TERMINAL: Email / Qmail Spam cleanup and prevention

#Qmail spam prevention:

Start Qmail

/etc/init.d/qmail start
/etc/init.d/xinetd start

Stop Qmail

/etc/init.d/qmail stop
/etc/init.d/xinetd stop

The server is overloaded with SPAM. There are many messages in queue. Mail is delivered slowly. ftp://download1.swsoft.com/Plesk/Plesk9.2/Doc/en-US/plesk-9.0-unix-advanced-administration-guide/index.htm?fileName=61674.htm

Many email messages are sent from PHP scripts on the server. How can I find what domains these scripts are running on?

http://kb.swsoft.com/article_22_1711_en.html

Qmail var log location

/usr/local/psa/var/log/maillog

View the log in realtime

tail -f /usr/local/psa/var/log/maillog

Check qmail queue size

/var/qmail/bin/qmail-qstat

###qmHandle

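Install qmhandle (the script ends up in /usr/local/sbin and is run as root, so make it executable without leaving it world-writable)

wget http://jaist.dl.sourceforge.net/sourceforge/qmhandle/qmhandle-1.3.2.tar.gz
tar xvzf qmhandle-1.3.2.tar.gz
chmod 755 qmhandle-1.3.2/qmHandle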

Edit the file, uncomment the following lines, and comment out the default version

#my ($stopqmail) = '/etc/init.d/qmail stop';
#my ($startqmail) = '/etc/init.d/qmail start';

Then move it to /usr/local/sbin/

mv qmhandle-1.3.2/qmHandle /usr/local/sbin/qmHandle

Show current queue stats:

qmHandle -s

List messages in the mail queue:

qmHandle -l

Get extended info about the Queue.

/usr/local/sbin/qmHandle -l -c

List messages in the mail queue while counting how many have the same subject:

qmHandle -l|grep Subject|sort| uniq -c|sort -n

List SMTP authorized senders from mail log and count how many emails they've sent:

cat /usr/local/psa/var/log/maillog |grep -I smtp_auth | grep -I 'SMTP user' | awk '{print $8}' | sort |uniq -c |sort -n

List IP Addresses that have failed SMTP authentication and count them

cat /usr/local/psa/var/log/maillog | grep -I smtp_auth | grep -I FAILED | awk '{print $13}' | sort | uniq -c | sort -n

Read a message in the queue:

qmHandle -m123456789

Delete a message based on subject:

qmHandle -S'failure notice'
qmHandle -S'Order Tracking'
qmHandle -S'Tracking Service'
qmHandle -S'Shipping Detail'
qmHandle -S'Order Detail'
qmHandle -S'Shipping Info'
qmHandle -S'Shipping Information'
qmHandle -S'Order Shipped'
qmHandle -S'Order Information'
qmHandle -S'Shipping Service'
qmHandle -S'Tracking Detail'
qmHandle -S'Tracking Info'
qmHandle -S'Tracking Information'

Queue up several subjects for deletion

qmHandle -S'failure notice' ; qmHandle -S'Order Tracking' ; qmHandle -S'Tracking Service'

Delete specific spam emails

qmHandle -H'smilesbymartin.com'
qmHandle -H'federalwaydentist.net'
qmHandle -H'bbjp.net'
qmHandle -H'periozone.com'

To delete the entire Queue (pretty slow if it's huge)

qmHandle -D

To delete the entire Queue as files then start qmail back up (probably faster)

service qmail stop && find /var/qmail/queue/{mess,intd,local,remote,todo,info}/ -type f -exec rm {} \; && service qmail start

Look through the queue to see whether there are any more obvious crap addresses:

/var/qmail/bin/qmail-qread | less

###Find incoming vector

These commands should help you find which account(s) are being used:

cat /usr/local/psa/var/log/maillog | grep "smtp_auth"
cat /usr/local/psa/var/log/maillog | grep "spammer's IP"
cat /usr/local/psa/var/log/maillog | grep "202.64.64.68"
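
The per-account and per-IP counts from the maillog commands above, combined into one report that also counts how many distinct IPs each account logged in from. This is an added example, not part of the original gist. The sample log lines are constructed, and the assumed line layout (login in field 8, bracketed IP as the last field) follows the awk field numbers used on this page.

```shell
#!/bin/sh
# Assumed maillog layout (constructed to match this page's awk '{print $8}' / '{print $13}'):
#   ... smtp_auth: SMTP user <login> : <maildir> logged in from <host> [<ip>]
#   ... smtp_auth: FAILED: <login> - password incorrect from <host> [<ip>]

# auth_summary FILE -> one line per account: "<login> <logins> <distinct_ips>"
# An account with many logins from many different IPs is the likely spam vector.
auth_summary() {
    awk '/smtp_auth/ && /SMTP user/ {
            ip = $NF; gsub(/\[|\]/, "", ip)            # strip the [ ] around the IP
            logins[$8]++
            if (!seen[$8 SUBSEP ip]++) ips[$8]++       # count each (login, ip) pair once
         }
         END { for (u in logins) print u, logins[u], ips[u] }' "$1" | sort -k2,2nr
}

# failed_ips FILE MIN -> "<ip> <failures>" for every IP with at least MIN failed logins
failed_ips() {
    awk -v min="$2" '/smtp_auth/ && /FAILED/ {
            ip = $NF; gsub(/\[|\]/, "", ip)
            fails[ip]++
         }
         END { for (i in fails) if (fails[i] >= min) print i, fails[i] }' "$1" | sort -k2,2nr
}

# Constructed sample log (documentation IP ranges and example domains only)
sample_log() {
cat <<'EOF'
Mar 10 03:00:01 mail smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown@ [203.0.113.7]
Mar 10 03:00:04 mail smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown@ [198.51.100.23]
Mar 10 03:00:09 mail smtp_auth: SMTP user info@example.com : /var/qmail/mailnames/example.com/info logged in from unknown@ [192.0.2.55]
Mar 10 03:01:12 mail smtp_auth: SMTP user bob@example.org : /var/qmail/mailnames/example.org/bob logged in from unknown@ [192.0.2.10]
Mar 10 03:02:00 mail smtp_auth: FAILED: admin - password incorrect from unknown@ [203.0.113.99]
Mar 10 03:02:01 mail smtp_auth: FAILED: test - password incorrect from unknown@ [203.0.113.99]
Mar 10 03:02:02 mail smtp_auth: FAILED: sales - password incorrect from unknown@ [203.0.113.99]
Mar 10 03:05:40 mail smtp_auth: FAILED: bob@example.org - password incorrect from unknown@ [192.0.2.10]
EOF
}

# Demo on the sample; on a server pass /usr/local/psa/var/log/maillog instead
log=$(mktemp)
sample_log > "$log"
echo "login logins distinct_ips"; auth_summary "$log"
echo "ip failures (>= 3)";        failed_ips "$log" 3
rm -f "$log"
```
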

Completely rebuild all mailboxes on the server (use with caution, and be patient)

Plesk article for command

/usr/local/psa/admin/sbin/mchk --without-spam

See actively running scripts

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

Turn off email for a domain in Plesk

/usr/local/psa/bin/mail --off roadsidemultimedia.com

Block an IP Address

sudo iptables -I INPUT -s 88.2.145.216 -j DROP