com H=(User) [XXX.XX.XX.XXX] P=esmtpa A=login:test@mydomain.com S=1193 T="Authenticate Your Email" from <noreply@yahoo-inc.com> for alena@example.com alenka@example.com alepp@example.com alerei@example.com [...]

2 things interest us here: the H=(User) [XXX.XX.XX.XXX] part tells us where that intruder is logging from (probably another exploited server, so it’s nice to alert the owners of that server as well. And A=login:test@mydomain.com tells us which user they are logged in as, so we can lock down that user, change their password, etc.

Cleaning up

Emptying the queue is usually an easy way out:
~: # postsuper -d ALL # for postfix
~: # exim -bp | exiqgrep -i | xargs exim -Mrm # for exim

A more subtle approach is needed when some of that mail in the queue is actually legit. If you checked out the queue earlier you might do something like the following:
~: # exiqgrep -i -f noreply@yahoo-inc.com | exim -Mrm # that will remove all mail sent by noreply@yahoo-inc.com

It’s a bit harder in postfix, here’s one recipe:
~: # mailq | tail +2 | awk 'BEGIN { RS = "" } { if ($7 == "noreply@yahoo-inc.com") print $1 }' | tr -d '*!' | postsuper -d -
remove the tail +2 | if that doesn’t work for you.

There are plenty of other things to check and do to fix your server when someone is abusing it to spam. Cleaning up is one way to start.

Ah, before I forget, here’s a link to a very nice cheatsheet for exim

Similar Posts:

Tagged , , , , ,

Dave’s Notepad

We were chatting in the morning and my colleague Dave said:

echo “blog post about distro choice” | mail -s “blog post” david@mydomain.org
that’s my ‘notepad’. 🙂

I thought that was pretty useful, but tried to make it easier by creating a bash alias. Turns out it’s better to use a bash function instead. (see this note). So my ‘jot’ function is:
function jot() { echo "$1" | mail -s "$2" abdallah@mydomain.com; }

I also noticed, that emails sent from my laptop were not reaching. It seems Ubuntu comes with Exim4 as a default MTA. I’m not too familiar with Exim, so I used the occasion to learn a new trick.

I might use this for micro-blogging next… let me go set it up 🙂

Similar Posts:

Tagged , , , , , , , , ,