At 3 AM, your monitoring alerts: “Mail queue has 50,000 messages.” Some infected WordPress install is using your mail server as a spam cannon. Here’s how to stop the bleeding.
Check mail queue#
1
2
3
4
5
6
7
8
| # View mail queue
mailq
# Count messages in queue
mailq | tail -1
# See detailed queue
postqueue -p
|
Find spam pattern#
1
2
3
4
5
6
7
| # Look for suspicious sender IDs or patterns
mailq | grep "sender-id"
mailq | grep "spammy-subject"
mailq | grep "compromised-email"
# Check queue by sender
mailq | grep "wordpress@"
|
Delete specific messages by pattern#
The rescue command - delete all messages matching a pattern:
1
2
3
4
| # Delete messages matching a specific ID/pattern
for each in `mailq | grep "spamming-id" | awk '{print $1}' | tr -d '*!'`; do
postsuper -d $each
done
|
What this does:
mailq - Lists the mail queuegrep "spamming-id" - Filters messages containing the spam patternawk '{print $1}' - Extracts the queue ID (first column)tr -d '*!' - Removes special characters (* and !) from queue IDspostsuper -d $each - Deletes each message by queue ID
Common spam cleanup patterns#
Delete by sender email#
1
2
3
| for each in `mailq | grep "[email protected]" | awk '{print $1}' | tr -d '*!'`; do
postsuper -d $each
done
|
Delete by recipient domain#
1
2
3
| for each in `mailq | grep "@spam-domain.com" | awk '{print $1}' | tr -d '*!'`; do
postsuper -d $each
done
|
Delete by subject pattern (requires postcat)#
1
2
3
4
5
6
7
8
| # List all queue IDs
mailq | grep '^[A-F0-9]' | awk '{print $1}' | while read qid; do
# Check message content
if postcat -q $qid | grep -q "SPAM SUBJECT"; then
postsuper -d $qid
echo "Deleted: $qid"
fi
done
|
Delete ALL deferred messages#
1
2
| # Delete all deferred (held) messages
postsuper -d ALL deferred
|
Delete ALL messages in queue (nuclear option)#
1
2
3
4
5
| # WARNING: Deletes EVERYTHING in the queue
postsuper -d ALL
# Or flush entire queue
postqueue -f
|
Prevent future spam#
Block sender temporarily#
1
2
3
4
5
6
7
8
9
10
11
12
13
| # Add to /etc/postfix/main.cf
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access,
reject
# Create /etc/postfix/sender_access
echo "[email protected] REJECT" | sudo tee -a /etc/postfix/sender_access
# Build hash database
sudo postmap /etc/postfix/sender_access
# Reload Postfix
sudo postfix reload
|
Rate limit per sender#
1
2
3
4
5
6
| # Add to /etc/postfix/main.cf
smtpd_client_message_rate_limit = 100
smtpd_client_recipient_rate_limit = 100
# Reload
sudo postfix reload
|
Check who’s sending#
1
2
3
4
5
| # Show top senders in queue
mailq | grep -E '^[A-F0-9]' | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
# Show authenticated users sending mail
grep 'sasl_username' /var/log/mail.log | awk '{print $NF}' | sort | uniq -c | sort -rn
|
Monitor queue in real-time#
1
2
3
4
5
6
7
8
| # Watch queue size
watch -n 5 'mailq | tail -1'
# Monitor mail log for spam
tail -f /var/log/mail.log | grep -i "client="
# Count messages per sender
watch -n 10 "mailq | awk '{print \$7}' | sort | uniq -c | sort -rn | head -10"
|
Useful queue management#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| # Hold all messages in queue
postsuper -h ALL
# Release held messages
postsuper -H ALL
# Requeue messages (retry delivery)
postqueue -f
# Delete messages older than 5 days
find /var/spool/postfix/deferred -type f -mtime +5 -delete
# Flush specific destination
postqueue -s spam-domain.com
|
Emergency: Pause mail delivery#
1
2
3
4
5
6
7
8
| # Stop Postfix (keeps queue)
sudo systemctl stop postfix
# Clean up queue while stopped
# ... do your cleanup ...
# Start Postfix
sudo systemctl start postfix
|
Investigate the source#
1
2
3
4
5
6
7
8
| # Find which script/user is sending spam
grep "from=" /var/log/mail.log | grep "compromised@" | head -20
# Check web server logs for the culprit
grep -r "mail(" /var/www/html/ | grep -i "wp-"
# Find recently modified PHP files (possible backdoor)
find /var/www -name "*.php" -mtime -7 -ls
|
Check if you’re blacklisted#
1
2
3
4
5
6
7
| # Check your server IP against major blacklists
dig +short blacklist.example.org.bl.spamcop.net
dig +short blacklist.example.org.zen.spamhaus.org
# Use online tools
# - https://mxtoolbox.com/blacklists.aspx
# - https://www.dnsbl.info/
|
Pro tip: When you spot spam in mailq, immediately grep for the pattern (sender, subject, or message ID) and pipe it through the deletion loop. Don’t wait - spam multiplies fast. After cleanup, check /var/log/mail.log to find the infected script or compromised account and plug the hole before restarting Postfix.