Exim: Delete mail sent from user account/group!

Fahd

Hello,

How can I delete all messages stuck in my exim queue that were sent by a particular user account/group? I had a user account with a weak password that some spammers used to send out mail. I now have over 120,000 emails stuck in my queue. If the user account is named "spammer" how would I delete them all?

I had a look at the exim cheatsheet but it lists options to delete based on sender address only. The problem is that this user account was used to send email with forged from headers at various domains like yahoo, hotmail, gmail, aol, etc.

Thanks for your help! :)
 
Try:
Code:
exim -bp | grep 'spammer' | awk '{print $3}' | xargs exim -Mrm
 
Thanks for that. Well it took several hours to run to completion and I got the message...

exim: no message ids given after -Mrm option

No change to my mailbox queue. Still has over 120,000 messages.
 
I hope you were looking for the word you wanted to find, and not the word spammer.

Jeff
 
Yes, I typed in the CentOS user name I wanted to replace spammer. But it had no effect on my mail queue. I'm still looking for a resolution. :(
 
First question: did you run this as root? If not, then run it again as root.

If it still doesn't return anything, then try only this part of the command:
Code:
# exim -bp | grep 'spammer' | awk '{print $3}' > filename.txt
(Note that in my examples the # isn't to be typed; it's there to show you to execute the code as root.)

Then check out filename.txt to see what is being returned. If that returns nothing, then try this part of the command:
Code:
# exim -bp | grep 'spammer' > filename.txt
and check to see what it returns. You may find that exim isn't returning the message identifier it needs to do the deletion.

Here's what I'd do:

You probably don't ever look at frozen messages. Do you? If so, look at them now, as you'll be deleting all frozen messages.

I'd freeze all messages I can afford to get rid of:

First freeze by given sender domain:
Code:
# exiqgrep -i -f @example.tld | xargs exim -Mf
Then freeze by given recipient domain:
Code:
# exiqgrep -i -r @example.tld | xargs exim -Mf
Then I'd remove all frozen messages:
Code:
# exiqgrep -z -i | xargs exim -Mrm
All of this will take time.

Once you're done I'd bet a large portion of those 120,000 messages will be gone.

If that doesn't work for you (it's up to you to figure out what you still need to freeze that hasn't already been frozen) and you're willing to lose the good with the bad, write back and ask someone to show you how to delete the entire message queue.

Jeff
 
Thank you for the suggestions Jeff.

Yes, I did run the earlier command as root.

I just started running the first command you suggested as root in a screen session (so as not to time out on ssh). Will post back with results when it's done.

Well, as soon as NAC notified me of the outgoing spam from my server, I stopped the exim service and cleared all frozen messages at the time. This did get rid of about 1000 messages at the time. However, since the exim queue runners are not running, it is my understanding that these messages would not be frozen now even though they are more than the 5d old threshold setting. I haven't since gotten rid of the "spammer" account with the weak password. However, there are tons of outgoing mails still in the queue and so I cannot start my exim queue runners (even with the local queue only option) without sending out spam. I forgot to mention, I also deleted all emails with null sender as I was seeing a lot of bounce messages due to the spam.

The problem with freezing by sender domain is that there are several different sender domains being used. The only common thing among all these mails is the nix user account/auth_id that was used to spam.

I'm wondering if somehow the number of arguments being passed to xargs is too big for even xargs to handle? Or perhaps one of the message ids being returned to xargs is invalid and it aborts the entire operation? I'm not really sure exactly how xargs works! I just know that it processes a limited number of arguments at a time.
 
Hi again Jeff,

This
Code:
# exim -bp | grep 'spammer' | awk '{print $3}' > filename.txt
completed, and when I opened the output text file it was empty with 9 lines; as in, pico said it read 9 lines but the file had nothing in it.
 
I'd say continue to go through the other tries, just to see what's there. But my best bet is you're going to end up deleting the entire mail queue.

Yes I know this gets rid of some (maybe a lot of) real messages. Have you any other ideas?

Jeff
 
Hi Jeff,

My analysis is that for some reason exiqgrep doesn't seem to work on large mail queues, as the several commands I've tried, including the ones you suggested, seem to end with no measurable results. Most of the time I get the message "no message ids given after exim -Mrm" or I get an error along the lines of "invalid line in message...". Or the command executes to completion without doing anything.

I am however down to about 25,000 messages now. Here is what is working for me...

1. Deletion of frozen messages using...
Code:
exim -bpru | grep frozen | awk '{print $3}' | xargs exim -Mrm

2. Deletion of null sender/bounce messages using...
Code:
exim -bpru | grep '<>' | awk '{print $3}' | xargs exim -Mrm

3. Deletion of specific sender domains using...
Code:
exim -bpru | grep '@domain.com' | awk '{print $3}' | xargs exim -Mrm

I am selecting domains by manually viewing the output of
Code:
exim -bp
as I get some immediate output. The most common spam domains I found were the usual suspects like gmail.com, hotmail.com, yahoo.com and also region specific domains like yahoo.fr, libero.it, btinternet.com, net.tf, etc. For those with smaller mail queues it might be easier to just get the output of eximstats by sender domain and then run the above command, which is what I plan to do once I get my Q down to a more manageable size. Right now eximstats would take several hours to run to completion on my Q.

Blindly deleting the entire queue is not an option for me and is not one I would recommend either.

By the way, I am running Exim 4.69. The exim cheatsheet I referred to in this thread can be found at http://bradthemad.org/tech/notes/exim_cheatsheet.php

Thanks for everyone's help and suggestions! I believe I can take it from here on! :)
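The root of the trouble above is that `exim -bp` prints only the envelope sender, which the spammer forged per message, while the one thing all of those messages share is the authenticated login Exim records in each spool header. The following POSIX sh script is an added example, not from this thread or the cheatsheet; it assumes Exim 4.x, root privileges (`exim -Mvh` needs an admin user), and a spool header that carries a `-auth_id <login>` line for mail accepted over an authenticated session.

```shell
#!/bin/sh
# Added example, not from the thread: select queued Exim messages by the
# authenticated login (auth_id) in their spool header, because "exim -bp"
# only shows the envelope sender, which the spammer forged per message.
# Assumptions: Exim 4.x, run as root (exim -Mvh needs an admin user), and
# a spool header that carries "-auth_id <login>" for authenticated mail.

# Print the auth_id of one spool header (exim -Mvh output) read from stdin.
header_auth_id() {
    awk '$1 == "-auth_id" { print $2; exit }'
}

# Succeed when the spool header on stdin was authenticated as login $1.
# An empty login never matches, so a typo cannot select the whole queue.
header_matches_auth() {
    [ -n "$1" ] && [ "$(header_auth_id)" = "$1" ]
}

# Extract message ids from "exim -bp"-style listing text on stdin, skipping
# the indented recipient lines and the "*** frozen ***" markers.
queue_ids() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }'
}

# List (read-only) every queued id whose header was authenticated as $1.
# -bpru lists unsorted, undelivered only: cheaper than -bp on a huge queue.
# On a 120k queue, grepping the spool directly is faster, e.g.
#   grep -l '^-auth_id spammer$' /var/spool/exim/input/*-H
# (spool path is an assumption; check exim -bP spool_directory first).
list_queue_by_auth_id() {
    exim -bpru | queue_ids | while read -r id; do
        if exim -Mvh "$id" 2>/dev/null | header_matches_auth "$1"; then
            printf '%s\n' "$id"
        fi
    done
}

# Remove those messages in batches of 200. xargs -r (GNU) skips the exim
# call when nothing matched instead of failing with "no message ids given".
remove_queue_by_auth_id() {
    list_queue_by_auth_id "$1" | xargs -r -n 200 exim -Mrm
}

# Usage: review the list first, then remove.
#   list_queue_by_auth_id spammer > ids.txt
#   remove_queue_by_auth_id spammer
```

Run the list step first and inspect ids.txt; a message accepted without authentication (a local submission or a relay) has no `-auth_id` line and is left alone.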
 
Glad to hear you finally have it done.

We use the same cheatsheet with some custom additions I've written myself over time.

Jeff
 
jlasman YOU RULE. I registered over here just to thank you for your GREAT advice. You rock :)

Thanks. If you ever need some hosting space, let me know :)
 