Identifying and blocking malicious email

Basic examples of protecting an email server against spam

Each message that passes through the mail service has its own identifier, in other words a unique message number. Exim queue message identifiers are mixed-case alphanumeric sequences such as 1TrXS1-0003SL-3h and are used by most Exim queue administration and logging commands.

Exim is a Mail Transfer Agent (MTA), that is, a mail server, used on many Unix-family operating systems.

Let's look at a short list of commands, run over SSH, for managing mail and the mail queue. All commands must be executed as root.

Output the number of messages in the mail queue (what we see in monitoring)

exim -bpc

Print the list of messages in the queue. Outputs the time in queue, size, message ID, sender and recipient

exim -bp 

An example of such a list

4h 791 1TrXgs-0004t8-0W ####@#########.com 

4h 1.8K 1TrXgu-0004tZ-5w 
####@#########.com

Accordingly, the identifiers of these two messages are 1TrXgs-0004t8-0W and 1TrXgu-0004tZ-5w

Delete a message from the queue

exim -Mrm [id] 

(Example: exim -Mrm 1TrXgs-0004t8-0W will remove the message with the given ID from the queue)

View message headers

exim -Mvh [id]

View the message body

exim -Mvb [id]

View the message log

exim -Mvl [id]

Delete all blocked (frozen) messages in the mail queue

exipick -z -i | xargs exim -Mrm

Delete all messages from the mail queue where the sender domain is domain

exipick -f @domain -i | xargs exim -Mrm

Remove all messages from the mail queue where the recipient domain is domain

exipick -r @domain -i | xargs exim -Mrm

Remove all messages from the mail queue

exipick -i | xargs exim -Mrm
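Before deleting by sender domain, it helps to see which sender domain actually accounts for the queue. The script below is an added example, not part of the original article: the function names and the sample listing are constructed, and it assumes the exim -bp header-line layout of age, size, message ID, sender.

```shell
#!/bin/sh
# Added example: summarise `exim -bp` style output by sender domain.
# Assumed header line: <age> <size> <message-id> <sender> [*** frozen ***]
# Recipient lines are skipped because their third field is not a message ID.

# Constructed sample queue listing (not real data).
sample_queue() {
cat <<'EOF'
 4h   791 1TrXgs-0004t8-0W <web1@shop.example>
          alice@dest.example

 4h  1.8K 1TrXgu-0004tZ-5w <web1@shop.example>
          bob@dest.example

 3h  2.1K 1TrXh0-0004u1-7a <> *** frozen ***
          web1@shop.example

 1h   640 1TrXk2-0004x9-2B <admin@corp.example>
          carol@dest.example
EOF
}

# queue_by_domain: read a listing on stdin, print "<count> <sender-domain>",
# highest count first. An empty sender (<>) is a bounce message.
queue_by_domain() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
             s = $4; gsub(/[<>]/, "", s)
             d = (s == "") ? "(bounce)" : substr(s, index(s, "@") + 1)
             n[d]++
         }
         END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# ids_for_domain DOMAIN: print the IDs of messages whose sender is in DOMAIN,
# so they can be inspected with exim -Mvh / -Mvb before anything is removed.
ids_for_domain() {
    awk -v dom="$1" '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
             s = $4; gsub(/[<>]/, "", s)
             if (substr(s, index(s, "@") + 1) == dom) print $3
         }'
}

# On a live server: exim -bp | queue_by_domain
sample_queue | queue_by_domain
```

A single domain dominating the summary usually points at the compromised account or script; review a few of its message IDs before removing the rest.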

If there are several hundred thousand messages in the queue, it is faster to delete the queue with the commands

rm -rfv /var/spool/exim4/input/
rm -rfv /var/spool/exim4/msglog/

If Postfix is installed on the server instead of Exim, you can use the following commands

Output the mail queue

mailq

Clean up the mail queue

postsuper -d ALL
