Deleting the files associated with a mailq entry

While troubleshooting an email delivery problem on a CentOS 7 Linux server running Sendmail, I saw an unexpected entry when I checked the mail queue with the mailq command.

# mailq
                /var/spool/mqueue (7 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u83BWu3X020476     1010 Sat Sep  3 07:32 <>
                 (Deferred: Connection refused by

The system was running Apache, but I would not expect any email to originate from Apache destined for a Yahoo email address.

The contents of queued email are stored in the /var/spool/mqueue directory. For a queued message there will normally be two files, one beginning with the letters "df" and the other with the letters "qf", containing the queue id, in this case u83BWu3X020476, as the rest of the file name.

# ls /var/spool/mqueue/??u83BWu3X020476
/var/spool/mqueue/dfu83BWu3X020476  /var/spool/mqueue/qfu83BWu3X020476

Note: you will only be able to access these files from the root account.

The "qf" file contains the email header information, so I checked it first and saw the following:

# cat /var/spool/mqueue/qfu83BWu3X020476
MDeferred: Connection refused by
$_localhost []
MDeferred: Connection refused by
H?P?Return-Path: <g>
H??Received: from (localhost [])
        by (8.14.7/8.14.7) with ESMTP id u83BWu3X020476
        for <>; Sat, 3 Sep 2016 07:32:56 -0400
H?x?Full-Name: Apache
H??Received: (from apache@localhost)
        by (8.14.7/8.14.7/Submit) id u83BWtEf020470;
        Sat, 3 Sep 2016 07:32:56 -0400
H??Message-Id: <>
H??Subject: Welcome to MoonDream
H??X-PHP-Originating-Script: 501:Subs-Post.php
H??From: "MoonDream" <>
H??Date: Sat, 03 Sep 2016 11:32:55 -0000
H??X-Mailer: SMF
H??Mime-Version: 1.0
H??Content-Type: multipart/alternative; boundary="SMF-12f9654416f81aa10a64eeba92597028"
H??Content-Transfer-Encoding: 7bit

From the subject line for the message and the X-Mailer line, I realized the email had originated from Simple Machine Forum (SMF) software on the system that was attempting to send a welcome message to someone who had tried to join the forum. I checked the Yahoo email address at the Stop Forum Spam site to see if it was associated with a known forum spammer email address, but a search on the Stop Forum Spam site for that email address did not find it listed as one used by a forum spammer. I then checked the contents of the welcome message, which was in the "df" file. - Your tech ebook super store
# head -n 7 /var/spool/mqueue/dfu83BWu3X020476
Your registration request at MoonDream has been received, GloryGaird.

The username you registered with was GloryGaird. If you forget your password, yo
u can change it at

Before you can login and start using the forum, your request will be reviewed an
d approved.  When this happens, you will receive another email from this address


I searched the Stop Forum Spam database for the username, GloryGaird, but didn't see it listed, either. I then logged into the forum itself and checked on the IP address from which the registration attempt originated. The registration attempt occurred at 06:32:55 AM local time today from When I performed a search of the Stop Forum Spam database on the IP address, I saw it was listed with the first entry related to that address appearing on January 16, 2016 and the last one on April 26, 2016 for a total of 6 such entries. All but one of the entries was associated with a email address with five different email addresses listed, none of which matched the one I saw in the queued message. The other email address was a address - "ru" is the country code for Russia, though the IP address belongs to an entity in the United States. The American Registry for Internet Numbers (ARIN), which is the Regional Internet Registry (RIR) for Canada, the United States, and many Caribbean and North Atlantic islands, shows the address is assigned to "Hudson Valley Host."

Another antispam site for forums, boards, blogs and websites, CleanTalk, listed as a source for spam, noting: marked as spam 37 times.
Discovered Nov 03, 2015, last activity Sep 03, 2016 09:44:59

CleanTalk currently offers its service for one website for $8 per year (pricing).

Since the registration attempt appeared to be one from a forum spammer, I deleted the queued email to the email address associated with the regisration attempt by deleting the two files associated with the queue id u83BWu3X020476.

# rm /var/spool/mqueue/??u83BWu3X020476
rm: remove regular file /var/spool/mqueue/dfu83BWu3X020476?
rm: remove regular file /var/spool/mqueue/qfu83BWu3X020476?

The queued message then no longer appeared in the output of the mailq command.


TechRabbit ad 300x250

Justdeals Daily Electronics Deals1x1 px