pfsasl - A perl script to remove messages from queues, based on sasl_username


pfsasl - A perl script to remove messages from queues, based on sasl_username

Nick Bright-3
Greetings,

After having a problem with a lot of mail being queued by a compromised
end user's mailbox, I was unable to find a script able to remove messages
from the queue based on the sasl_username.

The pfdel script is very handy for removing things when the from/to
addresses are stable, but in this case the attacker had set random from
addresses.

So, I used the original pfdel script and modified it into the attached
pfsasl script. I'm a novice with perl, so there may be some
optimizations possible - but it does work properly.

I hope somebody finds this useful :)

--
-----------------------------------------------
-  Nick Bright                                -
-  Vice President of Technology               -
-  Valnet                                     -
-  Tel 888-332-1616 x 315 / Fax 620-331-0789  -
-  Web http://www.valnet.net/                 -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information&  30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------


Attachments: pfsasl.pl (3K), smime.p7s (5K)

Re: pfsasl - A perl script to remove messages from queues, based on sasl_username

Nick Bright-3
On 5/2/2013 10:53 PM, Nick Bright wrote:

> Greetings,
>
> After having a problem with a lot of mail being queued by a
> compromised end user's mailbox, I was unable to find a script able to
> remove messages from the queue based on the sasl_username.
>
> The pfdel script is very handy for removing things when the from/to
> addresses are stable, but in this case the attacker had set random
> from addresses.
>
> So, I used the original pfdel script and modified it into the attached
> pfsasl script. I'm a novice with perl, so there may be some
> optimizations possible - but it does work properly.
>
> I hope somebody finds this useful :)
>
Well, I feel a little silly. I posted the wrong version of the file!
Correct version attached. My apologies!

The differences are renaming $email_addr to $sasl_user for clarity, and
the regex on line 41 was made tighter.



Attachments: pfsasl.pl (3K), smime.p7s (5K)
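The attachment itself is not reproduced in the archive, so here is an added example (my own code, not Nick's pfsasl.pl) of the same approach: walk `postqueue -p`, read each queue file with `postcat -q`, and keep only the IDs whose envelope carries the `sasl_username` attribute for the given login; nothing is deleted unless `--delete` is passed, and the sample listing and queue-file texts are constructed for an offline check.

```python
import re
import subprocess
import sys

# `postqueue -p` entry: queue ID, optional '*' (active) / '!' (hold), then size.
# Header/footer lines start with '-' and recipient lines with spaces, so neither matches.
QUEUE_LINE = re.compile(r"^([0-9A-Za-z]+)[*!]?\s+\d+\s", re.M)
# Envelope attribute smtpd records for SASL-authenticated mail, as `postcat -q ID`
# prints it; empty or absent when the client did not authenticate.
SASL_ATTR = re.compile(r"^named_attribute: sasl_username=(\S*)$", re.M)

# Constructed sample data (not real queue contents) to check the logic offline.
SAMPLE_LISTING = """-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2B1C0A2E*     1234 Fri May  3 10:00:01  x7f1q@example.net
                                         victim1@example.org
4A9D2E1B77      1500 Fri May  3 10:00:03  alice@example.com
                                         bob@example.org
-- 3 Kbytes in 2 Requests.
"""
SAMPLE_FILES = {
    "3F2B1C0A2E": "*** ENVELOPE RECORDS active/3F2B1C0A2E ***\nnamed_attribute: sasl_username=joe\n",
    "4A9D2E1B77": "*** ENVELOPE RECORDS incoming/4A9D2E1B77 ***\nsender: alice@example.com\n",
}

def sasl_username(postcat_output):
    """SASL login recorded in one queue file, or None if there is none."""
    m = SASL_ATTR.search(postcat_output)
    return m.group(1) if m and m.group(1) else None

def matching_ids(user, postqueue_output, read_queue_file):
    """IDs whose queue file carries sasl_username == user.  read_queue_file maps
    an ID to its `postcat -q` text, so the matching is testable without Postfix."""
    return [q for q in QUEUE_LINE.findall(postqueue_output)
            if sasl_username(read_queue_file(q)) == user]

def run(cmd, stdin=None):
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True, check=True).stdout

def main(argv):
    if len(argv) < 2:
        sys.exit("usage: pfsasl_filter.py USER [--delete]")
    user, delete = argv[1], "--delete" in argv[2:]
    ids = matching_ids(user, run(["postqueue", "-p"]), lambda q: run(["postcat", "-q", q]))
    print("\n".join(ids))
    if delete and ids:  # postsuper -d - reads one queue ID per line from stdin
        run(["postsuper", "-d", "-"], "\n".join(ids) + "\n")

if __name__ == "__main__":
    main(sys.argv)
```

Run it as the Postfix superuser; the listing step alone is a useful way to confirm the match before anything is removed from the queue.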

Re: pfsasl - A perl script to remove messages from queues, based on sasl_username

list@airstreamcomm.net
On 2013-05-02 23:02, Nick Bright wrote:

> On 5/2/2013 10:53 PM, Nick Bright wrote:
>> Greetings,
>>
>> After having a problem with a lot of mail being queued by a
>> compromised end user's mailbox, I was unable to find a script able to
>> remove messages from the queue based on the sasl_username.
>>
>> The pfdel script is very handy for removing things when the from/to
>> addresses are stable, but in this case the attacker had set random
>> from addresses.
>>
>> So, I used the original pfdel script and modified it into the
>> attached pfsasl script. I'm a novice with perl, so there may be some
>> optimizations possible - but it does work properly.
>>
>> I hope somebody finds this useful :)
>>
> Well, I feel a little silly. I posted the wrong version of the file!
> Correct version attached. My apologies!
>
> The differences are renaming $email_addr to $sasl_user for clarity,
> and the regex on line 41 was made tighter.
Very nice. We tend to see the same behavior in our compromised SASL
users, so this will come in handy.  Thanks!

To keep the sharing train rolling, I attached a queue monitoring script
which we use with our SNMP monitoring system to alert when the mail
queue exceeds a certain number of messages.
We run CentOS, and configure SNMP with the following entry in
/etc/snmp/snmpd.conf:

"exec postqueuemon /usr/bin/sudo /path/to/scripts/mon_queue.sh"

If it's the first custom SNMP entry your OID should be
1.3.6.1.4.1.2021.8.1.101.1, and now you can poll this OID for your
current mail queue size from whatever SNMP monitoring software you're
using.  Hope this is helpful as well!

Attachment: mon_queue.sh (1K)

Re: pfsasl - A perl script to remove messages from queues, based on sasl_username

Viktor Dukhovni
On Fri, May 03, 2013 at 12:07:56PM -0500, [hidden email] wrote:

> Very nice, we tend to see the same behavior in our compromised SASL
> users so this will come in handy.  Thanks!

It is best not to let compromised accounts dominate the queue in the first
place.  Consider a policy service that rate limits by SASL username.

> To keep the sharing train rolling, I attached a queue monitoring
> script which we use with our SNMP monitoring system to alert when
> the mail queue exceeds a certain number of messages.

Have you looked at:

        http://www.postfix.org/QSHAPE_README.html

By the way, the attachment was all NUL bytes.

--
        Viktor.

Re: pfsasl - A perl script to remove messages from queues, based on sasl_username

Axel Luttgens
On 3 May 2013 at 19:48, Viktor Dukhovni wrote:

> [...]
> Have you looked at:
>
> http://www.postfix.org/QSHAPE_README.html

Hello Viktor,

I have always wondered: qshape seems in fact to be a perl script (qshape.pl), and this doesn't seem to be stated in the docs.

Is that auxiliary/qshape/qshape.pl script the "qshape(1) program" mentioned in the above document?

TIA,
Axel