MailIP Blacklist And Spamming

Top 5 users sending maximum emails on the server:

 grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

 eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

Top 5 mail receivers:

egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'

Script to check path for the script used for spamming

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

If there is large number of hits from an IP,block the IP

tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c

command to delete frozen mails

exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm

Following command will show path to the script being utilized to send mail

  • ps -C exim -fH eww
    ps -C exim -fH eww | grep home
    cd /var/spool/exim/input/
    egrep "X-PHP-Script" * -R

If anyone is spamming from /tmp

  • tail -f /var/log/exim_mainlog | grep /tmp

To display the IP and no of tries done the IP to send mail but rejected by the server.

  • tail -3000 /var/log/exim_mainlog |grep ‘rejected RCPT’ |awk ‘{print$4}’|awk -F\[ ‘{print $2} ‘|awk -F\] ‘{print $1} ‘|sort | uniq -c | sort -k 1 -nr | head -n 5

Shows the  connections from a certain ip to the   SMTP server

  • netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1

To shows the domain name and the no of emails in queue

  • exim -bp | exiqsumm | more

If  spamming from outside domain then you can block that domain or email id on the server

  • pico /etc/antivirus.exim

Add the following lines:

if $header_from: contains “name@domain.com”
then
seen finish
endif

Catching spammer

Check mail stats

exim -bp | exiqsumm | more

Following command will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” | sort | uniq -c | sort -n

That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n

Check if any php script is causing the mass mailing with

cd /var/spool/exim/input

egrep “X-PHP-Script” * -R

Just cat the ID that you get and you will be able to check which script is here causing problem for you.

To Remove particular email account email

exim -bpr |grep “test.org”|awk {‘print $3′}|xargs exim -Mrm

Advertisements
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: