Re: pfsasl - A perl script to remove messages from queues, based on sasl_username
- On 2013-05-02 23:02, Nick Bright wrote:
> On 5/2/2013 10:53 PM, Nick Bright wrote:
>> After having a problem with a lot of mail being queued by a
>> compromised end user's mailbox, I was unable to find a script able to
>> remove messages from the queue based on the sasl_username.
>> The pfdel script is very handy for removing things when the from/to
>> addresses are stable, but in this case the attacker had set random
>> from addresses.
>> So, I used the original pfdel script and modified it into the
>> attached pfsasl script. I'm a novice with perl, so there may be some
>> optimizations possible - but it does work properly.
>> I hope somebody finds this useful :)
> Well, I feel a little silly. I posted the wrong version of the file!
> Correct version attached. My apologies!
> The differences are renaming $email_addr to $sasl_user for clarity,
> and the regex on line 41 was made tighter.
Very nice, we tend to see the same behavior in our compromised SASL
users so this will come in handy. Thanks!
To keep the sharing train rolling, I attached a queue monitoring script
which we use with our SNMP monitoring system to alert when the mail
queue exceeds a certain number of messages.
We run CentOS, and configure SNMP with the following entry in
"exec postqueuemon /usr/bin/sudo /path/to/scripts/mon_queue.sh"
If it's the first custom SNMP entry your OID should be
.1.3.6.1.4.1.2021.8.1.101.1, and now you can poll this OID for your
current mail queue size from whatever SNMP monitoring software you're
using. Hope this is helpful as well!
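Neither attachment survives in the archive (the pfsasl script and the mon_queue.sh queue monitor). The following is an added example, not Nick's pfsasl script or the list poster's monitoring script: it parses `postqueue -p` for queue IDs and the total request count (the number the SNMP exec entry polls), reads each queue file with `postcat -q`, and hands the IDs whose recorded `sasl_username` matches exactly to `postsuper -d -`. It assumes the three Postfix commands are on PATH and that it runs with enough privilege to read the queue (root or sudo); the sample listing and envelope records at the bottom are constructed for an offline check.

```python
#!/usr/bin/env python3
"""Delete queued Postfix messages submitted by one SASL username.

Added example, not the pfsasl attachment from the thread. Assumes the
postqueue/postcat/postsuper commands are on PATH and that the script runs
with enough privilege to read queue files (root or via sudo).
"""
import re
import subprocess
import sys

# "postqueue -p" prints one header line per message: the queue ID (with an
# optional "*" active / "!" hold marker), size, arrival time, sender.
QUEUE_LINE_RE = re.compile(
    r"^([0-9A-Za-z]+)[*!]?\s+\d+\s+\w{3}\s+\w{3}\s+\d+\s+[\d:]+", re.M)
# Trailer: "-- 12 Kbytes in 3 Requests." (absent when the queue is empty).
TRAILER_RE = re.compile(r"^-- \d+ Kbytes in (\d+) Requests?\.", re.M)
# "postcat -q" lists envelope attributes, including the SASL login used.
SASL_RE = re.compile(r"^named_attribute: sasl_username=(.*)$", re.M)


def parse_postqueue(text):
    """Return (queue_ids, total_requests) from `postqueue -p` output."""
    ids = QUEUE_LINE_RE.findall(text)
    m = TRAILER_RE.search(text)
    return ids, (int(m.group(1)) if m else 0)


def sasl_username(postcat_text):
    """SASL login recorded in a queue file, or None for unauthenticated mail."""
    m = SASL_RE.search(postcat_text)
    return m.group(1).strip() if m else None


def select_for_deletion(postqueue_text, postcat_by_id, user):
    """Queue IDs whose envelope was submitted by exactly `user`.

    Exact comparison, not a substring match: "bob" must not delete mail
    from "bob.smith", which is the regex tightening mentioned in the thread.
    """
    ids, _ = parse_postqueue(postqueue_text)
    return [q for q in ids if sasl_username(postcat_by_id.get(q, "")) == user]


def run(cmd, stdin=None):
    return subprocess.run(cmd, input=stdin, capture_output=True,
                          text=True, check=True).stdout


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: pfsasl.py SASL_USERNAME [--delete]")
    user, do_delete = argv[1], "--delete" in argv[2:]
    listing = run(["postqueue", "-p"])
    ids, total = parse_postqueue(listing)
    envelopes = {q: run(["postcat", "-q", q]) for q in ids}
    victims = select_for_deletion(listing, envelopes, user)
    print(f"{len(victims)} of {total} queued messages were submitted by {user}")
    if victims and do_delete:
        # postsuper -d - reads one queue ID per line from stdin
        run(["postsuper", "-d", "-"], stdin="\n".join(victims) + "\n")
    else:
        print("\n".join(victims))       # dry run: list only


# Constructed sample output (not captured from a real server), used offline.
SAMPLE_POSTQUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1234 Fri May  3 12:07:56  ivmfqg@example.net
                                          victim@example.org
F6A7B8C9D0       987 Fri May  3 12:08:01  alice@example.net
                                          friend@example.org

-- 2 Kbytes in 2 Requests.
"""
SAMPLE_POSTCAT = {
    "A1B2C3D4E5": "*** ENVELOPE RECORDS active/A1B2C3D4E5 ***\n"
                  "named_attribute: sasl_method=PLAIN\n"
                  "named_attribute: sasl_username=pwned@example.net\n"
                  "sender: ivmfqg@example.net\n",
    "F6A7B8C9D0": "*** ENVELOPE RECORDS incoming/F6A7B8C9D0 ***\n"
                  "named_attribute: sasl_username=alice@example.net\n"
                  "sender: alice@example.net\n",
}

if __name__ == "__main__":
    main(sys.argv)
```

Without `--delete` the script only lists the matching queue IDs, which is the safer first pass during an incident; `parse_postqueue` on its own gives the request count a queue-size monitor would report, and it returns 0 for the "Mail queue is empty" case because that output has no trailer line.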
- On Fri, May 03, 2013 at 12:07:56PM -0500, list@... wrote:
> Very nice, we tend to see the same behavior in our compromised SASL
> users so this will come in handy. Thanks!
It is best not to let compromised accounts dominate the queue in the first
place. Consider a policy service that rate limits by SASL username.
> To keep the sharing train rolling, I attached a queue monitoring
> script which we use with our SNMP monitoring system to alert when
> the mail queue exceeds a certain number of messages.
Have you looked at:
By the way, the attachment was all NUL bytes.
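The policy service Viktor suggests is a small daemon speaking the Postfix SMTPD policy delegation protocol: smtpd sends `name=value` lines terminated by an empty line, and the service answers `action=...` followed by an empty line. The following is an added example, not Postfix code or anything from the thread, of such a service keyed on `sasl_username` with a sliding-window counter. The listen address (127.0.0.1:10040), the limit of 100 queries per hour and the deferral text are assumed values; it is wired into Postfix with `check_policy_service inet:127.0.0.1:10040` in `smtpd_recipient_restrictions` (or in `smtpd_end_of_data_restrictions` to count messages rather than recipients).

```python
#!/usr/bin/env python3
"""Postfix SMTPD policy service that rate-limits submissions per SASL user.

Added example, not Postfix code. Assumes main.cf points smtpd at it, e.g.
    smtpd_recipient_restrictions = ... check_policy_service inet:127.0.0.1:10040
The address, the limit and the window below are assumed values.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

LISTEN = ("127.0.0.1", 10040)   # assumed address used in check_policy_service
LIMIT = 100                      # queries allowed per user per WINDOW (assumed)
WINDOW = 3600                    # seconds


class RateLimiter:
    """Sliding-window counter keyed by SASL username (in memory only)."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)
        self.lock = threading.Lock()

    def allow(self, user, now=None):
        now = time.time() if now is None else now
        with self.lock:
            q = self.hits[user]
            while q and q[0] <= now - self.window:   # drop expired hits
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def parse_request(raw):
    """Parse the name=value lines Postfix sends before the blank line."""
    attrs = {}
    for line in raw.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs


def decide(attrs, limiter, now=None):
    """Return the Postfix action for one policy query.

    Unauthenticated mail is left to the other restrictions (DUNNO). Over
    the limit, DEFER_IF_PERMIT makes the client retry later instead of
    bouncing legitimate mail from the same account.
    """
    user = attrs.get("sasl_username", "")
    if not user or limiter.allow(user, now):
        return "DUNNO"
    return "DEFER_IF_PERMIT Too many messages from this account, try again later"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:                      # smtpd closed the connection
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            # An empty line ends one query; smtpd may send several per connection.
            action = decide(parse_request("\n".join(lines)), self.server.limiter)
            lines = []
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, limiter):
        super().__init__(addr, PolicyHandler)
        self.limiter = limiter


if __name__ == "__main__":
    with PolicyServer(LISTEN, RateLimiter()) as srv:
        srv.serve_forever()
```

Each policy query counts as one hit, so under `smtpd_recipient_restrictions` the limit is effectively on recipients, which is the quantity a spam run from a stolen password inflates. The counters live in memory and reset on restart; for more than one MX or a persistent limit they would need to be kept in shared storage.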
- On 3 May 2013 at 19:48, Viktor Dukhovni wrote:
> [...]
> Have you looked at:
Hello Viktor,
I always wondered: qshape seems to be in fact a perl script (qshape.pl), and this doesn't seem to be stated in the docs.
Is that auxiliary/qshape/qshape.pl script the "qshape(1) program" mentioned in the above document?