Topic: qmHandle - remove messages not from my domain.

[Jáder]

Hi

I have  a problem on my mail server (SME7.4) and got more tham 60.000 messages on outgoing queue.
I installed qmHandle to help to managem them... and was able to remove 41.000 messages after follow double bounce tips from here: http://wiki.contribs.org/Email_delete_double-bounce_messages

But I need delete most of other 20.000 messages without delete queue (lots of real e-mail included).
So I think to use this:

qmHandle -f'([^\@viadei].*)'

to delete all messages from is not from my domain... and did not worked.

I just got this back:
[root@lebre ~]# qmHandle -f'([^\@viadei].*)'

Code: [Select]

Qmail isn't running... no need to stop it.
Looking for messages from ([^\@viadei].*)
No messages from ([^\@viadei].*) found in the queue!
Qmail wasn't running when qmHandle was started, so it won't be restarted.

But I'm sure I have messages who should be cought:

Code: [Select]

6529837 (22, 22/6529837)
  Return-path: karencortez27@lycos.com
  From: karen cortez <karencortez27@lycos.com>
  To: <ashleejaniya194@yahoo.com>, <arleneashlynn102@yahoo.com>, <allyssareina469@yahoo.com>
  Subject: FW: Lost your college sweetheart to the quarterback? Get her back with this!
  Date: Mon, 31 May 2010 20:19:57 GMT
  Size: 1145 bytes

6041699 (13, 13/6041699)
  Return-path: kimburdick36@ev1.net
  From: kim burdick <kimburdick36@ev1.net>
  To: <weepfnd@yahoo.com>
  Subject: RE: Give her the ride of her life!
  Date: Mon, 31 May 2010 18:44:19 GMT
  Size: 927 bytes

None of those messages are from mydomain (viadei)!

Could someone else point me what's wrong ?

Thanks

Jáder

[piran]

Code: [Select]

qmHandle -f'([^\@viadei].*)'I don't use qmHandle but where is your NOT logic?
Wiki is directed at "delete this" ...without "delete NOT this".
You are looking to delete everything NOT viadei?
Do you need a regex NOT (exclamation "!") character?
Query your use of square brackets ie any of the included?
Query your use of round brackets, no piping "|" and no NOT "!"?
Maybe omit the .* as the syntax seems to expect domains?
Experiment or at least grep to confirm things first but...

Code: [Select]

qmHandle -f'!(viadei)'

[Jáder]

Hi quiran

Thanks by your answer.
The negative was on "^" inside "[]"

I tried your option... nothing also:

Code: [Select]

[root@lebre ~]# qmHandle  -f'!(viadei)'
Qmail isn't running... no need to stop it.
Looking for messages from !(viadei)
No messages from !(viadei) found in the queue!
Qmail wasn't running when qmHandle was started, so it won't be restarted.

I´m still with +10.000 messages on outgoing queue
Any other tip ?

[piran]

I always thought "^" meant "line beginning with"...

[Jáder]

It means... but not when inside []

[piran]

Perhaps a good thing would be to determine just how literal
or exactly the filter needs to be defined or is acting. Find
something that 'works' and interpret from it how exact the
filter must be defined. A good start is to directly attack
known combinations of spam ie subject text.

[piran]

Maybe you don't need to define "@" in your own string?
Your domain seems unique and without the @ then the
question about the escaping requirement "\" is void.

[piran]

[] is explicit - each character contained in [] is used separately.

Code: [Select]

qmHandle -f'([^v][^i][^a][^d][^e][^i])'

[Jáder]

[] is explicit - each character contained in [] is used separately.

Code: [Select]

qmHandle -f'([^v][^i][^a][^d][^e][^i])'

Don´t work either:

Code: [Select]

[root@lebre ~]# qmHandle -f'([^v][^i][^a][^d][^e][^i])'
Qmail isn't running... no need to stop it.
Looking for messages from ([^v][^i][^a][^d][^e][^i])
No messages from ([^v][^i][^a][^d][^e][^i]) found in the queue!
Qmail wasn't running when qmHandle was started, so it won't be restarted.


I´ll let qmail finish his jobs... no more than 10h till empty queue!

