Posts Tagged ‘spam’

Clearing Huge Zimbra Mail Queues

An account on one of my Zimbra servers was compromised recently, leading to about one hundred or so different spammers gangbanging it. It wasn’t hard to fix the leak, but once you’ve got your spammer problem dealt with you will probably be left with huge queues, and those queues are probably putting your load average well above 10. Worse than the resource problem, you are still spamming for as long as these queues slowly drain, and it will take a very long time to get off of all the RBLs you are undoubtedly now on unless you clear the queues now.

You should be able to log into the Zimbra administration front-end, navigate to Monitor > Mail Queues and selectively clear deferred messages from bad addresses. Unfortunately, the web interface is as useless as a tit on a bull when it comes to clearing tens of thousands of messages. It’s necessary to shell in and manipulate the postfix queues directly.

Lots of thanks to TheBrain.ca for publishing his solution at http://developer.thebrain.ca/2010/06/troubleshooting-mail-queue-on-postfix.html:

# /opt/zimbra/postfix/postqueue -p | awk '/user@example.com/ {print $1}' > /tmp/user.txt
# /opt/zimbra/postfix/postsuper -d - < /tmp/user.txt

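This uses awk to spit out the queue ID (the first column of the postqueue -p listing) of e-mails coming from user@example.com, which we then feed into postsuper -d.

You should edit the output file and remove any asterisks with a search and replace; postqueue appends an asterisk to the ID of messages that are in the active queue. Because the awk pattern matches any line that contains the address, you may also find some non-message-ID entries, but these can safely be ignored.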

If you don’t want to see the list of message IDs before dropping them a more elegant method can be found in the postsuper man page:

              mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
                  # $7=sender, $8=recipient1, $9=recipient2
                  { if ($8 == "user@example.com" && $9 == "")
                        print $1 }
              ' | tr -d '*!' | postsuper -d -
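
A stricter version of the sender filter above, as an added example that is not from the original post, TheBrain.ca or the postsuper man page: it compares the sender column exactly, strips the `*` and `!` status markers itself, and prints the IDs for review before anything is deleted. The function names and the sample queue listing are constructed for illustration; the /opt/zimbra/postfix paths are the ones used above.

```shell
# Print the queue IDs of messages whose envelope sender is exactly "$1".
# Reads `postqueue -p` output on stdin.
queue_ids_by_sender() {
    awk -v sender="$1" '
        # A queue-entry line has the queue ID in field 1, optionally followed
        # by * (active queue) or ! (on hold), and the sender in field 7.
        # Header, error-reason and recipient lines do not fit this shape.
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF >= 7 && $7 == sender {
            id = $1
            sub(/[*!]$/, "", id)    # drop the status marker
            print id
        }
    '
}

# Constructed sample of `postqueue -p` output (not from a real server).
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Jun  7 10:00:00  user@example.com
                                         victim1@example.net

F6A7B8C9D0     2345 Mon Jun  7 10:00:01  other@example.org
(connect to mx.example.net[192.0.2.1]:25: Connection timed out)
                                         user@example.com

0123456789!    3456 Mon Jun  7 10:00:02  user@example.com
                                         victim2@example.net

-- 7 Kbytes in 3 Requests.
EOF
}

# Dry run on the sample: only the two messages *sent by* user@example.com
# are listed; the message merely addressed to that user is left alone.
sample_queue | queue_ids_by_sender user@example.com

# On a live Zimbra host, once the list looks right:
#   /opt/zimbra/postfix/postqueue -p | queue_ids_by_sender user@example.com \
#       | /opt/zimbra/postfix/postsuper -d -
```
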

Barracuda Spam Firewall Reject Bad Recipients with Zimbra LDAP

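You may need to open the LDAP port on your Zimbra server. The rule as written accepts connections to port 389 from any source address; adding -s with the Barracuda's address limits it to the appliance.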

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT

Determine your Zimbra LDAP password:

# su - zimbra
$ zmlocalconfig -s zimbra_ldap_password
zimbra_ldap_password = XXXXXXXXXXXX

Open the Barracuda Spam Firewall administration interface. Click the Domains tab. Click the Modify link next to the domain(s) you would like to enable bad recipient rejection for. Click on the LDAP Configuration sub-tab under the Users tab. Retain all defaults except:

  • LDAP Server – Change this to the host name of your Zimbra server
  • Bind DN (Username) – Change this to uid=zimbra,cn=admins,cn=zimbra
  • Bind Password – Change this to your zimbra_ldap_password

FurFinding: The Spammedest Page Ever

Do you remember the good old days before CAPTCHAs? It was a simpler time – bots spammed e-mail accounts, not websites. Few people thought of the security implications of accepting user input on their sites, even successful commercial outfits.

I’ve been doing a little tinkering with FurFinder lately and have come across a page which may indicate the year in which the paradigm shifted.

With its first post dated December 18, 2000, http://www.catswithhands.com/guestbook.html is a pre-Web 2.0 guestbook which permitted untested, unmoderated public write access for 6 years. It is 9.5MB long.

There are

$ grep "<b>Realname: </b>" guestbook.html | wc -l
4093

entries.

The spam began in earnest in 2004, after which there are only two or three posts by humans – a vivid illustration of how corrosive unchecked web spam can be to your image and audience.

foxpa.ws
Made in Canada  •  There's a fox in the Gibson!  •  2010-12