Electronic spamming is the use of electronic messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same site.
It can happen in many ways on a mail server, and it is one of the most common and frequent problems in the web hosting industry. If any account on your server sends out spam in volume, the server's IPs can end up listed at various RBLs (real-time blackhole lists).
We can check whether the emails being sent from accounts are legitimate or spam by analyzing the mail queue. On a cPanel server the default MTA (Mail Transfer Agent) is Exim, and Exim provides several command-line options that help identify spam.
In most cases we get the details from the email header itself; we can also check the body of the email and the mail log using different command-line options. After reading this article you will have a clear idea of how to identify spamming on a server that uses Exim as its MTA.
To run these checks, log into the server as root.
To count emails in queue
exim -bpc
This command shows the total number of emails in the queue. If the count is high (>2000), the probability of spamming is also high.
Example
# exim -bpc
52
To list emails with more details
exim -bp
This command gives a closer look at the emails in the queue: it lists the message ID, sender, recipient, size and age of each mail. The message ID is what we use to look up the header, body and log of a message; that is discussed in detail later.
Example
# exim -bp
44h 763 1VGaIo-0002ec-RM <[email protected]>
[email protected]
10h 5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
[email protected]
0m 502 1VHFNl-0003bf-GB <[email protected]>
[email protected]
0m 568 1VHFNl-0003bn-Tq <[email protected]>
[email protected]
# 1st field: Age (Eg : 44h)
# 2nd field: Size (Eg : 5.9K)
# 3rd field: Message ID (Eg : 1VGaIo-0002ec-RM)
# 4th field: Sender (Eg : [email protected])
# 5th field: Recipient (Eg : [email protected])
By using the ID we can analyse the header, body and the log information of emails in the queue.
exim -Mvh ID
This command displays the message header. From its output we can check many details about the email: from address, to address, subject, date, the script that generated it, etc.
exim -Mvb ID
Displays the message body.
exim -Mvl ID
It displays the log of the email. From this log you can identify the user who created the message, and a lot more.
Spamming can occur in many ways. Here I am explaining some instances of it. It occurs mainly through vulnerable PHP scripts or through compromised email account passwords.
Example: Spamming from PHP script
208P Received: from $user by server.ahostname.com with local (Exim 4.82)
(envelope-from <[email protected]>)
id 1YZUIE-00013s-Sp
for [email protected]; Sat, 21 Mar 2015 21:03:06 -0400
027T To: [email protected]
019 Subject: Hi there
091 X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php for "IP.Address"
023 X-Priority: 3 (Normal)
From the header itself we can judge the origin of the email. If you find "X-PHP-Script" in the email header, you can confirm that the emails were sent out from a PHP script. In the above example the emails were sent from the PHP script domain.com/templates/yoo_revista/warp/menus/page.php, so we have to check the scripts in the problematic account.
In this case, please make sure that you are using the latest version of the CMS (e.g. WordPress, Joomla), plugins and themes.
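As an added example (not part of the original post), the shell functions below pull the script path and the client IP out of an X-PHP-Script header in the layout that exim -Mvh prints, where every header line is prefixed with its byte length and an optional flag letter (e.g. "091  X-PHP-Script: ..."). The two header samples, the domain, the path and the IP address are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example: parse X-PHP-Script out of `exim -Mvh ID` output.
# All functions read the header text on stdin, so they can be run on the
# constructed samples below or live with:  exim -Mvh ID | classify_header

# Constructed header block in the layout shown above (placeholder values).
PHP_HEADER_SAMPLE='208P Received: from www by server.example.com with local (Exim 4.82)
        (envelope-from <www@example.com>)
        id 1YZUIE-00013s-Sp
        for user@example.net; Sat, 21 Mar 2015 21:03:06 -0400
027T To: user@example.net
019  Subject: Hi there
091  X-PHP-Script: example.com/templates/page.php for "198.51.100.7"
023  X-Priority: 3 (Normal)'

# Constructed header block of a message that carries no X-PHP-Script header.
CLEAN_HEADER_SAMPLE='027T To: user@example.net
019  Subject: Hi there'

# Print the script path from X-PHP-Script, or nothing if the header is absent.
# The length/flag prefix ("091 ", "208P ") is stripped before reading the value.
php_script_of() {
    awk '/^[0-9]+[A-Z]* *X-PHP-Script:/ {
            sub(/^[0-9]+[A-Z]* *X-PHP-Script:[ \t]*/, "")
            print $1
            exit
         }'
}

# Print the client IP recorded in X-PHP-Script (the value after "for",
# with any surrounding quotes removed).
php_script_ip_of() {
    awk '/^[0-9]+[A-Z]* *X-PHP-Script:/ {
            for (i = 1; i < NF; i++)
                if ($i == "for") { ip = $(i + 1); gsub(/"/, "", ip); print ip; exit }
         }'
}

# One-line verdict for a header: "php-script <path>" or "no-php-script".
classify_header() {
    script=$(php_script_of)
    if [ -n "$script" ]; then
        echo "php-script $script"
    else
        echo "no-php-script"
    fi
}

# Demo on the constructed samples.
printf '%s\n' "$PHP_HEADER_SAMPLE" | classify_header
printf '%s\n' "$PHP_HEADER_SAMPLE" | php_script_ip_of
printf '%s\n' "$CLEAN_HEADER_SAMPLE" | classify_header
```

The path printed by php_script_of is the file to inspect in the account's document root; the IP is the client that requested the script, which is what you would look for in the web server access log.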
Analyzing email count with sender
This is very important while checking for spamming. This command counts the emails in the Exim mail queue per sender. From its output we can see which account is sending a large number of emails.
exim -bpr|grep "<"|awk '{print $4}'|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n
Example
[root@EcLinux]# exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n
3 [email protected]
1
Another way using “exiqgrep“
exiqgrep -f sendername|grep "<"|wc -l
This command displays the total count of emails sent by a particular user.
Example
[root@EcLinux]# exiqgrep -f [email protected]|grep "<"|wc -l
3
Similarly, the -r switch of exiqgrep selects messages by recipient.
exiqgrep -r recipient|grep "<"|wc -l
Refer to this post for more details: count emails in Exim mail queue for a specific sender/receiver
Removing emails from queue
The exim command to remove emails from the queue is:
exim -Mrm
To delete all emails from the queue for a particular sender:
exim -bpr| grep sendername| awk '{print $3}'|xargs exim -Mrm
The awk part prints the message IDs to remove, and xargs passes them as arguments to exim -Mrm. Note that grep sendername matches that string anywhere in the listing (recipient lines included), so use the full, distinctive address to avoid removing other senders' mail.
To remove all emails from the queue, here is a quick solution: remove all emails from the queue
Frozen emails
Frozen messages are marked with "*** frozen ***" after the sender field in the exim -bp output. To display the total count of frozen emails in the queue, use the following command.
exim -bp|grep frozen|wc -l
Removing frozen emails
exim -bp|grep frozen|awk '{print $3}'|xargs exim -Mrm
We can also remove all frozen emails from the queue using the exiqgrep command. Please refer to the following post: Quick way to remove all frozen emails from the email queue
exim -bp|exiqsumm
The above command prints a summary of the emails in the queue, grouped by recipient domain.
Example
# exim -bp|exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
1 6041 11h 11h facebook.com
1 763 45h 45h interia.pl
---------------------------------------------------------------
2 6804 45h 11h TOTAL
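The following POSIX shell functions are an added example, not code from the original post. They parse text in the exim -bp layout described in the field list above and cover, on one constructed sample, the per-sender count, the exact-sender message ID selection used for removal, the frozen-message count and removal, and a per-domain summary in the spirit of exiqsumm. The queue sample, addresses and message IDs are constructed; the function names (count_by_sender, ids_for_sender, remove_ids, etc.) and the DRY_RUN variable are my own conventions.

```shell
#!/bin/sh
# Added example: parse `exim -bp` style output, then count, select and
# (optionally) remove messages. Every function reads queue text on stdin,
# so it runs on the sample below or live with:  exim -bp | count_by_sender

# Constructed sample of `exim -bp` output. Header line: age, size, message ID,
# envelope sender in <>, optional "*** frozen ***"; then one indented line per
# recipient (an already-delivered recipient is prefixed with "D"); then a blank line.
QUEUE_SAMPLE='44h   763 1VGaIo-0002ec-RM <owner@example.com>
          user1@example.net

10h  5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          postmaster@example.org

 0m   502 1VHFNl-0003bf-GB <owner@example.com>
          user2@example.net

 0m   568 1VHFNl-0003bn-Tq <www@example.com>
        D user3@example.net
'

# Messages per envelope sender, busiest sender last. Only header lines carry a
# <...> token in field 4, so recipient lines are skipped automatically. The
# empty sender <> (a bounce) is reported as "<>".
count_by_sender() {
    awk '$4 ~ /^<.*>$/ {
            s = $4; sub(/^</, "", s); sub(/>$/, "", s)
            if (s == "") s = "<>"
            n[s]++
         }
         END { for (s in n) print n[s], s }' | sort -n
}

# Recipients per domain, a lightweight version of the exiqsumm grouping.
# Recipient lines have one or two fields ("addr" or "D addr").
count_by_domain() {
    awk 'NF <= 2 && $NF ~ /@/ { split($NF, p, "@"); n[p[2]]++ }
         END { for (d in n) print n[d], d }' | sort -n
}

# Number of frozen messages.
count_frozen() {
    awk '/\*\*\* frozen \*\*\*$/ { n++ } END { print n + 0 }'
}

# Message IDs for one exact envelope sender. Comparing the whole "<sender>"
# token avoids the substring hits a bare `grep sender` produces (recipient
# lines, or owner@example.com also matching fowner@example.com).
ids_for_sender() {
    awk -v want="<$1>" '$4 == want { print $3 }'
}

# Message IDs of frozen messages.
ids_frozen() {
    awk '/\*\*\* frozen \*\*\*$/ { print $3 }'
}

# Remove the message IDs read on stdin from the live queue. The IDs are
# printed first, and `exim -Mrm` runs only when DRY_RUN is unset, so the
# selection can be reviewed before anything is deleted.
remove_ids() {
    ids=$(cat)
    if [ -z "$ids" ]; then
        echo "no messages matched" >&2
        return 0
    fi
    printf '%s\n' "$ids"
    [ -n "${DRY_RUN:-}" ] || printf '%s\n' "$ids" | xargs exim -Mrm
}

# Demo on the constructed sample; DRY_RUN keeps exim from being called.
DRY_RUN=1
printf '%s\n' "$QUEUE_SAMPLE" | count_by_sender
printf '%s\n' "$QUEUE_SAMPLE" | count_by_domain
echo "frozen: $(printf '%s\n' "$QUEUE_SAMPLE" | count_frozen)"
printf '%s\n' "$QUEUE_SAMPLE" | ids_for_sender owner@example.com | remove_ids
printf '%s\n' "$QUEUE_SAMPLE" | ids_frozen | remove_ids
```

On a live server the same pipeline is exim -bp | ids_for_sender user@domain | remove_ids, run once with DRY_RUN=1 to review the list and then again without it; the exact-token match in ids_for_sender is the difference from the grep-based one-liner above.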
exiwhat
It displays what Exim is doing right now. See the example below:
# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
Dear Mr. Arun Lal
GOOD INFORMATIVE COMMANDS
PLEASE SHARE MORE
Thanks for your feedback. Will update/post more about it soon.
Nice commands…..
It is good to learn such commands as it saves a lot of time reading logs... more commands on this will be appreciated.
Thanks for your feedback. Will update more tricks on it 🙂
What a good info I appreciate for your help
thank you
Thanks YoungBoy 🙂
Well done Arun. I appreciate your work.
Thanks for your feedback 🙂
Instead of utilizing the word count method when using exiqgrep try the following as this will give a comparison to the overall number of mails in the queue:
exiqgrep -cf [email protected]
The output would simply be something like 100 out of 3000 mails in queue
Hello Sir,
Really helpful information on the site.
Hello Sachin,
I am glad to know that it helped you!
Hi Arun,
Good job. What I need is to automatically clear spam mails in the server.
Can you come up with it?
You’re welcome, Jegan!
I suggest, first find out the source of spamming on the server.
You can create cron for your requirement.
Good Job. Arun .Thank you so much
Senaka,
You’re welcome!!
Great work
Thanks Antony!!
Awesome… Very useful
Thanks Sathya for the great support!!
Thank you very much, that's a very well built guide that aggregates very useful commands, explained very clearly.
Hi Arun,
This is very helpful. Please share these types of knowledge and the explanations are very clear.