How to Delete Multiple Outbound Emails [from a Particular E-mail Add] from an Exim Queue

Hello good people, I have a rogue account sending mails from my webmail, actually multiple email accounts doing this. Been deleting this manually from the exim queue. They beat me to that game, too many mails to keep up with. Some help, someone? That's for the short term. I further need to identify which user in my network this mails are emanating from. A pointer on how to go about this is welcome too.

Read on spamming, my friend, else by the time you read this your IP will be blacklisted, and by the time you get to understand spamming you will be down for a very long time... Lemme save you some time: virus scan your network and server...

On Fri, May 25, 2012 at 11:45 AM, John Doe Smith Kamau KipNg'etich Jones <skunkworks.ku@gmail.com> wrote:
Hello good people,
I have a rogue account sending mails from my webmail, actually multiple email accounts doing this. Been deleting this manually from the exim queue. They beat me to that game, too many mails to keep up with. Some help, someone?
That's for the short term. I further need to identify which user in my network this mails are emanating from. A pointer on how to go about this is welcome too.
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- GG

Ha! That's happened already, so can't fall further than this I guess :P All those have been done. Next?

On Fri, May 25, 2012 at 12:13 PM, geoffrey gitagia <ggitagia@gmail.com> wrote:
Read on spamming, my friend, else by the time you read this your IP will be blacklisted, and by the time you get to understand spamming you will be down for a very long time... Lemme save you some time: virus scan your network and server...

If the spamming is via webmail as you claim, change the passwords. It would also be useful to temporarily disable SMTP authentication and webmail access from outside as you test. This website usually has useful information on how to deal with Exim queues: http://bradthemad.org/tech/notes/exim_cheatsheet.php

Boniface

On Fri, May 25, 2012 at 12:13 PM, geoffrey gitagia <ggitagia@gmail.com> wrote:
Read on spamming, my friend, else by the time you read this your IP will be blacklisted, and by the time you get to understand spamming you will be down for a very long time... Lemme save you some time: virus scan your network and server...

On Fri, May 25, 2012 at 11:45 AM, John Doe Smith Kamau KipNg'etich Jones <skunkworks.ku@gmail.com> wrote:
Hello good people,
I have a rogue account sending mails from my webmail, actually multiple email accounts doing this. Been deleting this manually from the exim queue. They beat me to that game, too many mails to keep up with. Some help, someone?
That's for the short term. I further need to identify which user in my network this mails are emanating from. A pointer on how to go about this is welcome too.

I could answer your questions very well, but your first sentence is not clear to me at all - "sending mails from my webmail" is not what you needed to say, because that must be you sending mail. "actually multiple e-mail accounts doing this" confuses the hell out of me. "been deleting this manually from the Exim queue" - that can be solved by rate-limiting - a feature of Exim. With rate-limiting, there is no way anyone/anything can beat you to the game. Anyway, once you rephrase that first part of your question, I will give you a sure solution!

On the second part, you say you need to "identify which user in my network this (these?) mails are emanating from". Here is how to do it:

First, impose a mandatory delay of N minutes on all e-mails hitting your server. You do this by inserting the following router as the very first router (just below the "begin routers" clause):

```
# Defer every message younger than 600 seconds unless the envelope
# sender is empty (a bounce) or is listed in /etc/exim/vip_senders.
delay_outgoing:
  driver = redirect
  senders = ! : ! lsearch;/etc/exim/vip_senders
  condition = ${if < {$message_age}{600}{yes}{no}}
  allow_defer
  data = :defer: message not old enough
  no_verify
```

Create the file /etc/exim/vip_senders and inside it put, one per line, the addresses of those senders whose e-mails you don't want to delay (unless you want to lose your job!). Anyone whose address does NOT appear in that file will have their e-mails delayed for 10 minutes (600 seconds). However, bounces (from the null sender) will still be processed. This gives you the opportunity to go through the e-mails on the queue and find out who is sending them.

Please restart Exim after adding that router. In no time, your queue will be full. Look at the queue using the command `exim -bp | less`. You will be able to identify mails with almost the same characteristic - like the same sender address.

Here is an example with obfuscated data:

```
65h   15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
65h  4.9K 1SWrwe-000BAx-6w <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
50h   19K 1SX5zE-0003vq-HD <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
27h  3.4K 1SXR3Y-000IT3-KL <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
25h   16K 1SXSxP-000Pip-30 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
23h   12K 1SXV7f-0007fB-Gk <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
23h  5.6K 1SXVQ3-0009d6-I9 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
21h  6.5K 1SXXAn-000GGo-KL <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
19h  7.5K 1SXYID-000Kr2-3d <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
14h  7.7K 1SXdPi-000C5R-Hy <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
14h   16K 1SXdbd-000Def-C5 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name
```

In these examples, the part inside the < > is the sender address. I am sure you know what a Message-ID is already. So if the sender address is not obvious, then try and look at the headers of these e-mails to figure out which host is sending them:

```
exim -Mvh Message-ID | less
```

(i.e. `exim -Mvh 1SXdPi-000C5R-Hy | less`)

I am insisting on piping to less because some headers can be too long. That way you will see the full details about this particular message. You can then take the necessary action. I hope your server is not an Open Relay, being used by spammers!

I hope that helps. You are welcome to seek further help.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
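
The queue triage described in the reply above (read `exim -bp`, group by the sender inside `< >`, then act on the matching queue IDs), as an added shell example that is not part of the original thread. The function names and the sample queue text are constructed here; `exim -Mrm`, which removes messages by queue ID, is a standard Exim option the thread itself does not mention.

```shell
#!/bin/sh
# Constructed sample in the layout `exim -bp` prints: an entry line with
# age, size, queue ID and <envelope sender>, then indented recipient lines.
# The first two IDs come from the listing above; the others are made up.
sample_queue() {
cat <<'EOF'
65h   15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

14h  7.7K 1SXdPi-000C5R-Hy <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

 3m  2.1K 1SXqAa-000AbC-1x <alice@example.test>
          bob@example.test

 2m  1.0K 1SXqBb-000AbD-2y <>
          alice@example.test
EOF
}

# awk test that is true only on entry lines: field 3 looks like a queue ID
# and field 4 is the bracketed envelope sender ("<>" for bounces).
ENTRY='$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/'

# Count queued messages per envelope sender, busiest sender first.
senders_by_count() {
    awk "$ENTRY"' { n[$4]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# Print the queue IDs whose envelope sender is exactly $1 (no brackets;
# pass '' for bounces). Plain string comparison, not a regex match.
ids_for_sender() {
    SENDER="$1" awk "$ENTRY"' && $4 == ("<" ENVIRON["SENDER"] ">") { print $3 }'
}

# On a live server (assumes root and exim on PATH):
#   exim -bp | senders_by_count | head
#   exim -Mvh <queue-id> | less        # confirm the source before deleting
#   exim -bp | ids_for_sender 'user@example.test' | xargs exim -Mrm
sample_queue | senders_by_count
```

Keep a copy of the `exim -Mvh` output for a few of the messages before removing them, since the headers are the evidence for which host or account submitted them.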

participants (4)
- Boniface
- geoffrey gitagia
- John Doe Smith Kamau KipNg'etich Jones
- Odhiambo Washington