Find spammer scripts in Exim – useful commands

Had a customer the other day and he asked me to clear spammers on his server. Some of these commands came in handy:


1. To check the number of emails present in the queue:

# exim -bpc

2. To check the emails present in the queue with the mail id and sender ID:

# exim -bp
# exim -bp | less

3. To view the header of a particular email using mail ID:

# exim -MvH mail_id

4. To view the body of a particular email using mail ID:

# exim -Mvb mail_id

5. To view a message’s logs:

# exim -Mvl mail_id

6. To trace the delivery path Exim would take for an address (debug output):

# exim -d -bt user@domain.com

7. To get a sorted list of senders in the Exim queue (most frequent last):

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort | uniq -c | sort -n

8. To find the working directories (cwd=) from which mail is being handed to Exim, which usually points at the spamming script:

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
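The cwd= pipeline above, rewritten as an added example (not code from the original post) that ranks every injecting directory and singles out the ones under a web document root, since a compromised PHP mailer normally runs from there rather than from system paths such as /etc/csf. It reads a constructed log sample in exim_mainlog format instead of the real /var/log/exim_mainlog; the /home/user/public_html/templates directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: rank the working directories
# (the cwd= field) from which mail was handed to Exim. It reads a constructed
# sample instead of the real /var/log/exim_mainlog; point it at the real log
# to use it on a server.

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed log lines in exim_mainlog format. The cwd=/etc/csf lines have the
# shape seen in the post; the /home/user/... directory is an assumption.
cat > "$SAMPLE_LOG" <<'EOF'
2008-11-09 04:25:10 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2008-11-09 04:25:10 cwd=/etc/csf 4 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -bpc
2008-11-09 04:26:01 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2008-11-09 04:26:02 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2008-11-09 04:26:03 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2008-11-09 04:26:04 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2008-11-09 04:27:00 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -t -i
2008-11-09 04:30:10 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
EOF

# count_cwd LOGFILE: one "<count> <directory>" line per distinct cwd=,
# least frequent first (the same shape as the sort | uniq -c | sort -n pipeline).
count_cwd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=/) { d = substr($i, 5); n[d]++ }
    } END { for (d in n) print n[d], d }' "$1" | sort -n
}

# top_cwd LOGFILE: the single busiest injecting directory.
top_cwd() {
    count_cwd "$1" | tail -n 1 | awk '{print $2}'
}

# web_cwd LOGFILE: only directories under a public_html tree, since a
# compromised PHP mailer usually runs from the web root rather than from
# system paths such as /etc/csf or the cron spool.
web_cwd() {
    count_cwd "$1" | awk '$2 ~ /\/public_html\//'
}

# distinct_cwd LOGFILE: how many different directories injected mail.
distinct_cwd() {
    count_cwd "$1" | awk 'END { print NR }'
}

count_cwd "$SAMPLE_LOG"
echo "busiest: $(top_cwd "$SAMPLE_LOG")"
echo "under public_html:"
web_cwd "$SAMPLE_LOG"
```

On a live server replace SAMPLE_LOG with /var/log/exim_mainlog; the directory that web_cwd reports with the highest count is the one to inspect with the ps command in the next step.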

9. To pin down the exact spamming script, look at the processes (with their environment) running from the directory found in the previous step:

# ps auxwwwe | grep user | grep --color=always "/home/user/public_html/templates/" | head

10. To delete the emails of a specific user:

# grep -lr 'user@domain.com' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

# exim -bp | grep "user_email-account" | awk '{print $3}' | xargs exim -Mrm

11. To delete Frozen emails from the email queue:

# grep -R -l -F '*** Frozen' /var/spool/exim/msglog/* | xargs -n1 basename | xargs exim -Mrm
# exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm
# exiqgrep -z -i | xargs exim -Mrm
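The exim -bp pipelines in items 7, 10 and 11 above all pull the message ID out of the queue listing. This added example (not code from the original post) does the same thing but reads the ID only from the header line of each message, the line whose fourth field is the bracketed envelope sender, so that a grep hit on a recipient line never yields an empty ID. It runs on a constructed queue listing; the addresses and message IDs are made up, and the remove_ids helper only prints the exim -Mrm command while DRY_RUN is set.

```shell
#!/bin/sh
# Added example, not from the original post: parse `exim -bp` output, taking
# the message ID only from each message's header line (fourth field is the
# <sender>), so a recipient line matching the search never produces an empty
# ID. Runs on a constructed queue listing; senders and IDs are made up.

QUEUE="${TMPDIR:-/tmp}/exim_queue.sample.$$"
trap 'rm -f "$QUEUE"' EXIT
DRY_RUN="${DRY_RUN-1}"   # set DRY_RUN= (empty) to really call exim -Mrm

# Constructed `exim -bp` listing: age, size, message ID, <sender>, optional
# "*** frozen ***" marker, then one indented line per recipient.
cat > "$QUEUE" <<'EOF'
 25m  2.8K 1KtBSU-0004W7-Ka <spammer@domain.com>
          victim1@example.org
          victim2@example.net

 26m  2.9K 1KtBSV-0004W8-Lb <spammer@domain.com>
          victim3@example.org

  3h   12K 1KtBQz-0004Vx-Mc <user@domain.com> *** frozen ***
          spammer@domain.com

  4h  1.1K 1KtBPy-0004Vw-Nd <>
          user@domain.com
EOF

# headers QUEUEFILE: header lines only; the fourth field is the envelope sender
headers() { awk '$4 ~ /^<.*>$/' "$1"; }

# senders_by_count QUEUEFILE: "<count> <sender>", busiest last (item 7 above).
senders_by_count() {
    headers "$1" | awk '{print $4}' | sort | uniq -c | sort -n
}

# ids_for_sender QUEUEFILE ADDRESS: IDs whose envelope sender is ADDRESS
# (pass an empty ADDRESS for bounces, which have the empty sender <>).
ids_for_sender() {
    headers "$1" | awk -v who="<$2>" '$4 == who {print $3}'
}

# frozen_ids QUEUEFILE: IDs marked frozen (the -bp equivalent of exiqgrep -z -i).
frozen_ids() {
    headers "$1" | awk '/\*\*\* frozen \*\*\*/ {print $3}'
}

# remove_ids: read IDs on stdin and hand them to exim -Mrm, or only show the
# command while DRY_RUN is non-empty.
remove_ids() {
    if [ -n "$DRY_RUN" ]; then
        sed 's/^/would run: exim -Mrm /'
    else
        xargs -r exim -Mrm
    fi
}

echo "senders:"
senders_by_count "$QUEUE"
echo "spammer's messages:"
ids_for_sender "$QUEUE" spammer@domain.com | remove_ids
echo "frozen:"
frozen_ids "$QUEUE" | remove_ids
```

On a server, feed it the live listing with `exim -bp > queue.txt` and review the dry-run output before clearing DRY_RUN, since exim -Mrm discards messages with no way back.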

12.  To delete Spam emails from the email queue:

# grep -R -l -F '[SPAM]' /var/spool/exim/msglog/* | xargs -n1 basename | xargs exim -Mrm

13. To check the number of frozen mails:

# exiqgrep -z -c

14. To check exim logs:

# tail -f /var/log/exim_mainlog

Lowest Number MX Record Points to Local Host Rejected RCPT Error

Last night I received a mail report from one of the servers, saying that one of the domains had been removed from the MailScanner db. I was a little bit skeptical, as I would never remove that domain from the server. Hopefully it was an error that will not repeat.

Anyway, the whole point here is that I got the following error showing up in my queues:

2008-11-09 04:20:53 H=mx175.activesoft.ro [194.88.148.175] Warning: Sender rate 2.2 / 1h
2008-11-09 04:20:53 lowest numbered MX record points to local host: bioget.com (while verifying <admin@bioget.com> from host mx175.activesoft.ro [194.88.148$
2008-11-09 04:20:53 H=mx175.activesoft.ro [194.88.148.175] F=<newsletter@comunicatemedia.ro> temporarily rejected RCPT <admin@bioget.com>: lowest numbered M$
2008-11-09 04:25:10 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2008-11-09 04:25:10 cwd=/etc/csf 4 args: /usr/sbin/exim -C /etc/exim_outgoing.conf -bpc
2008-11-09 04:25:54 H=mx175.activesoft.ro [194.88.148.175] Warning: Sender rate 3.0 / 1h
2008-11-09 04:25:54 lowest numbered MX record points to local host: bioget.com (while verifying <admin@bioget.com> from host mx175.activesoft.ro [194.88.148$
2008-11-09 04:25:54 H=mx175.activesoft.ro [194.88.148.175] F=<newsletter@comunicatemedia.ro> temporarily rejected RCPT <admin@bioget.com>: lowest numbered M$
2008-11-09 04:30:10 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc

Anyway, this issue has a quick fix:

pico /etc/localdomains

add the domain

restart exim / mailscanner

All should be working now.

Later edit: if you’re using the ConfigServer MailScanner package, then you also have to update the db, by using:

perl /usr/mscpanel/mscpanel.pl
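The checks behind the fix above, scripted as an added example (not code from the original post or from ConfigServer): given the domain's MX records in `dig +short MX` form (priority, then host) and this server's hostname, it tells whether the lowest-numbered MX points at the local host and, if so, adds the domain to the localdomains file exactly once. The server name, the MX records and the file paths are constructed for the demo; on a real system the file is /etc/localdomains and the restart of exim / mailscanner still has to follow.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a domain whose
# lowest-numbered MX is this server must be listed in /etc/localdomains, and
# add it idempotently. Paths, hostnames and MX records below are constructed.

WORK="${TMPDIR:-/tmp}/localdomains.demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

LOCALDOMAINS="$WORK/localdomains"      # stands in for /etc/localdomains
MXLIST="$WORK/bioget.mx"               # stands in for `dig +short MX bioget.com`
LOCALHOST_NAME="server.example.net"    # constructed name of this mail server

printf 'otherdomain.example\n' > "$LOCALDOMAINS"
cat > "$MXLIST" <<'EOF'
20 backup.example.net.
10 server.example.net.
EOF

# lowest_mx MXFILE: hostname of the lowest-numbered (most preferred) MX,
# with the trailing dot of DNS output removed.
lowest_mx() {
    sort -n "$1" | head -n 1 | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# mx_is_local MXFILE HOSTNAME: true when that MX is this server.
mx_is_local() {
    [ "$(lowest_mx "$1")" = "$2" ]
}

# in_localdomains FILE DOMAIN: true when the domain is already listed.
in_localdomains() {
    grep -qxF "$2" "$1"
}

# add_localdomain FILE DOMAIN: append the domain once; never duplicates.
add_localdomain() {
    in_localdomains "$1" "$2" || printf '%s\n' "$2" >> "$1"
}

# fix_if_needed LOCALDOMAINS MXFILE DOMAIN HOSTNAME prints one of:
#   added   - MX is local and the domain was appended (restart exim/mailscanner)
#   present - MX is local and the domain was already listed
#   remote  - lowest MX is another host, so localdomains is not the issue
fix_if_needed() {
    if ! mx_is_local "$2" "$4"; then
        echo remote
    elif in_localdomains "$1" "$3"; then
        echo present
    else
        add_localdomain "$1" "$3"
        echo added
    fi
}

echo "lowest MX for bioget.com: $(lowest_mx "$MXLIST")"
echo "first run:  $(fix_if_needed "$LOCALDOMAINS" "$MXLIST" bioget.com "$LOCALHOST_NAME")"
echo "second run: $(fix_if_needed "$LOCALDOMAINS" "$MXLIST" bioget.com "$LOCALHOST_NAME")"
cat "$LOCALDOMAINS"
```

The "remote" outcome is the useful negative: if the lowest MX is some other host, Exim's complaint has a different cause and editing localdomains will not help.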