CentrioHost Blog



How to track Exim email spam on a cPanel server


A cPanel server uses Exim as its mail server. There is a never-ending war against spam on the internet. Spam sent from your server is probably due to insecure forms or an improper Exim configuration. Here are some tips, using Exim commands, that will help you find which user on your server is sending massive amounts of spam email.

    • Step 1 : Get a total summary of cPanel users sending spam email
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -n | uniq -c | sort -bg

A sample result is as follows,

      
      4 kfmm
      7 pa4you
      7 sugigarn
      8 exnernu
     12 guldbrand
     24 silvatica
     33 danskhundecenter
     35 netrod
     41 orkhullet
     59 ksgabwpp
     81 sarastorm
     84 holm
    134 ohigh
    201 nordicparts
    754 sarasperler
    • Step 2 : Find the document roots from which the emails originate, and how many emails each one sends.
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' |grep cwd | sort -n | uniq -c |  sort -n

A sample result is as follows,

      7 cwd=/home/pa4you/public_html
      8 cwd=/home/guldbrand/public_html
     10 cwd=/home/netrod/soulx.com
     10 cwd=/home/ohigh/school.rpq.dk/dream-portfolio
     23 cwd=/home/netrod/soulx.net/wp-admin
     24 cwd=/home/silvatica/public_html
     25 cwd=/home/danskhundecenter/70201080.dk
     33 cwd=/home/sarastorm/public_html/wp-admin
     41 cwd=/home/orkhullet/public_html
     48 cwd=/home/sarastorm/public_html
     49 cwd=/home/ksgabwpp/public_html/mygear
     83 cwd=/home/holm/public_html
    121 cwd=/home/ohigh/kollenso.net
    200 cwd=/home/nordicparts/public_html
    753 cwd=/home/sarasperler

    • Step 3 : Test whether any live script is sending spam right now from the above paths.

Syntax :  ps auxwwwe | grep CPUSER | grep --color=always "PATH-TO-SCRIPT" | head

#  ps auxwwwe | grep sarasperler  | grep --color=always "/home/sarasperler"  | head
    • Step 4 : Find the IP address generating spam via the above script, so that you can block that IP.
# grep 'PATH-TO-SCRIPT' /etc/apache2/logs/domlogs/CPUSER/DOMAINNAME  | awk '{print $1}' | sort -n | uniq -c | sort -n
    • Step 5 : Check the Exim input queue for spam

Sometimes there will still be spam emails in the Exim input queue. You can find them using the following command:

# egrep -iR 'X-PHP-Script'  /var/spool/exim/input/
    • Step 6 : The eximstats tool

There is a beautiful Exim tool available called eximstats. It gives a total summary of the emails received and sent by your server. Run it as follows:

# eximstats -ne -nr /var/log/exim_mainlog
    • Step 7 : Find the SMTP spammers.

These spammers connect directly to the SMTP server on port 25 using SMTP authentication. If someone has a stolen email account and password, they can connect to the Exim SMTP port and send massive amounts of email from their desktop. This doesn't need any PHP scripts on your server. It is very dangerous.

# netstat -plan | egrep ':25|:465' | awk '{print $5}' | cut -d: -f 1 | sort -n | uniq -c | sort -n
    • Step 8 : Get a summary of the current email queue

If you have a massive number of emails in the queue, this command shows a summary of the emails sitting in the server queue. There will probably be a lot of failed emails too.

# exim -bpr | exiqsumm -c
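
The netstat count in Step 7 shows which remote IPs are connected, but not which mailbox is being abused. The script below is an added example, not part of the original post: it summarizes authenticated SMTP submissions per account from exim_mainlog, with the number of distinct source IPs, since a stolen password typically shows up as one login sending from many addresses. It assumes arrival lines record the login as A=<authenticator>:<login> (as with dovecot_login on cPanel); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Reads exim_mainlog lines on stdin; prints "MESSAGES DISTINCT_IPS ACCOUNT",
# busiest account first. $1 = minimum message count to report (default 1).
smtp_auth_summary() {
    awk -v min="${1:-1}" '
    $4 == "<=" || $5 == "<=" {        # arrival lines (field 5 if +pid is logged)
        acct = ""; ip = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^T=/) break     # subject text follows; stop parsing
            if ($i ~ /^A=[^:]+:/) {   # A=<authenticator>:<login>
                acct = $i; sub(/^A=[^:]+:/, "", acct)
            } else if (ip == "" && $i ~ /^\[[0-9A-Fa-f.:]+\]/) {
                ip = $i; sub(/^\[/, "", ip); sub(/\].*/, "", ip)
            }
        }
        if (acct == "") next          # not an authenticated submission
        msgs[acct]++
        if (ip != "" && !((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
    }
    END {
        for (a in msgs)
            if (msgs[a] >= min) printf "%d %d %s\n", msgs[a], ips[a], a
    }' | sort -rn
}

# Constructed sample log lines (documentation addresses, not real data).
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 1aaaaa-000001-AA <= sales@example.com H=(pc1) [203.0.113.10]:50111 P=esmtpsa A=dovecot_login:sales@example.com S=2101 T="Invoice" for a@example.net
2024-05-01 10:00:02 1aaaaa-000002-AA <= sales@example.com H=(pc2) [203.0.113.11]:50112 P=esmtpsa A=dovecot_login:sales@example.com S=2102 T="Invoice" for b@example.net
2024-05-01 10:00:03 1aaaaa-000003-AA <= sales@example.com H=(pc1) [203.0.113.10]:50113 P=esmtpsa A=dovecot_login:sales@example.com S=2103 T="Invoice" for c@example.net
2024-05-01 10:00:04 1aaaaa-000004-AA <= sales@example.com H=(pc3) [198.51.100.7]:50114 P=esmtpsa A=dovecot_plain:sales@example.com S=2104 T="Invoice" for d@example.net
2024-05-01 10:00:05 1aaaaa-000005-AA <= sales@example.com H=(pc4) [192.0.2.44]:50115 P=esmtpsa A=dovecot_login:sales@example.com S=2105 T="Invoice" for e@example.net
2024-05-01 10:01:00 1aaaaa-000006-AA <= info@example.org H=(laptop) [198.51.100.20]:40100 P=esmtpsa A=dovecot_login:info@example.org S=900 T="Hello" for f@example.net
2024-05-01 10:02:00 1aaaaa-000007-AA <= info@example.org H=(laptop) [198.51.100.20]:40101 P=esmtpsa A=dovecot_login:info@example.org S=910 T="Hello again" for g@example.net
2024-05-01 10:03:00 1aaaaa-000008-AA <= someone@example.net H=mx.example.net [192.0.2.1]:25 P=esmtps S=1500 T="re: A=dovecot_login:ceo@example.com" for info@example.org
2024-05-01 10:03:01 cwd=/home/constructeduser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:03:02 1aaaaa-000008-AA => info <info@example.org> R=virtual_user T=dovecot_virtual_delivery
EOF
}

sample_log | smtp_auth_summary 1
```

On a live server, feed it the real log instead of the sample: `smtp_auth_summary 50 < /var/log/exim_mainlog`.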
