This is a discussion on Re: mail queue issues -- backed up with spam messages within the mailing.postfix.users forums, part of the Mail Servers and Related category.
On Sat, Oct 16, 2004 at 08:01:10PM -0400, Wietse Venema wrote:
> Craig Sanders:
> > On Sat, Oct 16, 2004 at 12:17:27PM -0400, Wietse Venema wrote:
> > > I suggest that you search the maillog file for all records that
> > > list the IP address while the bad customer was using it. That
> > > gives you the queue ID strings and the random sender addresses.
> > >
> > >     grep '\[111\.222\.333\.444\]' /var/log/maillog >11.22.33.4-records
> > >
> > > edit the file, and delete records outside the window of interest
> > >
> > >     postsuper -h - <11.22.33.4-records
> >
> > you can avoid having to manually edit the file with a one-liner like this:
> >
> >     grep "client=.*\[111\.222\.333\.444\]" /var/log/mail.log | \
> >         awk '{print $6}' | \
> >         sed -e 's/://' | \
> >         postsuper -d -
> >
> > (or "postsuper -h -" to hold the messages rather than delete them)
>
> The one-liner does not delete the logfile records outside the time
> window of interest.

sorry, i can't parse that.

if you mean that logfiles are rotated and there may be more queue entries
than in the single log file grepped, then that's obvious. if the spam run
crosses a log-rotation period, then run the one-liner on multiple log files.
mail.log, mail.log.0, mail.log.1.gz or whatever.

the one-liner deletes (or holds) all messages from a specific IP address that
it can find in the mail log file. nothing more, nothing less.

if you know for certain that ONLY the spammer has used that IP in the time
period, then "postsuper -d -" is safe. if not, then "postsuper -h -" is the
best to use, then unhold the "good" messages and delete the rest.

craig

ps: it would be useful if postsuper could accept queue-ids with an optional
final ":" character. that would avoid having to call sed to strip it off when
grepping mail logs.

--
craig sanders <cas@taz.net.au>
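The following is an added example, not part of the original post or of Postfix: one way to combine the two approaches in the thread, selecting queue IDs by client IP and by time window in a single pass and stripping the trailing ":" so the output can be fed to postsuper. The function names, the sample log lines and the 192.0.2.7 address are constructed; it assumes the default syslog line layout and a window that falls within one day.

```shell
#!/bin/sh
# Print the queue IDs of messages smtpd accepted from one client IP inside
# a time window on one day. Assumed log layout (default syslog format):
#   Mon DD HH:MM:SS host postfix/smtpd[pid]: QUEUEID: client=name[ip]
queue_ids_for_client() {
    # $1 = client IP, $2 = month, $3 = day, $4 = start HH:MM:SS, $5 = end
    # remaining arguments = log files (stdin is read when none are given)
    ip=$1 mon=$2 day=$3 start=$4 end=$5
    shift 5
    awk -v ip="$ip" -v mon="$mon" -v day="$day" \
        -v start="$start" -v end="$end" '
        $1 == mon && $2 + 0 == day + 0 &&
        $3 >= start && $3 <= end &&          # string compare on HH:MM:SS
        $5 ~ /^postfix\/smtpd\[/ &&
        index($7, "client=") == 1 &&
        index($7, "[" ip "]") > 0 {          # literal match, no regex escaping
            id = $6
            sub(/:$/, "", id)                # postsuper rejects the final ":"
            if (!seen[id]++) print id        # one line per queue ID
        }
    ' "$@"
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
Oct 16 11:59:58 mx postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[111.222.333.444]
Oct 16 12:05:01 mx postfix/smtpd[2101]: 2B3C4D5E6F: client=unknown[111.222.333.444]
Oct 16 12:05:02 mx postfix/cleanup[2105]: 2B3C4D5E6F: message-id=<x@example.invalid>
Oct 16 12:06:10 mx postfix/smtpd[2102]: 3C4D5E6F7A: client=mail.example.org[192.0.2.7]
Oct 16 12:30:44 mx postfix/smtpd[2103]: 4D5E6F7A8B: client=unknown[111.222.333.444]
Oct 16 14:02:00 mx postfix/smtpd[2104]: 5E6F7A8B9C: client=unknown[111.222.333.444]
EOF
}

# Only the two messages accepted between 12:00 and 13:00 are listed.
sample_log | queue_ids_for_client 111.222.333.444 Oct 16 12:00:00 13:00:00

# On a mail server, hold the selected messages for review rather than
# deleting them:
#   queue_ids_for_client 111.222.333.444 Oct 16 12:00:00 13:00:00 \
#       /var/log/mail.log | postsuper -h -
```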