How/Command to find out the spam mailing script’s location – Exim mail server

The Exim mail server has a lot of options/commands to find out the details of spammers easily and i details from the command line itself. Please refer to the blog post “Spam Check” to get more ideas about Exim spam trouble shooting.

We can find out the mail queue details, spam mail sender details, spam mail counts etc from the link I mentioned above. As a Linux SysAdmin, that should be helpful for your daily tasks.

Here is a script/piped-command to find out the spam mailing script’s location/folder in the server. It would be more helpful for us to identify the spam mail sending script and we can null-route it easily to mitigate spamming activity on server.

Here we go!

Steps to find the spam mailing script location?

Step 1 : SSH to your server as root user.

Step 2 : Execute the command pasted below:

# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

The above command will displays the total count of emails sent and the corresponding directory/location which is responsible for those spam emails. You can also refer this topic, Command line tips & tricks to find out Spam emailing scripts location!

Example

# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
     ...........
     ...........
    370 /home/$USER1/public_html
    386 /home/$USER2/public_html
    415 /home/$USER3/public_html
    470 /home/$USER4/public_html
    620 /root
   1409 /home/$USER5/public_html/link
   6340 /home/$USER6/public_html
  63898 /etc/csf

The above command check all details from the email log /var/log/exim_mainlog and lists the result. If you only need the recently active Spamming script details, you can grep the email log with current date.

The command below will find out scripts which are sending emails most recently!

grep cwd /var/log/exim_mainlog  | grep $(date +%Y-%m-%d) | grep sendmail | grep public_html | awk '{print $3}' | sort | uniq -c | sort -n

That’s it! Please try it and let me know if you have any questions.

 

Related Links:
Check spamming – Exim.
Remove all frozen emails from mail queue.
Delete locked mails from mail queue.
Exim Log line flags.
Exim log file paths in WHM/cPanel & Directadmin.

Arunlal Ashok

Linux Server Administrator. I'm managing Linux servers since 2012. I started this blog to share and discuss my ideas. Check My Profile!! in uPwork (oDesk) and let me know if you need any assistance. Thanks!!

You may also like...

9 Responses

  1. Abdi says:

    1 /home/user1/public_html/english/wp-admin
    1 /home/user2/public_html
    2 /home/user3/public_html/folder
    2 /home/user4/public_html
    2 /root
    5 /home/user5/public_html
    8 /home/user6/public_html
    485 /home/user6/public_html
    I have found i want to find the find that sending the spam and delete it what i have to do?

    • Arun Lal says:

      Hello Abdi,

      From the log that you’ve provided, the “user6″ sent about 485 emails and the emails have been sent from the public_html folder. There may be a PHP mailer or a script that send emails. Please check if there’s any vulnerable scripts in the public_html folder. You can use maldet to find any vulnerable scripts. If you’ve any contact forums, then please enable captcha for the forums to avoid spamming from this forums. Hope this info help you 🙂

  2. Abdi says:

    I have scanned with Linux Malware Detector but didn’t see any thing every thing is clean, how to find if there is PHP mailer i am not the owner of the website just i have hosted the website also the website is not forum it is news

    Thanks
    Abdi

  3. Alex Thorn says:

    OMG i just found the script and deleted it,so far no new mail wow if you saved my server i want to send you a big kiss hahaha thank you

  4. Alex Thorn says:

    mail que still clean, i think this worked, i pray to God they will not hackback in to put any scripts back on, great command this will make detection easy now

    please do contact me,

    thanks

    Alex

  5. Alex Thorn says:

    your command is makingit easy to find the mailing script

    but daily the hacker is still managing to put the script back on the server in different locations, i am not able to keep them out.

    how do i find out the way he is putting the files on the server??? and of course stop that from happening

    nothing i have tried is working

    thanks for the help

    Alex

  6. reza says:

    Hello,
    Thank you for commands.
    They work good.

    regards

Leave a Reply

Your email address will not be published. Required fields are marked *