Category: Internet

Managing The Exim Queue (For SysAdmins) – Removing Unwanted Messages From the Exim Queue

Have you ever had a rogue user trying to spam the world (on purpose, or just because he caught a bad bug?), a temporary problem with your carrier, users who endlessly type hotmal, gmal, hotmial instead of… you get the idea! Then you’ve probably experienced an email queue so long you can’t see the end of it, and it would take hours to process.

You can see how many messages are in the queue by issuing exim -bpc, and list the queue itself with exim -bpu.

In order to speed up queue delivery, we can give Exim a hand.

Deleting all Frozen messages

Frozen messages are just bounce messages, that is, notifications that a certain message delivery failed.

Those messages are stuck and going nowhere (**) so let’s just delete them.

You have two options:

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

Basically, we just listed the queue, looked for the word frozen, extracted the message ID and passed that ID to exim to delete it. Or, even better, run the following to get the same result without also matching messages that merely contain the word frozen elsewhere in their queue entry:

exiqgrep -z -i | xargs exim -Mrm

Now, if you don’t want to type that much, just create a script to do it. For example:

#!/bin/bash
exiqgrep -z -i | xargs exim -Mrm

Call it removefrozen.sh or whatever you want, place it in an appropriate path, and just call the script every time you need it without the hassle.

Additionally, to get rid of such bounces faster, you might want to change these lines in the exim configuration file:

ignore_bounce_errors_after = 2d   -> unfreezes a bounce so exim will try to deliver it again
timeout_frozen_after = 7d         -> deletes frozen messages after 7 days

to

ignore_bounce_errors_after = 12h
timeout_frozen_after = 1d

Now let’s get rid of other messages.

(**) Frozen messages should still be investigated, so that whatever is causing them can be prevented.

Deleting old messages

Messages that have been in the queue for a while, let’s say 1 or 2 days, are unlikely to be delivered. (*) Sometimes the remote mailbox is full, or the domain does not exist, and Exim will keep attempting delivery for as long as its “configure” file allows; usually 4 days.

You can lower that value directly in the configuration file, but if you want to keep the default values and just delete old messages on demand, you can run exiqgrep and delete messages based on their age.

Now, this is something I don’t recommend doing, because you can prevent legitimate mail from being delivered, but if you have no other option, the following example command deletes all messages which have been in the queue for more than 1 day (the age is given in seconds).

exiqgrep -o 86400 -i | xargs exim -Mrm

Again, you can add the command to a simple script for easier access.

Deleting messages to non-existent domains

Now, there’s no way for exim to know whether a domain is valid or not. It only knows whether the DNS lookup has failed. (*) That’s why this is a tricky one. However, typos are sometimes obvious, and if you can identify them you can delete a good number of emails. Now remember, you should give exim some time to attempt to deliver the message so the sender is notified of the failed delivery. Otherwise, the sender would never know he tried to send a message to a wrong recipient.

Some of the super typos I’ve seen are hotmal.com, hotmial.com, homail.com, yahooo.com, etc. A few of these domains exist but they’re not the ones the sender intended. Other cases would be very particular to your users so you might be able to identify those.

So, let’s delete messages to wrong domains with a script.

#!/bin/bash
# Delete every queued message whose recipient matches the first argument
# (e.g. @hotmal.com); quoting "$1" keeps a single argument intact.
exiqgrep -r "$1" -i | xargs exim -Mrm

Call it removerecipient.sh, for example, and call the script with the domain or full email address of the recipient whose messages you want to delete as a parameter. Example: sh removerecipient.sh @hotmal.com

Or if you prefer typing the whole command: exiqgrep -r @hotmal.com -i | xargs exim -Mrm

IMPORTANT: The script above is just a basic example; it’s NOT sanitized and it will match partially. That is, if you intend to delete messages sent to gmal.com and you just execute removerecipient.sh gmal.com, you’ll end up removing messages sent to gmal.com, agmal.com, logmal.com, etc., which may be perfectly good domains.

The basic script is useful, though, if you want to delete thousands of emails to Russian, Korean, etc. accounts with which you have no business whatsoever, aka malware/SPAM.

Therefore, use it with caution, use the whole email address (not just the domain), and validate the parameter inside the script before passing it on. Also, ensure proper permissions are in place.

Deleting messages from non-existent senders

Use with the same precautions as the previous option. In this case, you delete messages from a certain sender, instead of a recipient.

#!/bin/bash
# Delete every queued message whose envelope sender matches the first argument.
exiqgrep -f "$1" -i | xargs exim -Mrm

which is equivalent to running, for instance, exiqgrep -f fake@fakedomain.com -i | xargs exim -Mrm

Call it removesender.sh, for example, and call the script with the domain or full email address of the sender whose messages you want to delete as a parameter. Example: sh removesender.sh @hotmal.com
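The two scripts above are the unsanitized versions the post warns about. As an added example (not the post’s own code), here is a guarded replacement that serves both the recipient and the sender case; it assumes exiqgrep treats the -r and -f arguments as regular expressions, so the target is escaped and anchored, and its -n (dry run) and -s (match sender) switches are this script’s own.

```bash
#!/bin/bash
# Added example, not from the original post: a guarded replacement for
# removerecipient.sh / removesender.sh. Assumes exiqgrep -r/-f take regexes.
set -eu

# Accept only "@domain.tld" or "user@domain.tld"; a bare "gmal.com" (which would
# also match agmal.com and logmal.com) or anything with odd characters is rejected.
validate_target() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9._%+-]+)?@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Turn the literal target into an anchored regex: escape the dots and anchor the
# end, so "@gmal.com" matches neither "@gmalxcom" nor "@gmal.com.example".
target_regex() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    case "$1" in
        @*) printf '%s$' "$escaped" ;;    # whole-domain form: anchor the end only
        *)  printf '^%s$' "$escaped" ;;   # full address: anchor both ends
    esac
}

main() {
    dry_run=0; match=-r                   # -r: recipient (default), -f: sender
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -n) dry_run=1; shift ;;
            -s) match=-f; shift ;;
            *)  break ;;
        esac
    done
    if ! validate_target "${1:-}"; then
        echo "usage: $0 [-n] [-s] @domain.tld | user@domain.tld" >&2
        return 2
    fi
    regex=$(target_regex "$1")
    if [ "$dry_run" -eq 1 ]; then
        exiqgrep -i "$match" "$regex"                 # only list what would go
    else
        exiqgrep -i "$match" "$regex" | xargs -r exim -Mrm   # GNU xargs -r: no input, no run
    fi
}

# Act only when invoked with arguments, so the functions can be sourced safely.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it first with -n to see the message IDs that would be removed, e.g. sh removequeued.sh -n @hotmal.com, and only then without it.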

Identifying the culprit of a spam attack

Now, all the delete commands stated above won’t stop a spam attack, they will only help in cleaning the email queue. You should identify the sender of the spam and block him. How?

First, you have to identify one of the spam messages and grab its ID.

See the queue: exim -bpu

Identify a suspicious email, let’s say with ID 1ZCB3s-0007lp-N6 and check its body and its headers.

Checking the body (to verify your suspicion is correct):

exim -Mvb <message-id>
Example: exim -Mvb 1ZCB3s-0007lp-N6

If you see something like viagra promotions, malicious links, etc., you have a winner. Now, let’s check the headers:

exim -Mvh <message-id>
Example: exim -Mvh 1ZCB3s-0007lp-N6

I recommend using less afterwards to see the very first lines:

exim -Mvh 1ZCB3s-0007lp-N6 | less

Now look for the line starting with -auth_id. There you should see the username that authenticated to your email server to send that message. Don’t trust the sender you see in the queue, because that’s just the envelope. For example, you can see in the queue an email from remote@invalid.com with auth_id local@valid.com.

Once you have the address used to authenticate the spam, block it on your email server (suspend the account and/or change the password), warn the legitimate user, and adjust your spam filters accordingly. Also, you can block in your firewall the origin IP indicated in the line starting with -host_address, that is, the spammer’s IP address.
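Checking headers one message at a time gets slow on a long queue. As an added example (not from the original post), this script applies the -auth_id / -host_address check above to every queued message and ranks the results, so the spamming account and its source IP stand out; the sample header is constructed, and live mode assumes exiqgrep and exim on PATH.

```bash
#!/bin/bash
# Added example, not from the original post: rank the authenticated accounts
# (and their source IPs) behind everything currently in the queue.
set -eu

# Read one message's header (what `exim -Mvh <id>` prints) on stdin and print
# "auth_id ip". The spool stores -host_address as ip.port, so the port is stripped.
auth_fields() {
    awk '
        $1 == "-auth_id"      { auth = $2 }
        $1 == "-host_address" { ip = $2; sub(/\.[0-9]+$/, "", ip) }
        END {
            printf "%s %s\n", (auth ? auth : "(unauthenticated)"), (ip ? ip : "(local)")
        }
    '
}

# Constructed sample header: the envelope sender is remote@invalid.com, but the
# SMTP session was authenticated as local@valid.com from 203.0.113.5.
SAMPLE_HEADER='1ZCB3s-0007lp-N6-H
<remote@invalid.com>
1436890000 0
-helo_name spammer-pc
-host_address 203.0.113.5.54321
-host_auth plain_login
-auth_id local@valid.com
-auth_sender local@valid.com'

sample_auth_fields() {
    printf '%s\n' "$SAMPLE_HEADER" | auth_fields
}

# Live mode: walk every queued message ID and count messages per account/IP.
# The top line is the account to suspend and the address to block at the firewall.
rank_queue_senders() {
    exiqgrep -i |
        while read -r id; do exim -Mvh "$id" | auth_fields; done |
        sort | uniq -c | sort -rn
}

if [ "${1:-}" = "--live" ]; then
    rank_queue_senders
else
    sample_auth_fields    # prints: local@valid.com 203.0.113.5
fi
```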

Deleting ALL messages in the queue

If for some very special reason you want to delete ALL the email queue, then just issue:

exiqgrep -i | xargs exim -Mrm

——-

More queue management options are coming in the next posts.

(*) Always check first that you don’t have a DNS resolution problem on your own side.


Cookies – What they are, why they matter and how to get rid of the nasty ones.

Cookies

At this point, most people have at least heard about cookies in the website sense rather than the dessert sense. But what they really are and how they work remain obscure to some. So, let’s try to break it down a little.

What is a cookie?

A cookie is a data message that is stored in your Web Browser (i.e., in a file in your computer) when you visit certain websites.


Basically, you access the site and you receive the cookie that the website sent you. After that, every time you access that website, your web browser (Chrome, Firefox…) sends the cookie back to the website that created it in the first place, which is the only one allowed to read and modify the cookie’s contents.

Why do websites use cookies?


Basically, to remember you and your previous activity on the site.

Look at it this way: let’s say your name is Sam and you’re a regular in a coffee shop where you’re always served by John and you always order black coffee. Chances are the next time you go there, John greets you with a “Hi Sam, nice to have you back here, do you want the usual? Maybe you’re interested in this muffin that’s a match made in heaven for your black coffee.” Does it sound familiar?

Well, websites try to do the same thing, just in the virtual world. Cookies allow the website to greet you, remember what products you were browsing last time you visited the site, products in a shopping cart or wish list, what your language preferences are, and a lot of other stuff, for as long as the cookie stays on your computer.

Also, cookies are a mechanism to let the website know that you’re already logged in to the site, so it doesn’t bug you by asking for your password again and again (e.g. on a paid news site). These cookies are known as authentication cookies.

Can a cookie have a virus?

Not really. A cookie file is just a text file, not code, so the cookie cannot perform any action by itself. Hence, a cookie is neither a virus nor malware, and it can’t install those on your computer either. However, cookies can be used to help malicious behavior by third parties, as explained below.

Can a cookie represent a threat?

They might, but not by themselves. The cookie is just a small text file which, in the wrong hands, may represent a privacy threat if a third party gains unauthorized access to the information it holds.

An attacker can use a bug in, or an attack on, your web browser to read cookies and gather information about you, your shopping patterns, the websites you access, and even the passwords you use to access those sites. The attacker can even use your cookies to impersonate you on a website.

ProTip: Never save a password in your browser, seriously.

Cookies can also be used to identify a computer infected with a certain malware, so this computer can be compromised or used later to participate in an attack to some other target. Again, the computer had to be infected in some other way (not by the cookie).

The privacy concern

There’s a particular type of cookie which raises controversy: the tracking cookie.

Remember your old normal cookie that only sends information to a website when you visit it? Well, now imagine you left the website with a spy at your back.

A tracking cookie will report your online activities to a website, even if those activities had nothing to do with the website that gave you the cookie. This cookie will tell on you (like an annoying brother): what you’ve been doing, which sites you’ve been visiting, etc. Your information, along with the information of many others (in the thousands or even millions), will be analyzed and used (sometimes even sold) mainly for marketing purposes; personalizing the ads you see on a webpage, for example.

Facebook uses tracking cookies, in case you were wondering.

Although this is not harmful to you or your computer, you might not want to share your information with everybody. Most legitimate sites will let you opt out of being tracked, and most popular web browsers have an option to send websites a “Do not track” request. However, this does not work 100% of the time, because some sites simply ignore your “do-not-track-me” request.

In conclusion, cookies are useful and harmless in good hands, but in the wrong hands they could turn on you.

Minimizing Risks

In order to minimize the risks cookies might represent, you SHOULD always have an up-to-date antivirus or malware scanner and regularly scan your computer. A malware scanner should be able to detect whether a cookie holds information from a malicious site. I recommend MalwareBytes.

Also, you can delete the cookies from your web browser manually or configure the browser to delete cookies every time you close the web browser.

Keep in mind that if you delete the cookies, you’ll lose some of the cool personalized stuff some websites are able to show you thanks to them. So, there’s an alternative: the EFF Privacy Badger. The EFF Privacy Badger is a web browser extension (Chrome and Firefox) able to recognize which types of cookies (and spy ads) are on a website.

When you visit a site, this extension will allow the good cookies and block the bad ones (trackers and/or those related to potentially harmful sites). The picture below shows a visit to CNN where the Privacy Badger blocked a tracker (in red).


Thanks for reading!

Telling Firefox to Never Remember History or Clearing it on Exit

1. Click the menu button and then click Options.


2. Click on Privacy in the left panel. Set “Firefox will:” to “Never remember history” or, if you want to be granular, to “Use custom settings for history”.

3. If you opted for “Use custom settings for history”, check the box for “Clear history when Firefox closes”.

  • To specify what types of history should be cleared, click the Settings button next to “Clear history when Firefox closes”.
  • In the Settings for Clearing History window, check the items that you want to have cleared automatically each time you quit Firefox.
  • After selecting your options, click OK to close this window.
  • Close the Options tab in the browser (the about:preferences page).

Removing your Internet History from almost everywhere

If for any reason you want to remove your Internet activities and thus hide them from your spouse, boss, potential employer or another entity, here are some tips and directions:

Deleting your Internet History from your Browser 

Google Chrome

1. Locate the Chrome Control Center in the upper right corner of the browser. You should see a symbol with some horizontal lines.


2. Click on History as the Figure below shows:


3. Your browser’s Internet history will appear. Click on the button “Clear browsing data”.


4. In the next window you can select which elements to delete and the time range. If you want to delete only your history, check only the first 2 options. If you check Passwords, for instance, all the passwords previously saved in your favorite websites will be removed.


5. Click on Clear browsing data again.

6. Excellent job!

Note: Chrome lacks a built-in feature to remove history on exit, but there are several extensions you can add to the browser to accomplish that.

Firefox

  1. In the upper right corner of the Firefox window, locate a symbol with some horizontal lines.
  2. Click on it and the window below will appear.
  3. Click on the History symbol.


After you’ve clicked the History option, the following window will appear:

4. Click on “Clear Recent History”


That option will take you to the next window.

  • Here you can delete ALL your history (Everything) or just the last few hours or the last day, as well as select WHICH elements you want to delete: not just History but also Cookies, Cache, saved form fields, etc.


5. Click on Clear Now and you’re done!

In Firefox you also have the option to delete the history while closing the browser.  For more detailed instructions click on this post.

Internet Explorer

Are you kidding? Use another browser.


Automatic Tools

If you use more than one browser, it makes sense not to want to do this individually. Worry not, there are apps for that (well, actually computer programs).

You might want to check:

Both programs let you not only delete your internet history (and related content), but also empty your Trash Bin and delete the lists of files you’ve recently used on Windows (MRU), among other advanced features.

Also, if you don’t want your browser to store any History information anymore you could always use incognito mode.

Removing your Google Internet Search History 

Ok, now your computer is rid of your whole internet activity. That doesn’t mean your activity on the sites you’ve visited is gone. Don’t worry, most sites will delete that info after a while (sometimes they have to keep it for legal reasons), but what about what you’ve searched on Google? Yeah, you want that gone too, and you want it gone now!

Well, I was going to take some screenshots, but Google Help has this documented nicely. Just click here to get directions on how to remove your Google history from your computer or smartphone, and also (as I have done) how to disable the history records altogether.

Going Anonymous

If for some legitimate or paranoid reason you wish to go anonymous on the Internet, you can use Tor, an anonymity browser which doesn’t store anything in the browser and which doesn’t let the sites know your real IP. Covering Tor, its capabilities, disadvantages and potential legal issues, is too extensive for this post.

Good luck!