Steps to check Spam script location with Exim


  1. Bhawani Singh
    Introduction:

    Spam is the sending of repeated, unsolicited messages over email. Most spam emails contain advertisements, or messages triggered over and over from the same sites. The Exim mail logs on a VPS or dedicated server can be used to identify spammers who use your own scripts, or scripts they have uploaded, to send spam from your server.

    Spamming Emails from the server

    1) How spamming is happening

    If you are not careful, there is a chance your server gets hacked and used by a mail bot to send spam. If this happens frequently, the sending reputation of your email IP address suffers, and your site ends up on blacklists. There are many ways spam can flood a mail server. Spam is one of the most common recurring problems on almost every web hosting server.

    2) Stop spam from your server

    You can tell whether mail sent from your own domain's accounts is legitimate or spam by analyzing the messages in the outbox. On a control panel server, the default Mail Transfer Agent (MTA) is Exim.

    Exim handles email sent from your server. All your mail activity is logged, including mail sent by scripts on your server, and each log entry records the working directory (cwd) of the process that submitted the message, so the log can be used to monitor where mail originates.

    Using this log, we can easily trace a script of yours that has been hacked to send spam from your server IP, or locate suspicious scripts that a spammer has placed on the server. Exim's log output can be queried with command-line tools to identify spam. Most of the time the email subject line gives away what is going on; we can then check the content of the email body and the mail logs from the command line.

    3) Locate script sending into Exim
    • Login to your server as a root user with SSH
    • Run the command to list out most used script location from your Exim mail log:
    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    You could get output like this:

    Code:
    16 /home/username2/public_html/about
    23 /home/username2/public_html
    7466 /home/username2/public_html/data
    4) Now we can run the following command to check the scripts located in the busiest directory:

    Code:
    ls -lahtr /home/username2/public_html/data
    We get the following result:

    Code:
    drwxr-xr-x 17 username2 username2 4.0K Nov 20 10:25 ../
    -rw-r--r-- 1 username2 username2 5.6K Nov 20 11:27 mailerscript.php
    drwxr-xr-x 2 username2 username2 4.0K Nov 20 11:27 ./
    5) Once we know that mailerscript.php was handing mail to Exim, we can look at the Apache log to check which IP addresses are accessing that script:

    Code:
    grep "mailerscript.php" /home/username2/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
    6) If you find a suspicious IP address sending a huge volume of emails through the script, block it at the server firewall so that it cannot connect again:

    Code:
    apf -d 123.123.123.123 "Spamming from script in /home/username2/public_html/data"
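    The following script is an added example, not part of the original post, that reproduces the two log analyses above (step 3, counting Exim messages by calling directory, and step 5, counting client IPs hitting the suspect script) on constructed sample data so it can be run offline. The log lines, paths, usernames and IP addresses are all made up for the example; on a real server you would point the functions at /var/log/exim_mainlog and the domain's Apache access log instead.

```shell
#!/bin/sh
# Added example (not from the original post): runs the exim_mainlog cwd
# analysis and the Apache access-log IP analysis on constructed sample logs.
# All paths, usernames, IPs and log lines below are constructed for this demo.

set -eu

WORK="${TMPDIR:-/tmp}/exim_spam_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed exim_mainlog lines in the shape Exim writes when a local
# process (for example PHP calling sendmail) submits a message: cwd=<dir>.
cat > "$WORK/exim_mainlog" <<'EOF'
2023-11-20 11:27:01 cwd=/home/username2/public_html/data 3 args: /usr/sbin/sendmail -t -i
2023-11-20 11:27:02 cwd=/home/username2/public_html/data 3 args: /usr/sbin/sendmail -t -i
2023-11-20 11:27:03 cwd=/home/username2/public_html/data 3 args: /usr/sbin/sendmail -t -i
2023-11-20 11:27:04 cwd=/home/username2/public_html 3 args: /usr/sbin/sendmail -t -i
2023-11-20 11:27:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1r4abc-0001-Xy
2023-11-20 11:27:06 cwd=/home/username2/public_html/about 3 args: /usr/sbin/sendmail -t -i
EOF

# Constructed Apache combined-format access log lines for the same site.
cat > "$WORK/access_log" <<'EOF'
203.0.113.5 - - [20/Nov/2023:11:27:01 +0000] "POST /data/mailerscript.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [20/Nov/2023:11:27:02 +0000] "POST /data/mailerscript.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [20/Nov/2023:11:27:03 +0000] "POST /data/mailerscript.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [20/Nov/2023:11:27:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2023:11:27:05 +0000] "POST /data/mailerscript.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# Step 3: count submitted messages by the submitting process's working
# directory, skipping Exim's own queue-runner entries under /var/spool.
# Output: "<count> <directory>", ascending by count.
cwd_counts() {
  grep cwd "$1" | grep -v /var/spool | awk -F'cwd=' '{print $2}' \
    | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# The single busiest directory (last line of cwd_counts).
top_cwd() {
  cwd_counts "$1" | tail -n 1 | awk '{print $2}'
}

# Step 5: count client IPs that requested a given script name.
# Output: "<count> <ip>", ascending by count.
script_hits() {
  grep "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# The IP with the most requests to the script (last line of script_hits).
top_hitter() {
  script_hits "$1" "$2" | tail -n 1 | awk '{print $2}'
}

echo "Messages by calling directory:"
cwd_counts "$WORK/exim_mainlog"
echo "Busiest directory: $(top_cwd "$WORK/exim_mainlog")"
echo
echo "Requests to mailerscript.php by client IP:"
script_hits "$WORK/access_log" mailerscript.php
echo "Top source: $(top_hitter "$WORK/access_log" mailerscript.php)"
```

    Note that the cwd field identifies the directory the sending process was running in, not the script file itself, which is why the post follows up with `ls` on that directory. A single address dominating the hit count for one PHP file, as 203.0.113.5 does in the sample data, is the pattern the firewall block in step 6 is meant for.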