Exim – Useful scripts to find the Origin of Spam mails

Scripts to check spammers and spam mails in Exim:

To get a sorted list of sender addresses in the Exim mail queue, with the number of queued messages from each one (bounce messages carry the null sender <> and show up as a blank address in this listing):

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort | uniq -c | sort -n

You will get a result like the following:

1  arun@testdomain.com
2  sales@test1domain.com
3  sandy@test123.com
4  root@testdomain.co.in
29  admin@testdomain.in
124  arun@test123domain.com
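As an added example (not from the original post), the same sender count run over a constructed exim -bpr listing, so it can be tried without a live queue. It keeps bounce messages visible as the null sender <> instead of the blank line the cut-based one-liner produces, and separately counts frozen messages per sender. Message IDs, addresses and ages are invented.

```shell
#!/bin/sh
# Added example: per-sender counts from `exim -bpr` output, offline.
# The queue listing below is constructed; nothing here is real mail.
set -eu

# Shape of `exim -bpr` output: an age/size/message-id/<sender> line,
# followed by one indented recipient per line. Frozen messages carry a
# "*** frozen ***" marker and bounces have the empty (null) sender "<>".
SAMPLE_QUEUE='25m  1.2K 1UkAbC-0001xY-Qz <arun@test123domain.com>
          victim1@example.net

 3h   512 1UkAbD-0001xZ-Ra <>
          bounce-target@example.org

12m  2.3K 1UkAbE-0001y0-Sb <arun@test123domain.com> *** frozen ***
          victim2@example.net

 2m   900 1UkAbF-0001y1-Tc <sales@test1domain.com>
          customer@example.com
'

# Extract the address between the angle brackets of a sender line and
# report an empty result as "<>" so null-sender bounces are not lost.
sender_of() {
    sed 's/.*<\([^>]*\)>.*/\1/' | awk '{ print ($0 == "" ? "<>" : $0) }'
}

# Messages per sender, lowest count first ("count sender" per line).
queue_senders() {
    printf '%s' "$1" | grep '<' | sender_of | sort | uniq -c | sort -n \
        | awk '{print $1, $2}'
}

# Frozen messages per sender, same output format.
frozen_senders() {
    printf '%s' "$1" | grep '\*\*\* frozen \*\*\*' | sender_of \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

echo "queued messages per sender:"
queue_senders "$SAMPLE_QUEUE"
echo "frozen messages per sender:"
frozen_senders "$SAMPLE_QUEUE"
```

On a real server, replace the constructed listing with `exim -bpr` piped into the same functions; a sender that dominates both lists (many queued, many frozen) is the usual signature of a compromised account or script.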

=============================================================================================

The following scripts find the directory that spam mails originate from. Exim logs the working directory of every local submission as cwd= when the arguments log selector is enabled, so a directory with an unusually high count points at the sending script:

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

The first two scripts give a result like the one below. The third script is a variant that cuts each path down to the account name under /home, so it counts per user rather than per directory. The second and third rely on cwd= being the third field of the log line, which is not the case when the pid is also logged (the pid log selector).

9      cwd=/home/test1/public_html
10     cwd=/home/test2/public_html/a1/www
15     cwd=/home/test3/public_html
91     cwd=/home/test4/public_html
178    cwd=/home/test5/public_html/web
770    cwd=/home/test6/public_html/foro
803    cwd=/home/test7/public_html/web
124348 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven

=============================================================================================

If we need to find the exact spamming script, the following command shows the script that is running right now. It works on any mail server as long as the spamming is in progress: the e option of ps prints each process's environment, which includes its PWD, so the suspect user's processes can be matched against the directory found above:

# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head

Usage of the above command with the directory from the example:

# ps auxwwwe | grep test8 | grep --color=always "/home/test8/public_html/wp/wp-content/themes/twentyeleven" | head

Once you have found the exact script, the following command lists the IP addresses that requested it, taken from the domain's web access log. The addresses with the highest number of requests are most probably the ones driving the spamming, and can be blocked in the csf or apf firewall:

# grep "<script_name>" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort | uniq -c | sort -n

=============================================================================================

The following command finds the sending script directly from the headers of the queued messages. If the mail was sent from PHP on a cPanel-style hosting server, the patched PHP adds an X-PHP-Script header naming the script, and the header files in the spool can be searched for it:

# egrep -R "X-PHP-Script" /var/spool/exim/input/*
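The whole triage above (directory from the Exim log, client IPs that hit the script, X-PHP-Script headers in the spool) as shell functions run over constructed sample files. This is added here as an example and is not code from the original post. The account names, IP addresses, message IDs and the script name mail.php are invented; the ps step is left out because it needs live processes. The cwd extraction uses grep -o rather than a fixed field number, so it also works when Exim logs the pid before cwd=.

```shell
#!/bin/sh
# Added example: the cwd -> user -> client IP -> spool header triage as
# functions over constructed sample data (all names, IPs and IDs made up).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed exim_mainlog excerpt (arguments log selector on). The fourth
# line also carries a [pid] field, which shifts the column that the
# awk '{print $3}' one-liner depends on; grep -o is unaffected by that.
cat >"$WORK/exim_mainlog" <<'EOF'
2013-06-10 10:01:12 cwd=/home/test1/public_html 3 args: /usr/sbin/sendmail -t -i
2013-06-10 10:01:13 1UkAbC-0001xY-Qz <= test1@testdomain.com U=test1 P=local S=1234
2013-06-10 10:01:20 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2013-06-10 10:01:20 [2341] cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2013-06-10 10:01:21 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1UkAbC-0001xY-Qz
2013-06-10 10:01:22 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
EOF

# Constructed Apache combined-format access log of the suspect account.
cat >"$WORK/access_log" <<'EOF'
192.0.2.10 - - [10/Jun/2013:10:01:20 +0000] "POST /wp/wp-content/themes/twentyeleven/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2013:10:01:21 +0000] "POST /wp/wp-content/themes/twentyeleven/mail.php HTTP/1.1" 200 512 "-" "curl/7.29.0"
192.0.2.10 - - [10/Jun/2013:10:01:22 +0000] "POST /wp/wp-content/themes/twentyeleven/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2013:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF

# Constructed Exim spool header (-H) files; each header line is prefixed
# with a length and a flag character, as Exim writes them.
mkdir -p "$WORK/input"
printf '%s\n' '067  X-PHP-Script: testdomain.com/wp/wp-content/themes/twentyeleven/mail.php for 192.0.2.10' \
    >"$WORK/input/1UkAbC-0001xY-Qz-H"
printf '%s\n' '067  X-PHP-Script: testdomain.com/wp/wp-content/themes/twentyeleven/mail.php for 203.0.113.5' \
    >"$WORK/input/1UkAbD-0001xZ-Ra-H"

# Submissions per working directory under /home, lowest count first.
cwd_counts() {
    grep -o 'cwd=/home[^ ]*' "$1" | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# The same data collapsed to the account name (third path component).
user_counts() {
    grep -o 'cwd=/home/[^/ ]*' "$1" | cut -d/ -f3 | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Client IPs that requested the given script path in an access log.
# grep -F keeps the dots in the path literal instead of regex wildcards.
script_ips() {
    grep -F "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Scripts named by X-PHP-Script headers across queued messages' -H files.
spool_php_scripts() {
    grep -rh 'X-PHP-Script:' "$1" | sed 's/.*X-PHP-Script: *//' | awk '{print $1}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

echo "submissions per directory:";   cwd_counts "$WORK/exim_mainlog"
echo "submissions per account:";     user_counts "$WORK/exim_mainlog"
echo "client IPs hitting mail.php:"; script_ips "$WORK/access_log" "/wp/wp-content/themes/twentyeleven/mail.php"
echo "scripts named in the spool:";  spool_php_scripts "$WORK/input"
```

On a live server, point the functions at /var/log/exim_mainlog, the account's access log under /home/<user>/access-logs/ and /var/spool/exim/input; the output format ("count value" per line, rising counts) is the same as the one-liners above, just without the leading padding that uniq -c adds.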

=============================================================================================

eximstats summarises the mail log, including the top 50 sending and receiving domains; -ne leaves out the error report and -nr the relay report:

# eximstats -ne -nr /var/log/exim_mainlog

=============================================================================================

The following shows which user's home directory each currently running Exim process was started from (the ewww options print the full command line and environment), so the sending user can be traced and blocked if needed:

# ps -C exim -fH ewww | grep home
=============================================================================================

It shows the IPs connected to the server on port 25, with the number of connections from each. If one particular IP holds more than 10 connections you can block it in the server firewall. The trailing space after :25 stops the match from also catching ports such as 250 or 2525; note that cut -d: mangles IPv6 addresses.

# netstat -plan | grep ':25 ' | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
==============================================================================================

In order to find "nobody" spamming (mail sent by web scripts running as the web server user, which the Exim log cannot attribute to a hosting account), issue the following command:

# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give a result like:

6 PWD=/
347 PWD=/home/sample/public_html/test

Look at the count per PWD; if one is large, check the files in the directory listed in that PWD (ignore /, /var/spool/mail and /var/spool/exim, which belong to Exim's own queue and delivery processes rather than to a web script).

The above command is valid only while the spamming is in progress, because it inspects the environment of the Exim processes running now. If the spamming happened some hours earlier, use the log instead:

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

==============================================================================================

The following command gives a summary of the mail queue per recipient domain (-c sorts by message count):

# exim -bpr | exiqsumm -c | head

You will get a result like the following:

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
  114   171KB     24h     28m  testdomain.com
   15    28KB     36h      7m  gmail.com
    5    10KB     34h     10h  test2domain.com
    4    8192     27h      4h  yourdomain.com
    4    75KB      7m      7m  server.domain.com
    3    6041     23h     42m  test123.com

==============================================================================================
