
pfsasl - A perl script to remove messages from queues, based on sasl_username

  • Nick Bright
    Message 1 of 5, May 2, 2013
      Greetings,

      After having a problem with a lot of mail being queued by a compromised
      end users mailbox, I was unable to find a script able to remove messages
      from the queue based on the sasl_username.

      The pfdel script is very handy for removing things when the from/to
      addresses are stable, but in this case the attacker had set random from
      addresses.

      So, I used the original pfdel script and modified it into the attached
      pfsasl script. I'm a novice with perl, so there may be some
      optimizations possible - but it does work properly.

      I hope somebody finds this useful :)

      --
      -----------------------------------------------
      - Nick Bright -
      - Vice President of Technology -
      - Valnet -
      - Tel 888-332-1616 x 315 / Fax 620-331-0789 -
      - Web http://www.valnet.net/ -
      -----------------------------------------------
      - Are your files safe? -
      - Valnet Vault - Secure Cloud Backup -
      - More information & 30 day free trial at -
      - http://www.valnet.net/services/valnet-vault -
      -----------------------------------------------
    • Nick Bright
      Message 2 of 5, May 2, 2013
        On 5/2/2013 10:53 PM, Nick Bright wrote:
        > Greetings,
        >
        > After having a problem with a lot of mail being queued by a
        > compromised end users mailbox, I was unable to find a script able to
        > remove messages from the queue based on the sasl_username.
        >
        > The pfdel script is very handy for removing things when the from/to
        > addresses are stable, but in this case the attacker had set random
        > from addresses.
        >
        > So, I used the original pfdel script and modified it into the attached
        > pfsasl script. I'm a novice with perl, so there may be some
        > optimizations possible - but it does work properly.
        >
        > I hope somebody finds this useful :)
        >
        Well, I feel a little silly. I posted the wrong version of the file!
        Correct version attached. My apologies!

        The differences are renaming $email_addr to $sasl_user for clarity, and
        the regex on line 41 was made tighter.

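        The pfsasl attachment itself is not reproduced on this page, so the following is an added sketch of the same idea in POSIX sh, not Nick's Perl script. The point the thread makes is that a compromised account randomises the envelope sender, so pfdel's from/to match is useless, while the SASL login recorded in the queue file stays constant. The script assumes (labelled in the comments) that `postqueue -p` starts each message's line with its queue ID, followed by `*` or `!` for active or held mail, and that `postcat -q ID` prints the login as a `named_attribute: sasl_username=...` line. It only prints what it would remove unless `DELETE=1` is set, so a typo in the login does not empty the queue.

```shell
#!/bin/sh
# Added example: delete queued Postfix messages by SASL login name.
# Not the pfsasl/pfdel script from the thread; a from-scratch sketch.
# Assumptions: `postqueue -p` lists one queue ID at the start of each
# message's line (with '*' for active or '!' for held mail) followed by
# the size in bytes, and `postcat -q ID` prints the authenticated login as
#   named_attribute: sasl_username=<login>
# Nothing is deleted unless DELETE=1 is set in the environment.

# Extract bare queue IDs from `postqueue -p` output read on stdin.
# Requiring a numeric size after the ID keeps "Mail queue is empty" and
# the header/summary lines from being mistaken for queue IDs.
queue_ids_from_listing() {
    awk '/^[0-9A-Za-z]+[*!]?[[:space:]]+[0-9]+[[:space:]]/ {
             id = $1; sub(/[*!]$/, "", id); print id }'
}

# Succeed if the `postcat -q` output on stdin was submitted by SASL user $1.
# -x -F: whole-line, fixed-string match, so a login containing regex
# metacharacters (or a prefix of another login) cannot widen the match.
queue_file_has_sasl_user() {
    grep -qxF -- "named_attribute: sasl_username=$1"
}

# Print the IDs of all queued messages submitted by SASL user $1.
ids_for_sasl_user() {
    postqueue -p | queue_ids_from_listing | while read -r id; do
        if postcat -q "$id" 2>/dev/null | queue_file_has_sasl_user "$1"; then
            echo "$id"
        fi
    done
}

# Usage: pfsasl.sh <sasl-login>   (dry run)
#        DELETE=1 pfsasl.sh <sasl-login>   (hand the IDs to postsuper -d -)
main() {
    user=$1
    [ -n "$user" ] || { echo "usage: $0 <sasl-login>" >&2; return 2; }
    ids=$(ids_for_sasl_user "$user")
    [ -n "$ids" ] || { echo "no queued messages for $user" >&2; return 0; }
    if [ "${DELETE:-0}" = 1 ]; then
        # "postsuper -d -" reads queue IDs from standard input, one per line
        printf '%s\n' "$ids" | postsuper -d -
    else
        printf 'would delete (set DELETE=1 to act):\n%s\n' "$ids"
    fi
}

# Only act when given an argument, so sourcing the file for its
# functions has no side effects.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Note that mail injected locally through sendmail(1)/pickup carries no sasl_username attribute, so it is never matched; and disabling the compromised login first stops the attacker refilling the queue while you drain it.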
      • list@...
        Message 3 of 5, May 3, 2013
          On 2013-05-02 23:02, Nick Bright wrote:
          > On 5/2/2013 10:53 PM, Nick Bright wrote:
          >> Greetings,
          >>
          >> After having a problem with a lot of mail being queued by a
          >> compromised end users mailbox, I was unable to find a script able to
          >> remove messages from the queue based on the sasl_username.
          >>
          >> The pfdel script is very handy for removing things when the from/to
          >> addresses are stable, but in this case the attacker had set random
          >> from addresses.
          >>
          >> So, I used the original pfdel script and modified it into the
          >> attached pfsasl script. I'm a novice with perl, so there may be some
          >> optimizations possible - but it does work properly.
          >>
          >> I hope somebody finds this useful :)
          >>
          > Well, I feel a little silly. I posted the wrong version of the file!
          > Correct version attached. My apologies!
          >
          > The differences are renaming $email_addr to $sasl_user for clarity,
          > and the regex on line 41 was made tighter.

          Very nice, we tend to see the same behavior in our compromised SASL
          users so this will come in handy. Thanks!

          To keep the sharing train rolling, I attached a queue monitoring script
          which we use with our SNMP monitoring system to alert when the mail
          queue exceeds a certain number of messages.
          We run CentOS, and configure SNMP with the following entry in
          /etc/snmp/snmpd.conf:

          "exec postqueuemon /usr/bin/sudo /path/to/scripts/mon_queue.sh"

          If it's the first custom SNMP entry, your OID should be
          1.3.6.1.4.1.2021.8.1.101.1, and now you can poll this OID for your
          current mail queue size from whatever SNMP monitoring software you're
          using. Hope this is helpful as well!
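          The mon_queue.sh attachment does not appear on the page (and, as noted further down the thread, arrived as NUL bytes), so here is an added stand-in, not the poster's script, showing the shape of a queue-size probe for an snmpd `exec` entry like the one above. It assumes that `postqueue -p` ends with a summary line such as `-- 123 Kbytes in 45 Requests.` (singular `Request` for one message) or prints `Mail queue is empty`; the `report_queue_size` wrapper prints one line, which is what the exec OID exposes, and exits non-zero when the listing could not be parsed so the monitor sees a failure rather than a silent zero.

```shell
#!/bin/sh
# Added example: report the Postfix queue size for an snmpd "exec" entry.
# Not the thread's mon_queue.sh. Assumes `postqueue -p` ends with a line
# like "-- 123 Kbytes in 45 Requests." (or "Request." for one message),
# or prints "Mail queue is empty" when nothing is queued.

# Read `postqueue -p` output on stdin and print the message count.
# Prints -1 when no recognisable summary line is found, so a broken
# listing is distinguishable from an empty queue.
queue_count_from_listing() {
    awk '
        /^Mail queue is empty/ { print 0; found = 1; exit }
        /^-- [0-9]+ Kbytes in [0-9]+ Requests?\.$/ { print $5; found = 1; exit }
        END { if (!found) print "-1" }'
}

# Success (exit 0) when count $1 exceeds threshold $2: the alert condition.
# Useful if the alert is evaluated on the host rather than by the poller.
above_threshold() {
    [ "$1" -gt "$2" ]
}

# The exec wrapper: print one line (the count) and exit 0 if the queue
# could be listed. snmpd exposes the first output line under the exec OID.
report_queue_size() {
    n=$(postqueue -p | queue_count_from_listing)
    echo "$n"
    [ "$n" -ge 0 ]
}

# Only poll Postfix when invoked as "mon_queue.sh poll", so the file can be
# sourced for its functions without touching the mail system.
if [ "${1:-}" = "poll" ]; then
    report_queue_size
fi
```

With `exec postqueuemon /path/to/mon_queue.sh poll` in snmpd.conf, the count lands in the exec output OID and the threshold comparison stays in the monitoring system, as in the poster's setup.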
        • Viktor Dukhovni
          Message 4 of 5, May 3, 2013
            On Fri, May 03, 2013 at 12:07:56PM -0500, list@... wrote:

            > Very nice, we tend to see the same behavior in our compromised SASL
            > users so this will come in handy. Thanks!

            It is best not to let compromised accounts dominate the queue in the
            first place. Consider a policy service that rate limits by SASL username.

            > To keep the sharing train rolling, I attached a queue monitoring
            > script which we use with our SNMP monitoring system to alert when
            > the mail queue exceeds a certain number of messages.

            Have you looked at:

            http://www.postfix.org/QSHAPE_README.html

            By the way, the attachment was all NUL bytes.

            --
            Viktor.
          • Axel Luttgens
            Message 5 of 5, May 4, 2013
              On 3 May 2013 at 19:48, Viktor Dukhovni wrote:

              > [...]
              > Have you looked at:
              >
              > http://www.postfix.org/QSHAPE_README.html

              Hello Viktor,

              I always wondered: qshape seems to be in fact a perl script (qshape.pl), and this doesn't seem to be stated in the docs.

              Is that auxiliary/qshape/qshape.pl script the "qshape(1) program" mentioned in the above document?

              TIA,
              Axel