We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

ndzlogo-1-1
90%
Loading ...

+914846689999

sales@ndz.co

NDZ WorldWide

INDIA – HEADQUARTERS

INDIA

SINGAPORE

DUBAI

UNITED STATES

CANADA

AUSTRALIA

SWITZERLAND

Troubleshoot Spamming in exim

by | Apr 28, 2013 | Email | 0 comments

The below script will help you to find the mail count by various accounts.

grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n

The number of mails by a domain

exigrep @domain.com /var/log/exim_mainlog|grep 2012-03-17|grep Completed | wc -l

1)Run this command in the server as root user: ps -C exim -fH ewww |grep home, it shows the mails going from the server.
It shows from which user’s home the mail is going, so that you can easily trace it and block it if needed.

2)Run this command in the server as root user: eximstats -ne -nr /var/log/exim_mainlog
It shows top 50 domains using mail server with options.

3)Run this command in the server as root user: exim -bp | exiqsumm
It shows the main domains receiving and sending mails on the server.

4)Run this command in the server as root user: netstat -plan|grep :25|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1
It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 10 connection you can block it in the server firewall.

5)In order to find “nobody” spamming, issue the following command

ps -C exim -fH ewww|awk ‘{for(i=1;i<=40;i++){print $i}}’|sort|uniq -c|grep PWD|sort -n

It will give some result like:
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

Command :
grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n
This will result in something like :
47 cwd=/root
8393 cwd=/home/sample/public_html/test

Count the cwd and if it is a large value check the files in the directory listed in cwd
(Ignore if it is / or /var/spool/mail /var/spool/exim)

Provide the below mentioned command at your terminal/command prompt to find the domain which is being used by spammers.

exim -bp

exim -bpr | exiqsumm -c | head

Then,

exiqgrep -ir | xargs -n1 exim -Mrm

That should remove any e-mail that is in the queue that is waiting to be delivered to POP accounts at.

Submit a Comment

Your email address will not be published. Required fields are marked *