[Dshield] Persistent open relay scan...

Lacroix, Yves yves.lacroix at meg.fr
Fri Jul 19 09:39:42 GMT 2002


Hi,

We used to have a sendmail on which we also had spam problems!

Here is a script we used to purge the sendmail queue of unwanted messages.

Just type in the identification string of the mails you want deleted when
prompted!

I know this one is not perfect as it deletes mail actually processed by the
sendmail daemon but I presume someone has an idea of how to solve this. We
processed by using the script and afterwards another one to delete empty
files or when possible killing the sendmail daemon, running the script and
restarting sendmail!

Hope this helps

---script start---
# Purge from the sendmail queue every file that contains a given string.
echo
echo ====================
echo SPAMs suppress
echo ====================
echo
echo -n Enter identification string:
read ID

# Refuse an empty string: it would match every file in the queue.
if [ -n "$ID" ]
then
  echo ...
else
  echo
  echo empty string !
  echo
  exit
fi

# Stop here if the queue directory is missing, rather than listing another directory.
cd /var/spool/mqueue || exit 1
ls  > /tmp/spam.lst
echo .>/tmp/spamok.lst
echo .>/tmp/nospam.lst

while read FICHIER
do

echo -----------------------------
echo "$FICHIER"
echo
# Quoted so that spaces or shell metacharacters in the string reach grep unchanged.
check=`grep -i -e "$ID" "/var/spool/mqueue/$FICHIER"`

echo verification:
echo "$check"

if [ ! "$check" ]
then
   echo
   echo "$FICHIER is OK"
   echo
   echo "$FICHIER is not a spam keep it" >> /tmp/nospam.lst
else
   echo "$FICHIER is a spam kill it" >> /tmp/spamok.lst
   echo
   echo "$FICHIER is a SPAM"
   echo
   /bin/rm "/var/spool/mqueue/$FICHIER"
fi

# echo $FICHIER

done < /tmp/spam.lst
echo
echo ==============
echo That is fini !
echo ==============
echo

---script end---


> Message: 6
> From: "Jens Knoell" <jens at ing.twinwave.net>
> To: <list at dshield.org>
> Date: Thu, 18 Jul 2002 03:00:07 -0600
> Subject: [Dshield] Persistent open relay scan...
> Reply-To: list at dshield.org
>
> Does anyone know what generates mails like this:
> ----<Start of curious mail>----
> Return-Path: <?g>
> Received: from p5080fa84.dip.t-dialin.net (p5080FA84.dip.t-dialin.net
> [80.128.250.132])
>         by vega.ing.twinwave.net (8.11.0/8.11.0) with SMTP id g6I8M4Z24746
>         for <vega.ing.twinwave.net at p5080fa84.dip.t-dialin.net>; Thu, 18 Jul 2002 10:22:04 +0200
> Date: Thu, 18 Jul 2002 10:22:04 +0200
> From: 195.96.33.249 at p5080fa84.dip.t-dialin.net
> Message-Id: <200207180822.g6I8M4Z24746 at vega.ing.twinwave.net>
> Subject: Do not delete this mail
>
> vega.ing.twinwave.net and [195.96.33.249] invite you to a open mailrelay
> ----<End of curious mail>----
>
> The mentioned server is mine, and it properly rejects the mail(s). I've got
> like 10.000 of them in my mail spool right now, and I'd like to know if
> anyone knows the used program.
>
> Another question: Does anyone know of a good way to purge the (sendmail)
> mailspool from that crap? I can't purge by sender/recipient, but the subject
> as well as the body (see above) are always identical. Just how to kill the
> unwanted spool files?
>
> I do know that I lately pissed a few spammers off royally (including death
> threats and other funnies), so I am not surprised.
>
> Thanks in advance
> Jens
>

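A variant of the purge discussed in this thread, as an added example that is not part of the original post or of sendmail. It matches the string in either half of a queue entry and moves both halves to a quarantine directory instead of deleting them, so no orphaned files are left behind and a bad match can be undone. It assumes sendmail is stopped while it runs, that each message is stored as `qf<ID>` (envelope and headers) plus `df<ID>` (body) in one queue directory, and that the quarantine path (a hypothetical name) is on the same filesystem.

```shell
#!/bin/sh
# Added example: quarantine matching sendmail queue entries as qf/df pairs.
# Assumptions: sendmail is stopped; queue files are qf<ID> + df<ID>;
# the default quarantine directory below is a hypothetical name.

# quarantine_spam PATTERN QUEUE_DIR QUARANTINE_DIR
# Prints the number of queue entries (pairs) that were moved.
quarantine_spam() {
    pattern=$1
    queue=$2
    dest=$3
    # An empty pattern would match every message in the queue.
    [ -n "$pattern" ] || { echo "empty pattern" >&2; return 2; }
    [ -d "$queue" ] || { echo "no such queue: $queue" >&2; return 2; }
    mkdir -p "$dest" || return 2
    moved=0
    for qf in "$queue"/qf*; do
        [ -f "$qf" ] || continue        # glob matched nothing
        id=${qf##*/qf}                  # queue ID shared by both files
        df=$queue/df$id
        # -F fixed string (no regex surprises), -i ignore case,
        # -q quiet, -e so a pattern starting with '-' is not an option
        if grep -Fiq -e "$pattern" "$qf" ||
           { [ -f "$df" ] && grep -Fiq -e "$pattern" "$df"; }; then
            mv -- "$qf" "$dest"/ || return 1
            if [ -f "$df" ]; then
                mv -- "$df" "$dest"/ || return 1
            fi
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Usage: script.sh PATTERN [QUEUE_DIR] [QUARANTINE_DIR]
if [ "$#" -ge 1 ]; then
    quarantine_spam "$1" "${2:-/var/spool/mqueue}" \
        "${3:-/var/spool/mqueue.quarantine}"
fi
```

Review the quarantine directory before removing it; moving a pair back into the queue restores the message.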