Vicious Circle

Dave Goodrich ldg at TLS.NET
Sun Mar 6 05:10:13 GMT 2005


John Rudd wrote:

> On Mar 5, 2005, at 9:10 AM, Dave Goodrich wrote:
>
>>
>> I am at a loss, the root of the issue is I have 100k messages a day,
>> some just *might* be legitimate address misspellings, I can't drop all
>> bounces. But the vast majority are trash.
>>
>> What's a sysadmin to do?
>>
>
> (while everyone else is telling you what you should have done to
> prevent this, I'll answer this part: what you can do while it's
> happening ... though, you're probably already through the bulk of it)

Yep, dropping double bounces has helped.

>
> I have two scripts I run, qstat and qflush.  You're going to probably
> want to run them (as root) like:

Ahh, those will help to clean out the cruft without waiting for the
changes to take place.

Thanks,

DAve

>
> # qstat mqueue
> # qflush mqueue relay.domain.tld
> (where relay.domain.tld is something you pull out of the results of
> qstat)
>
> You may get some errors from qflush about the files not being there.
> That just means sendmail got rid of them before you could (or
> mailscanner finished scanning them, if you're running against
> mqueue.in, before you got to cleaning them out).
>
>
> 1) qstat - identify the relays of the messages in your queue (I assume
> that they're in mqueue now, and not mqueue.in, but it's just a slight
> substitution if they're in mqueue.in: I use this technique to filter
> out mail bombs that are clogging up mqueue.in):
>
> #!/bin/sh
>
> if [ "$#" -ne "1" ]; then
>    echo "usage: qstat queue"
>    echo "   queue = mqueue | mqueue.in"
>    exit 1
> fi
>
> # stop if the queue directory does not exist
> cd "/var/spool/$1" || exit 1
>
> # this next blob is all one line, but my mail program might wrap it wrong
> /bin/ls | /bin/grep "^qf" | /bin/xargs -I file grep "^._" file | /bin/sed -e "s/^._//" | /bin/sort | /bin/uniq -c | /bin/sort -n | /bin/tail -5
>
> # end
>
>
> This will tell you who the top 5 relays are.  If you got a mail bomb or
> dictionary attack from a single source, it will be REALLY obvious who
> is dominating your mail queue from this.
>
>
> 2) qflush - flush the bad relay out of your queue:
>
> #!/bin/sh
>
> if [ "$#" -lt "2" ]; then
>    echo "usage: qflush queue pattern"
>    echo "  queue = mqueue.in | mqueue"
>    echo "  pattern = hostname in qf:\$_"
>    exit 1
> fi
>
> if [ "$#" -ge "3" ]; then
>    echo "usage: qflush queue pattern"
>    echo "  queue = mqueue.in | mqueue"
>    echo "  pattern = hostname in qf:\$_"
>    exit 1
> fi
>
> # stop if the queue directory does not exist, so rm never runs elsewhere
> cd "/var/spool/$1" || exit 1
>
> # unpredictable temp file name, since this runs as root
> tmp=`mktemp /tmp/qflush.XXXXXX` || exit 1
>
> # this next blob is all one line, but my mail program might wrap it wrong
> /bin/ls | /bin/grep "^qf" | /bin/xargs -I file /bin/grep -l "^._$2" file | /bin/grep -vi "no such file" | /bin/sed -e "s/^qf/rm \?\?/" -e "s/:.*//" > "$tmp"
>
> /bin/sh "$tmp"
>
> /bin/rm "$tmp"
> # end
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>


--
Dave Goodrich
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!
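
The qstat/qflush procedure quoted above, reworked as an added example that is not part of the original post or of John Rudd's scripts: it matches the relay as a literal prefix rather than a regex, defaults to a dry run, and deletes without staging a script in /tmp. The function names and the `--delete` flag are this example's own; it assumes, as the scripts above do, that each qf file records its relay on a line starting with `$_`.

```shell
#!/bin/sh
# Added example, not the original qstat/qflush. Assumes sendmail qf control
# files record the relay on a line that starts with "$_".

# relay_counts DIR: print "count relay" per relay, busiest last.
relay_counts() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue            # no match, or sendmail removed it
        sed -n 's/^\$_//p' "$f" 2>/dev/null
    done | sort | uniq -c | sort -n
}

# relay_files DIR RELAY: list qf files whose "$_" value starts with RELAY.
# The quoted case pattern is a literal prefix, so "." is not a wildcard.
relay_files() {
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        relay=$(sed -n 's/^\$_//p' "$f" 2>/dev/null) || continue
        case $relay in
            "$2"*) printf '%s\n' "$f" ;;
        esac
    done
}

# relay_flush DIR RELAY [--delete]: dry run unless --delete is given.
# Deletes directly; no script is staged in /tmp and nothing is eval'd.
relay_flush() {
    if [ ! -d "$1" ] || [ -z "$2" ]; then
        echo "usage: relay_flush dir relay [--delete]" >&2
        return 2
    fi
    relay_files "$1" "$2" | while IFS= read -r qf; do
        id=${qf##*/qf}                     # queue id shared by the qf/df pair
        if [ "${3:-}" = "--delete" ]; then
            rm -f -- "$1"/??"$id"
        else
            echo "would remove: $1/??$id"
        fi
    done
}
```

Source the file, review the output of `relay_counts` and the dry run of `relay_flush` against the queue directory, and only then repeat the `relay_flush` call with `--delete`.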
