Postfix: Checking Mail Queue and Identifying Spammers.
Posted by Ryan Mendonca on 24 October 2019 05:45:14 PM

To identify spammers on a VPS server running Plesk Panel with Postfix as the MTA, you can use the commands below:

1. You can check the current mail queue:
# mailq OR postqueue -p
~~~~~~
B6EC910A791 141099 Thu Oct 24 05:39:16 production@coatingsandcoatings.co.in
(host alt1.gmail-smtp-in.l.google.COM[64.233.177.27] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp a187si2600273ywf.208 - gsmtp (in reply to RCPT TO command))
backdaniel26@gmail.com

B39CB10A51B 129110 Thu Oct 24 08:52:53 info@bombaytools.com
(host alt1.gmail-smtp-in.l.google.com[64.233.177.26] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp b63si10075012ybi.400 - gsmtp (in reply to RCPT TO command))
bombaytools18@gmail.com

BA317108FF9 23345 Thu Oct 24 08:06:40 MAILER-DAEMON
(host alt1.gmail-smtp-in.l.google.com[64.233.177.27] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp y75si4852577ywa.1 - gsmtp (in reply to RCPT TO command))
bombaytools18@gmail.com
~~~~~~

2. To find the number of messages sitting in the deferred queue (the command returns the number of deferred emails):
# find /var/spool/postfix/deferred -type f | wc -l
~~~~~~
17
~~~~~~

3. To get a list of the accounts that have the most mail in the queue, sorted by message count. This usually means a maximum of 2 or 3 spammers at the end of the list:
# mailq | grep '^[A-F0-9]' | cut -c 42-80 | sort | uniq -c | sort -n | tail
~~~~~~
16 raymon@waltonegypt.com
17 info@virtualization.network
18 info@momaient.com
21 jvilleda@hotelexcelsior.hn
27 accounts@prithvilogistics.com
39 musarrat@1lotusmarketresearch.com
40 sales@dabsautomation.com
46 sales@bombaytools.com
54 info@bombaytools.com
281 MAILER-DAEMON
~~~~~~

4. Remove all emails sent by user@adminlogs.info (postsuper -d - reads the queue IDs from standard input):
~~~~~~
# postqueue -p | grep '^[A-Z0-9]' | grep user@adminlogs.info | cut -f1 -d' ' | tr -d '*!' | postsuper -d -
~~~~~~

5. Remove all email sent from user@admin.info:
~~~~~~
# postqueue -p | awk '/^[0-9A-F].*user@admin\.info$/ {print $1}' | tr -d '*!' | postsuper -d -
~~~~~~

6. Remove all email sent by the domain adminlogs.info:
~~~~~~
# postqueue -p | grep '^[A-Z0-9]' | grep @adminlogs.info | cut -f1 -d' ' | tr -d '*!' | postsuper -d -
~~~~~~

7. To quickly remove all mail from the deferred queue:
~~~~~~
# find /var/spool/postfix/deferred/ -type f | xargs -n1 basename | xargs -n1 postsuper -d
~~~~~~

8. To check the headers of an email in the Postfix queue:
# postcat -vq XXXXXXXXXX
~~~~~~
root@:~# postcat -q 6761B21C519
*** ENVELOPE RECORDS active/6761B21C519 ***
message_size: 470 115 1 0
message_arrival_time: Sat Jul 15 14:56:33 2006
sender_fullname: www-data
sender: www-data@Webserver.local
*** MESSAGE CONTENTS active/6761B21C519 ***
Received: by Webserver (Postfix, from userid 33)
        id 6761B21C519; Sat, 15 Jul 2006 14:56:33 -0700 (PDT)
To: info@barbesplayhouse.com
Subject: Auto message allert for new user barbe !
From: beckie@bizhat.com
X-Mailer: MyCP add user auto mailer
Message-Id: <20060715215633.6761B21C519@Webserver>
Date: Sat, 15 Jul 2006 14:56:33 -0700 (PDT)


Hello barbe !

Test mail from BizHat.com

Good luck!

*** HEADER EXTRACTED active/6761B21C519 ***
original_recipient: info@bizhat.com
recipient: info@bizhat.com
*** MESSAGE FILE END active/6761B21C519 ***
~~~~~~

9. Get the queue IDs of all email currently in the queue:
# postqueue -p | grep -E "[A-F0-9]{11}" | awk '{print $1}'
~~~~~~
E14BA10A986
E4C1610AB8C
EAA83105214
E868A10AB08
E295E10A58A
E59D410AB03
E182F10AB01
EF23110AA7B
~~~~~~

10. To flush the mail queue:
~~~~~~
# postfix flush OR postqueue -f
~~~~~~

11. To remove all mails from the queue:
~~~~~~
# postsuper -d ALL
~~~~~~

12. To remove all mails in the deferred queue:
~~~~~~
# postsuper -d ALL deferred
~~~~~~

13. Display the deferred queue and hold queue:
# qshape deferred

Running the above command shows the number of deferred emails for each domain. If mail to only one or a few domains is being deferred, check whether you can connect to those domains' mail servers from this server.

Output:
~~~~~~
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 0 0 0 0 0 0 0 0 0 0 0
~~~~~~

The "T" column shows the total (in this case sender) count for each domain. The columns with numbers above them show counts for messages aged less than that many minutes, but not younger than the age limit for the previous column. The row labeled "TOTAL" shows the total count for all domains.
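
The sender count in step 3 and the per-sender deletions in steps 4 to 6 depend on fixed character columns and substring grep matches. The following is an added example, not part of the original article, that parses the same postqueue -p output by field and matches the envelope sender exactly; the function names and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `postqueue -p` output by field instead of by column.

# Constructed sample in postqueue -p layout (addresses are placeholders).
sample_queue() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5F     1411 Thu Oct 24 05:39:16  user@adminlogs.info
    (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         rcpt1@example.net

A1B2C3D4E60*    2290 Thu Oct 24 05:40:02  user@adminlogs.info
                                         rcpt2@example.net

A1B2C3D4E61!     980 Thu Oct 24 05:41:47  xuser@adminlogs.info
                                         rcpt3@example.net

A1B2C3D4E62     3345 Thu Oct 24 08:06:40  MAILER-DAEMON
    (host mx.example.org[192.0.2.20] said: 452 4.2.2 over quota)
                                         user@adminlogs.info

-- 8 Kbytes in 4 Requests.
EOF
}

# Print "count sender" for each envelope sender, busiest last.
# A queue entry line has 7 fields: ID[*|!], size, 4 date fields, sender.
queue_senders() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && NF == 7 { n[$7]++ }
         END { for (s in n) print n[s], s }' | sort -n
}

# Print the queue IDs whose envelope sender equals $1 exactly.
# String comparison, so "." is literal and xuser@... does not match user@...;
# recipient lines (like the bounce to user@adminlogs.info) are ignored.
queue_ids_for_sender() {
    awk -v want="$1" '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ &&
                      NF == 7 && $7 == want {
        sub(/[*!]$/, "", $1)   # drop the active (*) or hold (!) marker
        print $1 }'
}

sample_queue | queue_senders
sample_queue | queue_ids_for_sender user@adminlogs.info
```

On a live server, replace sample_queue with postqueue -p, review the printed IDs, and only then pipe them to postsuper -d - to delete them.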
