# Locate spam activity by subject with Exim

InMotion Hosting Contributor. Updated on August 16, 2021. 4 minute read.

In this article I'm going to review how you can locate possible spam activity by subject on your VPS (Virtual Private Server) or dedicated server using the Exim mail log. If you've read my previous article on how to find email accounts being used to spam, you should already know how to track down spam activity by looking for email accounts that send out mail from multiple IP addresses. Now we're going to cover finding spam activity by looking at duplicate subjects occurring on your server.

To follow along with this guide you'll need root access to your VPS or dedicated server so that you can read the Exim mail log.

## Locate duplicate subjects in the Exim mail log

Using the steps below:

1. Log in to your server via SSH as the root user.
2. Run the following command to locate duplicate subjects in your Exim mail log:

```bash
awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog | cut -d'"' -f1 | sort | uniq -c | sort -n
```

Code breakdown:

- `awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog`: use the awk command with the field separator (`-F`) set to `T="`, select only the lines for messages received by Exim for delivery (marked by `<=`), then print the second field, which starts with the subject of the message.
- `cut -d'"' -f1`: use the cut command with the delimiter (`-d`) set to the double quote character and return the first field, i.e. everything before the first closing quote. This leaves only the subject and nothing else.
- `sort | uniq -c | sort -n`: sort the subjects by name, count each unique subject, and finally sort the counts numerically from lowest to highest.

You should get back something that looks like this:

```
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally
```

So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.
## Find the account sending the duplicated subject

Now we can search to see which user has been sending out this possible spam message with the following command:

```bash
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n
```

Code breakdown:

- `grep "Melt Fat Naturally" /var/log/exim_mainlog`: use the grep command to search for our subject in the Exim mail log.
- `awk '{print $6}'`: use the awk command to print the sixth column of data, which is the sending email account.
- `sort | uniq -c | sort -n`: sort the email accounts by name, count each unique account, and finally sort the counts numerically from lowest to highest.

You should end up with results like this:

```
1 [email protected]
1762 [email protected]
```

So in this case we can see that it looks like the [email protected] account was used to relay this spam message.

## Find the IP addresses the account has been relaying from

You can now locate all of the IP addresses the [email protected] account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you. Use the following command to find all the IP addresses the account has been relaying mail with:

```bash
grep "<= [email protected]" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "[[0-9.]*]" | sort -n | uniq -c | sort -n
```

Code breakdown:

- `grep "<= [email protected]" /var/log/exim_mainlog`: use the grep command to find messages received from the [email protected] account.
- `grep "Melt Fat Naturally"`: use grep again to only show messages with the subject we're looking for.
- `grep -o "[[0-9.]*]"`: use grep one last time with the only-matching flag (`-o`), so that just the bracketed IP address is pulled out of each Exim mail log line.
- `sort -n | uniq -c | sort -n`: sort all of the IP addresses numerically, count each unique address, and finally sort the counts numerically again from lowest to highest.
You should get back something like this:

```
1762 [123.123.123.123]
```

So we can see that all 1,763 messages the [email protected] user sent out came from the same 123.123.123.123 IP address.

## Block the IP address and secure the account

Now we can go ahead and block this IP address at the server's firewall by running the following command:

```bash
apf -d 123.123.123.123 "Sending weight loss spam from [email protected]"
```

It is also recommended to change the password in cPanel for the email account being used to send this spam. Otherwise the spammer could come back from another computer with a different IP address and still attempt to relay spam out through your account.

You should now have learned how to use the Exim mail log on your VPS or dedicated server to track down duplicate subjects being sent out from your server, and then how to use that knowledge to track down the responsible user and IP address sending those messages in case they were spamming and needed to be stopped.
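The three shell pipelines above are one procedure: count subjects, find who sends the top subject, then find where that account relays from. The following is an added example, not code from the original article, that performs the same three steps as a single offline script over a few constructed Exim `<=` log lines. It assumes the subject is being logged (Exim's `+subject` log selector, written as `T="..."`), and instead of relying on field positions as the `awk '{print $6}'` step does, it matches the arrival line with a regular expression, so it gives the same answer whether or not a timezone offset is logged after the time. Delivery (`=>`) lines are skipped, just as the `/<=/` filter in the article skips them.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (addresses use documentation ranges; not from a real server).
# One "<=" line carries a timezone offset to show the parser does not depend on column positions,
# and one "=>" delivery line is included to show it is ignored.
SAMPLE_LOG = """\
2021-08-16 09:00:01 1mFabc-000101-AB <= alice@example.com H=(mail) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=812 id=1@example.com T="Out of Office" from <alice@example.com> for bob@example.org
2021-08-16 09:00:05 1mFabc-000102-AB <= sales@example.com H=(mail) [203.0.113.9] P=esmtpa A=dovecot_login:sales@example.com S=2048 id=2@example.com T="Melt Fat Naturally" from <sales@example.com> for x@example.net
2021-08-16 09:00:06 1mFabc-000103-AB <= sales@example.com H=(mail) [203.0.113.9] P=esmtpa A=dovecot_login:sales@example.com S=2048 id=3@example.com T="Melt Fat Naturally" from <sales@example.com> for y@example.net
2021-08-16 09:00:07 -0400 1mFabc-000104-AB <= sales@example.com H=(mail) [203.0.113.9] P=esmtpa A=dovecot_login:sales@example.com S=2048 id=4@example.com T="Melt Fat Naturally" from <sales@example.com> for z@example.net
2021-08-16 09:00:09 1mFabc-000105-AB <= bob@example.com H=(mail) [192.0.2.44] P=esmtpa A=dovecot_login:bob@example.com S=900 id=5@example.com T="Melt Fat Naturally" from <bob@example.com> for w@example.net
2021-08-16 09:00:10 1mFabc-000106-AB => bob@example.org R=dkim_lookuphost T=remote_smtp H=mx.example.org [198.51.100.99]
2021-08-16 09:00:11 1mFabc-000107-AB <= carol@example.com H=(mail) [192.0.2.45] P=esmtpa A=dovecot_login:carol@example.com S=500 id=6@example.com T="New Account" from <carol@example.com> for v@example.net
"""

# Message arrival line: date, time, optional "+hhmm"/"-hhmm" offset, message id, "<=", sender,
# then the first bracketed address (the sending host) and the logged subject in T="...".
ARRIVAL_RE = re.compile(
    r'^\S+ \S+ (?:[+-]\d{4} )?'
    r'(?P<msgid>\S+) <= (?P<sender>\S+) '
    r'.*?\[(?P<ip>[0-9a-fA-F.:]+)\]'
    r'.*?T="(?P<subject>[^"]*)"'
)


def parse_arrivals(log_text):
    """Yield one dict (msgid, sender, ip, subject) per '<=' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield m.groupdict()


def subject_counts(log_text):
    """Step 1 of the article: how many times each subject was received."""
    return Counter(r["subject"] for r in parse_arrivals(log_text))


def senders_for_subject(log_text, subject):
    """Step 2: which accounts sent a given subject, and how often."""
    return Counter(r["sender"] for r in parse_arrivals(log_text) if r["subject"] == subject)


def ips_for_sender_subject(log_text, sender, subject):
    """Step 3: which source IPs one account used for that subject."""
    return Counter(
        r["ip"] for r in parse_arrivals(log_text)
        if r["sender"] == sender and r["subject"] == subject
    )


def report(log_text, top_n=1):
    """Run the three steps end to end for the top_n most duplicated subjects."""
    findings = []
    for subject, total in subject_counts(log_text).most_common(top_n):
        senders = senders_for_subject(log_text, subject)
        top_sender, sent = senders.most_common(1)[0]
        ips = ips_for_sender_subject(log_text, top_sender, subject)
        findings.append({
            "subject": subject,
            "messages": total,
            "sender": top_sender,
            "sent": sent,
            "ips": dict(ips),
        })
    return findings


if __name__ == "__main__":
    # On a real server, replace SAMPLE_LOG with open("/var/log/exim_mainlog").read()
    for f in report(SAMPLE_LOG):
        print(f"{f['messages']:5d}  {f['subject']}")
        print(f"       top sender {f['sender']} ({f['sent']} messages) from {f['ips']}")
```

Running it on the constructed log reports "Melt Fat Naturally" as the top subject (4 messages), sales@example.com as the account behind 3 of them, and 203.0.113.9 as the only IP that account used. The regex stops at the closing `]` of the address, so logs that record the client port as `[203.0.113.9]:54321` still yield just the IP, which is the value you would pass to `apf -d`.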