
Friday, 17 January 2014

Exim - Find Spammer

Steps to find the origin of spam mails

Find the total number of messages in the Exim queue:
# exim -bpc
To get a summary of the queue grouped by domain, sorted by message count:
# exim -bp | exiqsumm -c | head
To get a sorted list of senders in the Exim mail queue, the command below shows the number of queued mails from each one:
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
You will get a result like the following:

1 mridul@testdomain.com
2 prasanth@test1domain.com
3 nithin@test123.com
4 stebu@testdomain.co.in
29 eljo@testdomain.in
124 hacker@test123domain.com

Print the total number of queued mails from an e-mail ID:
# exiqgrep -f <e-mail@domain> -i | wc -l
To print the message IDs of the queued mails from an e-mail ID:
# exiqgrep -f <e-mail@domain> -i
From the list of message IDs, open one or two mails (header, body and log respectively) using:

# exim -Mvh <message_ID>
# exim -Mvb <message_ID>
# exim -Mvl <message_ID>
You'll see an "auth_id" entry in the mail header. If that authenticated user is the spammer, stop it by changing the e-mail password of the authenticated user's e-mail ID/domain.

The spamming should stop now. If it does not, evaluate the exim_mainlog:
# tail -f /var/log/exim_mainlog | grep login
This shows the spam currently going through Exim. Evaluate the log and check who is currently spamming; you'll get the IP address used for spamming. Block the IP with:
# csf -d <IP_address>
Suspend the user to secure the server.


To remove the mails from a specific user, type:
# exiqgrep -f <e-mail@domain> -i | xargs exim -Mrm

To remove mailnull (<>) mails from the mail queue, type:
# exiqgrep -f "<>" -i | xargs exim -Mrm


If the spammer is sending mails using scripts:


Check the mail log to find which home directory is used for spamming:

# tail -f /var/log/exim_mainlog|grep home

The following commands identify the directories from which scripts originate spam mails:

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
You will get a result like the following for the first two commands. The third command is a variant of the first two that shows only the user name:
9 cwd=/home/test1/public_html
10 cwd=/home/test2/public_html/a1/www
15 cwd=/home/test3/public_html
91 cwd=/home/test4/public_html
178 cwd=/home/test5/public_html/web
770 cwd=/home/test6/public_html/foro
803 cwd=/home/test7/public_html/web
124348 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
To find the exact spamming script, the following command shows the spamming script running right now. It is useful on any mail server to locate the script that is sending mails:
# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head
Usage of the above command, for the busiest directory from the earlier output:
# ps auxwwwe | grep test8 | grep --color=always "/home/test8/public_html/wp/wp-content/themes/twentyeleven" | head
Once you find the exact script, the following command lists the IP addresses that accessed it, taken from the domain's access log. The IP address with the highest number of hits is most probably the one causing the spamming; you can block it in the csf or apf firewall.
# grep "<script_name>" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n
The following command shows which script is being used to send the e-mail. If the mail is sent from PHP, use:
# egrep -R "X-PHP-Script" /var/spool/exim/input/*
This shows the top 50 domains using the mail server, with the given options:
# eximstats -ne -nr /var/log/exim_mainlog
This shows from which user's home directory mail is currently going out, so that you can easily trace it and block it if needed:
# ps -C exim -fH ewww | grep home
This shows the IPs connected to the server on port 25. If one particular IP is using more than 10 connections, you can block it in the server firewall:
# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
To find "nobody" spamming, issue the following command:
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
It will give a result like:

Example:
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD entries; if one has a large value, check the files in the directory listed in PWD
(ignore it if it is /, /var/spool/mail or /var/spool/exim).

The above command is valid only if the spamming is currently in progress. If the spamming happened some hours earlier, use the following command:
# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
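The two log checks above (counting "cwd=" directories in exim_mainlog, and grepping the log for "login" to see which authenticated user and IP is submitting mail) can be combined into one small script. This is an added example, not the original post's commands; the log lines it reads are constructed samples in the format Exim writes when log_selector includes +arguments, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of exim_mainlog lines (not a real log): four "cwd=" entries
# from local sendmail invocations and three authenticated (A=...login) submissions.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-01-17 10:00:01 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2014-01-17 10:00:02 1W3xyz-0001Ab-Cd <= eljo@testdomain.in H=(win) [203.0.113.5] P=esmtpa A=dovecot_login:eljo@testdomain.in S=1200
2014-01-17 10:00:03 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2014-01-17 10:00:04 cwd=/home/test1/public_html 3 args: /usr/sbin/sendmail -t -i
2014-01-17 10:00:05 1W3xyz-0001Ac-Ef <= eljo@testdomain.in H=(win) [203.0.113.5] P=esmtpa A=dovecot_login:eljo@testdomain.in S=1180
2014-01-17 10:00:06 1W3xyz-0001Ad-Gh <= mridul@testdomain.com H=(mac) [198.51.100.9] P=esmtpa A=dovecot_login:mridul@testdomain.com S=900
2014-01-17 10:00:07 cwd=/ 3 args: /usr/sbin/exim -bd
EOF

# Directories under /home that local scripts sent mail from, busiest last.
# Same idea as the grep "cwd=/home" pipeline in the post; "cwd=/" and the
# spool directories never match because they are not under /home.
top_spam_cwd() {
    awk '$3 ~ /^cwd=\/home/ { print $3 }' "$1" | sort | uniq -c | sort -n
}

# Authenticated submissions per (client IP, authenticated user), busiest last.
# The IP comes from the [..] after H=, the user from the A=<authenticator>:<user> field.
top_auth_ips() {
    grep 'login' "$1" \
      | sed -n 's/.*\[\([0-9.]*\)].*A=[^:]*:\([^ ]*\).*/\1 \2/p' \
      | sort | uniq -c | sort -n
}

# Helpers that return only the busiest entry as "count value(s)".
busiest_cwd()  { top_spam_cwd "$1" | tail -n 1 | awk '{print $1, $2}'; }
busiest_auth() { top_auth_ips "$1" | tail -n 1 | awk '{print $1, $2, $3}'; }

echo "Busiest script directory: $(busiest_cwd "$SAMPLE_LOG")"
echo "Busiest authenticated sender: $(busiest_auth "$SAMPLE_LOG")"
```

Point both functions at /var/log/exim_mainlog instead of the sample file on a live server; the busiest directory is where to look for the script, and the busiest IP/user pair is the login whose password to change and the address to block.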

To remove bounced emails from the server:

  • # cd /var/spool/exim/input
  • # find . -type f -iname '*' -exec grep -li "Failed" {} \; -exec rm {} \;

To remove all messages from the queue, enter:

# exiqgrep -i | xargs exim -Mrm
or
# exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash
or

Open a new screen using the screen command:

# screen

Change directory with:

# cd /var/spool/exim/input/

Remove all files and directories to clear the entire queue:

# rm -rf *

That's it, the entire mail queue is cleared by this. :-)
