
Differences

This shows you the differences between two versions of the page.

faq:spam:recover [2013/01/12 08:27]
dothebart spam recovery howto.
faq:spam:recover [2014/05/19 14:11] (current)
dothebart [Clearing the situation - without webcit]
Line 18: Line 18:
 This is probably a good time to tell your users that the mailsystem is unavailable, and you're working on the situation.\\ This is probably a good time to tell your users that the mailsystem is unavailable, and you're working on the situation.\\
 Now you need to find out whose account was hacked. therefore you need to inspect your outbound mailqueue. \\ Now you need to find out whose account was hacked. therefore you need to inspect your outbound mailqueue. \\
-Goto **// Administration / View the outbound SMTP queue/ //** \\+As an aide user, Goto **// Administration / View the outbound SMTP queue/ //** \\
 The **//Jobs waiting for further processing://** table shows you probably a huge list of mail jobs being processed. The **//Sender//** Column should show you who is the one that was hacked. Contact this person, and tell him he has to clear the situation on his system. Right now its probably a good idea to change his password.\\ The **//Jobs waiting for further processing://** table shows you probably a huge list of mail jobs being processed. The **//Sender//** Column should show you who is the one that was hacked. Contact this person, and tell him he has to clear the situation on his system. Right now its probably a good idea to change his password.\\
  
 ======Clearing the Situation===== ======Clearing the Situation=====
-And now you're in the need for a way to delete a huge number of jobs from the Queue, right? Since webcit dynamicaly decides which representation to provide for a room, and the mailqueue is just another (hidden) room, you simply need to chose another representation by changing the **//view//** parameter in the URL in your browser from **11** to **1** and press enter. Now you've got the compfy mailbox view, you will get a better view of the situation. There are two sorts of messages in this room: those with regular subjects, and those with QMSG as subject. its always pairs of them; the QMSG with the queueing information, and the regular mail. We suspect that __NONE__+And now you're in the need for a way to delete a huge number of jobs from the Queue, right? Since webcit dynamicaly decides which representation to provide for a room, and the mailqueue is just another (hidden) room, you simply need to chose another representation by changing the **//view//** parameter in the URL in your browser from **11** to **1** and press enter. Now you've got the compfy mailbox view, you will get a better view of the situation. There are two sorts of messages in this room: those with regular subjects, and those with QMSG as subject. its always pairs of them; the QMSG with the queueing information, and the regular mail. We assume that __NONE__ of the mails currently in the Queue will be sent. Select all of them and press <del> to move them into your personal trashbin. You can later check, whether there are mails from your users that they should send again. Please note that you should respect the privacy of your users. 
 +======Clearing the situation - without webcit===== 
 +If your situation is that worse, that webcit can't help you anymore, we need to go a little more low-tech. 
 +Instead of webcit talking to citserver, we write a little shellscript utilizing netcat //(Note: some distros call the Unix-Domain-Socket enabled netcat we need 'openbsd-netcat', test with nc -h whether 'U' is in the possible arguments)//. 
 + 
 +**SIDENOTE:** this script will delete messages permanentely, you won't be able to look at them later. 
 + 
 +You've probably already read about [[faq:generalquestions:i_want_to_automate|citadel scripting]]; more details can be found at [[documentation:applicationprotocol|the application protocol documentation]]; eventualy you may want to implement the MOVE command... 
 + 
 +Please adjust [[documentation:file_layout|the location of your unix domain socket]] according to your installation. 
 + 
 +You need to run this script with write permissions to the admin-socket. 
 +<code bash> 
 +#!/bin/bash 
 +# get all message IDs from the spool folder:  
 +(printf 'GOTO __CitadelSMTPspoolout__\nMSGS\n'; sleep 1; ) |nc -U /var/run/citadel/citadel-admin.socket  |grep -v '^200 .*' |grep -v '^000$'  |grep -v '^100 *$'> /tmp/msgids 
 +# (grep out status-codes etc.) 
 + 
 +# check the file /tmp/msgids for validity, then remove this:  
 +exit 
 + 
 +# now we know all of them, chunksize items per command. 
 +chunksize=30 
 +count=`wc -l < /tmp/msgids` 
 +chunks=$(($((count/${chunksize})) + 1)) 
 + 
 +start=${chunksize} 
 + 
 +
 +printf 'GOTO __CitadelSMTPspoolout__\n' 
 +for i in `seq 1 $chunks`; do  
 +    line='' 
 +    messages=`head /tmp/msgids -n${start}|tail -n ${chunksize}` 
 +    #printf "${messages}" 
 +    for msgid in ${messages}; do  
 + if test -n "${line}"; then  
 +     line=${line}',' 
 + fi 
 + line=${line}$msgid 
 +    done 
 +    printf "DELE $line\n" 
 +    start=$((${start} + ${chunksize})) 
 +done 
 +# after we sent all commands, give citserver a while to catch up, 
 +# before we close the connection. 
 +sleep 1000000 
 + 
 +)|nc -U /var/run/citadel/citadel-admin.socket 
 +</code> 
 +=====getting back to normal business===== 
 +Now that you  
 +  * removed the spam from your mailqueue 
 +  * identified & cleared possible infections on the client host 
 +you need to  
 +  * configure the new password on the client and tell the user his new password for the web login (or better let him choose a new one which mustn't be the old one) 
 +  * educate you user about possible attack vectors, and that his credentials are possibly burned, and he should change passwords on other accounts 
 +  * re-enable the inbound SMTP-Ports 
 +  * remove the outbound mailblock setting from your initscript 
 +  * restart citserver 
 +  * send a test mail! 
 +  * check whether you made it into some RBL, and clear the situation with them; else some remote hosts may reject mails from you as spam... 
 + 
  
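Review bot: the subshell that feeds the DELE commands to nc is never opened in the bash block: the section starting at `printf 'GOTO __CitadelSMTPspoolout__\n'` is closed by `)|nc -U /var/run/citadel/citadel-admin.socket`, but the matching `(` before that printf is missing, so bash rejects the whole script with a syntax error as soon as the `exit` guard is removed; put `(` on the blank line just above the printf. Two smaller points in the same block: `chunks=$(($((count/${chunksize})) + 1))` rounds up even when count is an exact multiple of chunksize, so the final iteration emits a bare `DELE ` with no message IDs; wrap `printf "DELE $line\n"` in `test -n "$line"`. And `sleep 1000000` keeps the admin socket open for over eleven days; a few seconds is enough for citserver to work through the queued DELE commands before nc closes the connection. The first command has the opposite problem: `sleep 1` after `MSGS` may close the pipe before a large spool has been fully listed, leaving /tmp/msgids truncated, which is the real reason the "check the file /tmp/msgids for validity" step matters and should be stated there.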
Copyright © 1987-2014 Uncensored Communications Group. All rights reserved.