How to check spamming on server which has Exim as MTA

Posted on by phong

http://crybit.com/check-spamming-on-server-having-exim/

Electronic spamming is the use of electronic messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same site. This can occur different ways from a server. Spamming is an important problem if you have a hosting account. Your server’s main IP will be blocked in many email RBLs if any account is sending spam emails. We can check the email genuinity from the email queue itself by different ways. In a cPanel server, the default MTA (Mail Transfer Agent) is Exim. Exim have different commandline options to identify the spamming from email queue. In most cases we will get the details from the email header itself, also we can check the body of that email and the email log by using different command-line options.

To check this, log into server as root.

Count emails in queue

exim -bpc

This command shows the total number of emails in the queue. If the result is high (>2000) you can guess if there are spamming from the server.

Example

# exim -bpc
52

List emails with more details

exim -bp

This command will give a close look to emails in queue. It will give the message ID, sender, recipient, size and age of mail. From this, the message ID is useful to find out the details like header, body and log. That will discussed in detail later.

Example

# exim -bp
44h 763 1VGaIo-0002ec-RM <sender@sender.com>
recipient@gmail.com

10h 5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
no-reply@facebook.com

0m 502 1VHFNl-0003bf-GB <sender@sender.com>
recipient@gmail.com

0m 568 1VHFNl-0003bn-Tq <sender@sender.com>
recipient@gmail.com

# 1st field: Age (Eg : 44h)
# 2nd field: Size (Eg : 5.9K)
# 3rd field: Message ID (Eg : 1VGaIo-0002ec-RM)
# 4th field: Sender (Eg : sender@sender.com)
# 5th field: Recipient (Eg : recipient@gmail.com)

By using the ID we can analyse the header, body and the log informations of emails in the queue.

exim -Mvh ID

This command displays the message header. From the output displayed we can check from address, to address, subject, date, script etc.

exim -Mvb ID

Displays the message body.

exim -Mvl ID

Displays the log of email. From this log get the original user details logged in for sending email and so.

Spamming can occur in many ways. Here’re some instances of spamming. It occurs mainly through vulnerable PHP scripts or by compromising the email account’s password.

Example: Spamming from PHP script

208P Received: from $user by server.ahostname.com with local (Exim 4.82)
(envelope-from <$user@server.ahostname.com>)
id 1YZUIE-00013s-Sp
for wend1122@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: wend1122@yahoo.com
019 Subject: Hi there
091 X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php for "IP.Address"
023 X-Priority: 3 (Normal)

From the header itself we can analyse the genuinity of emails. If you find “X-PHP-Script” in the email header, you can confirm that the email was sent from a PHP script. In the above example the emails were sent from PHP script (X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php). In this case we have to check the scripts in the problematic account.

In this case, please make sure that you are using latest version of CMS (Eg; WordPress, Joomla etc), plugins and themes.

Analysing email count with sender

This’s very important while checking spamming. This command will sort out the email count with its sender name from the Exim mail queue. From this output we can analyse the email account who is sending large emails.

exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n

Example

See the example below:

[root@EcLinux]# exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n
3 sender@sender.com
1

Another way using “exiqgrep

exiqgrep -f sendername|grep "<"|wc -l

This command displays the total count of emails that sent by a particular user.

Example

[root@EcLinux]# exiqgrep -f sender@sender.com|grep "<"|wc -l
3

Similarly -r switch with exiqgrep is using for recipient.

exiqgrep -f recipient|grep "<"|wc -l

Refer this for more details >> count emails in Exim mail queue for a specific sender/receiver <<

Removing emails from queue

The exim command to remove emails from queue is;

exim -Mrm

To delete all emails from queue for a particular sender.

exim -bpr| grep sendername| awk '{print $3}'|xargs exim -Mrm

The “awk” part give the message ID to remove. This will give to the input of “exim -Mrm” by using xargs command.

To remove all emails from the queue, here is a quick solution >> remove all emails from the queue <<

Frozen emails

The sender field must have the word “frozen”. To displays the total count of frozen emails in queue, we can use the following command.

exim -bp|grep frozen|wc -l

Removing frozen emails

exim -bp|grep frozen|awk {'print $3'}|xargs exim -Mrm

We can simply remove all frozen emails from the queue by using the “exiqgrep” command. Please refer the following link >> Quick way to remove all frozen emails from the email queue <<

exim -bp|exiqsumm

The above command will print the summary of emails in queue.

Example

# exim -bp|exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
1 6041 11h 11h facebook.com
1 763 45h 45h interia.pl
---------------------------------------------------------------
2 6804 45h 11h TOTAL

exiwhat

It displays, what exim is doing right now. See the below example:

# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

Related posts

1, Exim Log line flags
2, Command to find the mail that we have sent is completed or not!

Written by phong

View all author posts →

View Larger Map