Thursday, 10 April 2014

Email Spamming Audit scripts on cPanel

Commands for finding the scripts that are being used to send out spam emails:
Eximstats:
[root@support ~]#eximstats -t5 /var/log/exim_mainlog > teststats
Script to know the mail count by various accounts (the cwd= value is the directory the sending process was started from):
[root@support ~]#grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
The number of mails completed for a domain on a given day (here 2009-04-17):
[root@support ~]#exigrep @domain.com /var/log/exim_mainlog|grep 2009-04-17|grep Completed|wc -l
[root@support ~]#ps -C exim -fH ewww |grep home
It shows the mails going out from the server and from which user's home directory each mail is being sent, so that you can easily trace it and block it if needed.
[root@support ~]#eximstats -ne -nr /var/log/exim_mainlog
It shows the top 50 domains using the mail server; the -ne and -nr options leave the error and relay sections out of the report.
[root@support ~]#exim -bp | exiqsumm
It summarises the mail queue by domain, showing the main domains with mail waiting to be delivered on the server.
[root@support ~]# netstat -plan|grep :25|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
It shows the IPs which are connected to the server through port number 25. If one particular IP is using more than 10 connections you can block it in the server firewall.
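The same port-25 connection check as a small shell script, added here as an example (it is not from the original post). It reads netstat -plan style output on stdin and, unlike the one-liner above, counts only ESTABLISHED connections to local port 25 (so the LISTEN line and other ports such as 2525 are skipped) and strips the remote port from the end of the address, which keeps IPv4-mapped IPv6 addresses intact. The netstat lines, the addresses and the threshold argument are constructed for the example.

```sh
#!/bin/sh
# Added example: per-IP count of SMTP connections from netstat output.
# The sample below is constructed (documentation address ranges), not captured from a server.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:51234      ESTABLISHED 1240/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:51235      ESTABLISHED 1241/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:51236      ESTABLISHED 1242/exim
tcp        0      0 192.0.2.10:25           198.51.100.7:51237      ESTABLISHED 1243/exim
tcp        0      0 192.0.2.10:25           203.0.113.5:40001       ESTABLISHED 1244/exim
tcp        0      0 192.0.2.10:25           203.0.113.5:40002       ESTABLISHED 1245/exim
tcp        0      0 192.0.2.10:25           203.0.113.5:40003       TIME_WAIT   -
tcp        0      0 192.0.2.10:2525         203.0.113.99:40500      ESTABLISHED 1246/exim
tcp        0      0 192.0.2.10:25           192.0.2.200:33000       ESTABLISHED 1247/exim
tcp6       0      0 ::ffff:192.0.2.10:25    ::ffff:198.51.100.7:51240 ESTABLISHED 1248/exim'

# Print "count ip" for every remote IP with ESTABLISHED connections to local port 25,
# highest count first. Reads netstat -plan style output on stdin.
smtp_conns_by_ip() {
    awk '$4 ~ /:25$/ && $6 == "ESTABLISHED" {
             sub(/:[0-9]+$/, "", $5)   # drop the remote port, whatever the address family
             sub(/^::ffff:/, "", $5)   # fold IPv4-mapped IPv6 addresses into the IPv4 form
             n[$5]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs at or above a connection threshold (default 10, the figure in the post).
smtp_conns_over() {
    limit=${1:-10}
    smtp_conns_by_ip | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# On a live server:  netstat -plan | smtp_conns_over
# Here the constructed sample is used with a threshold of 2.
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_conns_over 2
```

Feed the live output with `netstat -plan | smtp_conns_over` and review the listed IPs before adding any firewall rule; a busy but legitimate relay or monitoring host can also hold several connections at once.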
In order to find "nobody" spamming, issue the following command:
[root@support ~]#ps -C exim -fH ewww|awk '{for(i=1;i<=40;i++){print $i}}'|sort|uniq -c|grep PWD|sort -n
It will give a result like the one below.
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Check the PWD counts, and if one is a large value, check the files in the directory listed in PWD
(ignore it if it is /, /var/spool/mail or /var/spool/exim).
The above command is valid only if the spamming is currently in progress. If the spamming happened some hours before, use the following command instead.
Command :
[root@support ~]#grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
This will result in something like :
96 cwd=/root
4583 cwd=/home/sample/public_html/test
Check the cwd counts, and if one is a large value, check the files in the directory listed in cwd
(ignore it if it is /, /var/spool/mail or /var/spool/exim).
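The cwd= count from the exim_mainlog, written as a reusable shell script; this is an added example and not the post's own command. It does what the grep|awk|sort|uniq -c pipeline above does, but it drops the /, /var/spool/mail and /var/spool/exim entries the post says to ignore, adds a threshold filter, and can restrict the count to one day, which is the case the post describes (spamming that happened some hours before). The log lines, directory names and the threshold value are constructed for the example; the "cwd=... args:" line layout is what Exim writes when argument logging is enabled.

```sh
#!/bin/sh
# Added example: count exim_mainlog "cwd=" entries per directory.
# The log lines below are constructed, not taken from a real server.
SAMPLE_LOG='2014-04-09 22:05:11 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2014-04-09 23:30:40 cwd=/root 2 args: /usr/sbin/sendmail -t
2014-04-10 01:14:02 cwd=/root 2 args: /usr/sbin/sendmail -t
2014-04-10 01:14:09 cwd=/ 2 args: /usr/sbin/exim -bd
2014-04-10 03:40:27 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2014-04-10 03:40:31 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2014-04-10 05:02:44 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-04-10 07:55:13 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i'

# Print "count directory" for every cwd= value in the log on stdin, lowest count first
# (the same order as the post's sort -n), skipping the directories the post says to ignore.
cwd_counts() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) { d = substr($i, 5); n[d]++ } }
         END { for (d in n) print n[d], d }' |
    awk '$2 != "/" && $2 != "/var/spool/mail" && $2 != "/var/spool/exim"' | sort -n
}

# Restrict the count to one day (YYYY-MM-DD prefix of the log line), for spamming that
# happened earlier rather than right now.
cwd_counts_on() {
    awk -v day="$1" 'index($0, day) == 1' | cwd_counts
}

# Print only directories whose count is at or above a threshold (constructed default 100).
cwd_over() {
    limit=${1:-100}
    cwd_counts | awk -v lim="$limit" '$1 >= lim { print $2 }'
}

# On a live server:  cwd_over 500 < /var/log/exim_mainlog
# or for one day:    cwd_counts_on 2014-04-10 < /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | cwd_over 3
```

Any directory the script reports is a place to inspect, not proof of abuse on its own: a busy but legitimate site (a newsletter or a contact form) will also show a high count, so compare the count with what the account normally sends before suspending anything.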
Run the commands below at your command prompt to find the domain which is being used by spammers and to clear its queued mail.
[root@support ~]#exim -bpr | exiqsumm -c | head
[root@support ~]#exiqgrep -ir <domain> | xargs -n1 exim -Mrm
That should remove any e-mail in the queue that is waiting to be delivered to POP accounts at <domain>.
Take the precautions below:
I) Turn on the SMTP tweak. It stops users from bypassing the mail server to send out spam.
II) Turn on the blacklisting ability in WHM.
III) Use SpamAssassin to stop receiving spam mails.
