In this article I'll review how you can investigate your VPS (Virtual Private Server) or dedicated server for possible sources of outgoing spam. This helps ensure that your mailing IP's reputation isn't being damaged, which would cause delivery problems for your legitimate users.

If you've read my previous article on 535 incorrect authentication errors you should already know how to track down the IP addresses of malicious users attempting to log in to your email accounts so that they can relay spam through them. However, if someone has successfully obtained the password for one of your email accounts, that method won't locate them: they won't produce authentication errors, because they're logging in without issues.

A good way to keep tabs on this type of malicious activity is to remember that typically one email account isn't going to have very many IP addresses connecting to it. That's not to say you won't see a few for each account, as people will connect from their home, their office, and possibly a mobile phone to send email. But if you notice IP addresses connecting from multiple geographical locations, this is a good indication that the email account's password has been compromised and possibly sold to a spammer who is now using multiple computers, as part of a botnet spread across the world, to send through it.

In order to follow the steps I'll discuss in this article, you'll need to have root access to either your VPS or dedicated server so that you have access to the Exim mail logs.

Locating multiple IP address logins for mail accounts

Using the steps that follow I'll show how you can keep tabs on how many IP addresses are connecting to your mail server per email address. Then you can take a look to see if they seem malicious and block them at your server's firewall to prevent further delivery attempts.

  1. Log in to your server via SSH as the root user.
  2. Run the following command to pull email accounts being connected to from multiple IP addresses from the Exim mail log:

    grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'

    Code breakdown:

    grep "A=courier_login" /var/log/exim_mainlog
        Locate successful, authenticated email logins in the Exim mail log.
    sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##'
        Use two sed -e expressions: the first strips out the H=example.com (UserComputer) [ section of the log line, and the second removes the ]:1234 port section that follows the user's IP address.
    awk '{print $5,$6}'
        Use awk to print only the 5th and 6th columns, which after the sed edits are the email address and the IP address.
    sort | uniq | awk '{print $1}' | uniq -c
        Sort the data and keep only unique email address/IP pairs, so you get one line each for user@example.com 123.123.123.123 and user@example.com 124.124.124.124, for instance. Then use awk to print only the 1st column (the email address) and count each one with uniq -c.
    awk '{ if ($1 > 1) print $0}'
        Use awk with an if statement so that only lines whose 1st column (the count) is higher than 1 are printed. This shows how many unique IP addresses each email address has been accessed from.

    You should get back something that looks like this:

    4 user01@example.com
    2 user02@example.com
    4 user03@example.com
    2 user04@example.com
    3 user05@example.com

  3. If you see that you have a lot of users that have mail logins from multiple unique IP addresses you can run the following command to get a look at exactly what IPs they're connecting from:

    grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

    Code breakdown:

    grep "A=courier_login" /var/log/exim_mainlog
        Locate successful, authenticated email logins in the Exim mail log.
    sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##'
        Use two sed -e expressions: the first strips out the H=example.com (UserComputer) [ section of the log line, and the second removes the ]:1234 port section that follows the user's IP address.
    awk '{print $5,$6}'
        Use awk to print only the 5th and 6th columns, which after the sed edits are the email address and the IP address.
    sort | uniq -c
        Sort the data by email address and count how many times each email address/IP pair occurs, i.e. how many times each IP connected to that account.

    In our example the user01@example.com account was connected to from 4 unique IP addresses, so this command outputs how many times each of those IPs connected:

    7 user01@example.com 123.123.123.123
    1 user01@example.com 123.123.123.124
    2 user01@example.com 123.123.123.125
    1 user01@example.com 123.123.123.126
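
    As an added example that is not part of the original article, the following shell functions reproduce the two pipelines above over a constructed set of Exim log lines, so you can see the intermediate data without touching a live server. One assumption differs from the article's commands: the account is read from the A=courier_login:<account> field rather than from the envelope sender in column 5, so a message whose From address was forged is still counted against the account that actually authenticated.

```shell
#!/bin/sh
# Constructed Exim mainlog sample (not from a real server). Each authenticated
# submission carries the client IP in [...] and "A=courier_login:<account>".
# Two of the user01 lines have a forged envelope sender; the last line is an
# unauthenticated inbound message and must be ignored.
SAMPLE_LOG='2013-03-12 10:15:22 1UFJzK-0003Gj-Hs <= user01@example.com H=example.com (UserComputer) [123.123.123.123]:51234 P=esmtpa A=courier_login:user01@example.com S=1234
2013-03-12 10:16:02 1UFJzy-0003Gq-1x <= user01@example.com H=(laptop) [123.123.123.124]:51235 P=esmtpa A=courier_login:user01@example.com S=2100
2013-03-12 10:17:40 1UFK1U-0003H2-Pq <= bounce@spammer.invalid H=(pc) [123.123.123.125]:51236 P=esmtpa A=courier_login:user01@example.com S=900
2013-03-12 10:17:55 1UFK1j-0003H5-Rr <= bounce@spammer.invalid H=(pc) [123.123.123.123]:51240 P=esmtpa A=courier_login:user01@example.com S=910
2013-03-12 10:18:11 1UFK23-0003H9-Qt <= user02@example.com H=(phone) [10.0.0.5]:51237 P=esmtpa A=courier_login:user02@example.com S=800
2013-03-12 10:19:00 1UFK2q-0003HG-Zz <= user02@example.com H=(phone) [10.0.0.5]:51238 P=esmtpa A=courier_login:user02@example.com S=810
2013-03-12 10:20:05 1UFK3s-0003HN-Aa <= nobody@example.com H=(mx) [10.0.0.9]:51239 P=esmtp S=500'

# Reduce each authenticated line on stdin to "<account> <ip>". The account is
# taken from A=courier_login:<account>, the IP from the [...] after H=; the
# bracket expression also accepts IPv6 literals, which contain colons.
account_ip_pairs() {
    grep 'A=courier_login:' |
    sed -n 's/.*\[\([^]]*\)\]:[0-9]* .*A=courier_login:\([^ ]*\).*/\2 \1/p'
}

# Equivalent of the article's step 2: "<count> <account>" for every account
# that authenticated from more than one distinct client IP.
accounts_with_multiple_ips() {
    account_ip_pairs | sort -u | awk '{print $1}' | uniq -c |
    awk '$1 > 1 {print $1, $2}'
}

# Equivalent of the article's step 3: "<count> <account> <ip>", i.e. how many
# authenticated submissions each account made from each IP.
logins_per_account_ip() {
    account_ip_pairs | sort | uniq -c | awk '{print $1, $2, $3}'
}

# Demo over the constructed sample. On a real server feed the log instead:
#   accounts_with_multiple_ips < /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | accounts_with_multiple_ips
printf '%s\n' "$SAMPLE_LOG" | logins_per_account_ip
```

    In the sample, user01@example.com is reported with 3 IPs even though two of its submissions carried a forged sender address, which the column-5 approach would have attributed to bounce@spammer.invalid instead.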

Updating email passwords and blocking IPs

Now that you know there are several unique IP addresses connecting to one email account of yours, you can check the location of those IP addresses with an online service such as GeoIPTool.com. If you know the person owning the email account lives in the US and you're seeing IPs sending out mail from that account from China and Russia, chances are the account has been compromised and is being used to send out spam.

Using the steps below you can block those bad IP addresses from being able to attempt to access your server again, and you can also update the email account's password so that if they attempt to relay more spam through the account they'll get an authentication error.

  1. In our example above we had the following IP addresses all relaying through our one user01@example.com account:

    123.123.123.123
    123.123.123.124
    123.123.123.125
    123.123.123.126

    If we wanted to block all of these at our server's firewall after determining they are malicious IPs we can run the following command:

    for IP in 123.123.123.123 123.123.123.124 123.123.123.125 123.123.123.126; do apf -d "$IP" "Spamming with user01@example.com"; done

    You should get back the following:

    apf(23740): (trust) added deny all to/from 123.123.123.123
    apf(23796): (trust) added deny all to/from 123.123.123.124
    apf(23859): (trust) added deny all to/from 123.123.123.125
    apf(23929): (trust) added deny all to/from 123.123.123.126

  2. Because these IPs successfully logged into your mail server to relay mail with the user01@example.com account, you'll also want to follow our guide on how to change your email password in cPanel, so that they cannot simply continue sending from a different IP address.

You should now understand how to track down email accounts on your server that are being connected to from multiple IP addresses. This should help ensure that your email accounts are not compromised and sending out spam or other malicious material. You should also know how to block those IP addresses from accessing your server, and how to update the email account's password to prevent further access by these malicious users.
