http://crybit.com/check-spamming-on-server-having-exim/
Spamming is the use of electronic messaging systems to send unsolicited bulk messages, usually advertising, and it can originate from a server in several ways. It is a serious problem on a hosting server: if any single account sends spam, the server’s main IP ends up on many email RBLs (DNS-based blocklists) and mail from every other account on the box starts getting rejected too. The mail queue itself is the quickest place to check whether queued mail is legitimate. On a cPanel server the default MTA (Mail Transfer Agent) is Exim, and Exim has command-line options for picking spam out of the queue. In most cases the message header tells us what we need; we can also look at the message body and the per-message log.
To check this, log into the server as root.
Count emails in queue
exim -bpc
This command prints the total number of messages in the queue. A large number (the rule of thumb used here is more than 2000) suggests that spam is being sent from the server, although a burst of legitimate bulk mail or a remote host that is refusing delivery can also inflate the count, so confirm with the listings below before acting.
Example
# exim -bpc
52
List emails with more details
exim -bp
This command takes a closer look at the queued messages: for each message it prints the age, size, message ID and envelope sender, followed by the recipients on the next line. The message ID is the key for pulling up the header, body and log of a message, which is discussed in detail below.
Example
# exim -bp
44h   763 1VGaIo-0002ec-RM <sender@sender.com>
          recipient@gmail.com

10h  5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m   502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m   568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com
# 1st field: Age (e.g. 44h)
# 2nd field: Size (e.g. 5.9K)
# 3rd field: Message ID (e.g. 1VGaIo-0002ec-RM)
# 4th field: Envelope sender in angle brackets (e.g. <sender@sender.com>); <> is the empty sender of a bounce, and *** frozen *** after it marks a frozen message
# Next line: Recipient(s) (e.g. recipient@gmail.com)
Using the message ID we can inspect the header, body and log of any message in the queue.
exim -Mvh ID
This command displays the message header (the spool -H file). From the output we can check the From and To addresses, subject, date, the Received line that shows how the message entered Exim and, for mail submitted by a script, the X-PHP-Script header.
exim -Mvb ID
Displays the message body.
exim -Mvl ID
Displays the per-message log. From it we can see how the message arrived, including which local user or authenticated account submitted it, and every delivery attempt made since.
Spamming can occur in many ways. On a shared host it mainly happens through a vulnerable (or deliberately backdoored) PHP script, or through a compromised email account password. Here are some instances.
Example: Spamming from PHP script
# exim -Mvh 1YZUIE-00013s-Sp
208P Received: from $user by server.ahostname.com with local (Exim 4.82)
	(envelope-from <$user@server.ahostname.com>)
	id 1YZUIE-00013s-Sp
	for wend1122@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: wend1122@yahoo.com
019  Subject: Hi there
091  X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php for "IP.Address"
023  X-Priority: 3 (Normal)
The header alone tells us whether a message is legitimate. If “X-PHP-Script” is present, the mail was sent by a PHP script on this server: cPanel’s PHP mail wrapper adds the header with the script path and the IP address of the client that requested the page. In the example above the mail came from domain.com/templates/yoo_revista/warp/menus/page.php, and the Received line shows “with local”, meaning the script handed the message to the local sendmail binary rather than sending it over SMTP. In this case we have to inspect the scripts in the affected account, starting with the path named in the header.
Also make sure the account is running the latest version of its CMS (e.g. WordPress, Joomla), plugins and themes; an outdated extension is the usual way the script got there.
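The header checks described above, as a set of shell functions over two constructed header dumps (added example, not code from the original post). PHP_HEADER follows the X-PHP-Script case shown above; SMTP_HEADER is an assumed message that arrived over authenticated SMTP, which Exim records in the Received line as “esmtpa” or “esmtpsa”. Both dumps are abridged and use documentation IP addresses; in production each function would be fed the output of exim -Mvh ID instead.

```shell
#!/bin/sh
# Added example: triage a spool header dump of the kind `exim -Mvh ID` prints.
# Both dumps below are constructed samples in the same layout as the page's
# example (length/flag prefix, then the header line; continuation lines
# start with a tab).  The IPs are documentation addresses.

PHP_HEADER='208P Received: from nobody by server.ahostname.com with local (Exim 4.82)
	(envelope-from <nobody@server.ahostname.com>)
	id 1YZUIE-00013s-Sp
	for wend1122@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: wend1122@yahoo.com
019  Subject: Hi there
091  X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php for "203.0.113.7"
023  X-Priority: 3 (Normal)'

# Assumed: a message submitted with a (possibly stolen) mailbox password.
SMTP_HEADER='198P Received: from [198.51.100.24] (port=51234 helo=User)
	by server.ahostname.com with esmtpsa (Exim 4.82)
	(envelope-from <user@domain.com>)
	id 1YZUJQ-00014b-Lc
	for victim@example.org; Sat, 21 Mar 2015 21:05:41 -0400
027T To: victim@example.org
022  Subject: Invoice'

# Script path from the X-PHP-Script header; prints nothing if the header is absent.
php_script() {
    printf '%s\n' "$1" | awk '
        /X-PHP-Script:/ { for (i = 1; i <= NF; i++)
                              if ($i == "X-PHP-Script:") { print $(i + 1); exit } }'
}

# Client IP recorded after "for" on the X-PHP-Script line (surrounding quotes stripped).
php_client_ip() {
    printf '%s\n' "$1" | awk '
        /X-PHP-Script:/ { for (i = 1; i < NF; i++)
                              if ($i == "for") { ip = $(i + 1); gsub(/"/, "", ip); print ip; exit } }'
}

# Protocol word after "with" in the Received: header: "local" for a script handing
# mail to the sendmail binary, "esmtpa"/"esmtpsa" for authenticated SMTP sessions.
# The Received header may wrap onto continuation lines, so keep scanning until the
# next header line (one that starts with the length/flag prefix) begins.
received_protocol() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+[A-Z]? +Received:/ { inrecv = 1 }
        inrecv && /^[0-9]+[A-Z]? +[A-Za-z-]+:/ && !/Received:/ { inrecv = 0 }
        inrecv { for (i = 1; i < NF; i++)
                     if ($i == "with") { print $(i + 1); exit } }'
}

# One-line verdict for the triage notes.  For authenticated SMTP the account that
# logged in is not in this header; get it from `exim -Mvl ID` or the main log.
classify_header() {
    script=$(php_script "$1")
    proto=$(received_protocol "$1")
    if [ -n "$script" ]; then
        printf 'php-script %s\n' "$script"
    elif [ "$proto" = esmtpa ] || [ "$proto" = esmtpsa ]; then
        printf 'authenticated-smtp\n'
    else
        printf 'other %s\n' "${proto:-unknown}"
    fi
}

# Usage on a live server:  classify_header "$(exim -Mvh 1YZUIE-00013s-Sp)"
```

The verdict decides the next step: a php-script result points at a file to inspect in the account’s document root, while authenticated-smtp points at a mailbox whose password should be reset.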
Analysing email count with sender
This is very important when checking for spamming. The command below counts the queued messages per envelope sender. From its output we can see which account is sending large volumes of email.
exim -bpr|grep "<"|awk '{print $4}'|cut -d"<" -f2|cut -d">" -f1|sort|uniq -c|sort -n
Example
[root@EcLinux]# exim -bpr|grep "<"|awk '{print $4}'|cut -d"<" -f2|cut -d">" -f1|sort|uniq -c|sort -n
      1
      3 sender@sender.com
The line with a count but no address is the frozen bounce from the listing above, whose envelope sender is the empty address <>.
Another way using “exiqgrep“
exiqgrep -f sendername|grep "<"|wc -l
This command displays the total number of queued messages from a particular sender. The -f option takes a regular expression matched against the envelope sender, and the grep "<" keeps only the message lines (exiqgrep prints recipients on separate lines, like exim -bp). exiqgrep also has a -c option that prints the count directly.
Example
[root@EcLinux]# exiqgrep -f sender@sender.com|grep "<"|wc -l
3
Similarly, the -r switch of exiqgrep matches on the recipient:
exiqgrep -r recipient|grep "<"|wc -l
Refer to this for more details >> count emails in Exim mail queue for a specific sender/receiver <<
Removing emails from queue
The exim command to remove a message from the queue is (one or more message IDs may be given):
exim -Mrm ID
To delete all queued messages from a particular sender:
exim -bpr| grep sendername| awk '{print $3}'|xargs exim -Mrm
grep picks out the lines mentioning that sender, awk prints the third field (the message ID) and xargs passes the IDs to exim -Mrm. Recipient lines that happen to match have no third field, so they contribute nothing, but a plain grep also matches any other sender containing the same string; run the pipeline without the xargs part first and check the IDs before deleting.
To remove all emails from the queue, here is a quick solution >> remove all emails from the queue <<
Frozen emails
Frozen messages are marked with *** frozen *** after the sender field in the exim -bp listing. To display the total number of frozen messages in the queue, we can use the following command.
exim -bp|grep frozen|wc -l
Removing frozen emails
exim -bp|grep frozen|awk {'print $3'}|xargs exim -Mrm
All frozen emails can also be removed in one step with the “exiqgrep” command. Please refer to the following link >> Quick way to remove all frozen emails from the email queue <<
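The per-sender count, the per-sender removal pipeline and the frozen-message checks above all parse the same exim -bpr listing, so here they are together as shell functions over a constructed copy of that listing (added example, not code from the original post). QUEUE is sample output in the layout shown earlier, with one extra message from an assumed sender shop@example.net; queue_listing() stands in for a real exim -bpr call, and remove_for_sender() only prints the exim -Mrm command it would run.

```shell
#!/bin/sh
# Added example: answer the triage questions from this page by parsing the
# text that `exim -bpr` prints, instead of re-running exim for every count.
# QUEUE is constructed sample output: age, size, message ID, envelope sender
# (<> for a bounce), optional *** frozen *** marker, recipient on the next line.

QUEUE='44h   763 1VGaIo-0002ec-RM <sender@sender.com>
          recipient@gmail.com

10h  5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m   502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m   568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com

 3m   611 1VHFQa-0003cc-Aa <shop@example.net>
          victim@example.org
'

# On a live server replace the body of this function with: exim -bpr
queue_listing() { printf '%s\n' "$QUEUE"; }

# Total number of queued messages (what `exim -bpc` reports): one "<" per message line.
count_queue() { queue_listing | grep -c '<'; }

# Messages per envelope sender, smallest count first.  Field 4 is "<address>";
# the empty sender "<>" of a bounce is reported as "(bounce)" so it is not lost.
count_by_sender() {
    queue_listing | awk '
        /</ { s = $4; sub(/^</, "", s); sub(/>$/, "", s)
              if (s == "") s = "(bounce)"
              n[s]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -n
}

# Message IDs queued by one exact envelope sender (the input `exim -Mrm` needs).
# Matching the whole bracketed field avoids the substring matches a plain grep makes.
ids_for_sender() {
    queue_listing | awk -v want="$1" '/</ && $4 == ("<" want ">") { print $3 }'
}

# Frozen messages carry the *** frozen *** marker after the sender field.
frozen_ids() { queue_listing | awk '/\*\*\* frozen \*\*\*/ { print $3 }'; }

count_frozen() { frozen_ids | wc -l | tr -d ' '; }

# Dry run of the removal pipeline: prints the command instead of executing it.
# Drop "echo" to really remove the messages (-r is GNU xargs: do nothing if no IDs).
remove_for_sender() { ids_for_sender "$1" | xargs -r echo exim -Mrm; }

# Usage on a live server, after switching queue_listing() to exim -bpr:
#   count_by_sender; remove_for_sender spammer@domain.com
```

Because ids_for_sender matches the complete <sender> field, a request for sender@sender.com does not also catch, say, sender@sender.com.example, which the grep-based one-liner above would.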
exim -bp|exiqsumm
The above command prints a per-domain summary of the queue (message count, total volume, oldest and newest message age) with a TOTAL line at the end.
Example
# exim -bp|exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    1    6041     11h     11h  facebook.com
    1     763     45h     45h  interia.pl
---------------------------------------------------------------
    2    6804     45h     11h  TOTAL
exiwhat
It displays what each running Exim process is doing right now. See the example below:
# exiwhat
 1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)