Finding spammer in Exim mail server

https://www.eukhost.com/forums/f30/finding-spammer-exim-mail-server-19785/

****************************************************************************
1> Analysis of the mail queue

If there is a large number of mails in the Exim mail queue, first find the domains for which the most mail is pending in the queue:

———————–
# exim -bp | exiqsumm
———————–

To get a list of senders sorted by the number of their messages in the Exim mail queue:

———————–
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
———————–

Note: temporarily suspend the account that is sending the large volume of mail.

****************************************************************************

2> Analysis using the mail logs:

# tail -f /var/log/exim/mainlog

(On cPanel servers the log is /var/log/exim_mainlog, which is the path used in the commands below.)

Finding a spammer using duplicated subjects in the mail logs:

Step 1: use the following command to list duplicated subjects in your Exim mail log:

———————–
# awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n
———————–

This command gives a sorted list of duplicated subjects together with their counts, e.g. "Duplicate subject".

Step 2: find the user sending the mail with that subject:

———————–
# grep "Duplicate subject" /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n
———————–

This gives the email account sending that mail, e.g. user@example.com.

Step 3: now list all the IP addresses from which that account has been sending mail with that subject (the command below uses example values; substitute the address and subject found in steps 1 and 2):

———————–
# grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n
———————–

Step 4: then block that IP in the firewall:
# csf -d <IP>

Note: also change the password of that account, because the spammer may keep sending mail from a different IP address.

****************************************************************************
Locate the spam-sending script:

Step 1: use the following command to find, from the Exim mail log, the directories from which mailing scripts most often submit mail:

———————–
# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
———————–

This gives the directories containing the scripts, with a count per directory.

Step 2: then go to that directory and look at the most recently modified files:

———————–
# ls -lahtr /user1/public_html/<directory name>
———————–

e.g. mailer.php is the script.

Step 3: find the IP addresses accessing that script, using the Apache access logs:

———————–
# grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
———————–

Step 4: then block that IP in the firewall:
# csf -d <IP>
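The log-analysis steps above (duplicated subjects, senders per subject, IPs per sender, and the cwd search) done in a single pass, as an added example that is not part of the original post. It runs over a few constructed Exim mainlog lines (addresses, IPs and paths are made up) and, unlike the cut-on-quote pipeline in step 1, keeps a subject intact when it contains a backslash-escaped quote.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Exim mainlog lines (addresses, IPs and paths are made up).
SAMPLE_LOG = """\
2024-01-15 10:23:45 1rXyz-000123-AB <= user01@example.com H=(mx) [203.0.113.5] P=esmtpa A=dovecot_login:user01@example.com S=1234 T="Melt Fat Naturally"
2024-01-15 10:23:46 1rXyz-000124-AC <= user01@example.com H=(mx) [203.0.113.5] P=esmtpa A=dovecot_login:user01@example.com S=1236 T="Melt Fat Naturally"
2024-01-15 10:23:47 1rXyz-000125-AD <= user01@example.com H=(mx) [198.51.100.7] P=esmtpa A=dovecot_login:user01@example.com S=1235 T="Melt Fat Naturally"
2024-01-15 10:24:01 cwd=/home/user1/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:24:01 1rXyz-000126-AE <= user1@example.com U=user1 P=local S=2345 T="Melt Fat Naturally"
2024-01-15 10:25:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rXyz-000126-AE
2024-01-15 10:26:10 1rXyz-000127-AF <= alice@example.com H=(laptop) [192.0.2.9] P=esmtpa A=dovecot_login:alice@example.com S=987 T="Re: lunch \\"tomorrow\\"?"
"""

# A message-received ("<=") line: sender, optional remote host IP in [...],
# and the T="..." subject, honouring backslash-escaped quotes inside it.
RECV = re.compile(
    r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)'
    r'(?: .*?H=(?:[^\[]*\s)?\[(?P<ip>[0-9a-fA-F.:]+)\])?'
    r'.*? T="(?P<subject>(?:[^"\\]|\\.)*)"'
)
# A local submission line that records the calling process's working directory.
CWD = re.compile(r' cwd=(?P<cwd>\S+) \d+ args: ')

def analyse(log_text, min_count=2):
    """Return (duplicated subjects, senders per subject, IPs per sender, script dirs)."""
    subjects = Counter()
    senders = defaultdict(Counter)  # subject -> sender -> count   (step 2)
    ips = defaultdict(Counter)      # sender  -> ip -> count       (step 3)
    cwds = Counter()                # directories scripts mail from (cwd step)
    for line in log_text.splitlines():
        m = CWD.search(line)
        if m:
            if not m['cwd'].startswith('/var/spool'):  # skip Exim's own spool dir
                cwds[m['cwd']] += 1
            continue
        m = RECV.match(line)
        if not m:
            continue
        subjects[m['subject']] += 1
        senders[m['subject']][m['sender']] += 1
        if m['ip']:  # local submissions have no remote host
            ips[m['sender']][m['ip']] += 1
    dupes = {s: n for s, n in subjects.items() if n >= min_count}  # step 1
    return dupes, senders, ips, cwds

if __name__ == '__main__':
    dupes, senders, ips, cwds = analyse(SAMPLE_LOG)
    print(dupes, dict(senders), dict(ips), dict(cwds))
```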

****************************************************************************
3> Using the number of connections:

This command lists the IPs that have connections to port 25, with a connection count per IP.
If one particular IP is holding more than 10 connections you can block it in the server firewall.

———————–
# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
———————–

****************************************************************************

Precautions to avoid further spamming from your server:

1) Turn on the SMTP tweak in WHM. It stops users bypassing the mail server to send spam directly.
2) Turn on the blacklisting ability in WHM.
3) Use SpamAssassin to stop receiving spam mail.