Troubleshoot Spamming in Exim

Posted: 1p in Exim

Troubleshoot Spamming

Get details of the scripts used to send out spam emails (the result is saved to the file teststats):

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n > teststats

Script to show the mail count by the various accounts (working directories):

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

The number of mails completed for a domain on a given day (here 2009-04-17):

exigrep @domain.com /var/log/exim_mainlog | grep 2009-04-17 | grep Completed | wc -l

The following shows the number of queued mails per sender address:

exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort | uniq -c | sort -n

1) Issue this command: ps -C exim -fH ewww | grep home. It shows the mails currently going out from the server.
It shows from which user's home directory the mail is being sent, so that you can easily trace it and block it if needed.

2) Issue this command: eximstats -ne -nr /var/log/exim_mainlog
It shows the top 50 domains using the mail server, with the given options.

3) Issue this command: exim -bp | exiqsumm
It shows the main domains receiving and sending mails on the server (a summary of the queue per domain).

4) Issue this command: netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
It shows the IPs which are connected to the server through port 25. If one particular IP is using more than 10 connections you can block it in the server firewall.

5) In order to find "nobody" spamming (mail sent by web scripts running as the nobody user), issue the following command:

ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give a result like:
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress, since it inspects running exim processes. If the spamming happened some hours before, use the following command on the log instead.

Command:
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
This will result in something like :
47 cwd=/root
8393 cwd=/home/sample/public_html/test

Count the cwd and if it is a large value check the files in the directory listed in cwd
(Ignore if it is / or /var/spool/mail /var/spool/exim)

Run the following commands at your command prompt to find the domain which is being used by spammers.

exim -bp

exim -bpr | exiqsumm -c | head

grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1 | tail -5

Script to check the email count per authenticated (dovecot login) user:

egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
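As an added example (not part of the original post), the functions below apply the same field extractions as the cwd=, "<=.*P=local" and dovecot_login one-liners above to log lines read on stdin, so the three checks can be repeated against a saved copy of exim_mainlog. The sample log lines, message IDs, hostnames and account names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Each function reads exim_mainlog
# lines on stdin and prints "count value", the same fields the one-liners above
# extract. Assumption: standard Exim mainlog layout; the sample is constructed.

SAMPLE='2009-04-17 10:01:02 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:02 1Lv2Kd-0001Aa-Ab <= nobody@srv.example U=nobody P=local S=812 T="Cheap pills"
2009-04-17 10:01:03 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:03 1Lv2Kd-0001Ab-Cd <= nobody@srv.example U=nobody P=local S=815 T="Cheap pills"
2009-04-17 10:01:09 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:09 1Lv2Kd-0001Ac-Ef <= nobody@srv.example U=nobody P=local S=809 T="Cheap pills"
2009-04-17 10:02:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Lv2Kd-0001Aa-Ab
2009-04-17 10:03:00 cwd=/root 2 args: /usr/sbin/sendmail -t
2009-04-17 10:03:00 1Lv2Kd-0001Ad-Gh <= root@srv.example U=root P=local S=400 T="cron report"
2009-04-17 10:04:00 1Lv2Kd-0001Ae-Ij <= alice@sample.com H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:alice@sample.com S=2100 T="hello"
2009-04-17 10:05:00 1Lv2Kd-0001Af-Kl <= alice@sample.com H=(pc) [192.0.2.10] P=esmtpa A=dovecot_login:alice@sample.com S=2100 T="hello again"'

# Messages per working directory, skipping the benign paths the post says to
# ignore (/, /var/spool/mail, /var/spool/exim). Busiest directory first.
top_cwd() {
  grep -o 'cwd=[^ ]*' | grep -vxE 'cwd=(/|/var/spool/mail|/var/spool/exim)' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Locally injected messages (P=local) per Unix user, from the U= field.
top_local_users() {
  grep '<=.*P=local' | grep -o 'U=[^ ]*' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Authenticated submissions per dovecot_login account.
top_auth_users() {
  grep -o 'dovecot_login[^ ]*' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Top entry of each report for the constructed sample (real use: < /var/log/exim_mainlog).
first_cwd()   { printf '%s\n' "$SAMPLE" | top_cwd | head -n 1; }
first_local() { printf '%s\n' "$SAMPLE" | top_local_users | head -n 1; }
first_auth()  { printf '%s\n' "$SAMPLE" | top_auth_users | head -n 1; }

first_cwd    # 3 cwd=/home/sample/public_html/test
first_local  # 3 U=nobody
first_auth   # 2 dovecot_login:alice@sample.com
```

A directory under a user's public_html at the top of top_cwd, with the same user at the top of top_local_users as U=nobody, is the web-script spamming pattern the post describes; a single account dominating top_auth_users points at a compromised mailbox password instead.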

grep user /var/log/messages |grep PHP_MAIL

Remove all frozen messages from the queue:

exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm

less /usr/local/apache/domlogs/ | awk '{print $1}' | sort | uniq -c | sort -n

Script to find the subjects of mail logged for an address (replace emailaddress with the address in question)
——————
grep emailaddress /var/log/exim_mainlog | perl -nle 'print $1 if (/T="(.+?)"/)' | tail -10

Then,

exiqgrep -ir | xargs -n1 exim -Mrm

That should remove any e-mail that is in the queue that is waiting to be delivered to POP accounts at .

Precautions:
1) Turn on the SMTP tweak. It prevents users from bypassing the mail server to send out spam directly.
2) Turn on the blacklisting ability in WHM.
3) Use SpamAssassin to stop receiving spam mails.

Comments
  1. geokoshy says:

    Great work man Yo Yo.. !!

  2. Jobinson says:

    It's really useful to the people who belong to Linux server administration.

  3. Wonderful work! That is the type of info that are meant to be shared around the net.
    Shame on Google for no longer positioning this post higher!
    Come on over and consult with my web site
    . Thanks =)

  4. I could not resist commenting. Very well written!

  5. hi!,I really like your writing very much! share we be in contact extra about your article on AOL?
    I require an expert in this space to resolve my problem.

    Maybe that is you! Having a look ahead to look you.

  6. Good respond in return of this difficulty with firm arguments and
    explaining everything regarding that.

  7. Greetings! Very helpful advice within this post! It is the little
    changes that will make the most important changes.
    Many thanks for sharing!

  8. I’m pretty pleased to uncover this great site.
    I want to to thank you for ones time just for this fantastic read!!
    I definitely enjoyed every little bit of it and
    I have you book-marked to look at new stuff in your blog.

  9. I’m impressed, I have to admit. Seldom do I encounter a blog that’s both equally educative and
    engaging, and without a doubt, you have hit the nail on
    the head. The problem is something that too few people are speaking intelligently about.

    I’m very happy I came across this during my hunt
    for something concerning this. buy followers instagram,
    pick the bundle this best suits your preferences.

    One method to buy instagram followers cheap is to have superstars bring in a posting for you.

  10. szNnWN1Dp7 says:

    Third Flower

    My spouse and that i are already now delighted that Albert could carry out his scientific tests as a result of the tips he had via your web content. It truly is from time to time perplexing to simply always be gifting away actions which many people mig…

  11. I like this website. it is extremely useful.
    Thanks for sharing.

  12. These are actually impressive ideas in about blogging.
    You have touched some pleasant things here. Any way keep up writing.

  13. Usually I do not read article on blogs, but I would like
    to say that this write-up very forced me to take a look at and do so!
    Your writing style has been amazed me. Thanks, quite nice post.

  14. www.air.it says:

    Your means of describing all in this post
    is genuinely good, every one be capable of simply know it, Thanks
    a lot.

  15. It’s the best time to make some plans for the future and it is time to
    be happy. I have read this post and if I could I want
    to suggest you some interesting things or tips. Maybe you can write next articles referring to this article.
    I wish to read even more things about it!

  16. Trista says:

    I constantly spent my half an hour to read this website’s articles or reviews daily along with a cup of coffee.

  17. My partner and I stumbled over here from a different web address and thought
    I might check things out. I like what I see so now
    i’m following you. Look forward to finding out
    about your web page repeatedly.

  18. Way cool! Some very valid points! I appreciate you writing this post and the rest
    of the site is also very good.
