In this article I'll be teaching you how to use the Exim mail log on your VPS (Virtual Private Server) or dedicated server to find attempts by spammers to use your scripts, or scripts of their own, to relay spam through your server.

Sometimes you have a "tell a friend" feature on your website, or another type of email alerting system through which users can send an email. If you're not careful, these can be exploited by malicious users or bots for their own spamming purposes. This can damage the sending reputation of your server's mail IP address, and lead to issues for your other users who are doing legitimate email activity.

Luckily Exim, the MTA (Mail Transfer Agent) on your server which handles email deliveries, logs every message handed to it from a script. It does this by logging the current working directory from which the script was executed (Exim writes these cwd= entries when its log_selector includes +arguments; if you see no cwd= entries at all, check that setting). Using this knowledge you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed on your server.

In order to follow along with the steps below you'll need to have root access to either your VPS or dedicated server so that you have access to the Exim mail log.

Locate top scripts sending into Exim

Using the steps below I'll show you how to locate the top scripts on your server that send out email. You can then search the Exim mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam.

  1. Login to your server via SSH as the root user.
  2. Run the following command to pull the locations of the scripts that most frequently send mail from the Exim mail log:

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    Code breakdown:

    grep cwd /var/log/exim_mainlog Use the grep command to locate mentions of cwd in the Exim mail log. This stands for current working directory.
    grep -v /var/spool Use grep with the -v flag, which is an invert match, so we don't show any lines that contain /var/spool, as these are normal Exim queue deliveries not sent in from a script.
    awk -F"cwd=" '{print $2}' | awk '{print $1}' Use the awk command with the -F (field separator) option set to cwd=, then print only the 2nd field (everything after cwd=), and finally pipe that to awk again printing only the 1st column, so that we get back just the script path.
    sort | uniq -c | sort -n Sort the script paths by name, count each unique path, then sort them again numerically from lowest to highest.

    You should get back something like this:

    15 /home/userna5/public_html/about-us
    25 /home/userna5/public_html
    7866 /home/userna5/public_html/data

    Here we can see that the /home/userna5/public_html/data directory has far more deliveries coming in than any other.

  3. Now we can run the following command to see what scripts are located in that directory:

    ls -lahtr /home/userna5/public_html/data

    In this case we got back:

    drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
    -rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
    drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

    So we can see there is a script called mailer.php in this directory.

  4. Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

    grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

    You should get back something similar to this:

    2 123.123.123.126
    2 123.123.123.125
    2 123.123.123.124
    7860 123.123.123.123

    So we can clearly see that the IP address 123.123.123.123 was responsible for using our mailer script for malicious purposes.

  5. If you did find a malicious IP address sending out a large volume of messages from a script on your server, you'll probably want to go ahead and block it at your server's firewall so that it can't try to connect again. With APF (Advanced Policy Firewall) this can be accomplished with the following command:

    apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"
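    The following shell script is an added example, not part of the original article, that wraps the two counting pipelines from steps 2 and 4 into functions and runs them against small constructed log samples (the Exim mainlog lines and Apache access log lines below are made up for this example; the usernames, paths and IP addresses follow the article's sample output). It also adds a threshold helper that the article does not have, which prints only the directories whose send count exceeds a chosen number, so the same check can be scheduled rather than read by eye:

```shell
#!/bin/sh
# Added example, not from the original article: the article's two counting
# pipelines as shell functions, run against constructed log samples so the
# approach can be tried offline before pointing it at the real logs.
# Every log line below is constructed for this example, not real server data.

# Constructed Exim mainlog excerpt. Real cwd= lines have this shape when the
# log_selector includes +arguments. The /var/spool line is an ordinary Exim
# queue delivery, which is exactly what the article's pipeline filters out.
exim_sample() {
cat <<'EOF'
2014-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2014-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2014-01-20 11:27:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2014-01-20 11:28:10 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2014-01-20 11:29:00 cwd=/var/spool/exim 5 args: /usr/sbin/exim -Mc 1W5abc-000123-Xy
2014-01-20 11:30:00 cwd=/home/userna5/public_html/about-us 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Constructed Apache access log excerpt (combined log format).
apache_sample() {
cat <<'EOF'
123.123.123.124 - - [20/Jan/2014:11:20:00 -0500] "GET /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2014:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2014:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2014:11:27:03 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2014:11:27:04 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.125 - - [20/Jan/2014:11:30:00 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Step 2 pipeline: count sends per script directory, reading the log from
# stdin (on a live server: cat /var/log/exim_mainlog | top_script_dirs).
top_script_dirs() {
    grep cwd | grep -v /var/spool \
        | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Step 4 pipeline: count hits on a given script per client IP, log on stdin.
top_client_ips() {
    script="$1"
    grep "$script" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

# Detection helper (not in the article): given top_script_dirs output on
# stdin, print only directories whose send count exceeds the threshold $1.
# The threshold is a hypothetical value; on a real server derive it from
# what normal daily volume looks like for your users.
dirs_over_threshold() {
    awk -v t="$1" '$1 > t {print $2}'
}

# Convenience wrappers returning a single "count value" line for checking.
busiest_script_dir() { exim_sample | top_script_dirs | tail -n 1 | awk '{print $1, $2}'; }
busiest_client_ip() { apache_sample | top_client_ips mailer.php | tail -n 1 | awk '{print $1, $2}'; }

echo "== Sends per script directory =="
exim_sample | top_script_dirs
echo "== Directories with more than 2 sends =="
exim_sample | top_script_dirs | dirs_over_threshold 2
echo "== Clients hitting mailer.php =="
apache_sample | top_client_ips mailer.php
```

    On a real server, replace the sample functions with the actual log files (for example `cat /var/log/exim_mainlog | top_script_dirs | dirs_over_threshold 500`) and run it from cron so a sudden spike from one directory is noticed before the server's sending reputation suffers.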

You should now have learned how to use your server's Exim mail log to see which scripts on your server are causing the most email activity, and how to investigate whether any of them are being used maliciously to send spam from your server.

Comments

2014-03-28 1:43 am

It's a very useful post, thanks, thanks

2014-04-21 12:06 pm

Very helpful!!!
