Locate spam activity by subject with Exim

In this article I’m going to review how you can locate possible spam activity by subject on your VPS (Virtual Private Server) or dedicated server using the Exim mail log.

If you’ve read my previous article on how to find email accounts being used to spam, you should already know how to track down spam activity by looking for email accounts that send out mail from multiple IP addresses. Now we’re going to cover finding spam activity by looking at duplicate subjects that are happening on your server.

To be able to follow along with this guide you’ll need to already have root access to your VPS or dedicated server so that you have access to the Exim mail log.

Locate duplicate subjects in Exim mail log

Using the steps below

  1. Login to your server via SSH as the root user.
  2. Run the following command to locate duplicate subjects from your Exim mail log:

    awk -F"T="" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d" -f1 | sort | uniq -c | sort -n
    Code breakdown:

    awk -F”T=”” ‘/<=/ {print $2}’ /var/log/exim_mainlogUse the awk command with the -Field seperator set to T=” and looking for deliveries leaving the server noted by <=, then print out the $2nd set of data which is the subject of the message.
    cut -d” -f1Use the cut command with the -delimiter set to double quotes and return the -field of data before the 1st ocurrence. This makes it so we only get back the subjects and nothing else.
    sort | uniq -c | sort -nSort the subjects by name, then uniquely count them up, and finally sort them again numerically from lowest to highest.

    You should get back something that looks like this:

    285 Out of Office
    303 [Forum reply] Please moderate
    578 New Account
    1764 Melt Fat Naturally

    So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.

  3. Now we can search to see what user has been sending out this possible spam message with the following command:

    grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n
    Code breakdown:

    grep “Melt Fat Naturally” /var/log/exim_mainlogUse the grep command to search for our subject in the Exim mail log.
    awk ‘{print $6}’Use the awk command to print out the $6th column of data which is the sending email account.
    sort | uniq -c | sort -nSort the email accounts by name, then uniquely count them, and finally sort them again numerically from lowest to highest.

    You should end up with some results like this:

    1 [email protected]
    1762 [email protected]

    So in this case we can see that it looks like the [email protected] account was used to relay this spam message.

  4. You can now locate all of the IP addresses the [email protected] account has been sending mail from, and possibly block them at your server’s firewall if the activity looks malicious to you.Use the following command to find all the IP addresses the account has been relaying mail with:

    grep "<= [email protected]" /var/log/exim_mainlog | grep "Melt Fat Naturally" |
    grep -o "[[0-9.]*]" | sort -n | uniq -c | sort -n

    Note: The two lines above should be written as a single line.

    Code breakdown:

    grep “<= [email protected]” /var/log/exim_mainlogUse the grep command to find outgoing messages from the [email protected] account.
    grep “Melt Fat Naturally”Use grep again to only show messages with the subject we’re looking for.
    grep -o “[[0-9.]*]”Use grep one last time with the -only matching flag, to only pull the IP address from the Exim mail log.
    sort -n | uniq -c | sort -nSort all of the IP addresses numerically, then uniquely count them up, and finally sort them numerically again from lowest to highest duplicates.

    You should get back something related to this:

    1762 [123.123.123.123]
    So we can see that all 1,763 messages the [email protected] user sent out, all came from the same 123.123.123.123 IP address.

  5. Now we can go ahead and block this IP address from our server at the server’s firewall by running the following command:

    apf -d 123.123.123.123 "Sending weight loss spam from [email protected]"

  6. It would also be recommended to change the email password in cPanel for the email account being used to send this spam. As otherwise the spammer could possibly come back from another computer with a different IP address and still attempt to relay spam out through your account.

You should now have learned how to use the Exim mail log on your VPS or dedicated server to track down duplicate subjects being sent out from your server. Then using that knowledge how to track down the responsible user and IP address sending those messages in case they were spamming and needed to be stopped.

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

0 thoughts on “Locate spam activity by subject with Exim

    1. 127.0.0.1 is considered the loopback address for your server or computer. This means it is most likely your server that is sending out the spam. I recommend checking any mail scripts, or mailing plugins you may be using to see if it is originating from there. Your mail logs can provide further evidence into the origin these emails.

      Thank you,
      John-Paul

  1. Hi Jacob – thanks for the logging hints. I’ve not seen the log_selector before…. if only I’d known about that years ago… !! 🙂

    1. Using the above example you can try adding the following:

      grep “Melt Fat Naturally” /var/log/exim_mainlog | awk ‘{print $6}’ | cud -d@ -f1 | sort | uniq -c | sort -n

  2. Exim doesn’t always log the subject in /var/log/exim4/mainlog. I’d suggest you just grep through /var/spool/exim4/input/* looking for whatever and pipe that through to exim -Mrm …..

    1. Hello David,

      Thanks for the great tip! That would be a good way of looking at the live Exim queue for any possible spam, although not quite as effective for tracking down extended spamming issues.

      All of our Exim logs always contain the subjects and you can set this up on your servers as well by adding this to your /etc/exim.conf file:

      log_selector = +subject

      Or you could just log everything as well with:

      log_selector = +all

      You can read more about all the things you can enable in Exim logs in this reducing or increasing what is logged in Exim guide.

      – Jacob

Was this article helpful? Join the conversation!

Questions about our MailChannels Deployment? We have answers and are here to help!Learn More
+