Spamming on cPanel Exim Server

Log in to your server via SSH as the root user.


  • The following command pulls, from the Exim mail log, the email accounts that are being logged into from multiple IP addresses:


# grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'


  • If you see that many users have mail logins from multiple unique IP addresses, run the following command to see exactly which IPs they are connecting from:


# grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c


  • Top 5 users sending the most email on the server:


grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'


  • Top 5 recipients receiving the most email on the server:


egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'


  • Commands to find the path of the script being used for spamming (the cwd= entries come from Exim's argument logging):


awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1


  • If there is a large number of hits from a single IP, block that IP address. List the connecting IPs with:


tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c


  • The following command shows, for each email address, how many messages currently in the mail queue are from or to it, with exact figures:


exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n


  • The following command shows email accounts whose passwords may have been compromised (accounts logging in from more than one IP address):


egrep 'A=courier_login|A=dovecot_login' /var/log/exim_mainlog|sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##'|awk '{print $5,$6}'|sort|uniq|awk '{print $1}'|uniq -c|awk '{ if ($1 > 1) print $0}'
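The two login-tracking pipelines above (the courier_login one at the top of the page and the courier/dovecot one just shown) both key on the envelope sender rather than on the authenticated account. The script below is an added example, not part of the original page, that does the same detection keyed on the `A=...` authenticator field, which is the name the account actually logged in with. It writes a constructed sample log in the style of `/var/log/exim_mainlog` to a path of its own choosing; on a real server point `LOG` at the live log instead.

```shell
#!/bin/sh
# Added example (not from the original page): find mail accounts that have
# authenticated to Exim from more than one source IP, keyed on the A= field.
# LOG is a constructed sample in the style of /var/log/exim_mainlog.

LOG="${LOG:-/tmp/exim_mainlog.sample}"

write_sample_log() {
  cat > "$LOG" <<'EOF'
2024-05-01 10:00:01 1s2Abc-0001xy-Ab <= alice@example.com H=(laptop) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:alice@example.com S=1200
2024-05-01 10:00:07 1s2Abd-0001xz-Cd <= alice@example.com H=(laptop) [203.0.113.5]:51240 P=esmtpsa A=dovecot_login:alice@example.com S=980
2024-05-01 10:01:15 1s2Abe-0001y0-Ef <= bob@example.com H=(host1) [198.51.100.20]:40011 P=esmtpsa A=courier_login:bob@example.com S=2300
2024-05-01 10:01:16 1s2Abf-0001y1-Gh <= bob@example.com H=(host2) [198.51.100.21]:40012 P=esmtpsa A=courier_login:bob@example.com S=2300
2024-05-01 10:01:17 1s2Abg-0001y2-Ij <= bob@example.com H=(host3) [192.0.2.77]:40013 P=esmtpsa A=courier_login:bob@example.com S=2300
2024-05-01 10:02:00 1s2Abh-0001y3-Kl <= carol@example.com H=(pc) [203.0.113.9]:51300 P=esmtpsa A=dovecot_login:carol@example.com S=500
EOF
}

# Print "<distinct-ip-count> <account>" for every account seen from >1 IP.
# Step 1: keep authenticated lines; step 2: reduce each to "account ip";
# step 3: dedupe pairs; step 4: count how many pairs each account has.
multi_ip_accounts() {
  grep -E 'A=(courier|dovecot)_login:' "$1" \
    | sed -E 's/.*\[([0-9a-fA-F.:]+)\]:[0-9]+.*A=(courier|dovecot)_login:([^ ]+).*/\3 \1/' \
    | sort -u \
    | awk '{print $1}' \
    | uniq -c \
    | awk '$1 > 1 {print $1, $2}'
}

# List the distinct source IPs one account has authenticated from.
account_ips() {
  grep -E "A=(courier|dovecot)_login:$2( |\$)" "$1" \
    | sed -E 's/.*\[([0-9a-fA-F.:]+)\]:[0-9]+.*/\1/' \
    | sort -u
}

write_sample_log
echo "accounts authenticating from more than one IP:"
multi_ip_accounts "$LOG"
echo "IPs used by bob@example.com:"
account_ips "$LOG" bob@example.com
```

On the constructed sample only bob@example.com shows up, with three distinct IPs; alice's two logins collapse to one because they share an address. A single account appearing from many networks in a short window is the usual sign of a stolen password, and resetting that password is the fix, not just blocking the IPs.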



  • Run the command below to check the number of Dovecot logins per account:


egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1


  • The following command shows, for each domain, how many messages currently in the mail queue are from or to it, with the count:


exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{ print $2}' | sort | uniq -c | sort -n


  • The following commands show the path of the script being used to send mail:


ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
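The cwd= counting commands earlier on the page and the X-PHP-Script search just shown are the two ways of tracing spam back to a script on disk. The script below is an added example, not part of the original page, that runs both over constructed inputs: a log fragment in the format Exim writes when `log_selector` includes `+arguments` (that is what produces the cwd= lines), and two spool header files in the style of `/var/spool/exim/input/<id>-H`. Paths, message IDs and the script name are constructed samples.

```shell
#!/bin/sh
# Added example (not the page's own code): attribute spam to the script that
# called sendmail, using the cwd= entries Exim writes with log_selector
# +arguments, and the X-PHP-Script header cPanel's PHP adds to queued mail.
# All inputs below are constructed samples.

WORK="${WORK:-/tmp/exim_script_trace}"
mkdir -p "$WORK/input"

write_samples() {
  cat > "$WORK/exim_mainlog" <<'EOF'
2024-05-01 11:00:01 cwd=/home/user1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 11:00:02 cwd=/home/user1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 11:00:03 cwd=/home/user1/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 11:05:00 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 11:06:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
EOF
  # Spool header files are named <message-id>-H; only the header part matters.
  cat > "$WORK/input/1sQb01-0000B1-Ab-H" <<'EOF'
1sQb01-0000B1-Ab-H
user1 1001 1001
<user1@example.com>
1714561201 0
-ident user1
X-PHP-Script: example.com/wp-content/uploads/cache.php for 203.0.113.44
Subject: Hello
EOF
  cat > "$WORK/input/1sQb02-0000B2-Cd-H" <<'EOF'
1sQb02-0000B2-Cd-H
user2 1002 1002
<user2@example.com>
1714561500 0
Subject: Invoice
EOF
}

# Count sendmail invocations per working directory under /home, busiest last.
# $3 on a cwd line is "cwd=/path"; the prefix is stripped before counting.
cwd_counts() {
  awk '/cwd=\/home/ { sub(/^cwd=/, "", $3); print $3 }' "$1" \
    | sort | uniq -c | sort -n
}

# Count the script paths recorded in X-PHP-Script headers of queued messages.
php_script_headers() {
  grep -rh '^X-PHP-Script:' "$1" | awk '{print $2}' | sort | uniq -c | sort -n
}

write_samples
echo "sendmail calls per directory:"
cwd_counts "$WORK/exim_mainlog"
echo "PHP scripts named in queued messages:"
php_script_headers "$WORK/input"
```

On the sample, the uploads directory of user1 dominates the cwd counts and the one X-PHP-Script header names a `cache.php` under that same directory, which is the kind of agreement between the two sources you want before removing a file. A writable uploads directory executing PHP is itself a configuration problem worth fixing once the script is gone.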


  • Command to delete frozen messages from the queue:


exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm


  • If someone is spamming from /tmp, watch the log for it with:


tail -f /var/log/exim_mainlog | grep /tmp


  • To display each IP address and the number of attempts it made to send mail that the server rejected:


tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2} '|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5


  • Shows the number of connections from each IP address to the SMTP server:


netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1


  • To show each domain name and the number of emails in the queue for it:


exim -bp | exiqsumm | more


  • If spam is coming from an outside domain, you can block that domain or email address on the server:


pico /etc/antivirus.exim

  • Add the following lines (Exim filter syntax):

if $header_from: contains "name@domain.com" then
    seen finish
endif

Catching a spammer

  • Check the mail queue stats:

exim -bp | exiqsumm | more


  • Check whether a PHP script is causing the mass mailing with:

cd /var/spool/exim/input
egrep "X-PHP-Script" * -R

Just cat the message file for the ID you get and you will be able to see which script is causing the problem.

  • To remove all queued mail for a particular email address or domain:

exim -bpr | grep "test.org" | awk '{print $3}' | xargs exim -Mrm
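The queue commands on this page (counting by sender, counting by domain, deleting frozen messages, and removing everything for one address) all parse the same `exim -bp` listing. The script below is an added example, not part of the original page, that collects those parsers into functions that read a saved listing, so they can be checked on a constructed sample before being pointed at a live queue. The queue contents, message IDs and addresses are constructed; `exim` itself is never invoked, and the `exim -Mrm` step is left to the usage note.

```shell
#!/bin/sh
# Added example (not the page's own code): parse an "exim -bp" style queue
# listing saved to a file. QUEUE holds a constructed sample; on a real server
# create it with "exim -bpr > /tmp/queue.txt" and reuse the same functions.

QUEUE="${QUEUE:-/tmp/exim_queue.sample}"

write_sample_queue() {
  cat > "$QUEUE" <<'EOF'
25m  1.2K 1sQa01-0000A1-Ab <spammer@bad.example>
          victim1@example.org
          victim2@example.org

30m  1.1K 1sQa02-0000A2-Cd <spammer@bad.example>
          victim3@example.org

 3h   15K 1sQa03-0000A3-Ef <> *** frozen ***
          spammer@bad.example

 5m  2.0K 1sQa04-0000A4-Gh <alice@example.com>
          friend@example.net

 2h  3.4K 1sQa05-0000A5-Ij <spammer@bad.example> *** frozen ***
          victim4@example.org
EOF
}

# Header lines look like: "<age> <size> <message-id> <sender> [*** frozen ***]".
# Only header lines contain "<...@...>"; bounce messages have "<>" and are skipped.
queue_by_sender() {
  grep -E '<[^>]*@[^>]*>' "$1" | awk '{print $4}' | sort | uniq -c | sort -n
}

# Same as above, aggregated by the sender's domain.
queue_by_domain() {
  grep -E '<[^>]*@[^>]*>' "$1" | awk '{print $4}' | sed 's/[<>]//g' \
    | awk -F@ '{print $2}' | sort | uniq -c | sort -n
}

# Message IDs of frozen messages: field 6 of a frozen header line is "frozen".
frozen_ids() {
  awk '$6 ~ /frozen/ {print $3}' "$1"
}

# Message IDs whose sender line mentions an address or domain (field 3 is the ID).
ids_for_address() {
  grep -E '<[^>]*@[^>]*>' "$1" | grep -F "$2" | awk '{print $3}'
}

write_sample_queue
echo "queued messages per sender:"
queue_by_sender "$QUEUE"
echo "queued messages per domain:"
queue_by_domain "$QUEUE"
echo "frozen message ids:"
frozen_ids "$QUEUE"
echo "ids sent by spammer@bad.example:"
ids_for_address "$QUEUE" spammer@bad.example
```

On the sample, spammer@bad.example accounts for three of the four queued deliveries and two messages (one of them a bounce) are frozen. Once you have reviewed the ID list, the removal is the same as on the page: `ids_for_address /tmp/queue.txt spammer@bad.example | xargs exim -Mrm`, and `frozen_ids /tmp/queue.txt | xargs exim -Mrm` for the frozen ones. Keeping the listing step separate from the deletion step means you see exactly which messages will go before anything is removed.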
