How to track the exim email spam in cpanel server
- Category : Linux Helpline (Easy Guide)
- Posted on : Jan 12, 2019
- Views : 2,281
- By : Hagen V.
How to track the exim email spam in cpanel server
The cpanel server use exim as the email server. There is a never ending war going on with spam on internet. It may be probably due to insecure forms or improper exim configuration. Here are some tips avilable with exim commands that will help you to find which user in your server is sending massive spam emails.
- Step 1 : Get a total summery of cpanel users sendig spam email
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -n | uniq -c | sort -bg
A sample result is as follows,
4 kfmm 7 pa4you 7 sugigarn 8 exnernu 12 guldbrand 24 silvatica 33 danskhundecenter 35 netrod 41 orkhullet 59 ksgabwpp 81 sarastorm 84 holm 134 ohigh 201 nordicparts 754 sarasperler
- Step 2 : Find the rate of email sending document roots, from which the email are originating.
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' |grep cwd | sort -n | uniq -c | sort -n
A sample result is as follows,
7 cwd=/home/pa4you/public_html 8 cwd=/home/guldbrand/public_html 10 cwd=/home/netrod/soulx.com 10 cwd=/home/ohigh/school.rpq.dk/dream-portfolio 23 cwd=/home/netrod/soulx.net/wp-admin 24 cwd=/home/silvatica/public_html 25 cwd=/home/danskhundecenter/70201080.dk 33 cwd=/home/sarastorm/public_html/wp-admin 41 cwd=/home/orkhullet/public_html 48 cwd=/home/sarastorm/public_html 49 cwd=/home/ksgabwpp/public_html/mygear 83 cwd=/home/holm/public_html 121 cwd=/home/ohigh/kollenso.net 200 cwd=/home/nordicparts/public_html 753 cwd=/home/sarasperler
- Step 3 : Test if any live script is sending spam right now from the above path.
Syntax : ps auxwwwe | grep | grep --color=always "PATH-TO-The script " | head # ps auxwwwe | grep sarasperler | grep --color=always "/home/sarasperler" | head
- step 4 : Find the spam generating IP address via the above script. So that you can block that IP
# grep 'PATH-TO-SCRIPT' /etc/apache2/logs/domlogs/CPUSER/DOMAINNAME | awk '{print $1}' | sort -n | uniq -c | sort -n
- Step 5 : Check the exim input queue for spams
Some times, there will be still some spam emails in the exim input email queue. You can find the emails using the following command
# egrep -iR 'X-PHP-Script' /var/spool/exim/input/
- step 6 : The eximstats tool
There is a beautiful exim tool available. It is called eximstats . This will give a total summery of received and send emails from your server. This command should run as follows,
# eximstats -ne -nr /var/log/exim_mainlog
- Step 7 : Find the SMPT spammers.
These spammers directly connect to the smtp server port 25 using an smtp authentication. So if some one have a stole email account and password, then he can connect to to the exim smtp port and send massive emails from his desktop. This doesn’t need any php scripts in your server. It is too dangerous.
# netstat -plan | egrep ':25|:465' | awk {'print $5'} | cut -d: -f 1| sort -n | uniq -c| sort -n
- Step 8 : Get a summery of the current email queue
If you have massive emails in email queue. This command will show a summery of the emails setting in the server queue. Probably there will be a lot of failed emails too.
# exim -bpr | exiqsumm -c
Categories
- cPanel Question 47
- cPanel Software Management 29
- cPanel Tutorials 13
- Development 29
- Domain 13
- General 19
- Linux Helpline (Easy Guide) 156
- Marketing 47
- MySQL Question 13
- News 2
- PHP Configuration 14
- SEO 4
- SEO 42
- Server Administration 84
- SSL Installation 54
- Tips and Tricks 24
- VPS 3
- Web Hosting 44
- Website Security 22
- WHM questions 13
- WordPress 148
Subscribe Now
10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!Archive Calendar
Sat | Sun | Mon | Tue | Wed | Thu | Fri |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | |
7 | 8 | 9 | 10 | 11 | 12 | 13 |
14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 | 22 | 23 | 24 | 25 | 26 | 27 |
28 | 29 | 30 | 31 |
Recent Articles
-
Posted on : Sep 17
-
Posted on : Sep 10
-
Posted on : Aug 04
-
Posted on : Apr 01
Tags
- ts
- myisam
- vpn
- sql
- process
- kill
- tweak
- server load
- attack
- ddos mitigation
- Knowledge
- layer 7
- ddos
- webmail
- DMARC
- Development
- nginx
- seo vpn
- Hosting Security
- wireguard
- innodb
- exim
- smtp relay
- smtp
- VPS Hosting
- cpulimit
- Plesk
- Comparison
- cpu
- encryption
- WHM
- xampp
- sysstat
- optimize
- cheap vpn
- php-fpm
- mariadb
- apache
- Small Business
- Error
- Networking
- VPS
- SSD Hosting
- Link Building
- centos
- DNS
- optimization
- ubuntu