In this article I’m going to review how you can locate possible spam activity by subject on your VPS (Virtual Private Server) or dedicated server using the Exim mail log.
If you’ve read my previous article on how to find email accounts being used to spam, you should already know how to track down spam activity by looking for email accounts that send out mail from multiple IP addresses. Now we’re going to cover finding spam activity by looking at duplicate subjects that are happening on your server.
To be able to follow along with this guide you’ll need to already have root access to your VPS or dedicated server so that you have access to the Exim mail log.
Locate duplicate subjects in Exim mail log
Use the steps below:
- Login to your server via SSH as the root user.
- Run the following command to locate duplicate subjects from your Exim mail log:
awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog | cut -d'"' -f1 | sort | uniq -c | sort -n
Code breakdown:
awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog
Use the awk command with the field separator (-F) set to T=" and select only the lines for messages Exim received for sending, which the log marks with <=; then print the second field ($2), which begins with the subject of the message.
cut -d'"' -f1
Use the cut command with the delimiter (-d) set to a double quote " and return the first field, which is everything before the first double quote. This leaves us with only the subjects and nothing else.
sort | uniq -c | sort -n
Sort the subjects by name, count each unique subject, and finally sort the results numerically from lowest to highest.
You should get back something that looks like this:
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally
So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.
- Now we can search to see what user has been sending out this possible spam message with the following command:
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n
Code breakdown:
grep "Melt Fat Naturally" /var/log/exim_mainlog
Use the grep command to search for our subject in the Exim mail log.
awk '{print $6}'
Use the awk command to print out the sixth column of data ($6), which is the sending email account.
sort | uniq -c | sort -n
Sort the email accounts by name, count each unique account, and finally sort the results numerically from lowest to highest.
You should end up with some results like this:
1 [email protected]
1762 [email protected]
So in this case we can see that the [email protected] account was used to relay this spam message.
- You can now locate all of the IP addresses the [email protected] account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you. Use the following command to find all the IP addresses the account has been relaying mail with:
grep "<= [email protected]" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o '\[[0-9.]*\]' | sort -n | uniq -c | sort -n
Code breakdown:
grep "<= [email protected]" /var/log/exim_mainlog
Use the grep command to find messages received from the [email protected] account.
grep "Melt Fat Naturally"
Use grep again to only show messages with the subject we're looking for.
grep -o '\[[0-9.]*\]'
Use grep one last time with the only-matching flag (-o) to pull just the bracketed IP address out of each Exim log line.
sort -n | uniq -c | sort -n
Sort all of the IP addresses numerically, count each unique address, and finally sort them numerically again from the fewest to the most duplicates.
You should get back something like this:
1762 [123.123.123.123]
So we can see that all 1,763 messages the [email protected] user sent out came from the same 123.123.123.123 IP address.
- Now we can go ahead and block this IP address at the server's firewall by running the following command:
apf -d 123.123.123.123 "Sending weight loss spam from [email protected]"
- It is also recommended to change the password in cPanel for the email account being used to send this spam; otherwise the spammer could come back from another computer with a different IP address and still attempt to relay spam out through your account.
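The three steps above combined into one script, as an added example that is not part of the original article. It runs against a small constructed Exim mainlog excerpt embedded in the script (addresses and IPs are documentation values, not real traffic); on a live server you would replace SAMPLE_LOG with the contents of /var/log/exim_mainlog. The sender is taken as the token following <= rather than a fixed awk column, which also handles local submissions (P=local) that log no IP address.

```shell
#!/bin/sh
# Added example (not the article's own code): the article's three pipelines as
# functions, run over a constructed mainlog excerpt. Sender is parsed as the
# token after "<=" so P=local arrival lines (no [ip]) are handled too.

# Constructed sample log, not real traffic. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG='2024-05-01 08:00:01 1s0aaa-000001-AA <= alice@example.com H=(pc) [192.0.2.10] P=esmtpsa A=dovecot_login:alice@example.com S=812 T="Out of Office" from <alice@example.com> for bob@example.net
2024-05-01 08:00:02 1s0aaa-000002-AB <= promo@example.com H=(x) [203.0.113.5] P=esmtpsa A=dovecot_login:promo@example.com S=3100 T="Melt Fat Naturally" from <promo@example.com> for u1@example.org
2024-05-01 08:00:03 1s0aaa-000003-AC <= promo@example.com H=(x) [203.0.113.5] P=esmtpsa A=dovecot_login:promo@example.com S=3100 T="Melt Fat Naturally" from <promo@example.com> for u2@example.org
2024-05-01 08:00:04 1s0aaa-000004-AD <= promo@example.com H=(y) [203.0.113.77] P=esmtpsa A=dovecot_login:promo@example.com S=3100 T="Melt Fat Naturally" from <promo@example.com> for u3@example.org
2024-05-01 08:00:05 1s0aaa-000005-AE <= carol@example.com U=carol P=local S=640 T="Melt Fat Naturally" from <carol@example.com> for u4@example.org
2024-05-01 08:00:06 1s0aaa-000002-AB => u1@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.2]
2024-05-01 08:00:07 1s0aaa-000006-AF <= alice@example.com H=(pc) [192.0.2.10] P=esmtpsa A=dovecot_login:alice@example.com S=812 T="Out of Office" from <alice@example.com> for dave@example.net'

# Step 1: count arrival (<=) lines per subject; delivery (=>) lines are skipped.
# Output is "count subject", least frequent first, like the article's pipeline.
subject_counts() {
    printf '%s\n' "$SAMPLE_LOG" | awk -F'T="' '/<=/ {print $2}' | cut -d'"' -f1 \
        | sort | uniq -c | sort -n
}

# The most duplicated subject: last line of subject_counts with the count removed.
top_subject() {
    subject_counts | tail -n 1 | sed 's/^ *[0-9]* //'
}

# Step 2: which accounts sent a given subject, with counts (sender = token after "<=").
senders_for_subject() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F "T=\"$1\"" \
        | sed -n 's/.*<= \([^ ]*\).*/\1/p' | sort | uniq -c | sort -n
}

# Step 3: source IPs for one sender and subject. A sender that only submitted
# locally (P=local) has no bracketed IP in the log, so this prints nothing for it.
ips_for_sender_subject() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F "<= $1 " | grep -F "T=\"$2\"" \
        | grep -o '\[[0-9.]*\]' | sort | uniq -c | sort -n
}

# Walk the three steps for the busiest subject, as the article does by hand.
investigate() {
    subj=$(top_subject)
    echo "Top subject: $subj"
    for s in $(senders_for_subject "$subj" | awk '{print $2}'); do
        echo "IPs for $s:"; ips_for_sender_subject "$s" "$subj"
    done
}
investigate
```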
You should now know how to use the Exim mail log on your VPS or dedicated server to track down duplicate subjects being sent out from your server, and how to use that information to identify the responsible user and IP address in case they are spamming and need to be stopped.
I found 127.0.0.1 is the highest IP that sends email spam. How about that?
127.0.0.1 is considered the loopback address for your server or computer. This means it is most likely your server that is sending out the spam. I recommend checking any mail scripts or mailing plugins you may be using to see if it is originating from there. Your mail logs can provide further evidence of the origin of these emails.
Thank you,
John-Paul
Hi Jacob – thanks for the logging hints. I’ve not seen the log_selector before…. if only I’d known about that years ago… !! 🙂
What do you do when one of the IPs belong to your server…?
If you let us know, we can look into it further. What IP address is it?
Instead of [email protected] I am seeing just the username test01. How do I tailor the command to include only the username test01 without the @example.com?
Using the above example you can try adding the following:
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | cut -d@ -f1 | sort | uniq -c | sort -n
Exim doesn’t always log the subject in /var/log/exim4/mainlog. I’d suggest you just grep through /var/spool/exim4/input/* looking for whatever and pipe that through to exim -Mrm …..
Hello David,
Thanks for the great tip! That would be a good way of looking at the live Exim queue for any possible spam, although not quite as effective for tracking down extended spamming issues.
All of our Exim logs always contain the subjects and you can set this up on your servers as well by adding this to your /etc/exim.conf file:
Or you could just log everything as well with:
You can read more about all the things you can enable in Exim logs in this reducing or increasing what is logged in Exim guide.
– Jacob