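Introduction
This guide helps you investigate and resolve incidents in which your ESA sends unexpected or unwanted outbound mail. It outlines practical steps and commands to identify the source and stop the behavior.
Prerequisites
Components Used
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Troubleshoot
If you know which account is sending the spam, it is recommended that you lock that account immediately. If you do not know the account, use the ESA to investigate, identify the responsible account, and then lock it.
Work Queue Check
If you see a large number of emails in the work queue and the incoming email rate significantly exceeds the outgoing rate, this indicates a problem with the work queue. You can use the workqueue command to view the status and details.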
C370.lab> workqueue status
Status as of: Thu Feb 06 12:48:02 2014 GMT
Status: Operational
Messages: 48654
C370.lab> workqueue rate 5
Type Ctrl-C to return to the main prompt.
Time Pending In Out
12:48:04 48654 48 2
12:48:09 48700 31 0
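Email Sender or Subject in the Work Queue Is Known
If you know the sender or the subject of the emails that affect the work queue, it is recommended that you use a message filter. A message filter lets the ESA process these messages earlier in the work queue and act on them, which makes their removal more efficient.
You can accomplish this with these filters: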
C370.lab> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> new
Enter filter script. Enter '.' on its own line to end.
FilterName:
if (mail-from == 'user@example.com')
{
drop();
}
.
OR
FilterName:
if (subject == "^SUBJECT NAME$")
{
drop();
}
.
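Delivery Queue Check
The tophosts command shows the hosts that are currently affected. In a live environment, you might notice a recipient host (such as example.com) with a large number of active recipients in its delivery queue, which indicates an impact.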
C370.lab> tophosts
Sort results by:
1. Active Recipients
2. Connections Out
3. Delivered Recipients
4. Hard Bounced Recipients
5. Soft Bounced Events
[1]> 1
Status as of: Thu Feb 06 12:52:17 2014 GMT
Hosts marked with '*' were down as of the last delivery attempt.
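                              Active  Conn.   Deliv.     Soft     Hard
#  Recipient Host             Recip.    Out   Recip.  Bounced  Bounced
1  example.com                321550     50      440    75568     8984
2  the.euq.queue                   0      0        0        0        0
3  the.euq.release.queue           0      0        0        0        0
If the affected host is an unfamiliar recipient domain and you need more information before you delete all of the email, you can use the showrecipients, showmessage, and deleterecipients commands. The showrecipients command provides details such as the message ID (MID), message size, number of delivery attempts, envelope sender, envelope recipient, and message subject.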
C370.lab> showrecipients
Please select how you would like to show messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 1
Please enter the hostname for the messages you wish to show.
> example.com
If a suspect MID in the delivery queue looks legitimate, you can use the showmessage command to display the message source before you take any action.
C370.lab> showmessage
Enter the MID to show.
[]> 123456789
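After you confirm that the messages are spam, you can use the deleterecipients command to remove them. This command provides three options to delete email from the delivery queue: by envelope sender, by recipient host, or all messages in the delivery queue.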
C370.lab> deleterecipients
Please select how you would like to delete messages:
1. By recipient host.
2. By Envelope From address.
3. All.
[1]> 2
Please enter the Envelope From address for the messages you wish to delete.
[]> user@example.com
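Proactive Monitoring and Action
Header Repeats Rule
The Header Repeats rule evaluates to true if, within one hour, a specified number of messages that meet any of these conditions is detected:
The rule syntax is: header-repeats(<target>, <threshold> [, <direction>])
To use this rule, log in to the CLI and deploy the appropriate filter. For example, you can create a filter that drops email or notifies an administrator once the defined threshold is reached.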
C370.lab> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> new
Enter filter script. Enter '.' on its own line to end.
FilterName:
if header-repeats('mail-from',1000,'outgoing')
{
drop();
}
.
OR
FilterName:
if header-repeats('subject',1000,'outgoing')
{
notify('admin@example.com');
}
.
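To choose a threshold for header-repeats('mail-from', ...) or to find the responsible account after the fact, the same per-sender, one-hour count can be approximated offline from exported mail logs. The script below is an added example, not Cisco code: the log line layout, the sample lines, the function name repeat_offenders and the sliding-window interpretation of "within one hour" are assumptions of this example, and it assumes the excerpt contains outbound traffic only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of ESA mail logs (assumed format).
SAMPLE_LOG = """\
Thu Feb  6 12:00:01 2014 Info: MID 101 ICID 11 From: <user@example.com>
Thu Feb  6 12:10:05 2014 Info: MID 102 ICID 12 From: <user@example.com>
Thu Feb  6 12:20:09 2014 Info: MID 103 ICID 13 From: <alice@example.com>
Thu Feb  6 12:40:30 2014 Info: MID 104 ICID 14 From: <user@example.com>
Thu Feb  6 13:30:00 2014 Info: MID 105 ICID 15 From: <alice@example.com>
Thu Feb  6 13:35:00 2014 Info: MID 106 ICID 16 From: <user@example.com>
"""

# Timestamp, MID and envelope sender of each "From:" line.
LINE_RE = re.compile(
    r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"Info: MID (\d+) ICID \d+ From: <([^>]*)>")
WINDOW = timedelta(hours=1)


def repeat_offenders(log_text, threshold):
    """Return {sender: (trigger time, trigger MID)} for every envelope sender
    that reaches `threshold` messages inside a sliding one-hour window."""
    recent = defaultdict(deque)  # sender -> timestamps still inside the window
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not record an envelope sender
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        sender = m.group(3).lower()
        window = recent[sender]
        window.append(ts)
        while ts - window[0] >= WINDOW:  # expire entries older than one hour
            window.popleft()
        if len(window) >= threshold and sender not in hits:
            hits[sender] = (ts, int(m.group(2)))  # first message over the line
    return hits


if __name__ == "__main__":
    for sender, (when, mid) in repeat_offenders(SAMPLE_LOG, 3).items():
        print(f"{sender} reached the threshold at {when} (MID {mid})")
```

The MID it reports can be passed to showmessage to inspect the message before you act on the sender.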
Related Information