The Community Forums


Delete all mail by auth_id?

Discussion in 'E-mail Discussions' started by osirion, Sep 27, 2015.

  1. osirion

    osirion Active Member

    Hi guys,
    Every now and then a cPanel or mailbox account gets compromised, sending tons of 'authorised mail'. Once detected, an (apparent) way to delete all the mail by an auth_id is:
    find /var/spool/exim/input -name "*-H" -exec grep -q "-auth_id AUTHID" {} \; -print | while read MSG; do exim -Mrm $(basename ${MSG%-H}); done
    However, when I run this, I get the following output:
    grep: invalid option -- 't'
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try 'grep --help' for more information.

    This output repeats many times (I am assuming it's repeating for each mail currently in the queue). What am I doing wrong?

    PS: I know how to delete mail 'from' someone or 'to' someone, but that isn't sufficient because malware generally uses spoofed addresses so hence the need to do it by the compromised auth_id.
     
  2. Jcats

    Jcats Well-Known Member

    You just need to escape the dash in -auth_id
    Code:
    "\-auth_id AUTHID"
    Should do the trick
     
  3. osirion

    osirion Active Member

    Thanks - I'll give that a shot :)
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Feel free to update this thread with the outcome once you have had a chance to try the updated command.

    Thank you.
     
  5. osirion

    osirion Active Member

    Seemed to work well, had to use it a couple of days ago. Seemed to only delete mail by specified auth_id, but I didn't verify it 100%. After running the command, checked my queue and it was its 'usual size' of about 90 and before the command was 5000+.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I am happy to see the new command worked. Thank you for updating us with the outcome.
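
Added example, not part of any post in this thread and not cPanel's own tooling: a dry-run-first variant of the queue cleanup discussed above, which passes the pattern with `grep -e` so the leading dash is not parsed as options, and lists the matching message IDs before anything is removed. The function names are hypothetical, the sample spool files are constructed, and the whole-line match assumes the header file records the sender as a line of the form `-auth_id AUTHID`.

```sh
#!/bin/sh
# Added example: select queued Exim messages by authenticated sender.
# Function names are hypothetical; sample spool files are constructed.

# queued_ids_for_auth SPOOL_DIR AUTH_ID -> one message ID per line.
# -e marks the pattern, so its leading dash is not read as grep options
# (the cause of "invalid option -- 't'"). -F -x require a fixed-string,
# whole-line match: "victim@example.com" will not match
# "victim@example.com.au" or a Subject header that quotes the string.
queued_ids_for_auth() {
    find "$1" -type f -name '*-H' -exec grep -lFx -e "-auth_id $2" {} + |
        sed -e 's|.*/||' -e 's|-H$||' | sort
}

# remove_for_auth SPOOL_DIR AUTH_ID [--apply]
# Without --apply it only prints what would be removed.
remove_for_auth() {
    ids=$(queued_ids_for_auth "$1" "$2")
    if [ -z "$ids" ]; then
        echo "no queued mail for auth_id $2" >&2
        return 0
    fi
    if [ "${3:-}" = "--apply" ]; then
        printf '%s\n' "$ids" | xargs exim -Mrm
    else
        printf '%s\n' "$ids" | sed 's/^/would remove: /'
    fi
}

# Constructed sample spool (not real queue data) for offline testing.
# Prints the path of its input directory.
make_sample_spool() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/input/a" "$d/input/b"
    printf '%s\n' '1ZgAAA-0000aa-01-H' '<spoofed@example.net>' \
        '-auth_id victim@example.com' > "$d/input/a/1ZgAAA-0000aa-01-H"
    printf '%s\n' '1ZgBBB-0000bb-02-H' '<other@example.org>' \
        '-auth_id victim@example.com.au' > "$d/input/b/1ZgBBB-0000bb-02-H"
    printf '%s\n' '1ZgCCC-0000cc-03-H' '<inbound@example.org>' \
        '038  Subject: -auth_id victim@example.com' \
        > "$d/input/b/1ZgCCC-0000cc-03-H"
    echo "$d/input"
}
```

Run `remove_for_auth /var/spool/exim/input AUTHID` to review the list, then repeat with `--apply` as the third argument to pass those IDs to `exim -Mrm`.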
     