Top 5 users sending maximum emails
grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'
Top 5 mail receivers:
egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'
Script to check path for the script used for spamming
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1 awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
If there is large number of hits from an IP,block the IP
tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c
Following command will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
Following command will show path to the script being utilized to send mail
ps -C exim -fH eww ps -C exim -fH eww | grep home cd /var/spool/exim/input/ egrep "X-PHP-Script" * -R
Command to delete frozen mails
exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm
If anyone is spamming from /tmp
tail -f /var/log/exim_mainlog | grep /tmp
To display the IP and no of tries done the IP to send mail but rejected by the server.
tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F[ '{print $2} '|awk -F] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5
Shows the connections from a certain ip to the SMTP server
netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1
To shows the domain name and the no of emails in queue
exim -bp | exiqsumm | more
If spamming from outside domain then you can block that domain or email id on the server
pico /etc/antivirus.exim
Add the following lines:
if $header_from: contains “name@domain.com” then seen finish endif
Catching spammer
Check mail stats
exim -bp | exiqsumm | more
Check if any php script is causing the mass mailing with
cd /var/spool/exim/inputegrep “X-PHP-Script” * -R
Just cat the ID that you get and you will be able to check which script is here causing problem for you.
To Remove particular email account email
exim -bpr |grep “test.org”|awk {‘print $3′}|xargs exim -Mrm