How to check and stop spamming on server / Exim MTA

What is spamming?

Spam is unsolicited messaging sent in bulk over the internet or any other electronic messaging system, usually for advertising, and it is a regular and recurring problem in the web hosting industry. On a mail server it can originate in several ways. If a lot of spam leaves the server, or if any account on your server sends spam in bulk, your server IP will be blacklisted at various RBLs (real-time blackhole lists) and receiving servers will start rejecting legitimate mail from every account on it. So, how do you check for and stop spamming on an Exim MTA server? Read on to learn how to identify spamming activity on the server and what steps and precautions to take.

We can check whether the emails leaving the accounts are genuine or spam by inspecting the mail queue. Exim is the default MTA (Mail Transfer Agent) on cPanel servers, and it has many command-line options for checking mail activity on the server.

From the email header we get the full details of a message; with other command-line options we can also view the body and the delivery log. After going through this article you will have a good idea of how to find spamming on an Exim server.

Now log in to the server as the root user (the commands below read Exim's spool, so they need root or the exim user):

To count emails in the queue

exim -bpc

The above command prints the total number of messages in the queue. A queue that is far larger than the server's normal volume is a warning sign; the rule of thumb used here is that more than 2000 queued messages deserves a closer look.

Example

# exim -bpc

52

To list the emails with more details, use the following command:

exim -bp

It prints the age, size, message ID and envelope sender of each message on one line, with the recipient on the following indented line. From the message ID we can then look up the details of the mail: its header, body and log.

Example

# exim -bp

44h   763 5HKsLr-5672ud-MN <sender@sender.com>
          recipient@gmail.com

10h  5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m   502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m   568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com

# 1st field: Age (Eg: 44h)
# 2nd field: Size (Eg: 5.9K)
# 3rd field: Message ID (Eg: 5HKsLr-5672ud-MN)
# 4th field: Sender (Eg: sender@sender.com); an empty sender <> is a bounce message
# 5th field: Recipient (Eg: recipient@gmail.com), on the indented line below

From message ID we can analyze the body, header, and log information of emails.


Refer below to some basic commands

The command below displays the message header (the spool header file). It shows the from and to addresses, the subject, the date, the Received trail and, for mail sent by a PHP script, the originating script (see the X-PHP-Script example further down).

exim -Mvh ID

This command will display the message body.

exim -Mvb ID

The command below displays the delivery log of the message. From the log you can identify the user who created the message, the delivery attempts made so far and their results.

exim -Mvl ID

Spamming can happen in many ways; here we go through some instances. On a hosting server it is mostly caused by an insecure PHP script (an outdated or vulnerable CMS, plugin or theme) or by a compromised email account password.

Example: Spamming from the PHP script

208P Received: from $user by server1.hostname.com with local (Exim 4.82)
(envelope-from <$user@server1.hostname.com>)
id 1YZUIE-00013s-Sp
for admin12@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: admin12@yahoo.com
019 Subject: Hi there
091 X-PHP-Script: testdomain.com/admin/yoo/folder1/menu/page1.php for IP.Address
023 X-Priority: 3 (Normal)

The header tells us where the mail originated. An X-PHP-Script header means the message was sent by a PHP script on the server; its value names the script and the client IP that requested the page. In the example above the script was testdomain.com/admin/yoo/folder1/menu/page1.php. The Received line shows the same thing from the other side: "with local" means the message was injected locally, as the account's system user, rather than submitted over SMTP. In this situation, inspect the scripts in the offending account.

Hence, go through the application in that account and make sure you are running the latest versions of the CMS (e.g. WordPress, Joomla), plugins and themes, and remove any script that is not part of the site.
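The following script is an added example written for this page; it is not code from the original article or from Exim. It reads a spool header as printed by exim -Mvh on standard input and reports where the message came from: the X-PHP-Script path for script-sent mail, the submitting system user for "with local" mail, or "authenticated-smtp" when the first Received header shows Exim's esmtpa/esmtpsa protocol (an authenticated SMTP submission, i.e. the compromised-password case). The two sample headers are constructed: the first is the article's example with the placeholders filled in (user name webuser and client IP 203.0.113.5 are assumptions), the second is an assumed authenticated submission with an invented host, IP and message ID.

```bash
#!/bin/sh
# Added example: classify where a queued message came from by reading the
# spool header as printed by "exim -Mvh ID". Each header line is prefixed with
# its length and an optional flag letter (e.g. "208P Received:"), so the header
# name is always awk field 2 on the line that starts a header; continuation
# lines are indented.

# CONSTRUCTED sample 1: the article's PHP-script example with the placeholders
# filled in (user "webuser" and client IP 203.0.113.5 are assumptions).
HDR_PHP='208P Received: from webuser by server1.hostname.com with local (Exim 4.82)
        (envelope-from <webuser@server1.hostname.com>)
        id 1YZUIE-00013s-Sp
        for admin12@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: admin12@yahoo.com
019  Subject: Hi there
091  X-PHP-Script: testdomain.com/admin/yoo/folder1/menu/page1.php for 203.0.113.5
023  X-Priority: 3 (Normal)'

# CONSTRUCTED sample 2: mail submitted over authenticated SMTP (Exim records
# the protocol as esmtpa, or esmtpsa when TLS was used), which is what a
# compromised mailbox password looks like. Host, IP and ID are assumptions.
HDR_AUTH='231P Received: from [198.51.100.7] (port=51234 helo=laptop)
        by server1.hostname.com with esmtpsa (Exim 4.82)
        (envelope-from <user@testdomain.com>)
        id 1YZUIF-00014a-Qb
        for victim@example.org; Sat, 21 Mar 2015 21:05:10 -0400
032T To: victim@example.org
019  Subject: Hi there'

# Script path and client IP from an X-PHP-Script header ("PATH for IP");
# prints nothing if the message was not sent by PHP.
php_script_origin() {
    awk '$2 == "X-PHP-Script:" { print $3, $5; exit }'
}

# Protocol word after "with" in the first (topmost) Received header, looking
# through its indented continuation lines as well.
received_protocol() {
    awk '
        $2 == "Received:"                       { inrec = 1 }
        inrec && /^[0-9]/ && $2 != "Received:" { inrec = 0 }
        inrec { for (i = 1; i < NF; i++) if ($i == "with") { print $(i + 1); exit } }
    '
}

# System user that injected a local message ("Received: from USER ... with
# local"); prints nothing for anything that did not arrive via the local MTA.
local_sender() {
    hdr=$(cat)
    if [ "$(printf '%s\n' "$hdr" | received_protocol)" = "local" ]; then
        printf '%s\n' "$hdr" | awk '$2 == "Received:" && $3 == "from" { print $4; exit }'
    fi
}

# One-line verdict: "php-script PATH", "local USER", "authenticated-smtp",
# or the raw protocol name when it is none of those.
classify_origin() {
    hdr=$(cat)
    script=$(printf '%s\n' "$hdr" | php_script_origin | cut -d' ' -f1)
    proto=$(printf '%s\n' "$hdr" | received_protocol)
    if [ -n "$script" ]; then
        echo "php-script $script"
    else
        case "$proto" in
            esmtpa|esmtpsa) echo "authenticated-smtp" ;;
            local)          echo "local $(printf '%s\n' "$hdr" | local_sender)" ;;
            *)              echo "${proto:-unknown}" ;;
        esac
    fi
}

echo "== sample 1 =="; printf '%s\n' "$HDR_PHP"  | classify_origin
echo "== sample 2 =="; printf '%s\n' "$HDR_AUTH" | classify_origin
```

On a live server the same functions can be run over the whole queue to see which script or account is behind the mail, for example with for id in $(exiqgrep -i); do exim -Mvh "$id" | classify_origin; done | sort | uniq -c | sort -rn (exiqgrep -i prints message IDs only).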

Analyzing email count with the sender

This is very important when checking for spamming. The command below counts the messages in the Exim queue per envelope sender, so you can see at a glance which account is sending the most mail:

exim -bpr | grep "<" | awk '{print $4}' | cut -d"<" -f2 | cut -d">" -f1 | sort | uniq -c | sort -n

(-bpr is -bp without sorting, which is faster on a big queue; grep "<" keeps only the first line of each message, where the sender is in angle brackets; the counts come out in ascending order.)

Example

[root@EcLinux]# exim -bpr | grep "<" | awk '{print $4}' | cut -d"<" -f2 | cut -d">" -f1 | sort | uniq -c | sort -n
      1
      3 sender@sender.com

The line with a count but no address is the frozen bounce message, whose envelope sender is empty (<>).

Another way using “exiqgrep“

exiqgrep -f sendername | grep "<" | wc -l

This displays the total count of queued messages from a particular sender.

Example

[root@EcLinux]# exiqgrep -f sender@sender.com | grep "<" | wc -l
3

Similarly, the -r switch of exiqgrep matches the recipient:

exiqgrep -r recipient | grep "<" | wc -l

Note that -f and -r take a regular expression, matched against the address including its angle brackets, so a literal address should have its dots escaped; exiqgrep -c prints the count directly without the grep and wc:

exiqgrep -c -f '<sender@sender\.com>'

Removing emails from the queue

The Exim command to remove emails from the queue is;

exim -Mrm

To delete all emails from the queue for a particular sender

exim -bpr | grep sendername | awk '{print $3}' | xargs exim -Mrm

The awk part prints the message IDs of the matching lines and xargs passes them as arguments to exim -Mrm. Two caveats: grep sendername also matches substrings and other addresses at the same domain, so for an exact match use exiqgrep -i -f '<sender@sender\.com>' | xargs exim -Mrm (-i prints IDs only); and clearing the queue does not stop the spam, so disable the script or change the compromised password first, otherwise the queue fills up again.

Frozen emails


Frozen messages are marked *** frozen *** after the sender in the exim -bp listing. Exim freezes a message it can neither deliver nor bounce, typically a bounce (empty sender <>) generated for a message whose sender address was forged or does not exist. A large number of frozen messages therefore usually means spam with fake sender addresses has been going out. To count the frozen messages in the queue:

exim -bp | grep frozen | wc -l

Removing frozen emails

exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm

Equivalently, exiqgrep -z -i | xargs exim -Mrm (-z selects frozen messages only).
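The script below is an added example written for this page, not code from the original article or from Exim. It implements the queue checks described above (the listing format, the count per sender, the message IDs of one sender, the frozen messages and the removal step) as shell functions over an exim -bp style listing read from standard input, so they can be exercised against a constructed sample queue instead of a live server. The sample listing (the article's four messages plus an assumed fifth, frozen one) and the EXIM variable, which lets you substitute echo for exim as a dry run, are assumptions of the example; on a real server feed the functions with exim -bpr.

```bash
#!/bin/sh
# Added example: parse an "exim -bp" / "exim -bpr" style queue listing.
# SAMPLE_QUEUE is CONSTRUCTED test data in the format shown in the article
# (a fifth, frozen message was added for illustration); on a real server use
#   exim -bpr | queue_senders
# instead of   printf '%s\n' "$SAMPLE_QUEUE" | queue_senders.
SAMPLE_QUEUE='44h   763 5HKsLr-5672ud-MN <sender@sender.com>
          recipient@gmail.com

10h  5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m   502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m   568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com

 3m  1.2K 1VHFNm-0003c1-Aa <other@otherdomain.tld> *** frozen ***
          someone@example.org'

# A message's first line carries the envelope sender in angle brackets as
# field 4 (age, size, message ID, <sender>); recipient lines are indented and
# have no such field, so "field 4 looks like <...>" selects one line per message.

# Number of messages in the listing (what "exim -bpc" reports).
queue_count() {
    awk '$4 ~ /^<.*>$/ { n++ } END { print n + 0 }'
}

# Messages per envelope sender, busiest first. An empty sender is printed as
# "<>" so that bounce messages are visible instead of appearing as a blank.
queue_senders() {
    awk '$4 ~ /^<.*>$/ { s = $4; gsub(/[<>]/, "", s); print (s == "" ? "<>" : s) }' \
        | sort | uniq -c | sort -rn
}

# Message IDs whose envelope sender is exactly the given address
# (an exact match, unlike "grep sendername", which also hits substrings).
queue_ids_for_sender() {
    awk -v want="<$1>" '$4 == want { print $3 }'
}

# Message IDs of frozen messages (marked "*** frozen ***" after the sender).
queue_frozen_ids() {
    awk '$4 ~ /^<.*>$/ && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Remove every queued message from the given sender with "exim -Mrm".
# EXIM defaults to exim; set EXIM=echo to print the command instead of
# running it. GNU "xargs -r" skips the call entirely when nothing matched.
purge_sender() {
    queue_ids_for_sender "$1" | xargs -r "${EXIM:-exim}" -Mrm
}

# Demonstration on the constructed sample.
echo "== messages in queue =="
printf '%s\n' "$SAMPLE_QUEUE" | queue_count
echo "== messages per sender =="
printf '%s\n' "$SAMPLE_QUEUE" | queue_senders
echo "== frozen message IDs =="
printf '%s\n' "$SAMPLE_QUEUE" | queue_frozen_ids
echo "== dry run of the removal for sender@sender.com =="
( EXIM=echo; printf '%s\n' "$SAMPLE_QUEUE" | purge_sender sender@sender.com )
```

Keeping the removal behind a variable is deliberate: run the listing and count functions first, confirm the sender you are about to purge is the spammer, and only then run purge_sender with EXIM unset so that the real exim -Mrm is executed.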

The command below prints a summary of the queue per recipient domain (count, total volume, oldest and newest message):

exim -bp | exiqsumm

Example

# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    1    6041     11h     11h  facebook.com
    1     763     45h     45h  interia.pl
---------------------------------------------------------------
    2    6804     45h     11h  TOTAL

exiwhat shows what each running Exim process is doing right now, which tells you whether deliveries are in progress and what the daemon is listening on. See the example below:

exiwhat

# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

So, these are some basic commands using which we can analyze the mail activity and try to stop spamming on the server.
