We are here discussing different commands which can be used in find spamming in an Exim mail server,
1. Hourly count of sent mail for a domain, by specifying the domain and date.
DOMAIN='<DOMAIN>';DATE='YYYY-MM-DD';o1=`for i in $(grep $DOMAIN /var/log/exim_mainlog|grep $DATE|egrep "A=fixed|A=<LOGIN>"|awk {'print $4'}|sort|uniq);do grep $i /var/log/exim_mainlog;done|grep -v "retry time not reached for any host"`;unset DOMAIN;unset DATE;o2=`echo "$o1"|awk {'print $2'}|cut -d: -f1|sort| uniq -c`;echo " COUNT HOUR";echo "$o2";unset o1;unset o2;
DOMAIN : domain.com without www
YYYY-MM-DD : Date like 2011-11-03
LOGIN : dovecot_login / courier_login
Replace all instances of above terms with appropriate values from now on.
2. How many emails have been sent per email address for the specified domain.
grep somedomain.com /var/log/exim_mainlog | grep courier_login | awk -F"courier_login:" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
3. Show how many emails have been sent from ALL domains since the beginning of the log.
cat /var/log/exim_mainlog | grep "A\=<LOGIN>" | awk -F"A=<LOGIN>:" {'print $2'} | cut -f1 -d' ' | sort | uniq -c | sort -n | awk {'print $1, " unique emails sent by " , $2'}
4. Delete mail in queue from a certain user.
for i in $(exim -bp|grep user@domain.com|grep -|grep @|awk {'print $3'});do exim -Mrm $i;done
5. Find the source path if from address is being forged.
echo -ne “What cpanel user: “; read p; cat /var/log/exim_mainlog | grep cwd | grep -v /var/spool | awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’ | sort | uniq -c | sort -n | grep $p
6. Find the files that sends mail via phpMail.
find ./ -name \*.php -exec grep -l "mail(" {} \;
7. Show user and number of connections to IMAP.
ps -ef |grep imap | awk ‘{print $1}’ | sort | uniq -c | sort -g -k 1 | tail
8. Fix Shadow file permission.
If the user receives mail, but can not send and all settings are correct
find /home/<user>/etc -type f -name shadow -exec chmod 644 {} \;
9. Show the number of failed logins per IP (Check if the user is being brute forced).
grep FAILED /var/log/maillog |awk ‘{print $9}’ |sort -n|uniq -c |sort -n |tail -7
10. Shows number of failed logins, the IP doing the failing, and how many different users were attempted to be logged into:
awk -F”ffff:” ‘/FAILED/ {IP[$NF]++;}END{ for ( host in IP ) print IP[host]” “host}’ /var/log/maillog | awk ‘{ if ( $1 > 99 ) print $0}’ | sort -nk1 | sed ‘s#]##’ > IPS; for IP in `awk ‘{print $2}’ IPS`; do echo -n $(grep $IP IPS); echo -n ” – Failed users: “; grep $IP /var/log/maillog | awk -F”user=” ‘/FAILED/ {print $2}’ | cut -d, -f1 | sort | uniq | wc -l; done
Will show something like:
135 50.75.12.41 – Failed users: 3
11. Show all the emails in queue by domain.
exim -bp | /usr/sbin/exiqsumm
12. Show you all the emails in queue by email account
exim -bp|awk 'NF>1{print $4}' | sort | uniq -c |sort -nk1
13. Force delivery of one message
exim -M <messageID>
14. View the log for the message.
exim -Mvl <messageID>
15. View the header of the message
exim -Mvh <messageID>
16. View the body of the message
exim -Mvb <messageID>
17. Remove message without sending any error message.
exim -Mrm <messageID>
18. Number of frozen mails in the queue
exim -bpr | grep frozen | wc -l
19. Deleting frozen Messages
exim -bpr | grep frozen | awk {'print $3'} | xargs exim -Mrm
OR
exiqgrep -z -i | xargs exim -Mrm
20. Check to see how many emails are in queue for domain.com, run the following:
exim -bp | grep ‘domain.com>’
Make sure the ‘>‘ is in there because that character appears in the sending field. If you don’t, then it will show you the to and from results.
21. Top 50 domains using mail server sorted by different criteria.
eximstats -ne -nr /var/log/exim_mainlog
22. Show the IPs which are connected to server through port number 25.
netstat -plan | grep :25 | awk {‘print $5′} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
23. Find “nobody” spamming (Only works when the spamming is going on).
ps -C exim -fH ewww | awk ‘{for(i=1;i<=40;i++){print $i}}’ | sort | uniq -c | grep PWD | sort -n
It will give some result like:
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)
24. Remove all mails from ‘<>’
exim -bp | grep “<>” | awk ‘{print $3}’ | xargs exim -Mrm
