Exim Mail IP Blacklist And Spamming

Top 5 users sending the most emails on the server (P=local means the message was submitted by a process on this server, and the U= field is the unix user that submitted it):

grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

Top 5 mail receivers:

egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'

Script to check the path of the script used for spamming (the cwd= lines are only logged when Exim's log_selector includes +arguments):

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

If there is a large number of hits from an IP, block the IP:

tail -n1000 /var/log/exim_mainlog | grep SMTP | cut -d'[' -f2 | cut -d']' -f1 | sort -n | uniq -c

Command to delete frozen mails:

exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm
The following commands show the path of the script being used to send mail:
  • ps -C exim -fH eww
  • ps -C exim -fH eww | grep home
  • cd /var/spool/exim/input/
  • egrep "X-PHP-Script" * -R
If anyone is spamming from /tmp:
  • tail -f /var/log/exim_mainlog | grep /tmp
To display each IP and the number of attempts it made to send mail that were rejected by the server:
  • tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5
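The log checks above (top local senders, script working directories and rejected RCPT counts per IP) as reusable shell functions, run against a constructed sample of exim_mainlog lines. This is an added example, not a script from the original post; the sample log lines, user names and addresses are made up.

```sh
#!/bin/sh
# Added example (not from the original post): the same exim_mainlog checks as
# reusable functions, run against a constructed sample log. The cwd= lines
# only appear when Exim's log_selector includes +arguments.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-01 10:00:01 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:01 1rAbCd-000001-AA <= alice@example.com U=alice P=local S=1200
2024-03-01 10:00:02 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:02 1rAbCd-000002-AA <= bob@example.com U=bob P=local S=800
2024-03-01 10:00:03 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:03 1rAbCd-000003-AA <= bob@example.com U=bob P=local S=800
2024-03-01 10:00:04 H=(mail.example.net) [198.51.100.7] F=<x@example.net> rejected RCPT <nobody@example.com>: relay not permitted
2024-03-01 10:00:05 H=(mail.example.net) [198.51.100.7] F=<x@example.net> rejected RCPT <nobody@example.com>: relay not permitted
2024-03-01 10:00:06 H=(smtp.example.org) [203.0.113.9] F=<y@example.org> rejected RCPT <nobody@example.com>: relay not permitted
EOF

# Rank local senders by message count: the U= (unix user) field of "<=" lines
# that were submitted via P=local, i.e. by a process on this server.
top_local_senders() {
    grep '<=.*P=local' "$1" | awk '{print $6}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Rank working directories under /home from which sendmail was invoked; a
# busy directory inside a web root is where to look for the sending script.
top_script_dirs() {
    awk '$3 ~ /^cwd=\/home/ {print $3}' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Rank remote IPs by the number of "rejected RCPT" attempts they made.
top_rejected_ips() {
    grep 'rejected RCPT' "$1" | sed -n 's/.*\[\([0-9.]*\)].*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

echo "Top local senders:"; top_local_senders "$SAMPLE_LOG" | head -n 5
echo "Top script dirs:";   top_script_dirs "$SAMPLE_LOG" | head -n 5
echo "Top rejected IPs:";  top_rejected_ips "$SAMPLE_LOG" | head -n 5
```

Replace "$SAMPLE_LOG" with /var/log/exim_mainlog to run the same functions on a live server.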
Shows the connections from each IP to the SMTP server:
  • netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Shows each domain name and the number of emails for it in the queue:
  • exim -bp | exiqsumm | more
If the spam comes from an outside domain, you can block that domain or email address on the server:
  • pico /etc/antivirus.exim
Add the following lines:

if $header_from: contains "[email protected]"
then
seen finish
endif

Catching spammer

Check mail stats
exim -bp | exiqsumm | more
The following command shows, for each sender or recipient address in the mail queue, the exact number of queued messages for it:
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
This one shows the same count per domain, i.e. how many queued messages are to or from each domain:
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
Check if any PHP script is causing the mass mailing with:
cd /var/spool/exim/input
egrep "X-PHP-Script" * -R
Just cat the message file whose ID you get and you will be able to see which script is causing the problem.
To remove all queued messages for a particular email account or domain (here test.org):
exim -bpr | grep "test.org" | awk '{print $3}' | xargs exim -Mrm