How to check spamming on server which has Exim MTA?

Electronic spamming is the use of electronic messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same site.

It happens in many ways on a mail server. Spamming is one of the common and frequent problem in web hosting industry. Spamming can cause your server’s IPs blocked at different RBLs, if any accounts in your server sends multiple spam emails.

We can simply check and confirm whether the emails sending from accounts are real or spam by analyzing the email queue. In a cPanel server, the default MTA (Mail Transfer Agent) is Exim. Exim has different command line options to identify spam.

What is a Linux container?

An intro to Linux containerisation.

Basic: Containerisation helps to isolate processes. You can run your App/Services as an isolated process, running from a distinct image that provides all files necessary to support the processes.

Basically Linux containers are OS level virtualisation technique for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

In most cases we will get the details from the email header itself, also we can check the body of that email and the email log by using different command-line options. After reading this article, you will get a clear idea on how to identify spamming on a server which uses Exim as MTA.

To check this, log into server as root.

To count emails in queue

exim -bpc

This command shows the total number of emails in the queue. If the count is high (>2000), the probability for spamming is also high.

Example

# exim -bpc
52

To list emails with more details

exim -bp

This command will give you a close look to the emails in the queue. It will give details like message ID, sender, recipient, size and age of mail. From this, the message ID is useful to find out the details like header, body and log. That will discussed in detail later.

Example

# exim -bp
44h 763 1VGaIo-0002ec-RM <[email protected]>
[email protected]

10h 5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
[email protected]

0m 502 1VHFNl-0003bf-GB <[email protected]>
[email protected]

0m 568 1VHFNl-0003bn-Tq <[email protected]>
[email protected]

# 1st field: Age (Eg : 44h)
# 2nd field: Size (Eg : 5.9K)
# 3rd field: Message ID (Eg : 1VGaIo-0002ec-RM)
# 4th field: Sender (Eg : [email protected])
# 5th field: Recipient (Eg : [email protected])

By using the ID we can analyse the header, body and the log information of emails in the queue.

exim -Mvh ID

This command displays the message header. From its output, we can check a lot of details about the email like; from address, to address, subject, date, script etc.

exim -Mvb ID

Displays the message body.

exim -Mvl ID

It displays the log of email. From this log, you can identify the user who created this emails and a lot more…

Spamming can occur in many ways. Here I am explaining some instances of spamming. It occurs mainly through vulnerable PHP scripts or by compromising the email account’s password.

Example: Spamming from PHP script

208P Received: from $user by server.ahostname.com with local (Exim 4.82)
(envelope-from <[email protected]>)
id 1YZUIE-00013s-Sp
for [email protected]; Sat, 21 Mar 2015 21:03:06 -0400
027T To: [email protected]
019 Subject: Hi there
091 X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php for "IP.Address"
023 X-Priority: 3 (Normal)

From the header itself, we can find out the email reputation. If you find “X-PHP-Script” in the email header, you can confirm that, those emails were sent out from a PHP script. In the above example the emails were sent from PHP script (X-PHP-Script: domain.com/templates/yoo_revista/warp/menus/page.php). In this case we have to check the scripts in the problematic account.

In this case, please make sure that you are using latest version of CMS (Eg; WordPress, Joomla etc), plugins and themes. 

Analyzing email count with sender

This’s very important while checking spamming. This command will sort out the email count with its sender name from the Exim mail queue. From this output we can analyse the email account who is sending large emails.

exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n

Example

See the example below:

[[email protected]]# exim -bpr|grep "<"|awk {'print $4'}|cut -d"<" -f2|cut -d">" -f1|sort -n|uniq -c|sort -n
3 [email protected]
1

Another way using “exiqgrep

exiqgrep -f sendername|grep "<"|wc -l

This command displays the total count of emails that sent by a particular user.

Example

[[email protected]]# exiqgrep -f [email protected]|grep "<"|wc -l
3

Similarly -r switch with exiqgrep is using for recipient.

exiqgrep -f recipient|grep "<"|wc -l

Refer this for more details >> count emails in Exim mail queue for a specific sender/receiver <<

Removing emails from queue

The exim command to remove emails from queue is;

exim -Mrm

To delete all emails from queue for a particular sender.

exim -bpr| grep sendername| awk '{print $3}'|xargs exim -Mrm

The “awk” part prints the messages IDs to remove. This will give to the input of “exim -Mrm” by using xargs function.

To remove all emails from the queue, here is a quick solution >> remove all emails from the queue <<

Frozen emails

The sender field must have the word “frozen“. To displays the total count of frozen emails in queue, we can use the following command.

exim -bp|grep frozen|wc -l

Removing frozen emails

exim -bp|grep frozen|awk {'print $3'}|xargs exim -Mrm

We can simply remove all frozen emails from the queue by using the “exiqgrep” command. Please refer the following link >> Quick way to remove all frozen emails from the email queue <<

exim -bp|exiqsumm

The above command will print the summary of emails in queue.

Example

# exim -bp|exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
1 6041 11h 11h facebook.com
1 763 45h 45h interia.pl
---------------------------------------------------------------
2 6804 45h 11h TOTAL
exiwhat

It displays, what exim is doing right now. See the below example:

# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

Related posts

1, Exim Log line flags
2, Command to find the mail that we have sent is completed or not!

, , ,

Post navigation

Arunlal Ashok

Linux Systems Architect at Endurance International Group. I know her (Linux) since many years. Linux lover. Like to play on Linux console. I started this blog to share and discuss Linux thoughts.

Always happy for an open discussion! Write to arun (@) crybit (dot) com. Check about me for more details. About this blog and our strong members, check The team CryBit.com

25 thoughts on “How to check spamming on server which has Exim MTA?

  1. Nice commands…..
    It good to learn such command as it save alot of time reading logs….more commands over this will be appreciated..

  2. Instead of utilizing the word count method when using exiqgrep try the following as this will give a comparison to the overall number of mails in the queue:

    exiqgrep -cf [email protected]

    The output would simply be something like 100 out of 3000 mails in queue

Leave a Reply

Your email address will not be published. Required fields are marked *