Scripts to check spamming in Exim mail server

1. To check the number of emails present in the queue:

# exim -bpc

2. To check the emails present in the queue with the mail ID and sender ID:

# exim -bp
# exim -bp | less

3. To view the header of a particular email using mail ID:

# exim -Mvh mail_id

4. To view the body of a particular email using mail ID:

# exim -Mvb mail_id

5. To view a message's logs:

# exim -Mvl mail_id

6. To trace the delivery path (routing) for an address, with debug output:

# exim -d -bt user@domain.com

7. To get a sorted list of email senders in the Exim queue (count per sender, highest last):

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

8. To find the working directory (cwd=) from which spam mails are being originated, counted by directory:

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

9. Once the directory is known, to find the exact spamming script, run the following command:

# ps auxwwwe | grep user | grep --color=always "/home/user/public_html/templates/" | head
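As an added example (not from the original post), a small POSIX shell script that does the job of item 8 more directly: it extracts only the cwd= value from each mainlog line and counts occurrences, so the most active directory stands out before you go looking for the process in item 9. The log lines are constructed for the example; on a real server the input is /var/log/exim_mainlog.

```shell
#!/bin/sh
# Count the originating directories (cwd=) of locally submitted mail in an
# Exim mainlog. Added example; the sample log below is constructed.

# Print "count directory" pairs for the log given as $1, most frequent last.
cwd_counts() {
    # grep -o keeps only the matching part; sed strips the "cwd=" prefix.
    grep -o 'cwd=[^ ]*' "$1" | sed 's/^cwd=//' | sort | uniq -c | sort -n
}

# The directory with the highest count, i.e. the most likely spam source.
top_cwd() {
    cwd_counts "$1" | tail -n 1 | awk '{print $2}'
}

# Constructed sample log (not real data); removed when the script exits.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2013-01-05 10:23:11 cwd=/home/alice/public_html/templates/foo 3 args: /usr/sbin/sendmail -t -i
2013-01-05 10:23:11 1TfweS-0004Et-PH <= alice@example.com U=alice P=local S=1234
2013-01-05 10:23:12 cwd=/home/alice/public_html/templates/foo 3 args: /usr/sbin/sendmail -t -i
2013-01-05 10:23:13 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2013-01-05 10:23:14 cwd=/home/alice/public_html/templates/foo 3 args: /usr/sbin/sendmail -t -i
2013-01-05 10:23:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
EOF

cwd_counts "$SAMPLE_LOG"
echo "Most active directory: $(top_cwd "$SAMPLE_LOG")"
```

Replace `"$SAMPLE_LOG"` with /var/log/exim_mainlog to run it against the live log.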

10. To delete the emails of a specific user:

# grep -lr 'user@domain.com' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

# exim -bp | grep "user_email-account" | awk '{print $3}' | xargs exim -Mrm

11. To delete Frozen emails from the email queue:

# grep -R -l '*** Frozen' /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm
# exim -bp| grep frozen | awk '{print $3}'| xargs exim -Mrm
# exiqgrep -z -i | xargs exim -Mrm

12. To delete emails tagged [SPAM] from the email queue (the pattern is quoted and matched literally so grep does not treat [SPAM] as a bracket expression):

# grep -R -l -F '[SPAM]' /var/spool/exim/msglog/* | cut -b26- | xargs exim -Mrm

13. To count the frozen mails:

# exiqgrep -z -c

14. To check exim logs:

# tail -f /var/log/exim_mainlog

15. Force delivery of one message:

# exim -M mail_id

16. Force another queue run:

# exim -qf

17. Force another queue run and attempt to flush frozen messages:

# exim -qff

18. To check if there are frozen emails:

# exim -bp |awk '/fr[o]zen/ {print}'

19. To clear just one email:

# exim -Mrm mail_id

20. To check the subjects of the emails in the queue:

# exiqgrep -i |awk '{ print "exim -Mvh "$1 }' |sh |grep -i Subject

Thank you.


Comments

  1. What is this used for?

    ps auxwwwe | grep chcwisc | grep --color=always "/home/chcwisc/public_html/templates/savvypandajoomlatemplate" | head

    1. This will help you when you know the directory from which spam emails are originating but don't know the causing script. Use the culprit user in place of 'chcwisc' and the specific directory in place of '/home/chcwisc/public_html/templates/savvypandajoomlatemplate'.

  2. Really helpful. Thanks a ton, keep doing great work.

  3. Is it possible to find the exact file from which spam mails are generating?

    =============================
    [~]# ps auxwwwe | grep nitronet | grep --color=always "/home3/nitronet/public_html" | head
    root 26421 0.0 0.0 5236 768 pts/0 S+ 00:55 0:00 grep --color=always /home3/nitronet/public_html MANPATH=/usr/lib/courier-imap/man: HOSTNAME=server1.technicaldepot.com TERM=xterm SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=203.197.151.138 39029 22 LD_PRELOAD=/lib/libsafe.so.1.3 SSH_TTY=/dev/pts/0 USER=root LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35: MAIL=/var/spool/mail/root PATH=/usr/local/jdk/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/courier-imap/sbin:/usr/lib/courier-imap/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin INPUTRC=/etc/inputrc PWD=/root JAVA_HOME=/usr/local/jdk EDITOR=pico LANG=en_US.UTF-8 SHLVL=1 HOME=/root LS_OPTIONS=--color=tty -F -a -b -T 0 LOGNAME=root VISUAL=pico CVS_RSH=ssh CLASSPATH=.:/usr/local/jdk/lib/classes.zip SSH_CONNECTION=203.197.151.138 39029 69.72.242.18 22 LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=/bin/grep
    =============================

  4. Hello,

    I could not find any source file in your logs from where spam mails are originating.

    You need to check the spam mail header using the following command:

    exim -Mvh

    mail-id will look like 1TfweS-0004Et-PH in your mail log file.

  5. You are awesome, friend. It really helped.
