InMotion Hosting Support Center

In this article I'll review how you can investigate your VPS (Virtual Private Server) or dedicated server for possible sources of outgoing spam. Catching this early helps keep your mailing IP's reputation intact, so that legitimate mail from your users is not rejected or sent to spam folders because of what a compromised account has been sending.

If you've read my previous article on 535 incorrect authentication errors, you should already know how to track down the IP addresses of malicious users attempting to log in to your email accounts so that they can relay spam through them. However, if someone has successfully obtained the password for one of your email accounts, that method won't find them: they log in without any problems, so they never generate an authentication error.

A good way to keep tabs on this type of malicious activity is to remember that one email account normally isn't used from very many IP addresses. That's not to say you won't see a few per account, since people will connect from home, from the office, and possibly from a mobile phone to send email. But if you notice IP addresses connecting from many different geographical locations, this is a good indication that the account's password has been compromised and possibly sold to a spammer who is now relaying through it from computers in a botnet spread across the world.

In order to follow the steps I'll discuss in this article, you'll need to have root access to either your VPS or dedicated server so that you have access to the Exim mail logs.

Locating multiple IP address logins for mail accounts

Using the steps that follow I'll show how you can keep tabs on how many IP addresses are connecting to your mail server per email address. You can then look at whether those IPs seem malicious and block them at your server's firewall to prevent further delivery attempts.

  1. Login to your server via SSH as the root user.
  2. Run the following command to pull, from the Exim mail log, the email accounts that have been logged into from more than one IP address:

    grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'

    Code breakdown:

    grep "A=courier_login" /var/log/exim_mainlog Find the log entries for messages accepted after a successful login. Exim records the authenticator used in the A= field, so on a server running Courier these lines are the successful authenticated sessions.
    sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' Use sed with two -e expressions: the first strips the H=(UserComputer) [ portion of the line, the second removes the ]:1234 portion (closing bracket and source port) that surrounds the client's IP address.
    awk '{print $5,$6}' Use awk to print only the fifth and sixth fields, which after the sed edits are the sender address and the IP address the client connected from. Note that the address after <= is the envelope sender the client supplied; the account that actually logged in is the one after the colon in the A= field, and a spammer who has the password can send with any envelope sender.
    sort | uniq | awk '{print $1}' | uniq -c Sort the address/IP pairs and keep one copy of each, so every address/IP combination is listed exactly once. Then use awk to print only the first field, the email address, and count how many times each address appears.
    awk '{ if ($1 > 1) print $0}' Use awk with an if statement to print only the lines whose first field, the count, is greater than 1. The result is the number of distinct IP addresses that have sent mail through each email address.

    The output is one line per affected account: the number of distinct IP addresses, followed by the email address.


  3. If you see accounts with mail logins from multiple unique IP addresses, you can run the following command to see exactly which IPs each account is connecting from and how many messages have been sent from each:

    grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

    Code breakdown:

    grep "A=courier_login" /var/log/exim_mainlog Find the log entries for messages accepted after a successful login, as in the previous command.
    sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' Use sed with two -e expressions to strip the H=(UserComputer) [ portion of the line and then the ]:1234 portion, leaving the bare client IP address.
    awk '{print $5,$6}' Use awk to print only the fifth and sixth fields, which are now the sender address and the client IP address.
    sort | uniq -c Sort the address/IP pairs and count how many times each pair occurs, which tells you how many messages each IP has sent through each account.

    In our example the account had been connected to from 4 different IP addresses, so the command outputs four lines for it, each prefixed with the number of messages that IP sent through the account:


Updating email passwords and blocking IPs

Now that you know there are several unique IP addresses connecting to one of your email accounts, you can check where those IP addresses are located with an online IP geolocation lookup service. If you know the person who owns the email account lives in the US and you're seeing mail sent from that account from IPs in China and Russia, chances are the account has been compromised and is being used to send out spam.

Using the steps below you can block those bad IP addresses so they can no longer reach your server, and you can also update the email account's password so that if the spammer tries to relay more mail through the account from another IP, they'll get an authentication error instead.

  1. In our example above we had several IP addresses all relaying through our one user01@example.com account.

    If we wanted to block all of these at our server's firewall after determining they are malicious IPs, we can run the following command, putting the IPs found in the previous step into the BAD_IPS list, separated by spaces:

    BAD_IPS=""   # replace with the IP addresses from the previous step, space-separated
    for IP in $BAD_IPS; do apf -d "$IP" "Spamming with user01@example.com"; done

    You should get back one confirmation line per IP address, like the following:

    apf(23740): (trust) added deny all to/from
    apf(23796): (trust) added deny all to/from
    apf(23859): (trust) added deny all to/from
    apf(23929): (trust) added deny all to/from

  2. Because these IPs logged in with the account's real password, blocking them is not enough on its own: the spammer can simply reuse the password from a different IP address. Be sure to follow our guide on how to change your email password in cPanel so that further attempts fail with an authentication error.
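Both procedures above (finding accounts that have logged in from more than one IP, listing the IPs for one account) and the apf blocking step, as one added shell script that is not part of the original article. It reads the same exim_mainlog format but takes the account from the A= field, the identity that really authenticated, rather than from the envelope sender in field 5, and it takes the authenticator name as a parameter so it also works on servers whose logs show A=dovecot_plain or A=dovecot_login instead of A=courier_login (those names are assumed from the log line in the comment thread below, not from the article). The log lines, hostnames, accounts and IP addresses are constructed sample data, and deny_commands only prints the apf commands so you can review them against IPs the real user is known to use before running anything.

```shell
#!/bin/sh
# Added example, not code from the original article. Reworks the article's
# pipelines as functions over an Exim mainlog. Everything below the
# functions (log lines, accounts, IPs) is constructed sample data.

# Print "account ip" for every message accepted ("<=") after a login with
# authenticator $2. The account comes from the A=<authenticator>:<id> token,
# i.e. the identity that really authenticated; the address after "<=" is the
# envelope sender, which an authenticated client may set to anything.
auth_pairs() {  # $1 = log file, $2 = authenticator (courier_login, dovecot_plain, ...)
    awk -v auth="A=$2:" '
        index($0, " <= ") && index($0, auth) {
            acct = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, auth) == 1) acct = substr($i, length(auth) + 1)
                # the client address is the first "[ip]:port" token (it follows H=);
                # a later I=[ip]:port token starts with "I=" and so does not match
                if (ip == "" && $i ~ /^\[[0-9A-Fa-f.:]+\]:[0-9]+$/) {
                    ip = $i; sub(/^\[/, "", ip); sub(/\]:[0-9]+$/, "", ip)
                }
            }
            if (acct != "" && ip != "") print acct, ip
        }' "$1"
}

# Step 2 of the article: accounts seen from more than one distinct IP,
# printed as "count account".
multi_ip_accounts() {  # $1 = log file, $2 = authenticator
    auth_pairs "$1" "$2" | sort -u | awk '{print $1}' | uniq -c \
        | awk '$1 > 1 {print $1, $2}'
}

# Step 3 of the article: every IP that authenticated as $3, with the number
# of messages it sent, busiest first, printed as "count ip".
ips_for_account() {  # $1 = log file, $2 = authenticator, $3 = account
    auth_pairs "$1" "$2" | awk -v a="$3" '$1 == a {print $2}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Blocking step: print (do not run) one apf deny command per offending IP,
# skipping the space-separated IPs in $4 that the real user is known to use.
deny_commands() {  # $1 = log file, $2 = authenticator, $3 = account, $4 = IPs to keep
    auth_pairs "$1" "$2" | awk -v a="$3" -v keep=" $4 " '
        $1 == a && index(keep, " " $2 " ") == 0 && !seen[$2]++ {
            printf "apf -d %s \"Spamming with %s\"\n", $2, a
        }'
}

# Constructed sample of exim_mainlog lines (documentation/test addresses, not
# real traffic). user01 sends from home and from three unknown hosts, one of
# which forges the envelope sender; user02 only ever uses one IP; user03 logs
# in via dovecot_plain from two IPs, and its last line is not a "<=" line.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
2015-11-01 08:00:01 1ZsXaa-0001Aa-Bb <= user01@example.com H=(UserComputer) [198.51.100.10]:51234 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=courier_login:user01@example.com S=1422 id=a1@example.com
2015-11-01 08:05:12 1ZsXbb-0001Ab-Cc <= user01@example.com H=(bot1) [203.0.113.5]:40001 P=esmtpsa A=courier_login:user01@example.com S=9001 id=b2@example.com
2015-11-01 08:06:40 1ZsXcc-0001Ac-Dd <= user01@example.com H=(bot2) [203.0.113.77]:40002 P=esmtpsa A=courier_login:user01@example.com S=9012 id=c3@example.com
2015-11-01 08:07:03 1ZsXdd-0001Ad-Ee <= user01@example.com H=(bot1) [203.0.113.5]:40003 P=esmtpsa A=courier_login:user01@example.com S=9020 id=d4@example.com
2015-11-01 08:08:30 1ZsXee-0001Ae-Ff <= lottery@victim.test H=(bot3) [203.0.113.99]:40004 P=esmtpsa A=courier_login:user01@example.com S=9100 id=e5@victim.test
2015-11-01 08:09:55 1ZsXff-0001Af-Gg <= user02@example.com H=(Laptop) [198.51.100.20]:55000 P=esmtpsa A=courier_login:user02@example.com S=2200 id=f6@example.com
2015-11-01 08:10:30 1ZsXgg-0001Ag-Hh <= user02@example.com H=(Laptop) [198.51.100.20]:55001 P=esmtpsa A=courier_login:user02@example.com S=2201 id=g7@example.com
2015-11-01 08:11:00 1ZsXhh-0001Ah-Ii <= user03@example.com H=(Phone) [192.0.2.8]:60000 I=[192.0.2.1]:587 P=esmtpsa A=dovecot_plain:user03@example.com S=1000 id=h8@example.com
2015-11-01 08:12:00 1ZsXii-0001Ai-Jj <= user03@example.com H=(Office) [192.0.2.9]:60001 I=[192.0.2.1]:587 P=esmtpsa A=dovecot_plain:user03@example.com S=1000 id=i9@example.com
2015-11-01 08:12:30 [29009] no MAIL in SMTP connection from (Office) [192.0.2.200]:46256 I=[192.0.2.1]:25 D=0s A=dovecot_plain:user03@example.com C=EHLO,AUTH,QUIT
EOF

echo "== accounts with logins from more than one IP (courier_login) =="
multi_ip_accounts "$LOGFILE" courier_login
echo "== IPs seen for user01@example.com =="
ips_for_account "$LOGFILE" courier_login user01@example.com
echo "== deny commands, keeping the user's home IP 198.51.100.10 =="
deny_commands "$LOGFILE" courier_login user01@example.com 198.51.100.10
```

On a real server, replace the constructed log with /var/log/exim_mainlog (or a date-filtered copy of it) and the authenticator with whatever your A= field shows. The forged-sender line is the reason for reading the account from A=: the article's field-5 pipeline would attribute that message to lottery@victim.test and miss one of user01's four IPs.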

You should now understand how to track down email accounts on your server that are being logged into from multiple IP addresses, which helps you spot accounts that have been compromised and are sending out spam or other malicious mail. You should also know how to block those IP addresses from accessing your server and how to update the email account's password to shut out the malicious users for good.

n/a Points
2016-03-11 3:50 pm

Your command is not working for my log files which use dovecot, not courier. I tried to replace "H=" to "from " in the command but it still does not work. Here is an example of my log file:

exim_mainlog:2016-03-06 23:35:57 [29009] no MAIL in SMTP connection from (localhost) []:46256 I=[]:25 D=0s A=dovecot_plain:__cpanel__service__auth__exim__egat9_i3dzak83zrsg18nweya2vcyosthk2gumtj_zcbl_r7xtxzrqq0dycybmi0 C=EHLO,AUTH,QUIT

I changed the grep portion from A=courier_login to A=dovecot_plain which seemed to fix that part, but I do not know enough about SED to fix the command for me.

Would you be able to provide an updated set of commands for this type of log?

n/a Points
2015-11-04 8:50 am

Hello, when I run this command I didn't get anything; whenever I hit enter it comes back to the command line root@myserver [~]#. What should I do? I need to find emails used for spam. Best Regards, Abdi

42,943 Points
2015-11-04 5:52 pm
Hello Abdirizak,

Sorry for the problem with the command. Can you please provide a copy of the command that you used? We need a little more detail in order to determine why the command is not working.

We can then investigate the issue in more depth. We appreciate your patience! If you have any further questions or comments, please let us know.

Arnel C.
