What is spamming?
Spamming is the sending of unsolicited messages in bulk over the internet or any other electronic messaging system, usually for advertising, and includes posting the same message repeatedly on the same site. On mail servers this activity takes several forms, and it is one of the regular and recurring issues in the web hosting industry. If a large amount of spam originates from the server, or any account on your server sends spam repeatedly, the server's IP address will be blacklisted at various RBLs. So how do you check for and stop spamming on an Exim MTA server? Here is the solution. Continue reading, and you will be able to identify spamming activity on the server and take the necessary steps and precautions.
There are ways to check and confirm whether the emails delivered from accounts are genuine or spam by inspecting the mail queue. Exim is the default MTA (Mail Transfer Agent) on a cPanel server, and it has many command-line options for checking spam activity.
From the email header, we will be able to get the complete mail details. Also, we can get the body of that email and the mail logs using different command-line options. After going through this article, you will get some idea on how to find spamming on an Exim server.
Now login to the server as a root user:
To count emails in the queue
exim -bpc
The above command shows the total number of emails in the queue. If the count is more than 2000, the possibility of spamming is high.
Example
# exim -bpc
52
To list emails with more details, use the following command, which gives more information on each message in the queue.
exim -bp
It displays the message ID, sender, recipient, size, and age of each mail. From the message ID we can find out the details of the mail, such as the header, body and
Example
# exim -bp
44h    763 5HKsLr-5672ud-MN <sender@sender.com>
          recipient@gmail.com

10h   5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m    502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m    568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com
# 1st field: Age (Eg: 44h)
# 2nd field: Size (Eg: 5.9K)
# 3rd field: Message ID (Eg : 5HKsLr-5672ud-MN)
# 4th field: Sender (Eg: sender@sender.com)
# 5th field (on the following line): Recipient (Eg: recipient@gmail.com)
From message ID we can analyze the body, header, and log information of emails.
Refer to the basic commands below.
The command below displays the message header, which shows many details about the email: the From address, the To address, the Subject, the date, the sending script, and so on.
exim -Mvh ID
This command will display the message body.
exim -Mvb ID
The command below displays the log of the email. From the log you will be able to identify the user who created these emails, and more.
exim -Mvl ID
Spamming can happen in many ways; here we go through some instances. It mostly happens because of insecure PHP scripts or because the password of an email account has been compromised.
Example: Spamming from the PHP script
208P Received: from $user by server1.hostname.com with local (Exim 4.82)
        (envelope-from <$user@server1.hostname.com>)
        id 1YZUIE-00013s-Sp
        for admin12@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: admin12@yahoo.com
019  Subject: Hi there
091  X-PHP-Script: testdomain.com/admin/yoo/folder1/menu/page1.php for "IP.Address"
023  X-Priority: 3 (Normal)
From the header we can judge the reputation of the email. If you notice "X-PHP-Script" in the header, you can confirm that the email was sent by a PHP script. In the above example, the emails were sent from the script testdomain.com/admin/yoo/folder1/menu/page1.php, so the next step is to check the scripts in the problematic account.
Hence, go through your application and make sure you are using the latest version of your CMS (Eg: WordPress, Joomla, etc), plugins, and themes.
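When a queue holds hundreds of messages, reading headers one by one is slow. The following shell functions, added here as an example and not part of the original article, read the spool-header output in the format that exim -Mvh prints and pull out the X-PHP-Script path and the local user named in the "Received: from ... with local" line. The header lines in sample_headers are constructed for the example (user1 and the IP address are made up), and the commented pipeline at the end shows how the same functions would be run over a live queue with exiqgrep -i.

```shell
# Constructed sample: the header block that `exim -Mvh ID` prints for one
# message sent by a PHP script (modelled on the article's example).
sample_headers() {
cat <<'EOF'
208P Received: from user1 by server1.hostname.com with local (Exim 4.82)
        (envelope-from <user1@server1.hostname.com>)
        id 1YZUIE-00013s-Sp
        for admin12@yahoo.com; Sat, 21 Mar 2015 21:03:06 -0400
027T To: admin12@yahoo.com
019  Subject: Hi there
091  X-PHP-Script: testdomain.com/admin/yoo/folder1/menu/page1.php for 203.0.113.5
023  X-Priority: 3 (Normal)
EOF
}

# Each spool header line starts with "<length><flag>", then the header name.
# Print the script path from the X-PHP-Script header (field 3).
php_script_from_headers() {
  awk '$2 == "X-PHP-Script:" { print $3 }'
}

# Print the local account that injected the message: only the Received
# header added for a local submission ("with local") names a local user.
local_sender_from_headers() {
  awk '$2 == "Received:" && $3 == "from" && /with local/ { print $4 }'
}

# Live use on a server (as root): list every queued message ID with
# `exiqgrep -i`, dump each header with `exim -Mvh`, and rank the scripts.
#   for id in $(exiqgrep -i); do
#     exim -Mvh "$id" | php_script_from_headers
#   done | sort | uniq -c | sort -rn

# Demonstration on the constructed sample:
sample_headers | php_script_from_headers
sample_headers | local_sender_from_headers
```

The ranked list that the live pipeline produces tells you which script, and therefore which account, to inspect first; a script path under an account that should never send mail is the strongest signal.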
Analyzing email count with the sender
This is very important when checking for spamming. The command below counts the messages in the Exim queue per sender. From this output we can find the email account that is sending a large number of emails.
exim -bpr | grep "<" | awk '{print $4}' | cut -d"<" -f2 | cut -d">" -f1 | sort -n | uniq -c | sort -n
Example
See the example below:
[root@EcLinux]# exim -bpr | grep "<" | awk '{print $4}' | cut -d"<" -f2 | cut -d">" -f1 | sort -n | uniq -c | sort -n
      3 sender@sender.com
      1
The entry with no address is the frozen bounce message from the earlier listing: its envelope sender is the empty "<>", which the cut commands reduce to a blank field.
Another way, using exiqgrep:
exiqgrep -f sendername | grep "<" | wc -l
This command displays the total count of emails sent by a particular user (exiqgrep -c -f sendername prints the same count directly).
Example
[root@EcLinux]# exiqgrep -f sender@sender.com | grep "<" | wc -l
3
Similarly, the -r switch of exiqgrep selects messages by recipient.
exiqgrep -r recipient | grep "<" | wc -l
Removing emails from the queue
The Exim command to remove a message from the queue is:
exim -Mrm ID
To delete all emails from the queue for a particular sender
exim -bpr | grep sendername | awk '{print $3}' | xargs exim -Mrm
The awk part prints the message IDs to remove, and xargs passes them as arguments to exim -Mrm.
Frozen emails
Frozen messages are marked with "*** frozen ***" after the sender field in the queue listing. To display the total count of frozen emails in the queue, we can use the following command.
exim -bp|grep frozen|wc -l
Removing frozen emails
exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm
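The grep/cut pipelines above work, but they mishandle the null sender "<>" and remove messages without a chance to review the list. The shell functions below are an added example, not part of the original article, covering both the per-sender count from the "Analyzing email count with the sender" section and the frozen-message removal just described. They parse queue listings in the exim -bp format (age, size, message ID, sender on one line; recipient on the next), label the null sender explicitly, and print the message IDs so you can review them before feeding them to exim -Mrm. The listing in sample_queue is constructed for the example; on a live server, pipe exim -bp into the functions instead.

```shell
# Constructed sample in `exim -bp` format, mirroring the article's listing:
# three messages from one sender plus one frozen bounce with null sender "<>".
sample_queue() {
cat <<'EOF'
44h    763 5HKsLr-5672ud-MN <sender@sender.com>
          recipient@gmail.com

10h   5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
          no-reply@facebook.com

 0m    502 1VHFNl-0003bf-GB <sender@sender.com>
          recipient@gmail.com

 0m    568 1VHFNl-0003bn-Tq <sender@sender.com>
          recipient@gmail.com
EOF
}

# Sender lines look like: AGE SIZE ID <sender> [*** frozen ***]
# Count messages per envelope sender, highest first; the null sender is
# printed as "<>" rather than dropped as a blank field.
count_by_sender() {
  awk '$4 ~ /^<.*>$/ {
         s = substr($4, 2, length($4) - 2)
         if (s == "") s = "<>"
         n[s]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Message IDs whose envelope sender contains the given address (literal
# substring match via index(), so dots in the address are not regex wildcards).
ids_for_sender() {
  awk -v pat="$1" '$4 ~ /^<.*>$/ && index($4, pat) { print $3 }'
}

# Message IDs of frozen messages.
frozen_ids() {
  awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# Live use on a server (as root). Review the ID list before removing anything:
#   exim -bp | count_by_sender
#   exim -bp | ids_for_sender 'sender@sender.com'
#   exim -bp | ids_for_sender 'sender@sender.com' | xargs exim -Mrm
#   exim -bp | frozen_ids | xargs exim -Mrm

# Demonstration on the constructed sample:
sample_queue | count_by_sender
sample_queue | frozen_ids
```

Matching on the fourth field only (the "<sender>" token) is what keeps a grep for an address like sender.com from also matching recipient lines, which the plain grep sendername pipeline above would do.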
The command below prints a summary of the emails in the queue, grouped by recipient domain.
exim -bp | exiqsumm
Example
# exim -bp | exiqsumm
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    1    6041     11h     11h  facebook.com
    1     763     45h     45h  interia.pl
---------------------------------------------------------------
    2    6804     45h     11h  TOTAL
exiwhat displays what Exim is doing right now. See the example below:
exiwhat
# exiwhat
1923 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
So, these are some basic commands using which we can analyze the mail activity and try to stop spamming on the server.