Exim Queue Scripts

From James Dooley's Wiki

Latest revision as of 14:17, 25 March 2014

Overview

Different scripts to search and clean up the Exim queue by reading the message header (-H) files in the spool directly.

Note: these scripts have recently been changed to look only at the 0 queue subdirectory by default. With split_spool_directory enabled, Exim spreads messages over the input/0-9, A-Z and a-z subdirectories by the sixth character of the message ID, so scanning 0 alone is roughly a 1/62 sample: much faster, and it should still represent the queue as a whole. The delete scripts below deliberately scan the whole input directory.


Query Scripts

Find top sending addresses for current messages in queue

find /var/spool/exim/input/0 -name '*-H' | xargs grep 'auth_id' | cut -d " " -f2 | sort | uniq -c | sort -rn

Unauthenticated inbound SMTP messages have no -auth_id line in their header file and so do not appear in this count.

Find messages with specific element (subject, to, from etc)

Note: this only returns message IDs; it does not correlate them with anything else. The pattern is a regular expression matched anywhere in the header file (so a dot matches any character), and grep only prefixes the filename when xargs hands it more than one file, so add the -H option to grep if the last batch might contain a single file.

find /var/spool/exim/input/0 -name '*-H' | xargs grep "$ELEMENT" | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3

EXAMPLE:

find /var/spool/exim/input/0 -name '*-H' | xargs grep -i "subject:" | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3

Header names are capitalised in the spool file ("Subject:"), so match case-insensitively or use the capitalised form.

Get message IDs for messages from a specific sender

find /var/spool/exim/input/0 -name '*-H' | xargs grep 'auth_id' | grep $EMAILADDRESS | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3

EXAMPLE:

find /var/spool/exim/input/0 -name '*-H' | xargs grep 'auth_id' | grep likestospam@insecurepassword.com | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3

Get list of IP addresses sending messages from specific address

for i in $(find /var/spool/exim/input/0 -name '*-H' | xargs grep 'auth_id' | grep $EMAILADDRESS | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3);
 do exim -Mvh $i | grep helo | cut -d "[" -f2 | cut -d "]" -f1| grep -v helo_name; done | sort | uniq -c | sort -n

exim -Mvh prints the message's header spool file. The grep/cut chain pulls the [address] out of the Received: header line that contains helo=, and grep -v helo_name discards the spool file's own -helo_name line; the -host_address line in the same output holds the sending IP (followed by the port) directly.

EXAMPLE:

for i in $(find /var/spool/exim/input/0 -name '*-H' | xargs grep 'auth_id' | grep likestospam@insecurepassword.com  | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3);
 do exim -Mvh $i | grep helo | cut -d "[" -f2 | cut -d "]" -f1| grep -v helo_name; done | sort | uniq -c | sort -n

Display specific field

This will display the contents of the specific field.

find /var/spool/exim/input/0 -name '*-H' | xargs grep "$FIELD" | cut -d: -f3- | sort | uniq -c | sort -nr

EXAMPLE:

find /var/spool/exim/input/0 -name '*-H' | xargs grep "Subject" | cut -d: -f3- | sort | uniq -c | sort -nr

Delete Scripts

Delete messages based on specific element (IE Subject, To, From etc)

find /var/spool/exim/input -name '*-H' | xargs grep -H "$ELEMENT" | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm

The pattern must be in double quotes so the shell expands $ELEMENT (inside single quotes grep looks for the literal text $ELEMENT and deletes nothing), and grep -H guarantees the filename prefix the cut chain relies on. cut -d/ -f7 assumes the split spool layout (/var/spool/exim/input/<subdir>/<id>-H). exim -Mrm cannot be undone and the pattern is an unanchored regular expression matched against every line of the header file, Received: lines included, so run the equivalent query script first and check the list of IDs it returns.

EXAMPLE:

find /var/spool/exim/input -name '*-H' | xargs grep 'From: somethingimportant@somerealcompany.com' | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm

Delete messages based on address

find /var/spool/exim/input -name '*-H' | xargs grep -H 'auth_id' | grep $EMAILADDRESS | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm

grep $EMAILADDRESS is a substring match: user@example.com also matches otheruser@example.com, so check the output of the matching query script before deleting.

EXAMPLE:

find /var/spool/exim/input -name '*-H' | xargs grep 'auth_id' | grep likestospam@insecurepassword.com | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm

Advanced Scripts

These scripts work through the spool one subdirectory at a time, reporting and (for the delete scripts) removing matches in each subdirectory before moving on to the next. On a large queue, spam therefore starts coming off the server after the first subdirectory has been scanned rather than after a scan of the whole spool.

Advanced sender find

Makes it easier to identify spamming accounts with large exim queues.

Note: for a quick overview you will most likely want the normal sender find script above; this one prints a separate list for each queue subdirectory.


# list the split-spool subdirectories with find instead of parsing ls -l output
for dir in $(find /var/spool/exim/input -mindepth 1 -maxdepth 1 -type d | sort);
do echo "Searching $dir directory";
echo "Getting emails in directory";
email=$(find "$dir" -name '*-H');
ecount=$(echo "$email" | grep -c .);
if [[ $email != "" ]];
then
echo -e "\e[0;31mFound $ecount messages\e[0m";
echo "$email" | xargs grep 'auth_id' | cut -d " " -f2 | sort | uniq -c | sort -rn;
fi;
done;

Advanced message delete based on address

Makes it easier to delete messages in large spam queues.

You will need to change EMAILADDRESS.

EMAILADDRESS='';
# refuse to run with an empty address: a quoted empty pattern would match every message
: "${EMAILADDRESS:?set EMAILADDRESS before running}";
for dir in $(find /var/spool/exim/input -mindepth 1 -maxdepth 1 -type d | sort);
do echo "Cleaning up $dir";
echo "Getting emails in directory";
email=$(find "$dir" -name '*-H');
ecount=$(echo "$email" | grep -c .);
echo "Found $ecount messages";
spam=$(echo "$email" | xargs grep -H 'auth_id' | grep "$EMAILADDRESS" | cut -d: -f1 | cut -d- -f1-3);
scount=$(echo "$spam" | grep -c .);
echo "Found $scount spam messages";
echo "Deleting";
for msg in $(echo "$spam" | rev | cut -d "/" -f1 | rev); do exim -Mrm $msg; done;
done;

Advanced NDR delete

Removes Delivery Status Notifications per mail queue.

Change SUBJECT to match other bounce wording (different MTAs title their NDRs differently) or any other subject text whose messages you want to purge.

SUBJECT='Delivery Status Notification';
for dir in $(find /var/spool/exim/input -mindepth 1 -maxdepth 1 -type d | sort);
do echo "Cleaning up $dir";
echo "Getting emails in directory";
email=$(find "$dir" -name '*-H');
ecount=$(echo "$email" | grep -c .);
echo "Found $ecount messages";
spam=$(echo "$email" | xargs grep -H "Subject: $SUBJECT" | cut -d: -f1 | cut -d- -f1-3);
scount=$(echo "$spam" | grep -c .);
echo "Found $scount spam messages";
echo "Deleting";
for msg in $(echo "$spam" | rev | cut -d "/" -f1 | rev);
do exim -Mrm $msg;
done;
done;
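The following is an added example, not code from this wiki: the query scripts above (top senders, message IDs for a sender, sending IPs) and the delete scripts, including the per-subdirectory advanced ones, rewritten as shell functions that run against a constructed, throw-away spool so they can be tried offline. The -H files it writes only mimic Exim's layout (the -auth_id, -host_address and length-prefixed header lines); the function names, message IDs, addresses and IPs are all invented for the example, and exim -Mrm is only invoked when queue_purge is explicitly told to delete.

```bash
#!/bin/sh
# Added example, not code from the wiki: the query and delete one-liners above
# rewritten as functions and run against a constructed throw-away spool so they
# can be tried offline. Assumptions: the -H files written below only mimic
# Exim's layout ("-auth_id <addr>", "-host_address <ip>.<port>", and
# "NNNF Header: value" header lines); every function name is invented here;
# exim -Mrm runs only when queue_purge is told to delete.
set -u

# Write one constructed -H file: $1=dir $2=message id $3=auth_id $4=ip $5=subject
write_h() {
cat > "$1/$2-H" <<EOF
$2-H
mailnull 47 12
<$3>
1395756000 0
-helo_name mail.example.com
-host_address $4.54321
-auth_id $3
-received_protocol esmtpa
XX
1
victim@example.net

036  Subject: $5
EOF
}

# Throw-away split spool: two subdirectories, four messages, two senders.
make_sample_spool() {
  spool=$(mktemp -d)
  mkdir "$spool/0" "$spool/1"
  write_h "$spool/0" 1ABCDE-000001-AA spammer@example.com 192.0.2.10   "Buy now"
  write_h "$spool/0" 1ABCDE-000002-AA spammer@example.com 192.0.2.11   "Buy now"
  write_h "$spool/0" 1ABCDE-000003-AA alice@example.com   198.51.100.7 "Invoice"
  write_h "$spool/1" 1ABCDE-000004-AA spammer@example.com 192.0.2.10   "Buy now"
  echo "$spool"
}

# Messages per authenticated sender. grep -h drops the filename, so the last
# xargs batch (which may hold a single file) is formatted like the others.
top_senders() {  # $1 = spool subdirectory, e.g. /var/spool/exim/input/0
  find "$1" -name '*-H' -print0 | xargs -0 grep -h '^-auth_id ' \
    | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Message IDs whose -H file contains an exact line ($2), for example
# "-auth_id spammer@example.com". -F fixed string, -x whole line, -l names only:
# user@example.com cannot match otheruser@example.com or a Received: header.
ids_matching() {  # $1 = directory, $2 = exact line
  find "$1" -name '*-H' -print0 | xargs -0 grep -lFx -e "$2" \
    | sed 's#.*/##; s/-H$//'
}

# Sending IPs for one sender, taken from -host_address ("<ip>.<port>", so the
# trailing port is dropped) instead of cutting them out of Received: headers.
ips_for_sender() {  # $1 = directory, $2 = address
  for id in $(ids_matching "$1" "-auth_id $2"); do
    awk '/^-host_address /{sub(/\.[0-9]+$/, "", $2); print $2}' "$1/$id-H"
  done | sort | uniq -c | sort -rn
}

# Preview (default) or delete matching messages one spool subdirectory at a
# time, like the advanced scripts, without parsing ls output. The last line
# printed is the total number of matches.
queue_purge() {  # $1 = spool input dir, $2 = exact line, $3 = "delete" to act
  found=0
  for dir in $(find "$1" -mindepth 1 -maxdepth 1 -type d | sort); do
    ids=$(ids_matching "$dir" "$2")
    n=$(printf '%s\n' "$ids" | grep -c . || true)   # 0 when empty, unlike wc -l
    echo "$dir: $n matching message(s)"
    found=$((found + n))
    if [ "$n" -gt 0 ] && [ "${3:-preview}" = delete ]; then
      exim -Mrm $ids                                 # unquoted: one argument per id
    fi
  done
  echo "$found"
}

# Demo against the sample spool; preview only, nothing is deleted.
demo() {
  s=$(make_sample_spool)
  top_senders "$s/0"
  ids_matching "$s/0" "-auth_id spammer@example.com"
  ips_for_sender "$s/0" spammer@example.com
  queue_purge "$s" "-auth_id spammer@example.com"
  rm -rf "$s"
}
demo
```

Run the file as-is for the demo. Against a live server (as root or the exim user, which is needed to read the spool), call for example queue_purge /var/spool/exim/input "-auth_id user@example.com" to preview the per-subdirectory counts and append delete as the third argument only once the preview looks right; matching on the whole spool line rather than a bare address is what stops a short address from deleting a longer one's mail.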

What to change

In the query scripts above, set the variables ($ELEMENT, $EMAILADDRESS, $FIELD) to what you are looking for; the advanced scripts take EMAILADDRESS and SUBJECT at the top of the script.