Site Number

[KrazyBob]

I am having a heavy spam attack that has left tens of thousands of messages on my server. I am using qmHandle to delete all of the messages.

Deleting message: 13/338431282

I assume that 13 is the site number followed by the message number. How may I use this information to find the site name?

[prupert]

The queue has no knowledge of this sort of information. There is no such thing as 'site number'.

You should check the e-mail headers and/or log files to determine the source of the message.

[faris]

I think 13 is just the number of the message in the qmail queue?

*remember* if the spammer is still connected and happily sending more spam, restarting qmail or adding his Ip to a firewall will not have any effect and he'll still be sending spam. You need to manually kill the qmail process he's connected to.

[KrazyBob]

I don't know how to find the information.

[prupert]

The message headers and mail log will give you more information about the source of the message.

[KrazyBob]

Please! You must understand. I don't know what to look for. Telling me that the headers and maillog will help is still telling me to go fish.

[KrazyBob]

This is FRUSTRATING!!! formmail.php tells me that it is a script running every 5 seconds. But where?

[Output of formmail.php]
Tue Jul 16 15:54:02 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 15:54:02 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 15:55:16 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:00:33 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:05:17 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:10:30 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:15:36 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:20:22 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:25:18 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:30:23 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash

[prupert]

In that case it's probably best to ask your sysadmin.

Although I would really like to help you here, all I will do is repeating or rephrasing stuff you can easily find online. How message headers work and how mail servers write their log files is no secret. A little research done by yourself is always greatly appreciated on community forums: remember, we're all here on our spare time! If you have nor the time nor the knowledge there are plenty of capable folks out there that you can hire.

If you suspect spam via scripts pay close attention to the x-php-originating-script header rule that indicates which user and script has send the message. If you suspect abuse via SMTP inspect the maillog for repeated occurrences of SMTP auth's from different IP's. Those are the 'usual suspects' on shared hosting environments. However, it could also originate from something/somewhere else.

[KrazyBob]

You write as if I am not doing research. I Am the SysAdmin and I am stuck. If your time is short I understand. Don't reply. But I must find the source and I've hit a hard wall.

[KrazyBob]

Will pay for qualified Admin to resolve spammer issue.

[KrazyBob]

I humbly submit that I will pay a qualified admin to locate and terminate my spammer. I have followed all of the tricks that I know; searched the Internet and come up empty. There are over 1 million emails in the queue. They are being sent as root.

Please! Contact me and make some $$$.

[KrazyBob]

I have located the sender and disabled the account and deleted the email address. I thought that would delete his queue.

It didn't. Is there an application that will quickly clear the queue? qmHandle is far too slow.

[scott]

Nope, thats it

[KrazyBob]

I put together a basic script that will dump everything in the queue but its slow.

Code: Select all

service qmail stop;;
rm -fr /var/qmail/queue/mess/;
rm -fr /var/qmail/queue/info/;
rm -fr /var/qmail/queue/local/;
rm -fr /var/qmail/queue/intd/;
rm -fr /var/qmail/queue/todo/;
rm -fr /var/qmail/queue/remote/;
service qmail start;

Qmail rebuilds the directory structure again.

[KrazyBob]

Does vzrestore restore the OS as well as the sites?

After following directions word for word qmail isn't working correctly. I am tired and frustrated. I ran qmHandle -D and deleted some directories manually. I then ran.

Code: Select all

/usr/local/psa/admin/bin/mchk --with-spam

and nothing.

Please understand that when I ask a question I do so humbly and without any expectations. But you were all new once and know how I feel. In this case I need to migrate to Plesk 11.5 but I cannot get off of Plesk 8.3 on Centos 4.9. Parallels is of no help. EOL and all that. Apparently I write in a way that comes across poorly when that isn't my intention. Maybe its the stress I am feeling. I'll admit that this is my small business and I am scared and alone.

Plesk 8.3 is EOL and so is the yum repository. I don't know how to find and reinstall psa-qmail. Can anyone offer advice that will get me in the right direction? The name and number of a management company?