In this post I describe the steps to stop spamming from an Exim server: finding the spam script on the server, null-routing the script, and cleaning the mail queue.
Without wasting any time, let's start.
1) First and foremost, count all emails in the mail queue to check whether spamming is (or was) in progress.
If the count is abnormally high, continue with the next steps.
2) List a summary of all emails in the mail queue:
exim -bp | exiqsumm -c
The summary shows the number of queued emails for each recipient domain (i.e. the recipient domain name with the number of messages queued for that domain), along with other details such as total size and the age of the oldest and newest message.
3) List a summary of all emails in the mail queue by sender domain and recipient domain:
exim -bp|exiqsumm -s
The columns of the summary are: Count, Volume, Oldest, Newest, Sender Domain Name, Recipient Domain Name.
To show the result in descending order by count, use the command below:
exim -bp|exiqsumm -s -c
4) By now you should have a hint about which sender domain on your server is involved in spamming.
Now list the emails sent by a particular sender (the suspicious domain name or address) using the -f option, or the emails received by a particular recipient (the suspicious domain name or address) using the -r option, restricted to the last hour (3600 seconds) with -y. You can widen the time window if you get no result within 1 hour.
exiqgrep -y 3600 -f <sender domain or email address>
exiqgrep -y 3600 -r <recipient domain or email address>
We do this to get a short list of queued emails for the particular sender domain. From that list, note down two or three message IDs, which we will use to check the message header and body.
5) Check the message header to find the PHP script involved in sending the email:
exim -Mvh <Message Id>
Note: the path of the script is shown in the X-PHP-Script header line.
6) If the PHP script is not present in the email header, check the message body:
exim -Mvb <Message Id>
7) Now null-route or remove the file that you found in the header or body, so that the PHP script can no longer send email:
chmod 000 path/filename.php
chown root:root path/filename.php
chattr +ai path/filename.php
8) The PHP script involved in spamming for that sender domain is now blocked, so we can remove all emails in the mail queue related to that sender domain or recipient domain.
exiqgrep -x -i -f jeevan.org | xargs exim -Mrm
-x selects unfrozen messages, -i prints only the message IDs, -f filters on the sender (domain or email address), and exim -Mrm removes messages by ID.
exiqgrep -z -i -f jeevan.org | xargs exim -Mrm
-z selects frozen messages, -i prints only the message IDs, -f filters on the sender (domain or email address), and exim -Mrm removes messages by ID.
Note: if you suspected multiple domains of spamming in step 3, repeat steps 4 to 8 for each domain you suspected.
That's all you need to stop spamming on the server.
Hope this post was helpful to you.
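The triage part of the procedure above (steps 1 to 6 and the ID listing of step 8) can be rehearsed offline before touching a live queue. The script below is an added example, not part of the original post: it works over a constructed, abbreviated sample of `exim -bp` output and a constructed `exim -Mvh` header dump, so the message IDs, addresses, domains and the script path in it are made up. It counts the queue, summarises it by sender domain (including the empty `<>` bounce sender, which `exiqsumm` reports separately), lists the unfrozen or frozen IDs for one sender domain the way `exiqgrep -x`/`-z -i -f` does, and pulls the script path out of the X-PHP-Script header. Step 7 and the `exim -Mrm` removal are deliberately left out because they change live state.

```shell
#!/bin/sh
# Added example, not from the original post. Offline re-creation of the queue
# triage over CONSTRUCTED samples; on a real server replace the samples with:
#   exim -bpc                    (count queued messages, step 1)
#   exim -bp | exiqsumm -s -c    (summary by sender/recipient domain, step 3)
#   exiqgrep -x -i -f <domain>   (unfrozen ids for a sender, steps 4 and 8)
#   exim -Mvh <id>               (header dump, step 5)

# Constructed `exim -bp` output: age, size, message id, <sender>, then the
# recipient lines. One message is frozen, one is a bounce with a <> sender.
SAMPLE_QUEUE=' 25m  1.3K 1pQeZa-0001bc-Hk <bob@jeevan.org>
          victim1@example.net
          victim2@example.net

 40m  1.2K 1pQeZb-0001bd-Kq <bob@jeevan.org>
          victim3@example.org

  3h  2.1K 1pQeYx-0001aa-Tz <bob@jeevan.org> *** frozen ***
          victim4@example.net

  1h  4.0K 1pQeZc-0001be-Lm <alice@goodmail.test>
          friend@example.com

  2d   900 1pQeXy-0000zz-Rr <>
          bob@jeevan.org
'

# Constructed, abbreviated `exim -Mvh` output for the first message above.
SAMPLE_HEADER='1pQeZa-0001bc-Hk-H
bob 1001 1001
<bob@jeevan.org>
1700000000 0
-ident bob
-received_protocol local
XX
1
victim1@example.net

Received: from bob by mail.jeevan.org with local (Exim 4.96)
X-PHP-Script: www.jeevan.org/wp-content/uploads/2023/mailer.php for 203.0.113.5
From: "Support" <bob@jeevan.org>
Subject: Your account needs attention
'

# A message's first line in `exim -bp` has the id in field 3 and <sender> in
# field 4; recipient lines and blank lines never match this pair of tests.
count_queue() {
    printf '%s\n' "$SAMPLE_QUEUE" | awk '
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ { n++ }
        END { print n + 0 }'
}

# "count domain" per sender domain, highest count first (like exiqsumm -s -c).
summarize_by_sender() {
    printf '%s\n' "$SAMPLE_QUEUE" | awk '
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            addr = substr($4, 2, length($4) - 2)       # strip the < >
            n = split(addr, parts, "@")
            dom = (n == 2) ? parts[2] : "(bounce)"     # <> = null sender
            count[dom]++
        }
        END { for (d in count) print count[d], d }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Message ids whose sender is in domain $1; $2 = all | frozen | unfrozen
# (the -z / -x selection of exiqgrep). Exact domain match, unlike the regex
# that the real exiqgrep -f applies.
ids_for_sender() {
    printf '%s\n' "$SAMPLE_QUEUE" | awk -v dom="$1" -v mode="${2:-all}" '
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
            if (mode == "frozen" && !frozen) next
            if (mode == "unfrozen" && frozen) next
            if (index($4, "@" dom ">") > 0) print $3
        }'
}

# Script path from the X-PHP-Script header of an `exim -Mvh` dump on stdin;
# the trailing " for <ip>" part is dropped.
php_script_from_header() {
    sed -n 's/.*X-PHP-Script:[[:space:]]*//p' | sed 's/ for .*//' | head -n 1
}

# Stand-alone demonstration over the constructed samples.
echo "queued messages: $(count_queue)"
echo "--- by sender domain (count domain) ---"
summarize_by_sender
echo "--- unfrozen ids for jeevan.org (step 8 would pipe these to xargs exim -Mrm) ---"
ids_for_sender jeevan.org unfrozen
echo "--- script named in the header of 1pQeZa-0001bc-Hk ---"
printf '%s\n' "$SAMPLE_HEADER" | php_script_from_header
```

On a live server the only change is to feed the real `exim -bp` and `exim -Mvh <id>` output into the same functions instead of the samples; listing the IDs first and only then piping them to `xargs exim -Mrm`, as step 8 does, keeps an accidental wrong domain from emptying the whole queue.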