On 2013-05-02 23:02, Nick Bright wrote:
On 5/2/2013 10:53 PM, Nick Bright wrote:Greetings,After having a problem with a lot of mail being queued by a compromised end users mailbox, I was unable to find a script able to remove messages from the queue based on the sasl_username.The pfdel script is very handy for removing things when the from/to addresses are stable, but in this case the attacker had set random from addresses.So, I used the original pfdel script and modified it into the attached pfsasl script. I'm a novice with perl, so there may be some optimizations possible - but it does work properly.I hope somebody finds this useful :)Well, I feel a little silly. I posted the wrong version of the file! Correct version attached. My apologies! The differences are renaming $email_addr to $sasl_user for clarity, and the regex on line 41 was made tighter.
Very nice, we tend to see the same behavior in our compromised SASL users so this will come in handy. Thanks!
To keep the sharing train rolling, I attached a queue monitoring script which we use with our SNMP monitoring system to alert when the mail queue exceeds a certain number of messages. We run CentOS, and configure SNMP with the following entry in /etc/snmp/snmpd.conf:
"exec postqueuemon /usr/bin/sudo /path/to/scripts/mon_queue.sh"If it's the first custom SNMP entry your OID should be 1.3.6.1.4.1.2021.8.1.101.1, and now you can poll this OID for your current mail queue size from whatever SNMP monitoring software you're using. Hope this is helpful as well!
mon_queue.sh
Description: Binary data
