In this article I'm going to show you how to find email forwarders or autoresponders that your users have set up on your VPS (Virtual Private Server) or dedicated server.
This is good information to know, as the sending reputation of your server's IP address can be affected by the mailing activity of your users. It's very common for a user to simply forward all of their email to another service such as AOL or Yahoo. If they are sending too much mail to these services, or forwarding mail with the characteristics of spam, it can begin to delay delivery to those services for the other users on your server.
Also, in some cases autoresponders can be used for spamming purposes. For instance, a spammer can forge the From address of a message they send to you with the email address of the user they would like to spam, and your autoresponder will then reply to that forged address. So knowing how to find excessive amounts of autoresponder replies can also help protect your server's mail IP address reputation.
Please note that in order to follow along with the steps below, you’ll need to have root access on either your VPS or dedicated server so that you have access to the Exim mail log.
Find users with the most email forwarders or autoresponders
Using the steps below I’ll walk you through finding which users on your server have the largest amount of either email forwarders or autoresponders getting sent out.
- Login to your server via SSH as the root user.
- Run the following command to get the highest count of email forwarders or autoresponders:
grep "=> .*@.*@.*" /var/log/exim_mainlog | awk '{print $6,$5}' | sort | uniq -c | sort -n
Code breakdown:

grep "=> .*@.*@.*" /var/log/exim_mainlog
Locate lines in the Exim mail log that indicate the message is not a normal delivery, and is either being forwarded or handled by an autoresponder.

awk '{print $6,$5}'
Use the awk command to print the 6th column, which is the local email account, followed by the 5th column, which is the forwarding destination or the autoresponder.

sort | uniq -c | sort -n
Sort the users, count each unique entry, and finally sort them from lowest to highest.

You should get back something that looks like this:
1468 <[email protected]> [email protected]
1499 <[email protected]> [email protected]
1554 <[email protected]> [email protected]
2479 [email protected] |/usr/local/cpanel/bin/autorespond

In this case, we can see that the [email protected] user has had about 2,479 autoresponder messages, and the [email protected] user had 1,554 emails forwarded off to [email protected].
Now if you see that a particular mail forwarder is being used excessively, you might want to consider disabling it. A better option would be to check the [email protected] account directly, instead of having it forward all of its mail to [email protected]. This way you're not flooding AOL with a large volume of messages sent automatically from your server, which could lead to AOL rate-limiting or even blacklisting the other users on your server who mail AOL users.
- If, as in our case, you notice that one user like [email protected] has a large number of autoresponder replies going out, you can check which email addresses sending into the account are causing them. Run the following command to get a log of just that user's mail activity:
grep [email protected] /var/log/exim_mainlog > EMAIL_LOG
After you’ve got that email user’s activity saved to the EMAIL_LOG file, use the following command to parse each message ID for that user to determine what address originally sent the message that triggered the autoresponder:
for eximID in `awk '/autorespond/ {print $3}' EMAIL_LOG`; do grep $eximID EMAIL_LOG |
awk '/<=/ {print $5}'; done | sort | uniq -c | sort -n
Code breakdown:

for eximID in `awk '/autorespond/ {print $3}' EMAIL_LOG`;
Start a bash for loop. The variable eximID is set from the lines of EMAIL_LOG that the awk command has filtered to those containing the word autorespond, printing the 3rd column, which is the Exim message ID. This loop will read through each matching line in our EMAIL_LOG file.

do grep $eximID EMAIL_LOG
Locate all lines in our EMAIL_LOG file that carry the Exim message ID held in the $eximID variable.

awk '/<=/ {print $5}'
Use the awk command to look for incoming deliveries, indicated by <=, then print the 5th column, which is the email address of the sender of that message.

; done | sort | uniq -c | sort -n
Completes our for loop with the done command, then takes all of the output, sorts it by email address, counts each unique address, and sorts the result from lowest to highest.

You should get back something that looks like this:
10 [email protected]
25 [email protected]
28 [email protected]
2211 [email protected]

So in this case we can clearly see that [email protected] sent 2,211 messages into the [email protected] account, causing an excessive amount of autoresponder replies.
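To show both pipelines above end to end, here is an added example (not code from the original article) that wraps the forwarder count from step 2 and the autoresponder sender lookup from step 3 in shell functions and runs them against a small constructed exim_mainlog sample. The addresses, message IDs and timestamps are made up; on a real cPanel server you would point the functions at /var/log/exim_mainlog as root.

```shell
#!/bin/sh
# Added example, not from the original article: the article's two Exim log
# pipelines as functions, run over a constructed sample log. Real log is
# /var/log/exim_mainlog. All addresses and message IDs below are made up.
set -eu

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
# The "for <recipient>" field on "<=" lines (Exim's received_recipients log
# selector) is what lets a grep on the user's address also catch the incoming
# message, not just the autoresponder delivery line.
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-15 10:00:01 1rH7xk-0001aB-2C <= sender1@example.net H=mx.example.net [192.0.2.10] S=1200 for bob@example.com
2024-01-15 10:00:01 1rH7xk-0001aB-2C => bob@example.org <bob@example.com> R=virtual_aliases T=remote_smtp
2024-01-15 10:00:05 1rH7xo-0001aF-3D <= sender2@example.net H=mx.example.net [192.0.2.11] S=900 for bob@example.com
2024-01-15 10:00:05 1rH7xo-0001aF-3D => bob@example.org <bob@example.com> R=virtual_aliases T=remote_smtp
2024-01-15 10:01:00 1rH7yk-0001bB-4E <= bulk@example.net H=mx.example.net [192.0.2.12] S=3000 for alice@example.com
2024-01-15 10:01:00 1rH7yk-0001bB-4E => |/usr/local/cpanel/bin/autorespond alice@example.com /home/alice/.autorespond <alice@example.com> R=virtual_user_filter T=address_pipe
2024-01-15 10:02:00 1rH7zk-0001cB-5F <= bulk@example.net H=mx.example.net [192.0.2.12] S=3100 for alice@example.com
2024-01-15 10:02:00 1rH7zk-0001cB-5F => |/usr/local/cpanel/bin/autorespond alice@example.com /home/alice/.autorespond <alice@example.com> R=virtual_user_filter T=address_pipe
2024-01-15 10:03:00 1rH80k-0001dB-6G <= friend@example.net H=mx.example.net [192.0.2.13] S=800 for alice@example.com
2024-01-15 10:03:00 1rH80k-0001dB-6G => |/usr/local/cpanel/bin/autorespond alice@example.com /home/alice/.autorespond <alice@example.com> R=virtual_user_filter T=address_pipe
2024-01-15 10:04:00 1rH81k-0001eB-7H <= someone@example.net H=mx.example.net [192.0.2.14] S=700 for carol@example.com
2024-01-15 10:04:00 1rH81k-0001eB-7H => carol <carol@example.com> R=virtual_user T=dovecot_virtual_delivery
EOF

# Step 2: count forwarder/autoresponder deliveries per local account.
# A normal local delivery (one "@" on the line, like carol's) does not match.
count_forwarders() {
    grep "=> .*@.*@.*" "$1" | awk '{print $6,$5}' | sort | uniq -c | sort -n
}

# Step 3: for one account, list the senders whose messages triggered its
# autoresponder, using a per-user EMAIL_LOG extract exactly as the article does.
autoresponder_senders() {
    log="$1"; user="$2"; tmp="${TMPDIR:-/tmp}/EMAIL_LOG.$$"
    grep "$user" "$log" > "$tmp"
    for eximID in $(awk '/autorespond/ {print $3}' "$tmp"); do
        grep "$eximID" "$tmp" | awk '/<=/ {print $5}'
    done | sort | uniq -c | sort -n
    rm -f "$tmp"
}

count_forwarders "$SAMPLE_LOG"
autoresponder_senders "$SAMPLE_LOG" alice@example.com
```

On the sample, the first function reports 2 forwards for bob's account and 3 autoresponder deliveries for alice's, and the second shows bulk@example.net as the sender behind two of alice's three replies.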
Now that you’ve looked at this data, you’ll want to go ahead and remove the EMAIL_LOG file we created with the following command:
rm -rf EMAIL_LOG
You should now understand how to use the Exim mail log to track down users that are using excessive amounts of email forwarders or autoresponders.