Koozali.org: home of the SME Server

Monitoring Mail

mmccarn
Re: Monitoring Mail
« Reply #15 on: June 08, 2017, 12:38:46 PM »
If you don't normally talk to any of these domains, or to stop all email to these domains while you debug the problem, you could create 'filmportal.de', 'yahoo.com' and 'live.com' as local domains on your SME server, find and fix the source of the problem, then delete the local domains.

mmccarn
Re: Monitoring Mail
« Reply #16 on: June 08, 2017, 12:42:45 PM »
It's possible that email to these specific addresses would be dropped if you create qmail's 'badmailto' control file and restart qmail:

Code:
echo 'presse@filmportal.de
jvcyr2002@yahoo.com
davidjones@live.com' > /var/qmail/control/badmailto
sv t qmail

If that causes problems, or when you're done debugging, remove the file and restart qmail again:
Code:
rm -f /var/qmail/control/badmailto
sv t qmail

[edit]
No - this doesn't seem to work... (I attempted to block a test email, but could still send to it through my SME server).
« Last Edit: June 08, 2017, 12:47:58 PM by mmccarn »

Bud
Re: Monitoring Mail
« Reply #17 on: June 12, 2017, 02:56:55 PM »
Stefano,

Thank you for your help.

I am getting tons of the following in my qmail:

----------------------------------------

Qmail message queue, viewed at:
Mon Jun 12 14:42:55 2017
2259620 (8, 8/2259620)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 07:54:15 +0000
  Size: 1008 bytes

2254748 (12, 12/2254748)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 06:47:00 +0000
  Size: 1008 bytes

2257480 (7, 7/2257480)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 07:24:32 +0000
  Size: 1008 bytes

2255955 (0, 0/2255955)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 07:03:42 +0000
  Size: 1008 bytes

2256608 (9, 9/2256608)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 07:12:47 +0000
  Size: 1008 bytes

2254519 (13, 13/2254519)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 06:43:56 +0000
  Size: 1008 bytes

2254026 (3, 3/2254026)
  Return-path: davidjones@live.com
  From: "Mr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Mon, 12 Jun 2017 06:36:45 +0000
  Size: 1008 bytes

------------------------------------------------------

With the result no mail is going out, as the ISP is blocking any delivery of mail.

How do I find out where the message originates from? What PC, hostname, user, IP on the LAN?

Any ideas  :(




Stefano
Re: Monitoring Mail
« Reply #18 on: June 12, 2017, 05:09:41 PM »
Check qpsmtpd log to see who is injecting those emails

Daniel B.
Re: Monitoring Mail
« Reply #19 on: June 12, 2017, 05:49:45 PM »
> Check qpsmtpd log to see who is injecting those emails

It could be injected into qmail directly by, e.g., a compromised web application.
It's the end of the world!!! :lol:

Stefano
Re: Monitoring Mail
« Reply #20 on: June 12, 2017, 05:55:36 PM »
Indeed, my bad (I'm on the phone..)
So, Bud, check both qmail and qpsmtpd logs

CharlieBrady
Re: Monitoring Mail
« Reply #21 on: June 12, 2017, 08:01:02 PM »
> Indeed, my bad (I'm on the phone..)
> So, Bud, check both qmail and qpsmtpd logs

IMO it will be quicker and more useful to find one such message in the queue and look at its Received: headers.

CharlieBrady
Re: Monitoring Mail
« Reply #22 on: June 12, 2017, 08:03:13 PM »
> With the result no mail is going out, as the ISP is blocking any delivery of mail.
>
> How do I find out where the message originates from? What PC, hostname, user, IP on the LAN?

You need to:

1. stop qmail and qpsmtpd
2. identify the source of the problem and then fix it.
3. clean your mail queue of all the bad messages
4. restart qmail and qpsmtpd

You may need to interact with your ISP and/or with some email blacklists before you will then be able to send email via your ISP.

Bud
Re: Monitoring Mail
« Reply #23 on: June 13, 2017, 05:27:25 AM »
Thank you everyone for your input and support.

CharlieBrady,

2. identify the source of the problem and then fix it. - That is exactly what I am trying to do. What do you recommend I do to identify the source(s)?
3. clean your mail queue of all the bad messages - How do I determine where in my mail queue all the bad messages are, or do you recommend I do the following?

sv d /service/qmail
mv /var/qmail/queue /var/qmail/queue.spam
yum -y reinstall qmail
signal-event email-update

Any help appreciated  :-)

Daniel B.
Re: Monitoring Mail
« Reply #24 on: June 13, 2017, 06:25:50 PM »
Look at your logs (/var/log/qmail/current and /var/log/qpsmtpd/current); you should be able to identify where those emails are coming from. You can also check the raw message. E.g., identify one of those spam messages in the qmail queue:

Code:
grep -r 'IMMEDIATE ATTENTION' /var/qmail/queue/mess

Then open one of the results:

Code:
less /var/qmail/queue/mess/22/2097530

And look especially at the headers. You should either see the client IP if it was submitted through qpsmtpd, or the uid of the user if injected directly in qmail. Depending on that, you can investigate further.
« Last Edit: June 13, 2017, 06:44:44 PM by Daniel B. »

CharlieBrady
Re: Monitoring Mail
« Reply #25 on: June 13, 2017, 09:47:17 PM »
> sv d /service/qmail
> mv /var/qmail/queue /var/qmail/queue.spam
> yum -y reinstall qmail

This will give a new clean qmail queue, but you will be left with some valid messages stuck in the old queue. I would recommend you be more selective on deleting messages from the existing queue. But it's up to you...
 

Jean-Philippe Pialasse
Re: Monitoring Mail
« Reply #26 on: June 13, 2017, 10:18:54 PM »
Using qmHandle (https://wiki.contribs.org/Qmhandle_mail_queue_manager):

Code:
qmHandle -h'davidjones@live.com'
will delete all the emails in the queue with the email davidjones@live.com in the headers.

Bud
Re: Monitoring Mail
« Reply #27 on: June 21, 2017, 06:17:22 AM »
Guys, thank you for all your help, much appreciated.

OK, so I get this problem every day regarding davidjones@live.com.

I check the queue and logs.
I do a "grep -r 'YOUR IMMEDIATE ATTENTION IS REQUIRED' /var/qmail/queue/mess".
I get over 9k of mail messages from "davidjones@live.com",
with the result I have to keep deleting the emails as per Jean-Philippe Pialasse: qmHandle -h'davidjones@live.com' every day.

An example of the "/var/log/qpsmtpd/current":

2260492 (6, 6/2260492)
  Return-path: davidjones@live.com
  From: "Barr.David Jones" 'davidjones@live.com'
  To: Recipients 'davidjones@live.com'
  Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
  Date: Tue, 20 Jun 2017 16:28:57 +0000
  Size: 1008 bytes

An example of "less /var/qmail/queue/mess/6/2260492":

Received: (qmail 15347 invoked by uid 453); 20 Jun 2017 16:08:18 -0000
Authentication-Results: mysmeserver.com; auth=pass (login) smtp.auth=theresa
Received: from Unknown (HELO [104.192.4.19]) (104.192.4.19)
 by mysmeserver.com (qpsmtpd/0.96) with ESMTPSA (DHE-RSA-AES256-SHA encrypted); Tue, 20 Jun 2017 18:08:18 +0200
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED
To: Recipients <davidjones@live.com>
From: "Barr.David Jones" <davidjones@live.com>
Date: Tue, 20 Jun 2017 16:07:57 +0000
Reply-To: davidwhite_chambers@yahoo.com

Attention:

I am David Jones Attorney to the late Engr.Steve Moore who died with his wi=
fe and their three kids in a car accident.

Before his death he had funds valued at $27 Million deposited in a bank

I need your assistance to retrieve the money left behind by my client.

Get back to me for more details.

Thanks

Barr David Jones

Please guys, I need help on how do I get rid of this problem  :?

« Last Edit: June 21, 2017, 06:24:59 AM by Bud »

Daniel B.
Re: Monitoring Mail
« Reply #28 on: June 21, 2017, 06:29:44 AM »
The theresa account on your server is compromised. Change its password ASAP, and then clean up the qmail queue.
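
The header check Daniel B. describes in reply #24, run over every matching message in the queue instead of one file opened by hand. This is an added example, not code from any poster or from SME Server; the function names, the output labels and the sample messages (mail.example, alice, 192.0.2.10, uid 48) are made up for illustration.

```shell
#!/bin/sh
# Added example: count where queued messages containing PATTERN came from.
# usage: queue_origins PATTERN [MESS_DIR]   (default: /var/qmail/queue/mess)
queue_origins() {
    grep -rlF -- "$1" "${2:-/var/qmail/queue/mess}" 2>/dev/null |
    while IFS= read -r f; do
        awk '
        function note_header() {      # inspect one complete, unfolded header
            if (hdr ~ /^Authentication-Results:/ && match(hdr, /smtp\.auth=[^ ;]+/))
                user = substr(hdr, RSTART + 10, RLENGTH - 10)
            else if (hdr ~ /^Received:.*qpsmtpd/ && ip == "" &&
                     match(hdr, /\([0-9a-fA-F.:]+\)/))
                ip = substr(hdr, RSTART + 1, RLENGTH - 2)
            else if (hdr ~ /^Received: \(qmail [0-9]+ invoked by uid/ && uid == "" &&
                     match(hdr, /uid [0-9]+/))
                uid = substr(hdr, RSTART + 4, RLENGTH - 4)
            hdr = ""
        }
        /^$/     { exit }                   # first blank line ends the headers
        /^[ \t]/ { hdr = hdr $0; next }     # continuation line of a folded header
                 { note_header(); hdr = $0 }
        END {
            note_header()
            if (user != "")     print "smtp-auth user=" user " ip=" ip
            else if (ip != "")  print "smtp-noauth ip=" ip
            else if (uid != "") print "local-inject uid=" uid
            else                print "unknown"
        }' "$f"
    done | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Constructed sample messages (not from a real queue) to try the function on.
make_sample_queue() {
    mkdir -p "$1/6" "$1/22"
    subj='Subject: YOUR IMMEDIATE ATTENTION IS REQUIRED'
    for id in 1001 1002; do
        printf '%s\n' 'Received: (qmail 1111 invoked by uid 453); 20 Jun 2017 16:08:18 -0000' \
            'Authentication-Results: mail.example; auth=pass (login) smtp.auth=alice' \
            'Received: from Unknown (HELO [192.0.2.10]) (192.0.2.10)' \
            ' by mail.example (qpsmtpd/0.96) with ESMTPSA; Tue, 20 Jun 2017 18:08:18 +0200' \
            "$subj" '' 'body' > "$1/6/$id"
    done
    printf '%s\n' 'Received: (qmail 2222 invoked by uid 48); 20 Jun 2017 16:09:00 -0000' \
        "$subj" '' 'body' > "$1/22/2001"
}
# Try it: d=$(mktemp -d); make_sample_queue "$d"; queue_origins 'IMMEDIATE ATTENTION' "$d"
```

A `smtp-auth` line names the mailbox whose login was used and the client address it came from; a `local-inject` line means the message was queued on the server itself under that uid.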

Bud
Re: Monitoring Mail
« Reply #29 on: June 21, 2017, 06:46:11 AM »
Daniel B., thank you for your quick reply.

You mentioned "cleanup the qmail queue".

How do I do that?

I have done so, I will monitor and reply.

Thank you  :)
« Last Edit: June 21, 2017, 06:52:45 AM by Bud »