Tag: spammer

Managing The Exim Queue (For SysAdmins) – Removing Unwanted Messages From the Exim Queue

Have you ever had a rogue user trying to spam the world -on purpose or just because he catched a bad bug? -, a temporary problem with your Carrier, users who endlessly type hotmal, gmal, hotmial, instead of… you got the idea!  Then you’ve probably experienced having an email queue so long you can’t see the end of it and it would take hours to process.

You can see how many messages are in the queue issuing exim -bpc and see the queue with exim -bpu

In order to accelerate the queue delivery, we can give it Exim a hand.

Deleting all Frozen messagesice-34075_640

Frozen messages are just bounce messages, that is, notifications that a certain message delivery failed.

Those messages are stuck and going nowhere (**) so let’s just delete them.

You have two options:

exim -bpr | grep frozen | awk ‘{print $3}’ | xargs exim -Mrm

Basically we just examined the queue, look for the word frozen, got the message ID and pass that id to exim to delete it. Or even better run this to get the same result without affecting emails including the word frozen in some part of the email.

exiqgrep -z -i | xargs exim -Mrm

Now, If you don’t want to type that much just create a script to do that. For example:

exiqgrep -z -i | xargs exim -Mrm

Call it removefrozen.sh or whatever you want; place it in an appropriate path and just call the script everytime you need it without the hassle.

Additionally, you might want to modify this lines in the exim configuration file:

ignore_bounce_errors_after = 2d      -> unfreezes a bounce and exim will try to deliver again
timeout_frozen_after = 7d                 -> deletes frozen messages after 7 days


ignore_bounce_errors_after = 12h         
timeout_frozen_after = 1d                    

To expedite the process of elimination of such bounces. Now let’s get rid of other messages.

(**) Frozen messages should be investigated to prevent them.

Deleting old messagesclock-147257_640

Messages that have been in the queue for a while, let’s say 1 day or 2 days are unlikely to be delivered. (*) Sometimes the remote mailbox is full, or the domain is non-existent and the message would be attempted to be delivered for as long as it is configured in the exim “configure” file; usually 4 days.

You can lower that value directly in the configuration file, but if you want to keep the default values and just delete old messages at your command you can run exiqgrep and delete messages based on certain time.

Now, this is something I don’t recommend doing, because you can prevent legitimate mail from being delivered, but if you have no option, the following example command deletes all messages which have been in the queue for more than 1 day (in seconds).

exiqgrep -o 86400 -i | xargs exim -Mrm

Again, you can add the command to a simple script for easier access.

Deleting messages to non-existent domains question-mark-160071_640

Now, there’s no way for exim to know if a domain is valid or not. It only knows if the DNS lookup has failed. (*) That’s why this is a tricky one. However, typos are obvious some times, and if you can identify them you can delete a good amount of emails. Now remember, you should give exim some time to attempt to deliver the message so the sender is notified of the failed delivery. Otherwise, the sender would never know he tried to send a message to a wrong recipient.

Some of the super typos I’ve seen are hotmal.com, hotmial.com, homail.com, yahooo.com, etc. A few of these domains exist but they’re not the ones the sender intended. Other cases would be very particular to your users so you might be able to identify those.

So, let’s delete messages to wrong domains with a script.

exiqgrep -r $@ -i | xargs exim -Mrm

Call it, removerecipient.sh, i.e., and call the script with the domain or full email of the recipient you want to delete as a parameter.  Example: sh removerecipient.sh @hotmal.com

Or if you prefer typing the whole command: exiqgrep -r @hotmal.com -i | xargs exim -Mrm

IMPORTANT: The script above is just a basic example, it’s NOT sanitized and it will match partial coincidences. That is, if you intend to delete messages sent to gmal.com and you just execute removerecipient.sh gmal.com you’ll end up removing messages sent to gmal.com, agmal,com, logmal.com, etc., which may be potentially good domains.

The basic script is useful though if you want to delete thousands emails to russian, korean, etc. accounts and you have no business with them whatsoever, aka malware/SPAM.

Therefore, use with caution, use the whole email address (not just the domain) and verify the option passed as parameter inside the script. Also, ensure proper permissions are in place.

Deleting messages from non-existent senders  question-mark-160071_640

Use with the same precautions as the previous option. In this case, you delete messages from a certain sender, instead of a recipient.

exiqgrep -f $@ -i | xargs exim -Mrm

Which it’s equivalent to exiqgrep -f fake@fakedomain.com -i | xargs exim -Mrm

Call it, removesender.sh, i.e., and call the script with the domain or full email of the recipient you want to delete as a parameter.  Example: sh removesender.sh @hotmal.com

Identifying the culprit of a spam attack magnifying-glass-29398_640

Now, all the delete commands stated above won’t stop a spam attack, they will only help in cleaning the email queue. You should identify the sender of the spam and block him. How?

First, you have to identify one of the spam messages and grabs its ID.

See the queue: exim -bpu

Identify a suspicious email, let’s say with ID 1ZCB3s-0007lp-N6 and check its body and its headers.

Checking the body (to verify your suspicion is correct)

exim -Mvb <message-id>
Example: exim -Mvb 1ZCB3s-0007lp-N6

If you see something like viagra promotions, malicious links, etc., you have a winner. Now, let’s check the headers:

exim -Mvh <message-id>
Example: exim -Mvh 1ZCB3s-0007lp-N6

I recommend using less afterwards to see the very first lines:

exim -Mvh 1ZCB3s-0007lp-N6 | less

Now look for the line starting with -auth_id. There you should see the username used to authenticate that email as valid to your email server. Don´t trust the sender you see in the queue because that’s just the envelope. For example you can see in the queue an email from remote@invalid.com with auth_id local@valid.com.

Once you have the address used to auth the spam, block it from your email server (suspend the account and/or change the password), warn the legitimate user, and adjust your spam filters accordingly. Also, you can block in your firewall the sender origin IP indicated in the line starting with -host_address, i.e. the spammer ip address.

Deleting ALL messages in the queue

If for some very special reason you want to delete ALL the email queue, then just issue:

 exiqgrep -i  |  xargs exim -Mrm


In next posts, more queue management options coming.

(*) Always check if you don’t have a problem with DNS resolution.