Delete all mail by auth_id?
Hi guys,
Every now and then a cPanel or mailbox account gets compromised sending tons of 'authorised mail'. Once detected, a (apparently) way to delete all the mail by an auth_id is:
find /var/spool/exim/input -name "*-H" -exec grep -q "-auth_id AUTHID" {} \; -print | while read MSG; do exim -Mrm $(basename ${MSG%-H}); done
However, when I run this, I get the following output:
grep: invalid option -- 't'
Usage: grep [OPTION]... PATTERN [FILE]...
Try 'grep --help' for more information.
This output repeats many times (I am assuming its repeating for each mail currently in the queue). What am I doing wrong?
PS: I know how to delete mail 'from' someone or 'to' someone, but that isnt sufficient because malware generally uses spoofed addresses so hence the need to do it by the compromised auth_id.
-
You just need to escape the dash in -auth_id "\-auth_id AUTHID"
Should do the trick0 -
Thanks - I'll give that a shot :) 0 -
Hello :) Feel free to update this thread with the outcome once you have had a chance to try the updated command. Thank you. 0 -
Seemed to work well, had to use it a couple of days ago. Seemed to only delete mail by specified auth_id, but I didnt verify it 100%. After running the command, checked my queue and it was its 'usual size' of about 90 and before the command was 5000+. 0 -
I am happy to see the new command worked. Thank you for updating us with the outcome. 0
Please sign in to leave a comment.
Comments
5 comments