Deleting the files associated with a mailq entry

While troubleshooting an email delivery problem on a CentOS 7 Linux server running Sendmail, I saw an unexpected entry when I checked the mail queue with the mailq command.

# mailq
                /var/spool/mqueue (7 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u83BWu3X020476     1010 Sat Sep  3 07:32 <apache@example.com>
                 (Deferred: Connection refused by mail.user-mail.net.)
                                         <donniemenniti12345@yahoo.com>

The system was running Apache, but I would not expect any email to originate from Apache destined for a Yahoo email address.

The contents of queued email are stored in the /var/spool/mqueue directory. For a queued message there will normally be two files, one beginning with the letters "df" (the message body) and the other with the letters "qf" (the control file holding the header information), with the queue id, in this case u83BWu3X020476, as the rest of the file name.

# ls /var/spool/mqueue/??u83BWu3X020476
/var/spool/mqueue/dfu83BWu3X020476  /var/spool/mqueue/qfu83BWu3X020476
#

Note: you will only be able to access these files from the root account.

The "qf" file contains the email header information, so I checked it first and saw the following:

# cat /var/spool/mqueue/qfu83BWu3X020476
V8
T1472902376
K1472913905
N5
P481534
I253/1/137858593
MDeferred: Connection refused by mail.user-mail.net.
Fbs
$_localhost [127.0.0.1]
$rESMTP
$sexample.com
${daemon_flags}
${if_addr}127.0.0.1
S<apache@example.com>
A<>
MDeferred: Connection refused by mail.user-mail.net.
rRFC822; donniemenniti12345@yahoo.com
RPFD:<donniemenniti12345@yahoo.com>
H?P?Return-Path: <g>
H??Received: from example.com (localhost [127.0.0.1])
        by example.com (8.14.7/8.14.7) with ESMTP id u83BWu3X020476
        for <donniemenniti12345@yahoo.com>; Sat, 3 Sep 2016 07:32:56 -0400
H?x?Full-Name: Apache
H??Received: (from apache@localhost)
        by example.com (8.14.7/8.14.7/Submit) id u83BWtEf020470;
        Sat, 3 Sep 2016 07:32:56 -0400
H??Message-Id: <201609031132.u83BWtEf020470@moonpoint.com>
H??To: donniemenniti12345@yahoo.com
H??Subject: Welcome to MoonDream
H??X-PHP-Originating-Script: 501:Subs-Post.php
H??From: "MoonDream" <lee@example.com>
H??Date: Sat, 03 Sep 2016 11:32:55 -0000
H??X-Mailer: SMF
H??Mime-Version: 1.0
H??Content-Type: multipart/alternative; boundary="SMF-12f9654416f81aa10a64eeba92597028"
H??Content-Transfer-Encoding: 7bit
.
#
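To pull the fields that matter for this kind of triage (sender, recipient, Subject, X-Mailer, X-PHP-Originating-Script, the last delivery status) out of a qf file without reading it by eye, here is an added Python example; it is not code from this article or from Sendmail. It assumes the V8 qf layout visible in the dump above: one-letter record codes at the start of each line, "H?flags?Name: value" header lines, whitespace-indented continuation lines for folded headers, and a terminating "." line. SAMPLE_QF is a constructed, shortened copy of the article's queue file.

```python
"""Summarize a Sendmail qf (queue control) file for triage.

Added example, not code from the original article or from Sendmail. It handles
the record types seen in the article's qf dump: S (sender), R (recipient),
T (creation time), M (delivery status) and H (headers). SAMPLE_QF is a
constructed, shortened copy of that file.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_QF = """\
V8
T1472902376
K1472913905
P481534
MDeferred: Connection refused by mail.user-mail.net.
Fbs
S<apache@example.com>
A<>
MDeferred: Connection refused by mail.user-mail.net.
rRFC822; donniemenniti12345@yahoo.com
RPFD:<donniemenniti12345@yahoo.com>
H?P?Return-Path: <g>
H??Received: from example.com (localhost [127.0.0.1])
        by example.com (8.14.7/8.14.7) with ESMTP id u83BWu3X020476
        for <donniemenniti12345@yahoo.com>; Sat, 3 Sep 2016 07:32:56 -0400
H?x?Full-Name: Apache
H??Message-Id: <201609031132.u83BWtEf020470@moonpoint.com>
H??To: donniemenniti12345@yahoo.com
H??Subject: Welcome to MoonDream
H??X-PHP-Originating-Script: 501:Subs-Post.php
H??From: "MoonDream" <lee@example.com>
H??Date: Sat, 03 Sep 2016 11:32:55 -0000
H??X-Mailer: SMF
.
"""

# H lines look like H?flags?Name: value; the flags part may be empty ("H??").
HEADER_LINE = re.compile(r"^H(?:\?[^?]*\?)?(?P<name>[^:]+):\s*(?P<value>.*)$")


@dataclass
class QueuedMessage:
    sender: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    created: Optional[int] = None          # T record, seconds since the epoch
    status: Optional[str] = None           # last M record in the file
    headers: List[List[str]] = field(default_factory=list)  # [name, value], file order

    def header(self, name: str) -> Optional[str]:
        """First value of a header, matched case-insensitively, or None."""
        for n, v in self.headers:
            if n == name.lower():
                return v
        return None


def parse_qf(text: str) -> QueuedMessage:
    msg = QueuedMessage()
    in_header = False
    for line in text.splitlines():
        if line == ".":
            break                                   # end of the control file
        if in_header and line[:1] in (" ", "\t"):
            msg.headers[-1][1] += " " + line.strip()  # folded continuation line
            continue
        in_header = False
        code, body = line[:1], line[1:]
        if code == "S":
            msg.sender = body.strip("<>")
        elif code == "R":
            # RPFD:<addr> -> delivery flags before the colon, address after it
            msg.recipients.append(body.split(":", 1)[-1].strip("<>"))
        elif code == "T":
            msg.created = int(body)
        elif code == "M":
            msg.status = body
        elif code == "H":
            m = HEADER_LINE.match(line)
            if m:
                msg.headers.append([m.group("name").lower(), m.group("value")])
                in_header = True
    return msg


def summarize(text: str) -> Dict[str, Optional[str]]:
    """The fields an admin wants when deciding whether a queued message is legitimate."""
    msg = parse_qf(text)
    # PHP adds "X-PHP-Originating-Script: uid:script" when mail.add_x_header is on
    script = msg.header("X-PHP-Originating-Script")
    return {
        "sender": msg.sender,
        "recipients": ", ".join(msg.recipients),
        "subject": msg.header("Subject"),
        "mailer": msg.header("X-Mailer"),
        "script": script.split(":", 1)[-1] if script else None,
        "status": msg.status,
        "queued_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(msg.created))
        if msg.created is not None else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_QF).items():
        print(f"{key:12} {value}")
```

Against a live queue, run it as root with summarize(open("/var/spool/mqueue/qf" + queue_id).read()). The X-PHP-Originating-Script header only exists when PHP's mail.add_x_header setting is enabled, so its absence does not mean a message did not come from a web script; the Received line that shows the submitting local user (apache here) is the more dependable clue.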

From the subject line and the X-Mailer line, I realized the email had originated from the Simple Machines Forum (SMF) software on the system, which was attempting to send a welcome message to someone who had tried to join the forum. I checked the Yahoo email address at the Stop Forum Spam site, but it was not listed there as one used by a forum spammer. I then checked the contents of the welcome message, which was in the "df" file.

# head -n 7 /var/spool/mqueue/dfu83BWu3X020476
Your registration request at MoonDream has been received, GloryGaird.

The username you registered with was GloryGaird. If you forget your password, you can change it at http://example.com/forum/index.php?action=reminder.

Before you can login and start using the forum, your request will be reviewed and approved.  When this happens, you will receive another email from this address.

Regards,
#

I searched the Stop Forum Spam database for the username, GloryGaird, but didn't see it listed, either. I then logged into the forum itself and checked the IP address from which the registration attempt originated. The registration attempt occurred at 06:32:55 AM local time today from 192.210.134.207. When I searched the Stop Forum Spam database for the 192.210.134.207 IP address, I saw it was listed, with the first entry for that address appearing on January 16, 2016 and the last on April 26, 2016, for a total of 6 entries. All but one of the entries were associated with a yahoo.com email address, with five different yahoo.com addresses listed, none of which matched the one in the queued message. The other email address was a lenta.ru address; "ru" is the country code for Russia, though the IP address belongs to an entity in the United States. The American Registry for Internet Numbers (ARIN), which is the Regional Internet Registry (RIR) for Canada, the United States, and many Caribbean and North Atlantic islands, shows the 192.210.134.20 address is assigned to "Hudson Valley Host."

Another antispam site for forums, boards, blogs and websites, CleanTalk, listed 192.210.134.207 as a source for spam, noting:

192.210.134.207 marked as spam 37 times.
Discovered Nov 03, 2015, last activity Sep 03, 2016 09:44:59

CleanTalk currently offers its service for one website for $8 per year (pricing).

Since the registration attempt appeared to be one from a forum spammer, I deleted the queued email to the email address associated with the registration attempt by deleting the two files associated with the queue id u83BWu3X020476.

# rm /var/spool/mqueue/??u83BWu3X020476
rm: remove regular file /var/spool/mqueue/dfu83BWu3X020476?
rm: remove regular file /var/spool/mqueue/qfu83BWu3X020476?
#

The queued message then no longer appeared in the output of the mailq command.
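The ls and rm steps above rely on the "??" glob matching exactly the df and qf files for the queue id. As an added example (not code from the article or from Sendmail), the following Python does the same job with the checks I would want before deleting anything from a live spool: it validates the queue id so a malformed one cannot reach outside the spool directory, reports which of the two files are present for every id, and removes only the qf/df pair for the id given. SPOOL_DIR is the article's /var/spool/mqueue; make_sample_spool() is an assumed helper that builds a constructed throwaway directory so the functions can be tried without root access.

```python
"""Inspect and remove Sendmail queue files by queue id.

Added example, not code from the original article or from Sendmail. It mirrors
the article's ls/rm of /var/spool/mqueue/??<queue-id> with an id check and a
report of which files exist. make_sample_spool() is a constructed stand-in for
the real spool directory.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

SPOOL_DIR = Path("/var/spool/mqueue")
# A queue id is alphanumeric (e.g. u83BWu3X020476). Rejecting anything else keeps
# a malformed id such as "../something" from escaping the spool directory.
QUEUE_ID = re.compile(r"^[A-Za-z0-9]+$")
PAIR = ("qf", "df")  # control file with the headers, data file with the body


def queue_entries(spool: Path = SPOOL_DIR) -> Dict[str, List[str]]:
    """Map each queue id in the spool to the sorted list of prefixes found for it.

    A complete entry has both "df" and "qf"; an id with only one of them is
    worth a look before anything is deleted.
    """
    entries: Dict[str, List[str]] = {}
    for path in spool.iterdir():
        prefix, qid = path.name[:2], path.name[2:]
        if path.is_file() and prefix in PAIR and QUEUE_ID.match(qid):
            entries.setdefault(qid, []).append(prefix)
    return {qid: sorted(prefixes) for qid, prefixes in entries.items()}


def remove_queue_entry(queue_id: str, spool: Path = SPOOL_DIR) -> List[str]:
    """Delete the qf/df pair for queue_id and return the file names removed."""
    if not QUEUE_ID.match(queue_id):
        raise ValueError(f"invalid queue id: {queue_id!r}")
    present = [spool / f"{prefix}{queue_id}" for prefix in PAIR
               if (spool / f"{prefix}{queue_id}").is_file()]
    if not present:
        raise FileNotFoundError(f"no queue files for {queue_id} in {spool}")
    for path in present:
        path.unlink()
    return [path.name for path in present]


def make_sample_spool() -> Path:
    """Constructed spool directory: one complete entry using the article's queue
    id, plus one entry that is missing its df file."""
    spool = Path(tempfile.mkdtemp(prefix="mqueue-"))
    (spool / "qfu83BWu3X020476").write_text("V8\nS<apache@example.com>\n.\n")
    (spool / "dfu83BWu3X020476").write_text("Your registration request ...\n")
    (spool / "qfCONSTRUCTED01").write_text("V8\n.\n")
    return spool


if __name__ == "__main__":
    spool = make_sample_spool()
    print("before:", queue_entries(spool))
    print("removed:", remove_queue_entry("u83BWu3X020476", spool))
    print("after:", queue_entries(spool))
```

Before removing an entry on a real system, check the mailq output for an asterisk after the queue id: that marks an entry Sendmail has locked because a queue runner is delivering it at that moment, and pulling the files out from under a running delivery is best avoided.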