Code: [Select]

[root@lebre ~]# qmHandle  -s;date
Total messages: 10278
Messages with local recipients: 0
Messages with remote recipients: 10278
Messages with bounces: 1005
Messages in preprocess: 0
Wed Jun  2 12:06:32 BRT 2010

I also opened a bug/NFR (#5996)... to try to avoid this by ask developers to check SPF before accept message.

Thanks for your help

Jáder

[CharlieBrady]

I also opened a bug/NFR (#5996)... to try to avoid this by ask developers to check SPF before accept message.

You haven't diagnosed the problem adequately. Based on the sample you showed above, you are relaying messages from karencortez27@lycos.com to users at yahoo.com. SPF checking won't help you there. You either have a local user generating those messages, or you are accepting them for relay from the Internet side (an open mail relay, unless the connection is authenticated, in which case you have a compromised account).

You need to shut down qmail, identify the source of your spam, secure your system so that the spammer cannot use your system, and clean our the mail queue.

[Jáder]

You haven't diagnosed the problem adequately. Based on the sample you showed above, you are relaying messages from karencortez27@lycos.com to users at yahoo.com. SPF checking won't help you there. You either have a local user generating those messages, or you are accepting them for relay from the Internet side (an open mail relay, unless the connection is authenticated, in which case you have a compromised account).

You need to shut down qmail, identify the source of your spam, secure your system so that the spammer cannot use your system, and clean our the mail queue.

Charlie

I don´t know how to find out what internal client can be generating those e-mails.
But I´m sure I´m not an open relay... and as yesterday afternoon this installation is using authentication to SMTP (before it have no auth!).

Could you help me to identify the internal source (if it´s one!) ?

Thanks

Jáder

[Stefano]

how many clients do you have?

anyway, stat iptraf on your SME then watch for connections on port 25

[slords]

anyway, stat iptraf on your SME then watch for connections on port 25

Or look at the headers of the emails to see where they are coming from.

[Jáder]

I think the source was an computer with conflicker... but not sure.

The virus was removed and my queue is almost empty now. I discovered lot of e-mails to @yahoo (and we do not have that amount of @yahoo destinatary) so I did:

Code: [Select]

[root@lebre ~]# grep -R "\@yahoo" /var/qmail/queue/remote/|wc -l
8272
[root@lebre ~]# qmHandle  -s;date
Total messages: 8835
Messages with local recipients: 0
Messages with remote recipients: 8835
Messages with bounces: 1005
Messages in preprocess: 0
Wed Jun  2 14:48:12 BRT 2010

So I did:

Code: [Select]

[root@lebre ~]# qmHandle -h'\@yahoo'
...
Message 6525898 slotted for deletion.
Message 6275030 slotted for deletion.
Message 6529924 slotted for deletion.
Deleted 8287 messages from queue
Qmail wasn't running when qmHandle was started, so it won't be restarted.

and got an almost empty queue:

Code: [Select]

(14:54:43) Jáder (4306): [root@lebre ~]# qmHandle  -s;date
Total messages: 548
Messages with local recipients: 0
Messages with remote recipients: 548
Messages with bounces: 9
Messages in preprocess: 0
Wed Jun  2 14:53:41 BRT 2010
[root@lebre ~]#

I must to find out the source using logs (and remember I lost almost all of them because qpstmpd log was rotating each 20 minutes!)
Just to show you:

See qpstmptd log:

Code: [Select]

