<!DOCTYPE html>
<html>
<head>
</head>
<body>
<h3>Top 5 users sending the most emails</h3>
<pre>grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'</pre>
<h3><span style="text-decoration: underline;">Top 5 mail receivers:</span></h3>
<pre>egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'</pre>
<h3>Commands to find the path of the script used for spamming</h3>
<pre><a name="more"></a>awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1</pre>
<div>If there is a large number of hits from a single IP, block that IP.</div>
<pre>tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c</pre>
<div>
<div><strong>The following command shows, for each email address, the exact number of emails currently in the mail queue from or to that address.</strong></div>
<blockquote>
<pre>exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n</pre>
</blockquote>
<div>This shows the number of emails currently in the mail queue for or from each domain.</div>
<pre>exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | sort | uniq -c | sort -n</pre>
</div>
<div><strong>The following commands show the path to the script being used to send mail</strong></div>
<pre>ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R</pre>
<div><strong>Command to delete frozen mails</strong></div>
<pre>exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm</pre>
<div><strong>To check whether anyone is spamming from /tmp</strong></div>
<pre>tail -f /var/log/exim_mainlog | grep /tmp</pre>
<div><strong>To display each IP and the number of attempts it made to send mail that were rejected by the server</strong></div>
<pre>tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F[ '{print $2} '|awk -F] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5</pre>
<div><strong>To show the connections to the SMTP server, counted per source IP</strong></div>
<pre>netstat -plan|grep :25|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1</pre>
<div><strong>To show each domain name and the number of emails in the queue</strong></div>
<pre>exim -bp | exiqsumm | more</pre>
<div><strong>If the spam comes from an outside domain, you can block that domain or email address on the server</strong></div>
<pre>pico /etc/antivirus.exim</pre>
<div>Add the following lines:</div>
<blockquote>
<pre>if $header_from: contains "name@domain.com"
then
  seen finish
endif</pre>
</blockquote>
<h2>Catching a spammer</h2>
<div><strong>Check mail stats</strong></div>
<blockquote>
<pre>exim -bp | exiqsumm | more</pre>
</blockquote>
<div><strong>Check whether any PHP script is causing the mass mailing with</strong></div>
<blockquote>
<pre>cd /var/spool/exim/input
egrep "X-PHP-Script" * -R</pre>
</blockquote>
<div><strong>Just cat the ID that you get and you will be able to check which script is causing the problem.</strong></div>
<div><strong>To remove the mail of a particular email account</strong></div>
<blockquote>
<pre>exim -bpr |grep "test.org"|awk '{print $3}'|xargs exim -Mrm</pre>
</blockquote>
</body>
</html>
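As an added example (not part of the original page), the script below performs the cwd count from the spamming-script section but locates the cwd= token by name rather than by field position, which is why the page needs both a $3 and a $4 variant. The function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# Exim writes "cwd=<dir> N args: ..." lines when command arguments are logged.
# If a [pid] field is also logged, cwd= moves from field 3 to field 4, so the
# token is searched for by name instead of by position.

# Print "count directory" for every cwd= under /home, most frequent first.
# Reads the files given as arguments, or stdin when none are given.
cwd_counts() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=\/home\//) { n[substr($i, 5)]++; break }
    }
    END { for (d in n) print n[d], d }' "$@" | sort -k1,1nr -k2,2
}

# Print only the directories seen at least MIN times: cwd_over MIN [FILE...]
cwd_over() {
    min=$1; shift
    cwd_counts "$@" | awk -v min="$min" '$1 >= min { print $2 }'
}

# Constructed sample log lines (hypothetical users alice and bob).
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 [4321] cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 10:00:06 1abcde-000001-AB <= alice@example.com U=alice P=local S=512
EOF
}

# With a file argument, summarise that log; otherwise use the sample.
if [ $# -gt 0 ]; then
    cwd_counts "$1"
else
    sample_log | cwd_counts
fi
```

Run it as `sh script.sh /var/log/exim_mainlog` to get the per-directory counts for a real log; a directory that dominates the list is the place to look for the mailing script.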