Find the Origin of Spam Emails in cPanel Using Exim


When unsolicited messages are sent in bulk through a messaging system, this is called spamming. Email spam is the most widely known form, but spamming also occurs on other platforms: instant-message spam, web search-engine spam, wiki spam, internet forum spam, social spam, and more.

Common types of spam include email spam, comment spam, trackback spam, phishing spam, foreign bank spam, and more. Exim is the Mail Transfer Agent (MTA) that handles email delivery on your server. All mail activity, including mail sent through scripts, is logged by Exim.

Because Exim keeps all of this activity in its logs, you can use it to find the origin of spam emails in cPanel. Run the following commands to check for spammers and spam emails on a cPanel server.

Find the Spammer's IP

To find the IP address of the spammer or attacker, run the following command:

# grep "massmailer.php" /home/<username>/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n

Sorted List of Email Senders

The Exim mail queue holds all the emails sent by every user. To count the number of queued emails per sender, run the following command:

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

This sorts the list of email senders and displays output similar to the one shown below:

1        abc@testdomain.com
3        sales@test1domain.com
5        root@testdomain.co.in
29       admin@testdomain.in
178      xyz@test1234domain.com

In the result above, we can see that the email address 'xyz@test1234domain.com' is sending a large number of emails.

Check the Spam-Originating Script

To check which script is originating the spam email, run the following commands:

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++)print $i}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") print $3 }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

Of the three commands above, the third is a condensed form of the first two: it cuts the path down to the username, so it counts per account rather than per directory. The first two commands should produce output similar to the one shown below:

8        cwd=/home/test1/public_html
11       cwd=/home/test2/public_html/a1/www
16       cwd=/home/test3/public_html
81       cwd=/home/test4/public_html
170      cwd=/home/test5/public_html/web
760      cwd=/home/test6/public_html/foro
802      cwd=/home/test7/public_html/web
124340   cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
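The three commands above all reduce to one pipeline: pull the cwd= token out of each exim_mainlog line, then sort | uniq -c | sort -n. The shell script below is an added example, not part of the original article; it runs that pipeline against a few constructed exim_mainlog lines (not real log data) and scans every field for the cwd= token instead of assuming it is always field 3, so it also copes with lines whose prefix fields differ. The function names sample_mainlog, count_cwd, count_home_cwd and top_cwd are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): count the working directory
# (cwd=...) that Exim records for every locally submitted message, so the
# directory spawning the most mail stands out. The log lines below are
# constructed samples in exim_mainlog style, not real server data.

sample_mainlog() {
    cat <<'EOF'
2023-01-01 10:00:01 cwd=/home/test1/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:02 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:03 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:04 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:05 1aBcDe-000001-Ab <= xyz@example.invalid H=localhost [127.0.0.1] P=esmtp S=1234
2023-01-01 10:00:06 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:07 cwd=/home/test6/public_html/foro 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Read exim_mainlog lines on stdin; print "<count> cwd=<dir>" for every
# cwd= token, least frequent first. Scanning every field (rather than a
# fixed "print $3") keeps this working if the leading fields shift.
count_cwd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) print $i }' \
        | sort | uniq -c | sort -n
}

# Same, but only directories under /home (script-driven mail from accounts);
# cwd=/ entries from system mail are dropped.
count_home_cwd() {
    count_cwd | grep 'cwd=/home'
}

# Print just the single busiest directory (last line after sort -n).
top_cwd() {
    count_cwd | tail -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample log.
sample_mainlog | count_cwd
```

On a real server replace the sample with the log itself, for example `count_cwd < /var/log/exim_mainlog`; the output format matches the listing above, so the busiest directory is again the last line.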

Find the Actual Spamming Script

The following command shows the currently running spamming script. You can find the actual spamming script on the mail server at any time using this command:

# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head

For example,

# ps auxwwwe | grep test | grep --color=always "/home/test/public_html/wp/wp-content/themes/twentyeleven" | head

After you find the actual script, you can get the IP address responsible for the spamming using the following command. It lists the IP addresses together with the number of accesses. The IP address with the highest number of accesses is probably the one causing the spamming. You can block that IP address in the CSF or APF firewall.

# grep "<script_name>" /home/<user>/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n
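The command above counts, per client IP, the requests to a given script in the account's access log. The shell script below is an added example, not part of the original article; it runs the same count over a few constructed access-log lines in Apache combined-log format (not real traffic) and adds a threshold so that only IPs above a chosen request count are printed as candidates for a firewall block. The function names sample_access_log, script_hits and block_candidates are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): count the client IPs that
# requested a given script in an Apache/cPanel access log and list the ones
# at or above a request threshold as candidates for a firewall block.
# The log lines below are constructed samples, not real traffic.

sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [01/Jan/2023:10:00:01 +0000] "POST /wp-content/themes/twentyeleven/massmailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2023:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2023:10:00:03 +0000] "POST /wp-content/themes/twentyeleven/massmailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2023:10:00:04 +0000] "POST /wp-content/themes/twentyeleven/massmailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2023:10:00:05 +0000] "POST /wp-content/themes/twentyeleven/massmailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Usage: script_hits SCRIPT_NAME < access_log
# Prints "<count> <ip>" for each client IP that requested SCRIPT_NAME,
# busiest last. grep -F treats the script name literally (the "." is not
# a regex wildcard); the client IP is the first field of each log line.
script_hits() {
    grep -F -- "$1" | awk '{ print $1 }' | sort | uniq -c | sort -n
}

# Usage: block_candidates SCRIPT_NAME THRESHOLD < access_log
# Prints only the IPs whose request count for SCRIPT_NAME is >= THRESHOLD.
# After uniq -c the count is awk field 1 and the IP is field 2.
block_candidates() {
    script_hits "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Stand-alone run: IPs that hit massmailer.php at least 3 times in the sample.
sample_access_log | block_candidates massmailer.php 3
```

On a real server feed the account's log instead, for example `block_candidates massmailer.php 50 < /home/<user>/access-logs/<domainname>`, and review the listed IPs before adding them to CSF or APF.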

Other Scripts:

If a PHP script is being used to send mail, you can use the following command to find the script sending the email:

# egrep -R "X-PHP-Script" /var/spool/exim/input/*

To list the top 50 domains using the mail server, run the following command:

# eximstats -ne -nr /var/log/exim_mainlog

You can use the command below to check from which user's home directory the mail is being sent. This makes tracking the email easy, and we can block it if necessary.

# ps -C exim -fH ewww | grep home

List IPs Connected to the Server Through Port 25

You can use the following command to list all IPs connected to the server through port 25. If a particular IP is exceeding the connection limit of 10, you need to block that IP in the server firewall.

# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

Find the "nobody" Spamming Issue

If the spamming is currently in progress and you want to find the "nobody" spamming issue, run the command below:

# ps -C exim -fH ewww | awk '{for(i=1;i<40;i++)print $i}' | sort | uniq -c | grep PWD | sort -n

The above command should give output similar to the one shown below if spamming is currently running:

6 PWD=/
348 PWD=/home/sample/public_html/abc

We need to count the PWD entries; if one has a large count, you need to check the files in that directory. If the directory is "/", "/var/spool/mail" or "/var/spool/exim", you can ignore it.

If the spamming happened some time ago, run the following command to find the "nobody" spamming issue:

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++)print $i}' | sort | uniq -c | grep cwd | sort -n

Display the Summary of Spam Mails

To display a summary of the mails in the mail queue, run the following command:

# exim -bpr | exiqsumm -c | head

The above command should display output similar to the one shown below:

Count    Volume    Oldest    Newest    Domain
-----    ------    ------    ------    ------
114      171KB     24h       28m       test123domain.com
15       28KB      36h       7m        gmail.com
5        10KB      34h       10h       test3domain.com
4        8192      27h       4h        yourdomain.com
4        75KB      7m        7m        server.domain.com
3        6041      22h       42m       test_abc.com

This is how you find the origin of spam emails in cPanel using Exim. If you need any further assistance, please reach out to our support department.
