InMotion Hosting Support Center

In this article I'm going to review how you can locate possible spam activity by subject on your VPS (Virtual Private Server) or dedicated server using the Exim mail log.

If you've read my previous article on how to find email accounts being used to spam, you should already know how to track down spam activity by looking for email accounts that send out mail from multiple IP addresses. Now we're going to cover finding spam activity by looking at duplicate subjects that are happening on your server.

To be able to follow along with this guide you'll need to already have root access to your VPS or dedicated server so that you have access to the Exim mail log.

Locate duplicate subjects in Exim mail log

Follow the steps below:

  1. Login to your server via SSH as the root user.
  2. Run the following command to locate duplicate subjects from your Exim mail log:

    awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

    Code breakdown:

    awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog Use the awk command with the field separator (-F) set to T=\", looking for deliveries leaving the server noted by <=, then print the second field ($2), which is the subject of the message.
    cut -d\" -f1 Use the cut command with the delimiter (-d) set to the double quote " and return the first field (-f1), the text before the first occurrence of the delimiter. This makes it so we only get back the subjects and nothing else.
    sort | uniq -c | sort -n Sort the subjects by name, then count the unique occurrences, and finally sort them again numerically from lowest to highest.

    You should get back something that looks like this:

    285 Out of Office
    303 [Forum reply] Please moderate
    578 New Account
    1764 Melt Fat Naturally

    So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.

  3. Now we can search to see what user has been sending out this possible spam message with the following command:

    grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n

    Code breakdown:

    grep "Melt Fat Naturally" /var/log/exim_mainlog Use the grep command to search for our subject in the Exim mail log.
    awk '{print $6}' Use the awk command to print the sixth column ($6), which is the sending email account.
    sort | uniq -c | sort -n Sort the email accounts by name, then count the unique occurrences, and finally sort them again numerically from lowest to highest.

    You should end up with some results like this:


    So in this case we can see that it looks like the account was used to relay this spam message.

  4. You can now locate all of the IP addresses the account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you.

    Use the following command to find all the IP addresses the account has been relaying mail with:

    grep "<=" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

    Code breakdown:

    grep "<=" /var/log/exim_mainlog Use the grep command to find outgoing messages from the account.
    grep "Melt Fat Naturally" Use grep again to show only messages with the subject we're looking for.
    grep -o "\[[0-9.]*\]" Use grep one last time with the only-matching flag (-o) to pull just the IP address out of each Exim mail log line.
    sort -n | uniq -c | sort -n Sort all of the IP addresses numerically, then count the unique occurrences, and finally sort them numerically again from the fewest to the most duplicates.

    You should get back something related to this:

    1762 []

    So we can see that all 1,763 messages the user sent out came from the same IP address.

  5. Now we can go ahead and block this IP address from our server at the server's firewall by running the following command:

    apf -d "Sending weight loss spam from"

  6. We also recommend changing the password in cPanel for the email account being used to send this spam. Otherwise the spammer could come back from another computer with a different IP address and still relay spam out through your account.
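
The following is an added example, not part of the original article or of InMotion Hosting's own tooling. It wraps the article's three pivots (subject counts, accounts per subject, IPs per subject) in shell functions that take the log path as a parameter and runs them against a small constructed Exim main log, so the pipeline can be tried offline before pointing it at /var/log/exim_mainlog. The log lines are made-up samples in the standard Exim "<=" arrival layout with the +subject selector enabled; the function names, addresses and IPs (RFC 5737 documentation ranges) are placeholders of this example.

```sh
#!/bin/sh
# Added example (not from the article): the article's pipelines as functions,
# exercised on a constructed Exim main log. Every line below is a made-up
# sample; addresses and IPs are documentation-range placeholders.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-12-07 09:40:01 1eMqXa-0001Ab-2c <= alice@example.com H=(mail.example.com) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:alice@example.com S=2048 id=1@example.com T="Out of Office" from <alice@example.com> for bob@example.net
2017-12-07 09:40:02 1eMqXb-0001Ac-3d <= test01@example.com H=(unknown) [198.51.100.7]:40001 P=esmtpa A=dovecot_login:test01@example.com S=9876 id=2@example.com T="Melt Fat Naturally" from <test01@example.com> for x@example.net
2017-12-07 09:40:03 1eMqXc-0001Ad-4e <= test01@example.com H=(unknown) [198.51.100.7]:40002 P=esmtpa A=dovecot_login:test01@example.com S=9876 id=3@example.com T="Melt Fat Naturally" from <test01@example.com> for y@example.net
2017-12-07 09:40:04 1eMqXd-0001Ae-5f <= test01@example.com H=(unknown) [198.51.100.9]:40003 P=esmtpa A=dovecot_login:test01@example.com S=9876 id=4@example.com T="Melt Fat Naturally" from <test01@example.com> for z@example.net
2017-12-07 09:40:05 1eMqXe-0001Af-6g => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]
2017-12-07 09:40:06 1eMqXf-0001Ag-7h <= www@example.com U=www P=local S=512 id=5@example.com T="New Account" from <www@example.com> for user@example.org
EOF

# Step 2: count each subject on "<=" lines, least frequent first.
# The "=>" delivery line above carries T=remote_smtp (a transport name, no
# quotes), which is why the pipeline filters on "<=" before splitting on T=".
subject_counts() {
    awk -F'T="' '/<=/ {print $2}' "$1" | cut -d'"' -f1 | sort | uniq -c | sort -n
}

# The most duplicated subject is the last line of subject_counts, minus the count.
top_subject() {
    subject_counts "$1" | tail -n 1 | sed 's/^ *[0-9]* //'
}

# Step 3: which accounts sent a given subject. Matching the exact T="subject"
# token avoids hits on lines that merely mention the words elsewhere. The token
# right after "<=" is the envelope sender of an Exim arrival line; keying on it
# (rather than a fixed column number) survives extra log_selector fields and
# local P=local submissions, both of which shift the columns.
accounts_for_subject() {
    grep -F "T=\"$2\"" "$1" \
      | awk '{for (i = 1; i < NF; i++) if ($i == "<=") print $(i + 1)}' \
      | sort | uniq -c | sort -n
}

# Step 4: source IPs for a given subject; grep -o pulls only the [a.b.c.d]
# token. Local submissions (P=local) carry no IP and simply yield no line.
ips_for_subject() {
    grep '<=' "$1" | grep -F "T=\"$2\"" | grep -o '\[[0-9.]*\]' \
      | sort -n | uniq -c | sort -n
}

# Stand-alone run: the same report the article builds by hand.
subject_counts "$SAMPLE_LOG"
SUBJ="$(top_subject "$SAMPLE_LOG")"
printf 'Most duplicated subject: %s\n' "$SUBJ"
accounts_for_subject "$SAMPLE_LOG" "$SUBJ"
ips_for_subject "$SAMPLE_LOG" "$SUBJ"
```

On a real server, replace the sample file with /var/log/exim_mainlog (rotated copies such as exim_mainlog-YYYYMMDD extend the window). The subject check depends on the +subject selector being enabled, and a subject that contains a double quote will be cut short by the cut -d'"' step, so treat the counts as a lead to confirm against the full log lines rather than as an exact tally.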

You should now know how to use the Exim mail log on your VPS or dedicated server to track down duplicate subjects being sent out from your server, and how to use that information to identify the responsible user and IP address in case they were spamming and needed to be stopped.

n/a Points
2017-12-07 9:45 am

I found is the highest IP that sends email spam. How about that?

31,499 Points
2017-12-07 9:58 am

is considered the loopback address for your server or computer. This means it is most likely your server that is sending out the spam. I recommend checking any mail scripts, or mailing plugins you may be using to see if it is originating from there. Your mail logs can provide further evidence of the origin of these emails.

Thank you,
n/a Points
2016-07-03 4:12 pm

What do you do when one of the IPs belong to your server...?

13,821 Points
2016-07-05 7:33 am
If you let us know, we can look into it further. What IP address is it?
n/a Points
2016-04-07 8:22 am

Instead of I am seeing just the username test01. How do I tailor the command to include only the username test01 without the

10,935 Points
2016-04-07 9:40 am
Using the above example you can try adding the following:

grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | cut -d@ -f1 | sort | uniq -c | sort -n
n/a Points
2014-06-16 7:20 am

Exim doesn't always log the subject in /var/log/exim4/mainlog. I'd suggest you just grep through /var/spool/exim4/input/* looking for whatever and pipe that through to exim -Mrm .....

9,968 Points
2014-06-28 4:07 am
Hello David,

Thanks for the great tip! That would be a good way of looking at the live Exim queue for any possible spam, although not quite as effective for tracking down extended spamming issues.

All of our Exim logs always contain the subjects and you can set this up on your servers as well by adding this to your /etc/exim.conf file:

log_selector = +subject

Or you could just log everything as well with:

log_selector = +all

You can read more about all the things you can enable in Exim logs in this reducing or increasing what is logged in Exim guide.

- Jacob
n/a Points
2016-07-06 3:28 pm

Hi Jacob - thanks for the logging hints. I've not seen the log_selector before.... if only I'd known about that years ago... !! :)
