In this article I'm going to review how you can locate possible spam activity by subject on your VPS (Virtual Private Server) or dedicated server using the Exim mail log.

If you've read my previous article on how to find email accounts being used to spam, you should already know how to track down spam activity by looking for email accounts that send out mail from multiple IP addresses. Now we're going to cover finding spam activity by looking at duplicate subjects that are happening on your server.

To be able to follow along with this guide you'll need to already have root access to your VPS or dedicated server so that you have access to the Exim mail log.

Locate duplicate subjects in Exim mail log

Follow the steps below:

  1. Login to your server via SSH as the root user.
  2. Run the following command to locate duplicate subjects from your Exim mail log:

    awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

    Code breakdown:

    awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog Use the awk command with the -F (field separator) set to T=\", and only look at lines containing <=, which is how Exim logs a message it has accepted for delivery (every message your users submit for sending appears on one of these lines). Then print the second field ($2), which is everything after the opening quote of the subject.
    cut -d\" -f1 Use the cut command with the -d (delimiter) set to a double quote " and return the first field (-f1), meaning the text before the first occurrence of a double quote. This leaves us with only the subjects and nothing else.
    sort | uniq -c | sort -n Sort the subjects by name, then count each unique subject, and finally sort them again numerically from lowest to highest.

    You should get back something that looks like this:

    285 Out of Office
    303 [Forum reply] Please moderate
    578 New Account
    1764 Melt Fat Naturally

    So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.

  3. Now we can search to see what user has been sending out this possible spam message with the following command:

    grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n

    Code breakdown:

    grep "Melt Fat Naturally" /var/log/exim_mainlog Use the grep command to search for our subject in the Exim mail log.
    awk '{print $5}' Use the awk command to print out the fifth column of data ($5), which on a <= line is the sending email account.
    sort | uniq -c | sort -n Sort the email accounts by name, then uniquely count them, and finally sort them again numerically from lowest to highest.

    You should end up with some results like this:

    1 test@example.com
    1762 user01@example.com

    So in this case we can see that it looks like the user01@example.com account was used to relay this spam message.

  4. You can now locate all of the IP addresses the user01@example.com account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you.

    Use the following command to find all the IP addresses the account has been relaying mail with:

    grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

    Code breakdown:

    grep "<= user01@example.com" /var/log/exim_mainlog Use the grep command to find outgoing messages from the user01@example.com account.
    grep "Melt Fat Naturally" Use grep again to only show messages with the subject we're looking for.
    grep -o "\[[0-9.]*\]" Use grep one last time with the -o (only matching) flag, so that only the bracketed IP address is pulled from each log line.
    sort -n | uniq -c | sort -n Sort all of the IP addresses numerically, then uniquely count them up, and finally sort them numerically again from lowest to highest duplicates.

    You should get back something related to this:

    1762 [123.123.123.123]

    So we can see that all 1,763 messages the user01@example.com user sent out came from the same 123.123.123.123 IP address.

  5. Now we can go ahead and block this IP address from our server at the server's firewall by running the following command:

    apf -d 123.123.123.123 "Sending weight loss spam from user01@example.com"

  6. It is also recommended to change the email password in cPanel for the email account being used to send this spam; otherwise the spammer could come back from another computer with a different IP address and still attempt to relay spam out through that account.
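    The steps above, collected into a small script so they can be re-run on any log file. This is an added example and not part of the original article or of Exim or cPanel; the log lines it checks are constructed for the example (documentation addresses and a made-up IP), and the function names top_subjects, flag_subjects, senders_for_subject, ips_for_sender_subject and report are assumptions of this example. Two details differ from the one-liners above: the sender lookup matches on the full T="subject" field rather than the bare words (so a subject that also appears in an address or host name does not produce false hits), and flag_subjects applies a minimum count so that routine bulk subjects can be told apart from a burst.

```shell
#!/bin/sh
# Added example: the article's Exim mainlog queries as shell functions.
# SAMPLE_LOG is a constructed log (not real data). Only the line layout is
# Exim's: "<=" marks a message accepted for delivery, "[a.b.c.d]" is the
# submitting client's IP, and T="..." is the subject (logged when Exim's
# log_selector includes +subject, which cPanel servers enable).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2014-04-14 10:01:02 1WZabc-0001Aa-Bb <= user01@example.com H=(pc) [123.123.123.123] P=esmtpa A=dovecot_login:user01@example.com S=1024 T="Melt Fat Naturally" from <user01@example.com> for a@example.net
2014-04-14 10:01:03 1WZabc-0001Aa-Bb => a@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]
2014-04-14 10:01:05 1WZabc-0001Ac-Cd <= user01@example.com H=(pc) [123.123.123.123] P=esmtpa A=dovecot_login:user01@example.com S=1024 T="Melt Fat Naturally" from <user01@example.com> for b@example.net
2014-04-14 10:01:09 1WZabc-0001Ae-Ef <= user01@example.com H=(pc) [123.123.123.123] P=esmtpa A=dovecot_login:user01@example.com S=1024 T="Melt Fat Naturally" from <user01@example.com> for c@example.net
2014-04-14 10:02:00 1WZabc-0001Ag-Gh <= test@example.com H=(laptop) [203.0.113.7] P=esmtpa A=dovecot_login:test@example.com S=900 T="Melt Fat Naturally" from <test@example.com> for d@example.net
2014-04-14 10:03:00 1WZabc-0001Ai-Ij <= admin@example.com H=(office) [203.0.113.9] P=esmtpa A=dovecot_login:admin@example.com S=700 T="New Account" from <admin@example.com> for e@example.net
2014-04-14 10:04:00 1WZabc-0001Ak-Kl <= admin@example.com H=(office) [203.0.113.9] P=esmtpa A=dovecot_login:admin@example.com S=700 T="New Account" from <admin@example.com> for f@example.net
EOF

# Step 2: count every subject on a "<=" line, lowest count first.
# Output is normalised to "COUNT SUBJECT" (leading spaces from uniq -c removed).
top_subjects() {
  awk -F'T="' '/<=/ {print $2}' "$1" | cut -d'"' -f1 | sort | uniq -c | sort -n | sed 's/^ *//'
}

# Only subjects seen at least $2 times: the review threshold that keeps
# ordinary repeated subjects (auto-replies, notifications) out of the list.
flag_subjects() {
  top_subjects "$1" | awk -v min="$2" '$1 >= min'
}

# Step 3: which sender (field 5 of a "<=" line) submitted the given subject.
senders_for_subject() {
  grep -F "T=\"$2\"" "$1" | grep '<=' | awk '{print $5}' | sort | uniq -c | sort -n | sed 's/^ *//'
}

# Step 4: the client IPs (the [a.b.c.d] field) a sender used for that subject.
ips_for_sender_subject() {
  grep -F "<= $2 " "$1" | grep -F "T=\"$3\"" | grep -o '\[[0-9.]*]' | sort | uniq -c | sort -n | sed 's/^ *//'
}

# Stand-alone run: most duplicated subject, then its senders and their IPs.
report() {
  top=$(top_subjects "$1" | tail -n 1)
  subject=${top#* }
  echo "Most duplicated subject: $top"
  senders_for_subject "$1" "$subject" | while read -r count sender; do
    echo "  $count message(s) from $sender, submitted from:"
    ips_for_sender_subject "$1" "$sender" "$subject" | sed 's/^/    /'
  done
}

report "$SAMPLE_LOG"
```

    To use it on a real server, replace "$SAMPLE_LOG" with /var/log/exim_mainlog (run as root, as the article requires). The script only reads and reports; the firewall block and password reset from steps 5 and 6 remain a deliberate decision for the administrator once the report confirms the activity is not legitimate bulk mail.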

You should now know how to use the Exim mail log on your VPS or dedicated server to track down duplicate subjects being sent out from your server, and then how to use that information to identify the responsible user and IP address so that the spamming can be stopped.
