The Exim mail server offers many options and commands for finding spammer details easily, right from the command line. Please refer to the blog post “Spam Check” for more ideas about Exim spam troubleshooting.
From the link mentioned above, we can find out mail queue details, spam mail sender details, spam mail counts, etc. As a Linux sysadmin, you should find that helpful in your daily tasks.
Here is a piped command to find the location (folder) of the spam mailing script on the server. It helps us identify the script that is sending the spam mail, so we can null-route it easily and mitigate the spamming activity on the server.
Here we go!
Steps to find the spam mailing script location
Step 1 : SSH to your server as root user.
Step 2 : Execute the command pasted below:
# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
The above command displays the total count of emails sent from each directory, that is, the location responsible for those spam emails. You can also refer to this topic: Command line tips & tricks to find out Spam emailing scripts location!
Example
# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
...........
...........
370 /home/$USER1/public_html
386 /home/$USER2/public_html
415 /home/$USER3/public_html
470 /home/$USER4/public_html
620 /root
1409 /home/$USER5/public_html/link
6340 /home/$USER6/public_html
63898 /etc/csf
The above command checks every entry in the email log /var/log/exim_mainlog and lists the results. If you only need details of the recently active spamming scripts, you can grep the email log for the current date.
The command below finds the scripts that have been sending emails most recently:
grep cwd /var/log/exim_mainlog | grep $(date +%Y-%m-%d) | grep sendmail | grep public_html | awk '{print $3}' | sort | uniq -c | sort -n
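To show what these two pipelines actually do, here is an added example (not from the original post) that wraps both into shell functions and runs them against a small constructed Exim mainlog written to a temporary file. The log path /var/log/exim_mainlog is the real one named in the post; the log lines, user names and the helper names cwd_counts, cwd_counts_on_day, top_cwd and count_for_dir are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# two "cwd" pipelines as functions and runs them on a constructed sample log
# instead of the real /var/log/exim_mainlog, so it can be tried offline.

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed log lines in Exim's "cwd=" format: date, time, cwd=<dir>, args.
# The /var/spool line is Exim's own delivery process, not a web script.
cat > "$SAMPLE_LOG" <<'EOF'
2019-03-10 09:12:01 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-10 09:12:05 cwd=/home/user6/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-10 09:12:06 cwd=/home/user6/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-10 09:12:07 cwd=/home/user6/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-10 09:13:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h3abc-0001xy-Zz
2019-03-11 10:00:00 cwd=/root 2 args: /usr/sbin/sendmail -t
2019-03-11 10:00:01 cwd=/home/user6/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# Post's first pipeline: count sending directories over the whole log,
# dropping Exim's own /var/spool entries, lowest count first.
cwd_counts() {
    grep cwd "$1" | grep -v /var/spool \
      | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# Post's second pipeline, with the day passed in (YYYY-MM-DD) instead of
# $(date ...): only sendmail calls from a public_html directory on that day.
cwd_counts_on_day() {
    grep cwd "$1" | grep "$2" | grep sendmail | grep public_html \
      | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# The single busiest directory: last line of the ascending count list.
top_cwd() {
    cwd_counts "$1" | tail -n 1 | awk '{print $2}'
}

# Count for one directory, printing 0 when it never appears.
count_for_dir() {
    cwd_counts "$1" | awk -v d="$2" \
        '$2 == d {print $1; found = 1} END {if (!found) print 0}'
}

echo "All days:"
cwd_counts "$SAMPLE_LOG"
echo "Only 2019-03-11, public_html sendmail calls:"
cwd_counts_on_day "$SAMPLE_LOG" 2019-03-11
echo "Busiest directory: $(top_cwd "$SAMPLE_LOG")"
```

On the sample data the busiest directory is /home/user6/public_html with 4 sends, and the /var/spool/exim line is excluded entirely. On a real server, replace SAMPLE_LOG with /var/log/exim_mainlog and pass `$(date +%Y-%m-%d)` to cwd_counts_on_day; high counts under system paths such as /root are worth cross-checking against cron jobs and monitoring daemons before treating them as a spam script.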
That’s it! Please try it and let me know if you have any questions.
Related Links:
Check spamming – Exim.
Remove all frozen emails from mail queue.
Delete locked mails from mail queue.
Exim Log line flags.
Exim log file paths in WHM/cPanel & Directadmin.
1 /home/user1/public_html/english/wp-admin
1 /home/user2/public_html
2 /home/user3/public_html/folder
2 /home/user4/public_html
2 /root
5 /home/user5/public_html
8 /home/user6/public_html
485 /home/user6/public_html
I have found this. I want to find the file that is sending the spam and delete it. What do I have to do?
Hello Abdi,
From the log that you’ve provided, “user6” sent about 485 emails, and the emails have been sent from the public_html folder. There may be a PHP mailer or a script that sends emails. Please check if there are any vulnerable scripts in the public_html folder. You can use maldet to find any vulnerable scripts. If you have any contact forms, then please enable captcha on the forms to avoid spamming through them. Hope this info helps you 🙂
How do you identify the script that is sending spams?
thanks
Need to check the script manually.
Or please scan the account using maldet.
I have scanned with Linux Malware Detect but didn’t see anything; everything is clean. How do I find out if there is a PHP mailer? I am not the owner of the website, I just host the website. Also, the website is not a forum, it is a news site.
Thanks
Abdi
OMG, I just found the script and deleted it. So far no new mail, wow! If you saved my server I want to send you a big kiss hahaha. Thank you.
Mail queue still clean; I think this worked. I pray to God they will not hack back in to put any scripts back on. Great command, this will make detection easy now.
Please do contact me,
thanks
Alex
Your command is making it easy to find the mailing script,
but daily the hacker is still managing to put the script back on the server in different locations; I am not able to keep them out.
How do I find out the way he is putting the files on the server??? And of course stop that from happening.
Nothing I have tried is working.
Thanks for the help
Alex
Hello,
Thank you for the commands.
They work well.
regards