Tracing post spamming in Exim

Posted: May 7, 2014 in Uncategorized

If the spam mails are no longer in the queue, we need to look in the logs to find out where the spamming came from. Unless we know what to look for, it is difficult to find the traces of spamming in the logs. In such situations, you can use the following method to work out the details.

1) Use eximstats to get an idea of the mail distribution on the server.

# eximstats exim_mainlog

Two things are important in the output:

a) The date range of the output. For example:

Exim statistics from 2013-11-11 04:39:07 to 2013-11-16 13:29:39

b) Deliveries per hour

Deliveries per hour (each dot is 124 deliveries)
————————————————

00-01 232 .
01-02 155 .
02-03 77
03-04 68
04-05 87
05-06 101
06-07 102
07-08 97
08-09 145 .
09-10 188 .
10-11 175 .
11-12 6183 ………………………………………….
12-13 2505 ………………..
13-14 361 ..
14-15 338 ..
15-16 256 ..
16-17 874 …….
17-18 448 …
18-19 337 ..
19-20 296 ..
20-21 272 ..
21-22 190 .
22-23 242 .
23-24 272 ..

In the output above, you can see a huge spike in deliveries between 11-12 and 12-13 hours (6183 and 2505 deliveries, against a few hundred in the other hours). This is what we need to look into further.

2) Find the day on which these mails were sent from the server.

The date range in the eximstats header tells you which days the log covers. To get the same statistics for a single day, filter the log by date before piping it into eximstats:

# grep 2012-11-12 exim_mainlog|eximstats

In this case, the output I observed was the following:

Deliveries per hour (each dot is 121 deliveries)
————————————————

00-01 206 .
01-02 140 .
02-03 50
03-04 36
04-05 33
05-06 30
06-07 37
07-08 29
08-09 26
09-10 40
10-11 41
11-12 6044 ………………………………………….
12-13 2270 ………………
13-14 166 .
14-15 197 .
15-16 142 .
16-17 684 …..
17-18 256 ..
18-19 119
19-20 72
20-21 58
21-22 6
22-23 71
23-24 5

So the 11-12 hour of this day is what we need to look at in detail.

3) Find the relevant part of the logs.

This is relatively easy, as all that is needed is to grep for the date and the hour:

# grep "2012-11-12 11" exim_mainlog

Sample entries I observed were the following:

2012-11-12 11:01:44 1TXwSG-0002xj-0m <= a@g.com U=a P=local S=1051 T="REMAX November Offer| Exclusive Properties For Sale At Lower Price" for n@a.com
2012-11-12 11:01:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TXwSG-0002xj-0m
2012-11-12 11:01:44 cwd=/home/a/public_html/el.com/wp-content/themes 3 args: /usr/sbin/sendmail -t -i
2012-11-12 11:01:44 1TXwSG-0002xj-0m SMTP connection outbound 1352736104 1TXwSG-0002xj-0m a.com n@g.com

There were thousands of such entries and this server had been blacklisted almost everywhere.

You can also search the logs for the cwd= pattern. These lines show the working directory from which a local process invoked sendmail, so they point at the script that is sending the mail; in the sample above it is a script under a WordPress theme directory in a user's public_html. If you need to find out the volume, however, it is better to use eximstats.
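The three steps above (per-hour delivery counts, narrowing to one day, and attributing the spike to a cwd= directory) can be combined into one small script. The following is an added example written for this page, not the author's tooling and not part of Exim or eximstats; it is a simplified re-implementation of the "Deliveries per hour" table over a constructed sample log. The log lines, message IDs and addresses are made up for the example, and the directory "/home/a/public_html/el.com/wp-content/themes" is reused from the post only as sample data. Note that cwd= lines carry no message ID, so the script counts them per hour alongside the received and delivered messages rather than joining them by ID.

```python
"""Summarise an Exim main log by hour and by the directory local senders ran from.

Added example for this page; assumes the standard mainlog line formats shown in the post
(timestamp, "<id> <= sender" on receipt, "<id> => recipient" on delivery, and
"cwd=<dir> N args: ..." lines from the +arguments log selector).
"""
import re
import sys
from collections import Counter

# Leading "YYYY-MM-DD HH:MM:SS" timestamp of every mainlog line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} (.*)$")
# "<id> <= sender ..." (message received) and "<id> => recipient ..." (delivered).
# "->" (extra recipients) and "**" (failed) lines are deliberately not counted.
MSG_RE = re.compile(r"^(\S+) (<=|=>) (\S+)")
# "cwd=<dir> N args: /usr/sbin/sendmail ..." from the arguments log selector.
CWD_RE = re.compile(r"^cwd=(\S+) \d+ args: (\S+)")


def parse_line(line):
    """Split a log line into (date, hour, rest) or return None if it has no timestamp."""
    m = TS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    date, hour, rest = m.groups()
    return date, int(hour), rest


def summarise(lines, date=None):
    """Return (received, delivered, cwd_by_hour).

    received / delivered map hour -> count; cwd_by_hour maps hour -> Counter of the
    directories sendmail was invoked from. If date is given, only that day is counted
    (the equivalent of the 'grep <date> exim_mainlog | eximstats' step)."""
    received, delivered, cwd_by_hour = Counter(), Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        d, hour, rest = parsed
        if date and d != date:
            continue
        m = MSG_RE.match(rest)
        if m:
            (received if m.group(2) == "<=" else delivered)[hour] += 1
            continue
        m = CWD_RE.match(rest)
        if m and m.group(2).endswith("sendmail"):
            cwd_by_hour.setdefault(hour, Counter())[m.group(1)] += 1
    return received, delivered, cwd_by_hour


def busiest_hour(delivered):
    """Hour with the most deliveries (the spike to investigate), or None if empty."""
    return max(delivered, key=delivered.get) if delivered else None


def top_sender_dirs(cwd_by_hour, hour, n=3):
    """Most common sendmail working directories in the given hour."""
    return cwd_by_hour.get(hour, Counter()).most_common(n)


def histogram(delivered, per_dot=10):
    """Render a table in the style of eximstats' 'Deliveries per hour'."""
    rows = []
    for hour in range(24):
        count = delivered.get(hour, 0)
        rows.append(f"{hour:02d}-{hour + 1:02d} {count:5d} {'.' * (count // per_dot)}")
    return "\n".join(rows)


def _fake_messages(date, hour, count, sender, cwd, start_id=0):
    """Constructed sample log lines: a cwd= line, a receipt and a delivery per message."""
    lines = []
    for i in range(count):
        mid = f"1TXw{start_id + i:05d}-0a"  # constructed, not a real Exim message ID
        ts = f"{date} {hour:02d}:{i % 60:02d}:00"
        lines.append(f"{ts} cwd={cwd} 3 args: /usr/sbin/sendmail -t -i")
        lines.append(f'{ts} {mid} <= {sender} U=a P=local S=1051 T="Offer" for victim{i}@example.net')
        lines.append(f"{ts} {mid} => victim{i}@example.net R=dnslookup T=remote_smtp")
    return lines


# Constructed sample: normal traffic from /home/bob plus a burst from a web script.
SAMPLE_LOG = (
    _fake_messages("2012-11-12", 10, 5, "bob@example.com", "/home/bob")
    + _fake_messages("2012-11-12", 11, 40, "a@g.com",
                     "/home/a/public_html/el.com/wp-content/themes", 100)
    + _fake_messages("2012-11-13", 11, 3, "bob@example.com", "/home/bob", 900)
)

if __name__ == "__main__":
    # Usage: python exim_hours.py [exim_mainlog] [YYYY-MM-DD]; defaults to the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    day = sys.argv[2] if len(sys.argv) > 2 else None
    _, delivered, cwd_by_hour = summarise(lines, day)
    print(histogram(delivered))
    peak = busiest_hour(delivered)
    print(f"busiest hour: {peak}, sendmail cwd in that hour: {top_sender_dirs(cwd_by_hour, peak)}")
```

Run against a real exim_mainlog the script prints the same kind of per-hour table as eximstats, and then names the directories local senders were running from during the peak hour, which is the cwd= value you would otherwise have to pick out of thousands of grep lines by hand.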
