Posts Tagged ‘ Exim ’

Eximstats db growing huge

If the server have heavy email activity and “The interval, in days, to retain Exim stats in the database” is set to a high value then the eximstats DB size will be very large. First you need to findout if there is any spamming activity going on the server and stop it if any. The MySQL process for huge size eximstats DB will be very CPU consuming, so consider deleting the stats and lowering the value of “The interval, in days, to retain Exim stats in the database” in WHM tweak settings.

Cleaning large eximstats mysql database:

Login to mysql

mysql> use eximstats
mysql> delete from sends;
mysql> delete from smtp;
mysql> delete from failures;
mysql> delete from defers;

Install ClamAV in Centos with Cpanel

Cpanel WHM Installation

The easiest way to install clam antivirus in cpanel is through install plugin option in Cpanel WHM .

Go > WHM > Cpanel Install Plugin > Enable Clamav Connector

Manual Installation

You can install clamav by compiling RPM packages.

1. Compiling source: download from clamav site.
2. Installing RPM package. Download

I tried to download and compile source package, but i got zlib error complaining the version not updated. so tried RPM and just able to install for myself.

By default clamav doesnt come with centos or perhaps with yum. You have to find rpm repository and install it.

Here is how you install clam antivirus (freely available) in centos running with cpanel.

yum install clamd


yum install clamav

If it doesnt work use this

rpm -Uhv

follow this instructions here based on centos version (Locate B2 in that page)

after installing that you can issue

yum install clamd


yum install clamav

either of those should work.

Once you have installed clamav in your centos…here are some of the basic commands using the software..

1. To update the antivirus database

> freshclam

2. To run antivirus and print infected files

clamav -ri /home

3. To remove infected files and emails.

clamav -ri --remove /home

3. Running as Cron Daily Job

To run antivirus as a cron job (automatically scan daily) just run crontab -e from your command line. Then add the following line and save the file.

02 1 * * * root clamscan -R /var/www

This will run the cron job daily @ 1.02 AM by scanning the public html. You can change the folder to whatever you want for mail etc.

Setup a forwarder to outbound email

To set up forwarder for an outbound email,  paste the following code in /etc/system_filter.exim



if first_delivery
and (“$h_from:” contains ““)
and not (“$h_X-Spam-Checker-Version:” begins “SpamAssassin”)
unseen deliver “


This will froward a copy of mail sent from to

Blocking Spam in Exim with URI Block Lists


Refer :

MailIP Blacklist And Spamming

Top 5 users sending maximum emails on the server:

 grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

 eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

Top 5 mail receivers:

egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'

Script to check path for the script used for spamming

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

If there is large number of hits from an IP,block the IP

tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c

command to delete frozen mails

exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm

Following command will show path to the script being utilized to send mail

  • ps -C exim -fH eww
    ps -C exim -fH eww | grep home
    cd /var/spool/exim/input/
    egrep "X-PHP-Script" * -R

If anyone is spamming from /tmp

  • tail -f /var/log/exim_mainlog | grep /tmp

To display the IP and no of tries done the IP to send mail but rejected by the server.

  • tail -3000 /var/log/exim_mainlog |grep ‘rejected RCPT’ |awk ‘{print$4}’|awk -F\[ ‘{print $2} ‘|awk -F\] ‘{print $1} ‘|sort | uniq -c | sort -k 1 -nr | head -n 5

Shows the  connections from a certain ip to the   SMTP server

  • netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1

To shows the domain name and the no of emails in queue

  • exim -bp | exiqsumm | more

If  spamming from outside domain then you can block that domain or email id on the server

  • pico /etc/antivirus.exim

Add the following lines:

if $header_from: contains “”
seen finish

Catching spammer

Check mail stats

exim -bp | exiqsumm | more

Following command will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” | sort | uniq -c | sort -n

That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n

Check if any php script is causing the mass mailing with

cd /var/spool/exim/input

egrep “X-PHP-Script” * -R

Just cat the ID that you get and you will be able to check which script is here causing problem for you.

To Remove particular email account email

exim -bpr |grep “”|awk {‘print $3′}|xargs exim -Mrm

Forwarding all mails from a domain to a Specific Email ID

You can use the code below to forward all mails from a domain to a specific email ID, it will work for newly created mail accounts automatically.

Add the code below at the end of “/etc/system_filter.exim”

Here, all the mails from are forwarded to; change the domain name ( and mail id ( as per the requirement.

if ( foranyaddress $reply_address,$return_path,$sender_address,$header_from,$h_from,$h_to:,$h_cc:,$h_bcc:,$recipients
   ( $thisaddress contains ))  and ( $header_X-Ref-Type  does not contain yes )
   headers add "X-Ref-Type: yes\n"
     unseen deliver

Setting maximum mailsperhour for a domain

You can set maximum mails per hour for domain by following steps

a) Edit the file

vi /var/cpanel/user/user-name

Add the entry MAX_EMAIL_PER_HOUR=number

b) After saving the file , run the script

/scripts/update_email_limits user-name

This will create corresponding domain entry in /var/cpanel/maxemailsperdomain