
On Fri, May 25, 2012 at 11:45 AM, John Doe Smith Kamau KipNg'etich Jones <skunkworks.ku@gmail.com> wrote:
> Hello good people,
> I have a rogue account sending mails from my webmail, actually multiple email accounts doing this.. been deleting these manually from the exim queue.. They beat me to that game.. too many mails to keep up with. Some help, someone?
> That's for the short term.. I further need to identify which user in my network these mails are emanating from.. a pointer on how to go about this is welcome too.
I could answer your questions very well, but your first sentence is not clear to me at all. "Sending mails from my webmail" is not what you needed to say, because that must be you sending mail. "Actually multiple e-mail accounts doing this" confuses the hell out of me. "Been deleting this manually from the Exim queue" - that can be solved by rate-limiting, a feature of Exim. With rate-limiting, there is no way anyone/anything can beat you to the game. Anyway, once you rephrase that first part of your question, I will give you a sure solution!

On the second part, you say you need to "identify which user in my network these mails are emanating from". Here is how to do it:

First, impose a mandatory delay of N minutes on all e-mails hitting your server. You do this by inserting the following router as the very first router (just below the "begin routers" clause):

  delay_outgoing:
    driver = redirect
    # Skip the null sender (bounces) and anyone listed in the VIP file
    senders = ! : ! lsearch;/etc/exim/vip_senders
    # Only messages younger than 600 seconds (10 minutes) are held back
    condition = ${if <{$message_age}{600}{yes}{no}}
    allow_defer
    data = :defer: message not old enough
    no_verify

Create the file /etc/exim/vip_senders and inside it put, one per line, the addresses of those senders whose e-mails you don't want to delay (unless you want to lose your job!). Anyone whose address does NOT appear in that file will have their e-mails delayed for 10 minutes (600 seconds). However, bounces (from the null sender) will still be processed. This gives you the opportunity to go through the e-mails on the queue and find out who is sending them. Please restart Exim after adding that router.

In no time, your queue will be full. Look at the queue using the command `exim -bp | less`. You will be able to identify mails with almost the same characteristics, like the same sender address.

Here is an example with obfuscated data:

  65h  15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  65h 4.9K 1SWrwe-000BAx-6w <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  50h  19K 1SX5zE-0003vq-HD <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  27h 3.4K 1SXR3Y-000IT3-KL <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  25h  16K 1SXSxP-000Pip-30 <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  23h  12K 1SXV7f-0007fB-Gk <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  23h 5.6K 1SXVQ3-0009d6-I9 <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  21h 6.5K 1SXXAn-000GGo-KL <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  19h 7.5K 1SXYID-000Kr2-3d <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  14h 7.7K 1SXdPi-000C5R-Hy <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name
  14h  16K 1SXdbd-000Def-C5 <list-bounces+johndoe=somedomain.name@mylists.name>
            johndoe@somedomain.name

In these examples, the part inside the < > is the sender address. I am sure you know what a Message-ID is already. So if the sender address is not obvious, then try and look at the headers of these e-mails to figure out which host is sending them:

  exim -Mvh Message-ID | less

(i.e. `exim -Mvh 1SXdPi-000C5R-Hy | less`). I am insisting on piping to less because some headers can be too long. That way you will see the full details about this particular message. You can then take the necessary action. I hope your server is not an Open Relay, being used by spammers!

I hope that helps. You are welcome to seek further help.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
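An added helper, not part of the thread above, for the "look at the queue" step: it summarises `exim -bp` output by envelope sender so one account with many queued messages stands out, and lists that sender's message ids for `exim -Mvh`. The queue listing it runs on is constructed sample data, not the poster's real queue.

```shell
#!/bin/sh
# Added helper (not from the thread): summarise an `exim -bp` queue listing by
# envelope sender so a compromised account stands out, then list the message
# ids for one sender to feed into `exim -Mvh <id> | less` as the mail suggests.

# Constructed sample of `exim -bp` output (not the poster's real queue). Each
# message is: age, size, message id, <envelope sender>, then one indented line
# per recipient. The last entry is a bounce (null sender "<>").
SAMPLE_QUEUE='65h  15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

12h 4.1K 1SXXAA-000GG0-AA <victim@somedomain.name>
          target1@example.com
          target2@example.com

 2h 3.0K 1SXZZZ-000Q00-ZZ <victim@somedomain.name>
          target3@example.com

 1h 2.2K 1SXZZZ-000Q01-ZZ <>
          bounced-to@somedomain.name
'

# top_queue_senders: read `exim -bp` output on stdin, print "count sender",
# most frequent first. A header line has an Exim message id (xxxxxx-xxxxxx-xx)
# in field 3 and <sender> in field 4; recipient lines have neither.
top_queue_senders() {
    awk '
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            sender = substr($4, 2, length($4) - 2)
            if (sender == "") sender = "<>"   # null sender: bounces, not a user
            count[sender]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# queue_ids_for_sender SENDER: message ids queued for that envelope sender,
# ready for header inspection with `exim -Mvh <id> | less`.
queue_ids_for_sender() {
    awk -v want="<$1>" '$4 == want { print $3 }'
}

# Stand-alone demo on the constructed sample; on a live server pipe
# `exim -bp` in instead, e.g. `exim -bp | top_queue_senders`.
printf '%s' "$SAMPLE_QUEUE" | top_queue_senders
printf '%s' "$SAMPLE_QUEUE" | queue_ids_for_sender victim@somedomain.name
```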