1. Who is sending the spam?
First, look at what is sitting in the queue (recipients marked done have already been delivered):
/var/qmail/bin/qmail-qread
done remote posluchova@7plus.ru
remote oriflame@7russia.ru
remote osanka@7russia.ru
remote sidaev@8-12.ru
done remote rsnrkx99c@923.ru
remote pmz-keig@9zk.ru
done remote reklama@a24.spb.ru
done remote p9373c95@a7344l19.com
done remote sigor@aaa.ua
done remote samson_don@aaanet.ru
done remote ramuk@aaanet.ru
done remote rem_pb@aaanet.ru
done remote paschenko-dd@aaanet.ru
done remote razborka61@aaanet.ru
The message id from the qmail-qread listing (7406528) locates the message file under mess/<split>/:
find /var/qmail/queue/mess/ -name 7406528
/var/qmail/queue/mess/22/7406528
Now open the message to see which host and IP it was sent from:
less /var/qmail/queue/mess/22/7406528
Received: (qmail 27017 invoked by uid 399); 11 Sep 2014 01:17:35 +0300
Received: from unknown (HELO hahaha.co.il) (info@hahaha.co.il@201.164.182.100)
by mail.oyo.co.il with ESMTPAM; 11 Sep 2014 01:17:35 +0300
X-Originating-IP: 201.164.182.100
Message-ID: <E8362BC0.8CF16E69@hahaha.co.il>
Date: Thu, 11 Sep 2014 00:17:29 +0200
Reply-To: "=?UTF-8?B?UG9zbHVjaG92YQ==?=" <info@hahaha.co.il>
From: "=?UTF-8?B?UG9zbHVjaG92YQ==?=" <info@hahaha.co.il>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080227 Thunderbird/2.0.0.12
X-Accept-Language: en-us
MIME-Version: 1.0
To: <posluchova@7plus.ru>
Cc: <oriflame@7russia.ru>,
<osanka@7russia.ru>,
<sidaev@8-12.ru>,
<nuser@92.14-157-90.telenet.ru>,
<rsnrkx99c@923.ru>,
<pmz-keig@9zk.ru>,
<reklama@a24.spb.ru>,
<p9373c95@a7344l19.com>,
<sigor@aaa.ua>,
<samson_don@aaanet.ru>,
<ramuk@aaanet.ru>,
<rem_pb@aaanet.ru>,
<paschenko-dd@aaanet.ru>,
<razborka61@aaanet.ru>
Subject: =?UTF-8?B?0J3QsNC00L7QtdC70L4g0LbQuNGC0Ywg0LrQsNC6INC90LjRidC10LHRgNC+0LTRgz8g0K8g0YDQsNGB0YHQutCw0LbRgywg0LrQsNC6INC30LDRgNCw0LHQsNGC0YvQstCw0YLRjCDQvtGCIDE2MCQg0LfQsCAzINC00L3RjyE=?=
(The subject decodes to Russian: "Tired of living like a pauper? I'll tell you how to earn $160+ in 3 days!")
The message came in from 201.164.182.100, so block that address at the firewall:
iptables -I INPUT -s 201.164.182.100 -j DROP
Two caveats. The Received: line shows the session was authenticated: the "with" keyword carries the A of the RFC 3848 ESMTPA family, and the user@IP form in the parentheses is how qmail-smtpd records the account that logged in. The spammer relayed through info@hahaha.co.il, so that account's password must be changed as well, otherwise the next run simply comes from another IP. Also, a rule inserted with iptables -I lasts only until reboot unless it is saved with the distribution's iptables persistence mechanism.
2. Install qmail-remove and remove the mails from the queue
tar -zxpf qmail-remove-0.95.tar.gz
cd qmail-remove-0.95
make
gcc -O2 -W -Wall -o qmail-remove qmail-remove.c
make install
cp qmail-remove /var/qmail/bin/
mkdir /var/qmail/queue/yanked
/var/qmail/bin/qmail-remove -p info@hahaha.co.il -y /var/qmail/queue/yanked
(The directory passed with -y has to be the one created above; /var/qmail/queue/yanked is also the tool's default. According to the option list below, -r is what makes qmail-remove move files rather than only report matches, so a run without it is a safe dry run to check the match list first. Stop qmail-send before files are moved out of a live queue.)
……
moved mess/5/7405637 to yanked/7405637.mess
moved remote/5/7405637 to yanked/7405637.remote
moved info/5/7405637 to yanked/7405637.info
moved bounce/7405637 to yanked/7405637.bounce
7406005: no
7407799: no
7405729: no
120 file(s) match
The queue afterwards:
/var/qmail/bin/qmail-qstat
messages in queue: 335
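The procedure above (find the message file, read the Received: line our own qmail-smtpd wrote, yank every queue file belonging to the message) as one script. This is an added example written for this post, not the author's commands and not qmail-remove's own code. It builds a small constructed queue in a temporary directory instead of touching /var/qmail/queue; the function names, the second message id 7405001 and the sample headers are its own, and it assumes the stock qmail queue layout.

```shell
#!/bin/bash
# Added example for this post; not the post's own code and not part of
# qmail-remove. Assumes the stock qmail queue layout below a base dir:
# mess/<split>/<id> (the message), info/<split>/<id> ('F'+sender+NUL),
# remote/ and local/<split>/<id> ('T'+recipient+NUL), bounce/<id>.
# Stop qmail-send before doing this on a live queue: it owns those files.
set -u

# Build a small constructed queue under $1: one spam shaped like the one in the
# post and one legitimate message that has to survive the clean-up.
make_sample_queue() {
  local q=$1
  mkdir -p "$q/mess/22" "$q/info/22" "$q/remote/22" "$q/bounce" \
           "$q/mess/5" "$q/info/5" "$q/remote/5"
  cat > "$q/mess/22/7406528" <<'EOF'
Received: (qmail 27017 invoked by uid 399); 11 Sep 2014 01:17:35 +0300
Received: from unknown (HELO hahaha.co.il) (info@hahaha.co.il@201.164.182.100)
  by mail.oyo.co.il with ESMTPAM; 11 Sep 2014 01:17:35 +0300
X-Originating-IP: 201.164.182.100
From: "Posluchova" <info@hahaha.co.il>
To: <posluchova@7plus.ru>

spam body
EOF
  printf 'Finfo@hahaha.co.il\0' > "$q/info/22/7406528"
  printf 'Tposluchova@7plus.ru\0' > "$q/remote/22/7406528"
  : > "$q/bounce/7406528"
  cat > "$q/mess/5/7405001" <<'EOF'
Received: (qmail 31337 invoked from network); 11 Sep 2014 01:20:00 +0300
Received: from unknown (HELO laptop) (10.0.0.5)
  by mail.oyo.co.il with SMTP; 11 Sep 2014 01:20:00 +0300
From: alice@example.com
To: bob@example.net

legitimate body
EOF
  printf 'Falice@example.com\0' > "$q/info/5/7405001"
  printf 'Tbob@example.net\0' > "$q/remote/5/7405001"
}

# Header block only (body text must not influence the checks), with folded
# continuation lines joined back onto their header.
unfolded_headers() {
  awk '/^$/ { exit }
       /^[ \t]/ { sub(/^[ \t]+/, " "); cur = cur $0; next }
       { if (cur != "") print cur; cur = $0 }
       END { if (cur != "") print cur }' "$1"
}
# The first "Received: from" line is the one our own qmail-smtpd wrote; every
# Received: below it came from the client and may be forged.
smtpd_received() { unfolded_headers "$1" | sed -n '/^Received: from /{p;q;}'; }
# qmail-smtpd ends its Received: line with "(<remoteinfo>@<ip>)" or "(<ip>)";
# with SMTP AUTH, remoteinfo is the account that logged in.
remote_info()  { smtpd_received "$1" | sed 's/.*(//; s/).*//'; }
sender_ip()    { remote_info "$1" | sed 's/.*@//'; }
auth_user()    { remote_info "$1" | sed -n '/@/s/@[^@]*$//p'; }
# RFC 3848: ESMTPA/ESMTPSA in the "with" clause means the session authenticated.
was_authenticated() { smtpd_received "$1" | grep -qE ' with ESMTPS?A'; }

# Message ids whose mess file contains $2 as a fixed string (what
# qmail-remove -p does without -e). Prints "<split>/<id>" per match.
find_matching() {
  local q=$1 pattern=$2 f
  for f in "$q"/mess/*/*; do
    [ -f "$f" ] && grep -qF -- "$pattern" "$f" && printf '%s\n' "${f#"$q/mess/"}"
  done
  return 0
}

# Move every file of one message into $3, as qmail-remove -y does: delivery
# stops, the evidence stays. Prints how many files were moved.
yank_message() {
  local q=$1 rel=$2 yank=$3 id=${2##*/} sub moved=0
  mkdir -p "$yank"
  for sub in mess info remote local; do
    [ -f "$q/$sub/$rel" ] && mv "$q/$sub/$rel" "$yank/$id.$sub" && moved=$((moved + 1))
  done
  [ -f "$q/bounce/$id" ] && mv "$q/bounce/$id" "$yank/$id.bounce" && moved=$((moved + 1))
  echo "$moved"
}

# Run the post's procedure against the constructed queue.
demo() {
  local q rel f
  q=$(mktemp -d)
  make_sample_queue "$q"
  for rel in $(find_matching "$q" 'info@hahaha.co.il'); do
    f=$q/mess/$rel
    echo "$rel: from $(sender_ip "$f"), SMTP AUTH user: $(auth_user "$f")"
    was_authenticated "$f" && echo "  -> authenticated relay: change that account's password, not only the firewall"
    echo "  moved $(yank_message "$q" "$rel" "$q/yanked") file(s) to $q/yanked"
  done
  ls "$q/yanked"; rm -rf "$q"
}

demo
```

On a real server, point the functions at /var/qmail/queue with qmail-send stopped; the legitimate message in the sample shows why the pattern should be something specific to the spam (the authenticated sender) and not a common word.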
qmail-remove [options]
  -e             use extended POSIX regular expressions
  -h, -?         this help message
  -i             search case insensitively [default: case sensitive]
  -n <bytes>     limit our search to the first <bytes> bytes of each file
  -p <pattern>   specify the pattern to search for
  -q <queuedir>  specify the base qmail queue dir [default: /var/qmail/queue]
  -d             actually remove files not yank them, no -p will delete all the messages!
  -r             actually remove files, without this we'll only print them
  -s <split>     specify your conf-split value if non-standard [default: 23]
  -v             increase verbosity (can be used more than once)
  -y <yankdir>   directory to put files yanked from the queue [default: <queuedir>/yanked]
  -X <secs>      modify timestamp on matching files, to make qmail expire mail
                 <secs> is the number of seconds we want to move the file into the past.
                 specifying a value of 0 causes this to default to (604800)
  -x <timespec>  modify timestamp on matching files, to make qmail expire mail
                 <timespec> is a date/time string in the format of output of the
                 "date" program. see manpage for strptime(2) for details of this format