Twice in the last month we've discovered unusual slowdowns with our mail server. When looking into it further, we've discovered that a customer's email account was compromised and a spammer (virus?) is using the customer's email account credentials to send spam.

I changed the email password and firewalled the IP address of the source sending spam through the server.

I then had a lot of messages in the mail queue to clean out. These commands have come in handy for me:

  1. Removing emails sent as the compromised email account

First, I dump the whole mail queue to a file:

postqueue -p > /tmp/mailqueue

I then grep for just the queued messages for the offending email account (the compromised customer account):

grep "customer@example.com" /tmp/mailqueue > /tmp/mailqueue2


From there, I edit the /tmp/mailqueue2 file in my favorite text editor, Vim. I remove everything on each line except the message id at the beginning of the line, and I make sure to strip the asterisks (the active-queue marker) from the message ids as well. I then save the file as /tmp/mailqueue3.

Then I run this command to remove all emails sent as that user (all the message ids) from the queue:

for QID in $(cat /tmp/mailqueue3); do postsuper -d "$QID"; done


  2. Removing messages that have bounced back

I then want to remove the bounce messages coming back to the customer's email account. This one command does it all for me:

postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } / customer@example\.com/ { print $1 }' | tr -d '*!' | postsuper -d -
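The one-liner above matches the address wherever it appears in a queue record, so it catches mail the account sent as well as mail addressed to it. As an added example (not from the original post), here is a small POSIX shell helper that parses `postqueue -p` output and separates the two cases: "sender" mode lists the queue ids of messages sent as the account (step 1 above), "recipient" mode lists the bounces addressed to it (step 2). It strips the `*` (active) and `!` (hold) status markers and skips the deferral-reason lines that start with "(". The queue listing embedded in `sample_queue` is constructed for the example, with made-up queue ids and addresses; the column layout follows Postfix's `postqueue -p` format. Nothing here calls `postsuper`, so it is safe to run and review before you delete anything.

```shell
#!/bin/sh
# Constructed sample of "postqueue -p" output (not a real queue listing).
# Record 1: spam sent as the compromised account (active, marked "*").
# Record 2: a bounce addressed to the compromised account (on hold, "!").
# Record 3: an unrelated deferred message with a "(reason)" line.
sample_queue() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4321 Mon Jan  1 10:00:00  customer@example.com
                                         victim1@example.net
                                         victim2@example.org

F6A7B8C9D0!     1234 Mon Jan  1 10:01:00  MAILER-DAEMON
                                         customer@example.com

0E1F2A3B4C       999 Mon Jan  1 10:02:00  other@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         someone@example.net

-- 6 Kbytes in 3 Requests.
EOF
}

# queue_ids_for MODE ADDRESS   (postqueue -p text on stdin)
#   MODE "sender"    -> ids of messages whose envelope sender is ADDRESS
#   MODE "recipient" -> ids of messages with ADDRESS among the recipients
# Prints one bare queue id per line, status markers removed, ready for
# "postsuper -d -".
queue_ids_for() {
    # tail drops the column header; awk reads one blank-line-separated
    # record at a time, one field per line.
    tail -n +2 | awk -v mode="$1" -v addr="$2" '
    BEGIN { RS = ""; FS = "\n" }
    $1 ~ /^--/ { next }                      # footer: "-- N Kbytes in M Requests."
    {
        n = split($1, f, /[ \t]+/)           # first line: id size date sender
        id = f[1]; sender = f[n]
        sub(/[*!]$/, "", id)                 # strip active/hold marker
        hit = 0
        if (mode == "sender" && sender == addr) hit = 1
        if (mode == "recipient") {
            for (i = 2; i <= NF; i++) {      # remaining lines: recipients
                line = $i
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line !~ /^\(/ && line == addr) hit = 1   # skip "(reason)"
            }
        }
        if (hit) print id
    }'
}

# Stand-alone demo on the constructed sample: review these lists first
# (e.g. "postcat -q ID"), then on a real server pipe the same output
# into "postsuper -d -":
#   postqueue -p | queue_ids_for sender customer@example.com | postsuper -d -
echo "sent as the account:";   sample_queue | queue_ids_for sender    customer@example.com
echo "bounces addressed to it:"; sample_queue | queue_ids_for recipient customer@example.com
```

Run it as `sh cleanup.sh` to see the two lists from the sample; on a live server replace `sample_queue` with `postqueue -p`. Keeping the two modes separate means the outbound spam and the inbound bounces can be checked and deleted as distinct batches, which also gives you a count of each for the incident write-up.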