Site Number
I am having a heavy spam attack that has left tens of thousands of messages on my server. I am using qmHandle to delete all of the messages.
Deleting message: 13/338431282
I assume that 13 is the site number followed by the message number. How may I use this information to find the site name?
Re: Site Number
The queue has no knowledge of this sort of information. There is no such thing as 'site number'.
You should check the e-mail headers and/or log files to determine the source of the message.
Lemonbit Internet Dedicated Server Management
Re: Site Number
I think 13 is just the number of the message in the qmail queue?
*remember* if the spammer is still connected and happily sending more spam, restarting qmail or adding his IP to a firewall will not have any effect and he'll still be sending spam. You need to manually kill the qmail process he's connected to.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: Site Number
I don't know how to find the information.
Re: Site Number
The message headers and mail log will give you more information about the source of the message.
Lemonbit Internet Dedicated Server Management
Re: Site Number
Please! You must understand. I don't know what to look for. Telling me that the headers and maillog will help is still telling me to go fish.
Re: Site Number
This is FRUSTRATING!!! formmail.php tells me that it is a script running every 5 seconds. But where?
[Output of formmail.php]
Tue Jul 16 15:54:02 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 15:54:02 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 15:55:16 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:00:33 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:05:17 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:10:30 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:15:36 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:20:22 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:25:18 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Tue Jul 16 16:30:23 PDT 2013 - / - root $1$pM8YzyeT$F.5MwcAJklWYxeThoceKe. 0 0 root /root /bin/bash
Re: Site Number
In that case it's probably best to ask your sysadmin.
Although I would really like to help you here, all I will be doing is repeating or rephrasing stuff you can easily find online. How message headers work and how mail servers write their log files is no secret. A little research done by yourself is always greatly appreciated on community forums: remember, we're all here on our spare time! If you have neither the time nor the knowledge there are plenty of capable folks out there that you can hire.
If you suspect spam via scripts pay close attention to the x-php-originating-script header rule that indicates which user and script has sent the message. If you suspect abuse via SMTP inspect the maillog for repeated occurrences of SMTP auths from different IPs. Those are the 'usual suspects' on shared hosting environments. However, it could also originate from something/somewhere else.
Lemonbit Internet Dedicated Server Management
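Added example (not part of the original posts): one way to apply the header check described above to a qmail queue. It assumes the stock conf-split of 23, under which an id such as 13/338431282 printed by qmHandle is the file mess/13/338431282 (13 being the inode number modulo 23), and the usual "uid:script" value of the X-PHP-Originating-Script header. The function names and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# qmail stores each queued message as mess/<bucket>/<inode>, with
# bucket = inode mod conf-split (23 on a stock build; assumed here).
bucket_of() { echo $(( $1 % 23 )); }

# Classify one queued message from its header block (up to the first blank line).
classify_msg() {
    awk '
        /^$/ { exit }
        tolower($1) == "x-php-originating-script:" { php = $2 }
        src == "" && /^Received: \(qmail [0-9]+ invoked by uid [0-9]+\)/ {
            src = "local-uid " $7; sub(/\).*/, "", src)
        }
        src == "" && /^Received: \(qmail [0-9]+ invoked from network\)/ { src = "network" }
        END {
            if (php != "") print "php-script " php
            else if (src != "") print src
            else print "unknown"
        }' "$1"
}

# Tally every message under a mess directory, most frequent source first.
# On a real server $1 would be /var/qmail/queue/mess.
tally_sources() {
    find "$1" -type f | while IFS= read -r f; do classify_msg "$f"; done |
        sort | uniq -c | sort -rn |
        awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c, $0 }'
}

# Constructed sample queue: three PHP-injected messages, one SMTP delivery.
make_sample() {
    mkdir -p "$1/13" "$1/20"
    for id in 338431282 338431305 338431328; do
        printf '%s\n' 'Received: (qmail 4242 invoked by uid 48); 16 Jul 2013 22:54:02 -0000' \
            'X-PHP-Originating-Script: 10001:formmail.php' 'Subject: constructed' '' 'body' \
            > "$1/13/$id"
    done
    printf '%s\n' 'Received: (qmail 4250 invoked from network); 16 Jul 2013 22:55:16 -0000' \
        'Received: from unknown (HELO mail.example) (192.0.2.10) by host.example with SMTP' \
        'Subject: constructed' '' 'body' > "$1/20/338431289"
}

demo=$(mktemp -d) && make_sample "$demo" && tally_sources "$demo"
rm -rf "$demo"
```

A queue dominated by one "php-script" line points at that script and its owning uid; one dominated by "network" points at SMTP submissions, which the maillog then attributes to an authenticated user or IP.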
Re: Site Number
You write as if I am not doing research. I am the SysAdmin and I am stuck. If your time is short I understand. Don't reply. But I must find the source and I've hit a hard wall.
Wanted: Admin to Locate my Spammer $$$ Re: Site Number
Will pay for qualified Admin to resolve spammer issue.
Re: Site Number
I humbly submit that I will pay a qualified admin to locate and terminate my spammer. I have followed all of the tricks that I know; searched the Internet and come up empty. There are over 1 million emails in the queue. They are being sent as root.
Please! Contact me and make some $$$.
Re: Site Number
I have located the sender and disabled the account and deleted the email address. I thought that would delete his queue.
It didn't. Is there an application that will quickly clear the queue? qmHandle is far too slow.
Re: Site Number
Nope, that's it
Re: Site Number
I put together a basic script that will dump everything in the queue but it's slow.
Qmail rebuilds the directory structure again.
Code: Select all
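# Stop qmail so nothing is reading or writing the queue
service qmail stop;
# Remove the queue subdirectories and everything in them
rm -fr /var/qmail/queue/mess/;
rm -fr /var/qmail/queue/info/;
rm -fr /var/qmail/queue/local/;
rm -fr /var/qmail/queue/intd/;
rm -fr /var/qmail/queue/todo/;
rm -fr /var/qmail/queue/remote/;
# Start qmail again
service qmail start;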
Re: Site Number
Does vzrestore restore the OS as well as the sites?
After following directions word for word qmail isn't working correctly. I am tired and frustrated. I ran qmHandle -D and deleted some directories manually. I then ran.
Code: Select all
/usr/local/psa/admin/bin/mchk --with-spam
and nothing.
Please understand that when I ask a question I do so humbly and without any expectations. But you were all new once and know how I feel. In this case I need to migrate to Plesk 11.5 but I cannot get off of Plesk 8.3 on Centos 4.9. Parallels is of no help. EOL and all that. Apparently I write in a way that comes across poorly when that isn't my intention. Maybe it's the stress I am feeling. I'll admit that this is my small business and I am scared and alone.
Plesk 8.3 is EOL and so is the yum repository. I don't know how to find and reinstall psa-qmail. Can anyone offer advice that will get me in the right direction? The name and number of a management company?