Scripts To Check Spammer and Spam mails in cPanel Server - Exim:
To get a sorted list of email sender in exim mail queue. It will show the number of mails send by each one.
# exim -bpr | grep "<" | awk {'print $4'} | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
You will get a result as like follows,
1 arun@testdomain.com
2 sales@test1domain.com
3 sandy@test123.com
4 root@testdomain.co.in
29 admin@testdomain.in
124 arun@test123domain.com
The following scripts will check the script that will originate spam mails:
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
You will get a result as like follows for the first two scripts. The third script is just a sub of the first two scripts.
9 cwd=/home/test1/public_html
10 cwd=/home/test2/public_html/a1/www
15 cwd=/home/test3/public_html
91 cwd=/home/test4/public_html
178 cwd=/home/test5/public_html/web
770 cwd=/home/test6/public_html/foro
803 cwd=/home/test7/public_html/web
124348 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
=============================================================================================
If we need to find out exact spamming script. The following script will shows the current spamming script running now. The following script will help you in all time of mail servers. It will help you to find the exact script which sending mails.
# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head
The usage of the above script is as shown below.
# ps auxwwwe | grep test8 | grep --color=always "/home/test8/public_html/wp/wp-content/themes/twentyeleven" | head
Once you find the exact script, the following script will help you to find the IP address which is responsible for spamming. You will get a list of IPs from the following script. The IPs address which has high number of access is most probably causing spamming. You can block the IP address in csf or apf firewall.
# grep "<script_name>" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n
=============================================================================================
Following command that will show you the script which is using script to send the email. If it is from php then use
# egrep -R "X-PHP-Script" /var/spool/exim/input/*
=============================================================================================
It shows top 50 domains using mail server with options.
# eximstats -ne -nr /var/log/exim_mainlog
=============================================================================================
It shows from which user’s home the mail is going, so that you can easily trace it and block it if needed.it shows the mails going from the server.
# ps -C exim -fH ewww | grep home
=============================================================================================
It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 10 connection you can block it in the server firewall.
# netstat -plan | grep :25 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
==============================================================================================
In order to find “nobody” spamming, issue the following command
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
It will give some result like:
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)
The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.
# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
==============================================================================================
The following script will give the summary of mails in the mail queue.
exim -bpr | exiqsumm -c | head
You will get a result as like follows,
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
114 171KB 24h 28m testdomain.com
15 28KB 36h 7m gmail.com
5 10KB 34h 10h test2domain.com
4 8192 27h 4h yourdomain.com
4 75KB 7m 7m server.domain.com
3 6041 23h 42m test123.com
==============================================================================================
You can find useful commands/scripts used in exim in the following link,
http://linuxadmintips4u.blogspot.in/2012/11/most-frequently-used-commands-in-exim.html
More Reference:
https://github.com/Exim/exim/wiki
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
http://www.exim.org/exim-html-4.20/doc/html/spec_13.html#IX1148
http://www.grscripts.com/tweaking.html ---> Tweakings for ASSP
You can find useful commands/scripts used in exim in the following link,
http://linuxadmintips4u.blogspot.in/2012/11/most-frequently-used-commands-in-exim.html
More Reference:
https://github.com/Exim/exim/wiki
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
http://www.exim.org/exim-html-4.20/doc/html/spec_13.html#IX1148
http://www.grscripts.com/tweaking.html ---> Tweakings for ASSP
