
Webhost’s Diary : My X-mas wasn’t all just fun (part II/II)

Long time since I wrote something. I had a spamming story left halfway through. Let me get to the meat of it right away…

The first step in the analysis was ascertaining the volume of e-mails still in the queue. I must say Qmail is really good at handling the mail queue effectively (compared to Exim).

So, the queue status can be obtained by the following command.

# /var/qmail/bin/qmail-qstat
messages in queue: 9080
messages in queue but not yet preprocessed: 0

Here we have 9080 mails in the queue. If the server is being abused for spamming, you can expect to see a bunch of strange e-mail addresses in the recipient list.

Next I examined the queue using qmail-qread:

# /var/qmail/bin/qmail-qread

Reading the content of the queued mails with strange recipient addresses using the ‘less’ command, I got somewhere.

For that I needed the message id and the file holding that particular e-mail. I got the message id from qmail-qread, and then located the file under /var/qmail/queue with the ‘find’ command.

I have pasted one such example:

# /var/qmail/bin/qmail-qread
28 Dec 2010 02:01:11 GMT #20094014 1465 <>

# find /var/qmail/queue/ -name 20094014

# less /var/qmail/queue/mess/19/22094026
Received: (qmail 10728 invoked from network); 28 Dec 2010 19:40:46 +0300
Received: from unknown (HELO User) (xx.xx.xx.xx)
by with SMTP; 28 Dec 2010 19:40:46 +0300
From: "Fred"
Subject: Buy Me!
Date: Tue, 28 Dec 2010 19:40:52 +0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000


From this, it is evident that we had spam in the queue and that it was received from the network (IP: xx.xx.xx.xx). I still did not know how exactly the spammer had managed to use my server to send these mails, but I wanted to clear the e-mails stuck in the queue first, so that they did not cause further problems.

Qmail-Remove, a tool for exactly such tasks, was my first choice, and it was indeed the right tool for the job. First I listed the queued spam e-mails matching the pattern, in this case “xx.xx.xx.xx”:

# qmail-remove -p xx.xx.xx.xx

With the list in hand, the qmail daemon has to be stopped with the following command before the spam e-mails can actually be removed.

# /etc/init.d/qmail stop

To delete mails from queue, I used the ‘-r’ switch.

# qmail-remove -r -p xx.xx.xx.xx

This removes all e-mails in the queue containing the above pattern and places them in the /var/qmail/queue/yanked folder. That got rid of the ones already in the queue.

Now I just had to keep an eye on the queue to see whether the server was still doing its bit of spamming. Well, it was, and this time I liked it!

I ran tcpdump and waited for a few minutes. For those who do not know the command: it is just a packet sniffer, which captures packets and logs the ones matching the filter you specify along with the tool.

# tcpdump -i eth0 -n -s 2048 -w spam.list src xx.xx.xx.xx or dst xx.xx.xx.xx

On examining the capture file (spam.list), I could see that the spammer was sending spam after authenticating with LOGIN authentication:

334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 go ahead


I then had to decode the username and password to see which account was being used:

# perl -MMIME::Base64 -e 'print decode_base64("dMTUzdA==")'
# perl -MMIME::Base64 -e 'print decode_base64("QWeXDYM=")'
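The same decoding, done over a whole captured SMTP session, as an added example that is not part of the original post: it finds AUTH LOGIN exchanges like the one above, decodes the username, and records whether the server accepted it with a 235 reply. It also handles AUTH PLAIN, which the post does not cover. The transcript and the credentials bob/qwerty are constructed sample values.

```python
import base64
import re

# Constructed sample transcript (server lines "S:", client lines "C:"), modelled
# on the 334/235 exchange captured above; "bob"/"qwerty" are made-up values.
SAMPLE_SESSION = """\
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: cXdlcnR5
S: 235 go ahead
"""

def decode_token(token: str) -> str:
    """Decode one base64 SMTP token, tolerating missing padding; '' if invalid."""
    token = token.strip()
    try:
        return base64.b64decode(token + "=" * (-len(token) % 4)).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def find_auth_users(transcript: str) -> list:
    """One record per AUTH attempt: mechanism, username, and whether the final reply was 235."""
    lines = transcript.splitlines()
    results, i = [], 0
    while i < len(lines):
        m = re.match(r"C:\s*AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?\s*$", lines[i], re.I)
        if not m:
            i += 1
            continue
        mech, tokens = m.group(1).upper(), [m.group(2)] if m.group(2) else []
        success, j = False, i + 1
        while j < len(lines):  # collect client replies until a non-334 server reply
            body = lines[j][2:].strip()
            if lines[j].startswith("C:"):
                tokens.append(body)
            elif lines[j].startswith("S:") and not body.startswith("334"):
                success = body.startswith("235")
                break
            j += 1
        first = decode_token(tokens[0]) if tokens else ""
        # LOGIN sends the username first; PLAIN sends one token: authzid NUL authcid NUL password
        parts = first.split("\0")
        user = (parts[1] if len(parts) == 3 else None) if mech == "PLAIN" else (first or None)
        results.append({"mechanism": mech, "username": user, "success": success})
        i = j + 1
    return results
```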


Here the account bob was used for spamming. But bob of which domain? I had to find the domain owning this mailbox. The following query against the psa database helped me there:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -e "SELECT m.mail_name, d.name, a.password FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='bob' AND a.password='qwerty';"
| mail_name | name | password |
| bob | | qwerty |
1 row in set (0.01 sec)


There you go: that mail account was being used by the spammers. All I did was delete the mailbox and notify the customer owning the domain about this spamming activity.

I also sent an update to the NOC with the details. I had no response from them for a day, and then an update letting me know that the ticket was being closed.


About the Author :

Nithin works as a Senior Software Engineer in Bobcares. He joined Bobcares back in April 2008. He loves Music, Travelling and Linux, apart from blogging.

Co-authored by Sankar.H


1 Comment

  1. very good article Nithin..
