2 messages in net.sourceforge.lists.courier-usersRe: [courier-users] PHP hacked. Clean...
From: Geo, sent on Dec 26, 2005 3:47 pm
From: ma...@intron.ac, sent on Dec 26, 2005 11:12 pm
Subject: Re: [courier-users] PHP hacked. Cleanup help please
From: ma...@intron.ac (ma@intron.ac)
Date: Dec 26, 2005 11:12:38 pm
List: net.sourceforge.lists.courier-users

For each mail in Courier's queue there are 3 files, e.g.:

/var/courier/msgs/3/D966503
/var/courier/msgs/3/C966503
/var/courier/msgq/113566/C966503.1135665987

I think you can:

1. Use a firewall to block new connections (TCP flag SYN) to your TCP port 25. But DO NOT let it refuse new connection requests (i.e. respond with TCP flag RST); only ignore new connection requests.

2. Wait till all incoming connections terminate, and then stop Courier.

3. Use a script to delete mails in the queue directly: every 3 files owned by 'nobody' for each mail.

Are all queued mails by 'nobody' REALLY to be deleted?

4. Start Courier and re-enable new connections to your TCP port 25.

Geo wrote:

Good afternoon,

Sending this from gmail. I'm hoping it doesn't butcher the formatting or make this unreadable or inconvenient for anyone.

I was recently hit with a php hack, and that allowed the kiddie to move files and send mail as user 'nobody'. Like, 380,000 over 18 hours. My first attempt at cleaning this up was to generate a list of all the mailids that matched user 'nobody' and use 'cancelmsg' to get rid of them. However, from what I'm seeing in the mail logs, that still means they have to come up in queue and be processed before they'll get cancelled.

It also doesn't appear to be foolproof, as I'm still seeing some of those messages processing in what appears to be a normal fashion. So, 2 questions:

1) What did I miss? Shouldn't that have gotten rid of *any* message from that sender?

2) Was/is there a more efficient way to wholesale delete the messages from the queue without even having to process them? I briefly thought of having a script tree-walk through the msgs folders and start removing files that match patterns, but wanted to try for simpler methods first.

I look forward to any assistance.

Regards,

- zj
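Step 3 of the cleanup procedure in ma@intron.ac's reply, written out as an added example (not code from either poster): for every control file `C<id>` owned by the given user it removes the matching `D<id>` data file and the `C<id>.<timestamp>` entry under msgq. The directory paths and the `purge_queue` function name are assumptions; the layout follows the three files quoted in the reply, and the script is meant to run only after Courier has been stopped.

```shell
#!/bin/sh
# Added example, not from the thread. Queue layout as described in the reply:
#   $MSGS/<hash>/C<id>             control file
#   $MSGS/<hash>/D<id>             data file
#   $MSGQ/<dir>/C<id>.<timestamp>  queue entry
# Step 1 of the procedure (silently drop new SYNs to port 25, never REJECT)
# would be done beforehand with the firewall, e.g. on Linux:
#   iptables -I INPUT -p tcp --dport 25 --syn -j DROP
# Step 2: wait for open SMTP sessions to finish, then stop Courier.

# purge_queue OWNER MSGS_DIR MSGQ_DIR
# Deletes every queued message whose control file is owned by OWNER and
# prints the number of messages removed.
purge_queue() {
    owner=$1
    msgs=$2
    msgq=$3
    count=0
    # Courier message ids are numeric, so word-splitting find's output is safe.
    for ctl in $(find "$msgs" -type f -name 'C*' -user "$owner"); do
        id=${ctl##*/C}    # strip everything up to the final "/C"
        dir=${ctl%/*}     # hashed subdirectory holding C<id> and D<id>
        rm -f "$ctl" "$dir/D$id"
        # Remove the queue entry C<id>.<timestamp> as well.
        find "$msgq" -type f -name "C$id.*" -exec rm -f {} +
        count=$((count + 1))
    done
    echo "$count"
}

# Typical invocation for the case in the thread (assumed default paths):
#   purge_queue nobody /var/courier/msgs /var/courier/msgq
```

A message whose D file exists without its C file is left untouched, so a half-written message is not silently removed.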