How to Check the Postfix Mail Queue and Identify Spam Activity
Use this procedure when your server is sending large amounts of email and you want to investigate spam activity. This article explains how to review the Postfix mail queue and identify spam senders.
To identify spammers on a VPS server with Plesk Panel and Postfix as the MTA, use the commands below. These commands need to be run via SSH as the root user.
To check the current mail queue
mailq OR postqueue -p
~~~~~~
B6EC910A791   141099 Thu Oct 24 05:39:16  user@justfortest,com
(host alt1.gmail-smtp-in.l.google.COM[64.233.177.27] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp a187si2600273ywf.208 - gsmtp (in reply to RCPT TO command))
                                         user@testing.com

B39CB10A51B   129110 Thu Oct 24 08:52:53  user@justfortest,com
(host alt1.gmail-smtp-in.l.google.com[64.233.177.26] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp b63si10075012ybi.400 - gsmtp (in reply to RCPT TO command))
                                         user@testing.com

BA317108FF9    23345 Thu Oct 24 08:06:40  MAILER-DAEMON
(host alt1.gmail-smtp-in.l.google.com[64.233.177.27] said: 452-4.2.2 The email account that you tried to reach is over quota. Please direct 452-4.2.2 the recipient to 452 4.2.2 https://support.google.com/mail/?p=OverQuotaTemp y75si4852577ywa.1 - gsmtp (in reply to RCPT TO command))
                                         user@testing.com
~~~~~~
To know the number of messages sitting in the deferred queue (The command will return the number of deferred emails):
find /var/spool/postfix/deferred -type f | wc -l
~~~~~~
17
~~~~~~
To get a sorted list of the accounts that have the most mail in the queue. This usually means a maximum of 2 or 3 spammers at the end of the list:
mailq | grep '^[A-F0-9]' | cut -c 42-80 | sort | uniq -c | sort -n | tail
~~~~~~
16 user1@testing.com
17 user2@example.com
18 user3@justfortest.com
21 user4@webtest.com
281 MAILER-DAEMON
~~~~~~
Remove all email sent by user@example.com
postqueue -p | grep '^[A-Z0-9]' | grep user@example.com | cut -f1 -d' ' | tr -d '*' | postsuper -d -
Remove all email sent from user@example.com
postqueue -p | awk '/^[0-9A-F].*user@example\.com *$/ {print $1}' | tr -d '*!' | postsuper -d -
Remove all email sent by domain example.com
postqueue -p | grep '^[A-Z0-9]' | grep @example.com | cut -f1 -d' ' | tr -d '*' | postsuper -d -
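Added example, not part of the original article: the sender tally and the per-sender queue ID selection above, done by field and exact match instead of `cut -c 42-80` and substring `grep`, so a different column width or a look-alike address does not skew the result. The function names `top_senders` and `queue_ids_for` and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `postqueue -p` output by field.
# Entry line: <queue-id>[*|!] <size> <dow> <mon> <day> <time> <sender>
# "*" marks an active message, "!" a message on hold.

# top_senders: stdin = `postqueue -p` text; stdout = "count sender",
# sorted ascending so the heaviest sender is the last line.
top_senders() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && NF >= 7 { n[$7]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -n
}

# queue_ids_for SENDER: stdin = `postqueue -p` text; stdout = bare queue
# IDs whose envelope sender is exactly SENDER (no substring matching).
queue_ids_for() {
    awk -v who="$1" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ && NF >= 7 && $7 == who {
            id = $1; sub(/[*!]$/, "", id); print id
        }'
}

# Constructed sample of `postqueue -p` output (not real queue data).
sample_queue() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
B6EC910A791   141099 Thu Oct 24 05:39:16  user2@example.com
(host mx.testing.com[192.0.2.10] said: 452 4.2.2 over quota)
                                         user@testing.com

B39CB10A51B*  129110 Thu Oct 24 08:52:53  user2@example.com
                                         user@testing.com

BA317108FF9!   23345 Thu Oct 24 08:06:40  MAILER-DAEMON
                                         otheruser2@example.com

-- 287 Kbytes in 3 Requests.
EOF
}

# Demo on the constructed sample: tally, then IDs for one sender.
sample_queue | top_senders
sample_queue | queue_ids_for user2@example.com
```

On a live server, run `postqueue -p | top_senders`, and review the IDs printed by `postqueue -p | queue_ids_for user@example.com` before piping them to `postsuper -d -`.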
To remove all mail from the deferred queue, one message at a time
find /var/spool/postfix/deferred/ -type f | xargs -n1 basename | xargs -n1 postsuper -d
To check headers of an email in postfix queue:
postcat -vq <postfix id>
~~~~~~
root@:~# postcat -q 6761B21C519
*** ENVELOPE RECORDS active/6761B21C519 ***
message_size: 470 115 1 0
message_arrival_time: Sat Jul 15 14:56:33 2006
sender_fullname: www-data
sender: www-data@testing.com
*** MESSAGE CONTENTS active/6761B21C519 ***
Received: by Webserver (Postfix, from userid 33)
        id 6761B21C519; Sat, 15 Jul 2006 14:56:33 -0700 (PDT)
To: info@testing.com
Subject: Auto message allert for new user barbe !
From: john@example.com
X-Mailer: MyCP add user auto mailer
Message-Id: <20060715215633.6761B21C519@Webserver>
Date: Sat, 15 Jul 2006 14:56:33 -0700 (PDT)

Hello barbe !
Test mail from example.com
Good luck!
~~~~~~
Get the mail ids of all email currently in queue
postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'
~~~~~~
E14BA10A986
E4C1610AB8C
EAA83105214
E868A10AB08
E295E10A58A
E59D410AB03
E182F10AB01
EF23110AA7B
~~~~~~
To flush the mail queue:
postfix flush OR postqueue -f
To remove all mails from the queue:
postsuper -d ALL
To remove all mails in the deferred queue:
postsuper -d ALL deferred
Display the deferred queue and hold queue
Running the following command will show you the number of deferred emails for each domain. If only mail to one or a few domains is being deferred, check whether you can connect to those servers from this server.
qshape deferred
Output:
~~~~~~
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 0 0 0 0 0 0 0 0 0 0 0
~~~~~~
The "T" column shows the total (in this case sender) count for each domain. The columns with numbers above them show counts for messages aged fewer than that many minutes, but not younger than the age limit for the previous column. The row labeled "TOTAL" shows the total count for all domains.