[root@lebre ~]# ls -la /var/log/qpsmtpd/
total 48816
drwxr-s---   2 smelog smelog    4096 May 31 23:45 .
drwxr-xr-x  47 root   root     12288 Jun  1 04:02 ..
-rwxr--r--   1 smelog smelog 4998073 May 31 14:50 @400000004c03f6f01778a8cc.s
-rwxr--r--   1 smelog smelog 4998054 May 31 15:09 @400000004c03fb6136e886b4.s
-rwxr--r--   1 smelog smelog 4998129 May 31 15:27 @400000004c03ffb91a3121ac.s
-rwxr--r--   1 smelog smelog 4998033 May 31 15:47 @400000004c04043d17f2f17c.s
-rwxr--r--   1 smelog smelog 4998001 May 31 16:06 @400000004c0408bb02975a5c.s
-rwxr--r--   1 smelog smelog 4998095 May 31 16:25 @400000004c040d37003fa304.s
-rwxr--r--   1 smelog smelog 4998022 May 31 16:45 @400000004c0411c7118c12b4.s
-rwxr--r--   1 smelog smelog 4998013 May 31 17:04 @400000004c041645204a4dd4.s
-rwxr--r--   1 smelog smelog 4998015 May 31 23:45 @400000004c04743a1c8a2124.s
-rw-r--r--   1 smelog smelog 4834873 Jun  2 15:13 current
-rw-------   1 smelog smelog       0 Feb 20 08:54 lock
-rw-r--r--   1 smelog smelog       0 Feb 22 07:10 state

and Qmail log:

Code: [Select]

root@lebre ~]# ls -la /var/log/qmail/
total 48448
drwxr-s---   2 qmaill nofiles    4096 Jun  2 11:45 .
drwxr-xr-x  47 root   root      12288 Jun  1 04:02 ..
-rwxr--r--   1 qmaill nofiles 4998014 Jun  1 08:37 @400000004c04f0f035f56c54.s
-rwxr--r--   1 qmaill nofiles 4998019 Jun  1 10:29 @400000004c050b5e131d9bac.s
-rwxr--r--   1 qmaill nofiles 4998082 Jun  1 14:03 @400000004c053d58090f82ec.s
-rwxr--r--   1 qmaill nofiles 4998215 Jun  1 18:46 @400000004c057fb000110184.s
-rwxr--r--   1 qmaill nofiles 4998073 Jun  1 23:03 @400000004c05bbed1a4c894c.s
-rwxr--r--   1 qmaill nofiles 4998101 Jun  2 02:09 @400000004c05e7a720211324.s
-rwxr--r--   1 qmaill nofiles 4998205 Jun  2 04:46 @400000004c060c7c0738cb04.s
-rwxr--r--   1 qmaill nofiles 4998402 Jun  2 07:49 @400000004c06373e1d741b94.s
-rwxr--r--   1 qmaill nofiles 4998208 Jun  2 11:45 @400000004c066ea522eea65c.s
-rw-r--r--   1 qmaill nofiles 4453858 Jun  2 15:13 current
-rw-------   1 qmaill nofiles       0 Feb 20 08:54 lock
-rw-r--r--   1 root   nofiles      28 Jun  2 12:45 .recent-rotated
-rw-r--r--   1 qmaill nofiles       0 Feb 22 07:10 state


[cavinbill115]

You can follow some step to solve your problem...
When the mail queue on a (dv) Dedicated-Virtual Server has messages stacked up you can use the tool qmHandle.

   1. Download qmHandle from SourceForge. You actually only need the script ‘qmHandle’ so use that if you have it handy. Upload it to the server and untar it if necessary. You may download the file directly from SourceForge using the wget command:
wget http://optusnet.dl.sourceforge.net/sourceforge/qmhandle/qmhandle-1.3.2.tar.gz

2 Then decompress the file using the tar command:

tar -xvzf qmhandle-1.3.2.tar.gz

3 First it is recommended to shutdown qmail using the service command to prevent possible corruption of the mail queue:
service qmail stop 

4 When you are done with qmhandle be sure to start it again using the service command:

service qmail start

qmHandle can show it’s own options when run without a flag:

./qmHandle

qmHandle v1.3.2
Copyright 1998-2003 Michele Beltrame

Available parameters:
-a : try to send queued messages now (qmail must be running)
-l : list message queues
-L : list local message queue
-R : list remote message queue
-s : show some statistics
-mN : display message number N
-dN : delete message number N
-Stext : delete all messages that have/contain text as Subject
-D : delete all messages in the queue (local and remote)
-V : print program version

Additional (optional) parameters:
-c : display colored output
-N : list message numbers only

(to be used either with -l, -L or -R)
You can view/delete multiple message i.e. -d123 -v456 -d567

-s to see some basic statistics

qmHandle -s

Messages in local queue: 0

Messages in remote queue: 10