In this article I'm going to show you how to find email forwarders or autoresponders that your users have set up on your VPS (Virtual Private Server) or dedicated server.

This is good information to know, as the sending reputation of your server's IP address can be affected by the mailing activity of your users. It's very typical for a user to simply forward all of their email to another service such as AOL or Yahoo. If they send too much mail to these services, or forward mail with characteristics of spam, it can begin to affect how quickly mail from the other users on your server reaches those services.

Also, in some cases autoresponders can be used for spamming purposes. For instance, a spammer can forge the From address of a message they send to you, using the email address of the user they would like to spam; your autoresponder will then attempt to reply to that forged From address. So knowing how to find excessive amounts of autoresponder replies can also help protect your server's mail IP address reputation.

Please note that in order to follow along with the steps below, you'll need to have root access on either your VPS or dedicated server so that you have access to the Exim mail log.

Find users with the most email forwarders or autoresponders

Using the steps below I'll walk you through finding which users on your server have the largest number of either email forwards or autoresponder replies getting sent out.

  1. Log in to your server via SSH as the root user.
  2. Run the following command to get the highest count of email forwarders or autoresponders:

    grep "=> .*@.*@.*" /var/log/exim_mainlog | awk '{print $6,$5}' | sort | uniq -c | sort -n

    Code breakdown:

    grep "=> .*@.*@.*" /var/log/exim_mainlog
        Locate lines in the Exim mail log that indicate the message is not a normal delivery, and is either being forwarded or handled by an autoresponder. The pattern matches delivery lines (marked =>) that contain two @ signs.
    awk '{print $6,$5}'
        Use the awk command to print the 6th column ($6), which is the local email account, followed by the 5th column ($5), which is the email forward or autoresponder.
    sort | uniq -c | sort -n
        Sort the users, then uniquely count them up, and finally sort them from lowest to highest.

    You should get back something that looks like this:

    1468 <webmaster@example.com> webmaster@gmail.com
    1499 <sales@example.com> sales@yahoo.com
    1554 <info@example.com> info@aol.com
    2479 user@example.com |/usr/local/cpanel/bin/autorespond

    In this case, we can see that the user@example.com user has had about 2,479 autoresponder messages, and the info@example.com user had 1,554 emails forwarded off to info@aol.com.

    Now if you see there is a particular mail forwarder getting excessively used, you might want to consider disabling the forwarder. A better option would be to directly check the email account info@example.com, instead of having it forward all of the mail to the info@aol.com. This way you're not flooding AOL with a lot of messages from your server automatically, possibly leading to them rate-limiting or even blacklisting your other users on the same server from mailing AOL users.

  3. If, as in our case, you notice one user like user@example.com has a ton of autoresponder replies going out, you can check which email addresses are sending into the account and causing all of these.

    Run the following command to get a log of just that user's mail activity:

    grep user@example.com /var/log/exim_mainlog > EMAIL_LOG

    After you've got that email user's activity saved to the EMAIL_LOG file, use the following command to parse each message ID for that user to determine what address originally sent the message that triggered the autoresponder:

    for eximID in `awk '/autorespond/ {print $3}' EMAIL_LOG`; do grep $eximID EMAIL_LOG | awk '/<=/ {print $5}'; done | sort | uniq -c | sort -n

    Code breakdown:

    for eximID in `awk '/autorespond/ {print $3}' EMAIL_LOG`;
        Start a bash for loop. The awk command selects the lines in our EMAIL_LOG file that include the word autorespond and prints the 3rd column ($3), which is the Exim message ID; the eximID variable is set to each of these IDs in turn.
    do grep $eximID EMAIL_LOG
        Locate every line in our EMAIL_LOG file that contains the Exim message ID held in the $eximID variable.
    awk '/<=/ {print $5}'
        Use the awk command to look for incoming deliveries, indicated by <=, then print the 5th column ($5), which is the email address of the user sending the message in.
    ; done | sort | uniq -c | sort -n
        Complete our for loop with the done command, then take all of the data it output, sort it by email address, uniquely count the addresses, and sort them from lowest to highest.

    You should get back something that looks like this:

    10 notification@facebookmail.com
    25 update@facebookmail.com
    28 sales@example.com
    2211 no-reply@example.com

    So in this case we can clearly see that no-reply@example.com sent 2,211 messages into the user@example.com account causing an excessive amount of autoresponder replies.

    Now that you've looked at this data, you'll want to go ahead and remove the EMAIL_LOG file we created with the following command:

    rm -rf EMAIL_LOG

You should now understand how to use the Exim mail log to track down users that are using excessive amounts of email forwarders or autoresponders.
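
As an added example (not part of the original article), the per-account loop in step 3 can be run for every account at once in a single awk pass: it remembers the sender from each message's `<=` line, then counts autoresponder deliveries per local account and triggering sender. The log lines are constructed samples in the field layout the commands above rely on, and the function names and thresholds are illustrative assumptions.

```bash
#!/bin/sh
# Added example: one-pass version of step 3 covering every account at once.

# Constructed sample lines laid out the way the article's commands assume:
# $3 = Exim message ID, $4 = direction, $5 = sender on "<=" lines,
# $6 = local account on autoresponder "=>" lines.
sample_log() {
cat <<'EOF'
2014-04-01 10:00:01 1WUaaa-0001aa-A1 <= no-reply@example.com H=mx.example.com [192.0.2.10] P=esmtp S=2048
2014-04-01 10:00:02 1WUaaa-0001aa-A1 => |/usr/local/cpanel/bin/autorespond user@example.com <user@example.com>
2014-04-01 10:01:01 1WUaaa-0001aa-A2 <= no-reply@example.com H=mx.example.com [192.0.2.10] P=esmtp S=2051
2014-04-01 10:01:02 1WUaaa-0001aa-A2 => |/usr/local/cpanel/bin/autorespond user@example.com <user@example.com>
2014-04-01 10:02:01 1WUaaa-0001aa-A3 <= no-reply@example.com H=mx.example.com [192.0.2.10] P=esmtp S=2049
2014-04-01 10:02:02 1WUaaa-0001aa-A3 => |/usr/local/cpanel/bin/autorespond user@example.com <user@example.com>
2014-04-01 10:03:01 1WUbbb-0002bb-B1 <= update@facebookmail.com H=mx.example.net [192.0.2.20] P=esmtp S=4096
2014-04-01 10:03:02 1WUbbb-0002bb-B1 => |/usr/local/cpanel/bin/autorespond user@example.com <user@example.com>
2014-04-01 10:04:01 1WUccc-0003cc-C1 <= sales@example.com H=mx.example.org [192.0.2.30] P=esmtp S=1024
2014-04-01 10:04:02 1WUccc-0003cc-C1 => info@aol.com <info@example.com> R=dnslookup T=remote_smtp
2014-04-01 10:05:02 1WUddd-0004dd-D1 => |/usr/local/cpanel/bin/autorespond user@example.com <user@example.com>
EOF
}

# Print "count account sender" for each (account, triggering sender) pair.
# Reads the named log file, or stdin when no file is given.
autoresponder_triggers() {
    awk '
        $4 == "<=" { sender[$3] = $5; next }    # remember who sent each message
        $4 == "=>" && /autorespond/ {           # autoresponder delivery line
            # The "<=" line can be missing, e.g. rotated into an older log.
            from = ($3 in sender) ? sender[$3] : "unknown"
            count[$6 " " from]++
        }
        END { for (pair in count) print count[pair], pair }
    ' "$@" | sort -n
}

# Keep only pairs that reached THRESHOLD replies: flag_heavy_triggers N [LOGFILE]
flag_heavy_triggers() {
    threshold=$1; shift
    autoresponder_triggers "$@" | awk -v t="$threshold" '$1 >= t'
}

# Demo on the sample data; on a server, e.g.:
#   flag_heavy_triggers 500 /var/log/exim_mainlog
sample_log | flag_heavy_triggers 3
```

Forwarder deliveries (the `info@aol.com` line) are ignored here because they do not contain `autorespond`; only autoresponder replies are counted.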
