Locating possible spam activity by subject with Exim

In this tutorial we show how to find possible spam activity on your VPS or dedicated server by looking for repeated subjects in the Exim mail log.

If you have seen our last tutorial about finding email accounts that are used for spam, you already know how to track down spam activity by searching for email accounts that send mail from several IP addresses. In this tutorial, we cover how to find spam activity by looking at duplicate subjects in your server's mail log.

To follow this tutorial, you need root access on your VPS or dedicated server so that you can read the Exim mail log.

Locating duplicate subjects in Exim mail log

    1. Log in to your server via SSH as the root user.
    2. Execute the command below to locate duplicate subjects in your Exim mail log. It relies on the subject being logged as T="..." on each message-arrival (<=) line, which requires the +subject log selector (enabled by default on cPanel servers).
awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

You should receive a similar output to the one shown here.

Output:

 285 Out of Office
 303 [Forum reply] Please moderate
 578 New Account
 1764 Melt Fat Naturally

This means that the subject ‘Melt Fat Naturally’ has by far the most duplicates of those currently in the Exim mail log.

We can now look for the user who has been sending out this possible spam message by executing the following command.

grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n

You should receive a similar output to the one shown here.

Output:

 1 test@example.com
 1762 user01@example.com

This shows that ‘user01@example.com’ was the account being used to relay this spam message.

You can now find every IP that was used by ‘user01@example.com’ and possibly block them on your server’s firewall if their activity seems malicious to you.

With the following command, you can see every IP address from which the account has sent mail with this subject.

grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

You should receive a similar output to the one shown here.

1762 [123.45.67.89]

Now you should be able to see that all 1,960 messages that ‘user01@example.com’ sent out were coming from the same ‘123.45.67.89’ IP address.

The next thing to do is to block this IP address at the server's firewall (APF in this example) by executing the following command.

apf -d 123.45.67.89 "Sending weight loss spam from user01@example.com"

It is also recommended to change the password in cPanel for the mailbox that was used to send this spam. If you don’t change the password, the spammer can come back from a different computer and a different IP address and continue to relay spam through your account.
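As an added example (not part of the original tutorial), the POSIX shell script below runs the same three lookups against a small constructed excerpt of an Exim main log, so the pipeline can be tried offline before pointing it at /var/log/exim_mainlog. The log lines, addresses and IPs are made up; only the field layout follows Exim's <= arrival line. The script finds the sender by the position of the <= token rather than a fixed column number, so it does not depend on the column layout the tutorial's awk '{print $6}' assumes, and it strips the trailing :port that cPanel's +incoming_port selector appends to the client address. A => delivery line is included to show why filtering on <= matters: delivery lines carry T=remote_smtp rather than a subject.

```shell
#!/bin/sh
# Added example, not from the original tutorial: subject counts, senders per
# subject and client IPs per sender, run against a constructed exim_mainlog
# excerpt. Only "<=" (message arrival) lines carry T="subject"; that needs the
# +subject log selector, which cPanel's Exim enables by default.
set -eu

LOG="${TMPDIR:-/tmp}/exim_mainlog.example.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed sample log (documentation addresses and IPs). The last user01
# line shows the [ip]:port form written when +incoming_port is enabled.
cat > "$LOG" <<'EOF'
2018-04-06 10:00:01 1f4Aaa-0001Aa-1A <= noreply@example.com H=localhost [127.0.0.1] P=esmtp S=812 T="New Account" from <noreply@example.com> for a@example.net
2018-04-06 10:00:01 1f4Aaa-0001Aa-1A => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.5]
2018-04-06 10:05:12 1f4Aab-0001Ab-2B <= noreply@example.com H=localhost [127.0.0.1] P=esmtp S=815 T="New Account" from <noreply@example.com> for b@example.net
2018-04-06 10:07:40 1f4Aac-0001Ac-3C <= test@example.com H=(mail) [203.0.113.7] P=esmtpsa A=dovecot_login:test@example.com S=1901 T="Melt Fat Naturally" from <test@example.com> for c@example.net
2018-04-06 10:09:00 1f4Aad-0001Ad-4D <= alice@example.com H=(office) [192.0.2.10] P=esmtpsa A=dovecot_login:alice@example.com S=600 T="Out of Office" from <alice@example.com> for d@example.net
2018-04-06 11:00:00 1f4Aae-0001Ae-5E <= user01@example.com H=(pc1) [123.45.67.89] P=esmtpsa A=dovecot_login:user01@example.com S=2048 T="Melt Fat Naturally" from <user01@example.com> for e@example.net
2018-04-06 11:00:01 1f4Aaf-0001Af-6F <= user01@example.com H=(pc1) [123.45.67.89] P=esmtpsa A=dovecot_login:user01@example.com S=2048 T="Melt Fat Naturally" from <user01@example.com> for f@example.net
2018-04-06 11:00:02 1f4Aag-0001Ag-7G <= user01@example.com H=(pc1) [123.45.67.89] P=esmtpsa A=dovecot_login:user01@example.com S=2048 T="Melt Fat Naturally" from <user01@example.com> for g@example.net
2018-04-06 11:00:03 1f4Aah-0001Ah-8H <= user01@example.com H=(pc1) [123.45.67.89]:51234 P=esmtpsa A=dovecot_login:user01@example.com S=2048 T="Melt Fat Naturally" from <user01@example.com> for h@example.net
EOF

# Last (highest-count) line of a "uniq -c | sort -n" listing, padding removed.
top_line() { tail -n 1 | sed 's/^ *//'; }

# 1. Distinct subjects on "<=" lines, least to most frequent.
subject_counts() {
    awk -F'T="' '/ <= / && NF > 1 { sub(/".*/, "", $2); print $2 }' "$1" \
        | sort | uniq -c | sort -n
}

# Subject text only, for the most frequent subject.
top_subject() { subject_counts "$1" | top_line | sed 's/^[0-9]* //'; }

# 2. Envelope senders that used a given subject. The sender is the token
#    right after "<=", located by position rather than by column number.
senders_for_subject() {
    awk -v subj="$2" -F'T="' '/ <= / && NF > 1 {
        s = $2; sub(/".*/, "", s)
        if (s != subj) next
        n = split($1, f, " ")
        for (i = 1; i < n; i++) if (f[i] == "<=") { print f[i + 1]; break }
    }' "$1" | sort | uniq -c | sort -n
}

# 3. Client IPs a sender used for a given subject; a trailing :port is dropped.
ips_for_sender_subject() {
    awk -v sender="$2" -v subj="$3" -F'T="' '/ <= / && NF > 1 {
        s = $2; sub(/".*/, "", s)
        if (s != subj) next
        n = split($1, f, " ")
        for (i = 1; i < n; i++) {
            if (f[i] != "<=" || f[i + 1] != sender) continue
            # first bracketed dotted-quad after the sender is the client address
            for (j = i + 2; j <= n; j++)
                if (match(f[j], /\[[0-9.]+]/)) { print substr(f[j], RSTART, RLENGTH); break }
            break
        }
    }' "$1" | sort | uniq -c | sort -n
}

echo "== subjects by count"; subject_counts "$LOG"
TOP=$(top_subject "$LOG")
echo "== senders of \"$TOP\""; senders_for_subject "$LOG" "$TOP"
echo "== client IPs user01@example.com used for \"$TOP\""
ips_for_sender_subject "$LOG" user01@example.com "$TOP"
```

To use it on a real server, replace the heredoc with LOG=/var/log/exim_mainlog and pass the subject and sender the first two lookups reveal. Because the sample ends with a single IP for user01@example.com, the output matches the shape of the tutorial's last listing; several distinct IPs for one authenticated account would instead point at stolen credentials used from more than one machine, which is the case the password change at the end of the tutorial addresses.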

This is how you can use the Exim mail log on your VPS or dedicated server to track down duplicate subjects sent from your server. With this knowledge, you can identify the responsible user and the IP address sending these messages, and block them to stop the spamming.

Updated on April 6, 2018