Vicious Circle

John Rudd jrudd at UCSC.EDU
Sat Mar 5 22:37:02 GMT 2005


On Mar 5, 2005, at 9:10 AM, Dave Goodrich wrote:

>
> I am at a loss, the root of the issue is I have 100k messages a day,
> some just *might* be legitimate address misspellings, I can't drop all
> bounces. But the vast majority are trash.
>
> What's a sysadmin to do?
>

(while everyone else is telling you what you should have done to
prevent this, I'll answer this part: what you can do while it's
happening ... though, you're probably already through the bulk of it)

I have two scripts I run, qstat and qflush.  You're going to probably
want to run them (as root) like:

# qstat mqueue
# qflush mqueue relay.domain.tld
(where relay.domain.tld is something you pull out of the results of
qstat)

You may get some errors from qflush about the files not being there.
That just means sendmail got rid of them before you could (or
mailscanner finished scanning them, if you're running against
mqueue.in, before you got to cleaning them out).


1) qstat - identify the relays of the messages in your queue (I assume
that they're in mqueue now, and not mqueue.in, but it's just a slight
substitution if they're in mqueue.in: I use this technique to filter
out mail bombs that are clogging up mqueue.in):

#!/bin/sh

if [ "$#" -ne "1" ]; then
    echo "usage: qstat queue"
    echo "   queue = mqueue | mqueue.in"
    exit 1
fi

cd "/var/spool/$1" || exit 1

# one pipeline, split after each "|" so that mail wrapping cannot break it:
# pull the $_ (relay) line out of every qf file and count hits per relay
/bin/ls | /bin/grep "^qf" |
    /bin/xargs -I file grep "^._" file |
    /bin/sed -e "s/^._//" |
    /bin/sort | /bin/uniq -c | /bin/sort -n | /bin/tail -5

# end


This will tell you who the top 5 relays are.  If you got a mail bomb or
dictionary attack from a single source, it will be REALLY obvious who
is dominating your mail queue from this.


2) qflush - flush the bad relay out of your queue:

#!/bin/sh

if [ "$#" -ne "2" ]; then
    echo "usage: qflush queue pattern"
    echo "  queue = mqueue.in | mqueue"
    echo "  pattern = hostname in qf:\$_"
    exit 1
fi

# stop here if the queue directory is wrong, so nothing is removed elsewhere
cd "/var/spool/$1" || exit 1

# unpredictable temp file name; this script runs as root
tmp=$(mktemp /tmp/qflush.XXXXXX) || exit 1

# one pipeline, split after each "|" so that mail wrapping cannot break it:
# turn every qf file whose $_ line matches the pattern into "rm ??<id>",
# which removes the qf and df files of that message
/bin/ls | /bin/grep "^qf" |
    /bin/xargs -I file /bin/grep -l "^._$2" file |
    /bin/grep -vi "no such file" |
    /bin/sed -e "s/^qf/rm \?\?/" -e "s/:.*//" > "$tmp"

/bin/sh "$tmp"

/bin/rm "$tmp"
# end
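
A quarantine-instead-of-delete variant of the qstat/qflush procedure above, as an added example that is not part of the original post. The function names, the sample queue and the hostnames are constructed for illustration; it assumes the layout the post relies on (a qf<ID> control file holding a "$_host [ip]" line, plus a df<ID> body file), matches the relay as a literal string rather than a regex, and tolerates files that vanish while it runs.

```shell
#!/bin/sh
# Added example: count relays, then quarantine (move, not rm) one relay's mail.
# Assumed layout: qf<ID> control file with a "$_host [ip]" line, df<ID> body.

# top_relays QUEUE_DIR [N]: print the N busiest relays as "count host".
top_relays() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue          # vanished file or unmatched glob
        # host part of the first "$_" line in this control file
        sed -n 's/^\$_\([^ ]*\).*/\1/p' "$f" 2>/dev/null | head -n 1
    done | sort | uniq -c | sort -rn | head -n "${2:-5}" |
        awk '{print $1, $2}'
}

# quarantine_relay QUEUE_DIR HOST DEST_DIR: move all files of every message
# whose relay is exactly HOST into DEST_DIR; print how many messages moved.
quarantine_relay() {
    q=$1 host=$2 dest=$3 moved=0
    mkdir -p "$dest" || return 1
    for f in "$q"/qf*; do
        [ -f "$f" ] || continue
        relay=$(sed -n 's/^\$_\([^ ]*\).*/\1/p' "$f" 2>/dev/null | head -n 1)
        [ "$relay" = "$host" ] || continue   # literal compare, no regex
        id=${f##*/qf}
        # ??ID covers qf, df and any other two-letter file of this message
        for part in "$q"/??"$id"; do
            [ -f "$part" ] && mv "$part" "$dest"/ 2>/dev/null
        done
        moved=$((moved + 1))
    done
    echo "$moved"
}

# make_sample_queue DIR: constructed data, three messages from two relays.
make_sample_queue() {
    mkdir -p "$1" || return 1
    for spec in A1:bomb.example.net B2:bomb.example.net C3:mx.example.org; do
        id=${spec%%:*}; host=${spec#*:}
        printf 'V8\n$_%s [192.0.2.7]\nS<x@%s>\n' "$host" "$host" > "$1/qf$id"
        echo body > "$1/df$id"
    done
}
```

Moving the files to a holding directory keeps the messages available for review in case some of the bounces turn out to be legitimate.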
