When mail cannot be delivered because the sending IP is blacklisted, a temporary workaround is to change the IP that Exim sends from. Follow these steps:
=-=-
WHM>> Main >> Service Configuration >> Exim Configuration Editor >> Domains and IPs
Enable the option "Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)".
After enabling this option, the outgoing IP itself is set in the /etc/mailips file.
To change the outgoing mail IP for the whole server, add the IP you want to send from to /etc/mailips using this syntax:
*: xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP the server should send mail from.
The same file also lets you set the outgoing IP per domain, using the same "name: IP" syntax as the global entry:
hostname.tld: xxx.xxx.xxx.xxx
where hostname.tld is the domain name and xxx.xxx.xxx.xxx is the IP to use for that domain's mail.
As a permanent solution, use the following commands to find the files that originate the spam.
To get a sorted list of senders in the Exim mail queue, with the number of mails queued by each one:
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
The output looks like this:
1 [email protected]
2 [email protected]
3 [email protected]
4 [email protected]
29 [email protected]
124 [email protected]
=============================================================================================
The following commands find the directory (cwd) from which spam is being originated:
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
The first two commands give output like the following; the third is a variant of them that reports only the username.
9 cwd=/home/test1/public_html
10 cwd=/home/test2/public_html/a1/www
15 cwd=/home/test3/public_html
91 cwd=/home/test4/public_html
178 cwd=/home/test5/public_html/web
770 cwd=/home/test6/public_html/foro
803 cwd=/home/test7/public_html/web
124348 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
=============================================================================================
To find the exact spamming script, the following command shows the script that is sending mail right now. It is useful on any mail server.
# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head
Usage example:
# ps auxwwwe | grep test8 | grep --color=always "/home/test8/public_html/wp/wp-content/themes/twentyeleven" | head
Once you have found the exact script, the following command lists the IP addresses that accessed it, with a hit count for each. The IP with the highest number of accesses is most probably the one driving the spam. You can block it in the csf or apf firewall.
# grep "<script_name>" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n
=============================================================================================
If the mail is being sent from PHP, the following command shows the originating script from the X-PHP-Script header of the messages in the queue:
# egrep -R "X-PHP-Script" /var/spool/exim/input/*
=============================================================================================
eximstats summarises mail server usage from the log (top 50 domains); the options below omit the error and relay sections:
# eximstats -ne -nr /var/log/exim_mainlog
=============================================================================================
This shows which user's home directory the mail is being sent from, so you can trace it and block it if needed. It lists the mails currently going out from the server.
# ps -C exim -fH ewww | grep home
=============================================================================================
This shows the IPs connected to the server on port 25. If one IP holds more than 10 connections, you can block it in the server firewall.
# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
==============================================================================================
To find spam sent as the "nobody" user, run the following command:
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
Example output:
6 PWD=/
347 PWD=/home/sample/public_html/test
Look at the count for each PWD; if it is large, check the files in that directory
(ignore / as well as /var/spool/mail and /var/spool/exim).
The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.
# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
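The cwd= counting and the "ignore / and the spool directories" rule above, combined into one reusable script. This is an added example, not part of the original notes; the log lines in SAMPLE_LOG are constructed in exim_mainlog format, and the usernames are made up.

```shell
#!/usr/bin/env bash
# Added example: count cwd= paths in an exim_mainlog excerpt and report the
# most frequent one, skipping / and Exim's own spool directories.
# SAMPLE_LOG is a constructed excerpt in exim_mainlog format (not real data).
SAMPLE_LOG='2024-05-01 10:00:01 cwd=/ 3 args: /usr/sbin/exim -Mc 1s9abc-0001aa-Aa
2024-05-01 10:00:02 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 4 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 4 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1s9abc-0001ab-Ab
2024-05-01 10:00:05 cwd=/home/test1/public_html 4 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 4 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 <= user@example.invalid H=(relay) [203.0.113.5] P=esmtp S=1234'

# cwd_counts: read log lines on stdin, print "count cwd=path" for every
# cwd= value that is not a system directory, most frequent last
# (same shape as the notes' grep | uniq -c | sort -n pipeline).
cwd_counts() {
    grep -o 'cwd=[^ ]*' \
      | grep -Ev '^cwd=(/|/var/spool/mail|/var/spool/exim)$' \
      | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# top_cwd: read log lines on stdin, print only the path with the highest
# count, without the cwd= prefix.
top_cwd() {
    cwd_counts | tail -n 1 | sed 's/^[0-9]* cwd=//'
}

# cwd_user: extract the account name (third path component) from a
# /home/<user>/... path, mirroring the notes' "cut -d / -f 3".
cwd_user() {
    printf '%s\n' "$1" | cut -d / -f 3
}

# Stand-alone run on the constructed sample: the wp theme directory of
# test8 comes out on top with 3 hits, test1 below it with 1.
printf '%s\n' "$SAMPLE_LOG" | cwd_counts
```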
==============================================================================================
The following command gives a per-domain summary of the mails in the queue:
exim -bpr | exiqsumm -c | head
The output looks like this:
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
114 171KB 24h 28m testdomain.com
15 28KB 36h 7m gmail.com
5 10KB 34h 10h test2domain.com
4 8192 27h 4h yourdomain.com
4 75KB 7m 7m server.domain.com
3 6041 23h 42m test123.com
==============================================================================================
grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
lists the script folders (cwd) recorded in the Exim main log.
grep POST /usr/local/apache/domlogs/<domain>/*
lists the POST requests in that domain's access log; search it for the script name found in the Exim main log.
The following steps are also useful:
=-=-
exim -bpc -- shows the number of mails in the queue
If there is a large number of mails in the queue, check their details using exim -bp, exim -Mvh and exim -Mvb:
exim -bp >> /root/mailque.txt
Check the file /root/mailque.txt to see if a large number of mails comes from one particular mail ID.
Use "exim -Mvh <Message ID>" and "exim -Mvb <Message ID>" to view the header and body of a mail. This tells you the nature of the mails in the queue.
If the From address looks like <user>@<serverHostname>, the mails were probably sent by a PHP script. Check the "X-Mailer:" header to verify this, using "exim -Mvh <Message ID>" to view the header.
You can also check exim_mainlog for the script path:
Execute "exigrep <Message_ID> /var/log/exim_mainlog" and look at the cwd field (e.g. cwd=/home/groovepa/public_html).
Sometimes the exact script is shown in the X-PHP-Script header:
X-Mailer: PHPMailer [version Moodle 2007101570] ---> Mailer is PHPmailer
X-PHP-Script: www.trollhalla.com/trollmail.php for 98.165.70.128 -- Here is the Script
Another way to find the exact script is /var/log/messages:
grep <user> /var/log/messages |grep PHP_MAIL
Top 5 users sending maximum emails on the server:
root@epsilon [~]# grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5
Top 5 mail receivers:
root@epsilon [~]# egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5
SMTP connections per IP in the last 1000 log lines; if there is a large number of hits from one IP, block it:
tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f3|cut -d] -f1|sort -n |uniq -c
To find who is sending mail:
ps -C exim -fH eww
To delete frozen mails from the queue:
exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm