
Deleting emails from Zimbra queue from a compromised email address

We often encounter a situation where a Zimbra email ID has been compromised, whether through a weak password or some other attack.

To contain this, take the following measures.

1. Log in to the Zimbra server and watch the mail log with the command below:

   tail -f /var/log/zimbra.log

2. You may find a large number of emails queued from a single email ID.

3. Now log in to the Zimbra Admin interface and disable that email ID.

4. After disabling the email ID, invalidate all of its sessions.

5. As the last step, run the script below to clear the queued emails and avoid further damage to your IP reputation.

Run the script below as root on the Zimbra server. It lists the Postfix queue, finds every message whose sender or recipient matches the given email ID, and deletes those messages from the queue.

############Script Starts##################

#!/usr/bin/perl -w
#
# pfdel - deletes messages containing the specified address from the
# Postfix queue. Matches either the sender or a recipient address.
#
# Usage: pfdel <email_address>
#

use strict;

# Change these paths if necessary (Zimbra ships its own Postfix).
my $LISTQ     = "/opt/zimbra/common/sbin/postqueue -p";
my $POSTSUPER = "/opt/zimbra/common/sbin/postsuper";

my $email_addr = "";
my $qid        = "";
my $euid       = $>;

if ( @ARGV != 1 ) {
    die "Usage: pfdel <email_address>\n";
} else {
    $email_addr = $ARGV[0];
}

if ( $euid != 0 ) {
    die "You must be root to delete queue files.\n";
}

open( my $queue, "$LISTQ |" )
    || die "Can't get pipe to $LISTQ: $!\n";

my $entry = <$queue>;    # skip the single header line
$/ = "";                 # the remaining queue entries are multi-line
                         # paragraphs separated by blank lines

while ( $entry = <$queue> ) {
    # \Q...\E quotes the address so '.' and '+' are matched literally
    # instead of being treated as regex metacharacters.
    if ( $entry =~ / \Q$email_addr\E$/m ) {
        ($qid) = split( /\s+/, $entry, 2 );
        $qid =~ s/[\*\!]//;    # strip the active (*) / hold (!) marker
        next unless ($qid);

        #
        # Execute postsuper -d with the queue id.
        # postsuper provides feedback when it deletes
        # messages. Let its output go through.
        #
        if ( system( $POSTSUPER, "-d", $qid ) != 0 ) {
            # If postsuper has a problem, bail.
            die "Error executing $POSTSUPER: error "
                . "code " . ( $? >> 8 ) . "\n";
        }
    }
}
close($queue);

if ( !$qid ) {
    die "No messages with the address <$email_addr> "
        . "found in queue.\n";
}

exit 0;

#############Script Ends###################

Make it executable:

chmod 700 queue-clear.sh

Run the script:

./queue-clear.sh emailid@todelete.com
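Step 2 above leaves it to you to spot which account is flooding the queue. As an added example that is not part of the original post, this POSIX shell helper counts queued messages per sender in `postqueue -p` output; the listing embedded here is constructed sample data, and the path to Zimbra's postqueue is the one used by the script above.

```shell
#!/bin/sh
# Summarise a "postqueue -p" listing by sender so the account flooding
# the queue stands out. Assumes the classic multi-line text format:
# one queue-ID line per message (starting in column 1, sender as the
# last field), with recipient lines indented beneath it.

# Constructed sample listing. On a real Zimbra server feed the
# functions with:  /opt/zimbra/common/sbin/postqueue -p | count_by_sender
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A2B1C4D5E*    4567 Tue Mar  5 10:15:22  hijacked@example.com
                                         target1@example.net
                                         target2@example.org

4F6E7D8C9B     1234 Tue Mar  5 10:15:23  legit@example.com
                                         friend@example.net

5A7B8C9D0E!    4321 Tue Mar  5 10:15:24  hijacked@example.com
                                         target3@example.net

-- 10 Kbytes in 3 Requests.'

# Read a listing on stdin; print "<count> <sender>", busiest first.
# The header and the "-- N Kbytes" summary start with "-", recipient
# lines start with spaces, and the empty-queue message is skipped
# explicitly, so only queue-ID lines are counted.
count_by_sender() {
    awk '
        /^Mail queue is empty/ { next }
        /^[0-9A-Za-z]/         { count[$NF]++ }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Sender with the most queued messages (empty string if queue is empty).
top_sender() {
    count_by_sender | head -n 1 | awk '{ print $2 }'
}

# Number of queued messages whose sender is exactly the given address.
queued_from() {
    count_by_sender | awk -v who="$1" \
        '$2 == who { n = $1 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_QUEUE" | count_by_sender
```

The address printed first is the one to disable in step 3 and to pass to the queue-clearing script.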


This is all for the remedy 🙂
