Check for bulk/spam emails.
The first thing to check is the number of emails in the Exim queue, using the command below:
Code:
exim -bpc
Then check whether the emails are from the same source:
Code:
exim -bp
Output:
0m 1.6K 1Ryd9X-000aSt-8N <euser@host.hostname.com>
user1@aol.com
0m 1.6K 1Ryd9X-000aTK-NT <euser@host.hostname.com>
user2@sbcglobal.net
0m 1.6K 1Ryd9X-000aTT-Ui <euser@host.hostname.com>
user3@aol.com
0m 1.6K 1Ryd9Y-000aUC-Tp <euser@host.hostname.com>
user4@aol.com
0m 1.6K 1Ryd9Z-000aUN-59 <euser@host.hostname.com>
user5@aol.com
0m 1.6K 1Ryd9Z-000alM-P0 <euser@host.hostname.com>
user6@aol.com
As you can see, all the emails were sent a few minutes before I checked (0m), so there is definitely a bulk emailer or spammer. Check whether there is a cPanel user named "euser":
Code:
grep euser /etc/userdomains
If there is one, suspend or block that account.
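The listing above is short enough to read by eye; on a busier queue the helper below, an added example that is not part of the original post, summarises an `exim -bp` listing by envelope sender and flags any sender with more than a chosen number of queued messages. It assumes the `exim -bp` line format shown above; the sample listing is constructed, with two extra messages made up for contrast.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an `exim -bp` listing
# by envelope sender so a bulk sender stands out. On a live server run:
#   exim -bp | queue_senders
# Assumes the line format shown in the post: age, size, message id and
# <sender> on one line, recipients indented on the lines below it.

# queue_senders: print "count sender" for each envelope sender, most
# frequent first, reading an `exim -bp` listing on stdin.
queue_senders() {
    awk '
        # Message lines start with an age (0m, 3h, 2d); indented recipient
        # lines do not and are skipped.
        $1 ~ /^[0-9]+[mhd]$/ {
            s = $4
            gsub(/^<|>$/, "", s)
            if (s == "") s = "<>"      # bounces carry an empty sender
            count[s]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# flag_bulk_senders: senders with more than $1 queued messages (default 5).
flag_bulk_senders() {
    queue_senders | awk -v limit="${1:-5}" '$1 > limit { print $2 }'
}

# Constructed sample modelled on the post's listing; the last two messages
# (ids and addresses) are made up for illustration.
SAMPLE_QUEUE='0m 1.6K 1Ryd9X-000aSt-8N <euser@host.hostname.com>
          user1@aol.com
0m 1.6K 1Ryd9X-000aTK-NT <euser@host.hostname.com>
          user2@sbcglobal.net
0m 1.6K 1Ryd9X-000aTT-Ui <euser@host.hostname.com>
          user3@aol.com
0m 1.6K 1Ryd9Y-000aUC-Tp <euser@host.hostname.com>
          user4@aol.com
0m 1.6K 1Ryd9Z-000aUN-59 <euser@host.hostname.com>
          user5@aol.com
0m 1.6K 1Ryd9Z-000alM-P0 <euser@host.hostname.com>
          user6@aol.com
2h 3.1K 1RycXk-000Zq1-Aa <alice@example.org>
          bob@example.net
1d 0.9K 1RybAb-000Abc-Zz <>
          postmaster@example.org'

printf '%s\n' "$SAMPLE_QUEUE" | flag_bulk_senders 5   # prints euser@host.hostname.com
```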
If that does not give you enough detail, check the headers of one of the emails using the command below:
Code:
exim -Mvh message_id
For example:
Code:
exim -Mvh 1Ryd9Z-000alM-P0
Analyze the Subject, From and To addresses to locate the spammer.
Mailnull spammers usually will not show up in the headers above. However, an SSH connection is open, and they can be identified from the netstat output:
Output:
tcp 0 0 127.0.0.1:32587 127.0.0.1:25 ESTABLISHED 547580/sshd: euser
tcp 0 0 127.0.0.1:32568 127.0.0.1:25 ESTABLISHED 547580/sshd: euser
tcp 0 0 127.0.0.1:32458 127.0.0.1:25 ESTABLISHED 547580/sshd: euser
tcp 0 0 127.0.0.1:32541 127.0.0.1:25 ESTABLISHED 547580/sshd: euser
In that case, suspend "euser" and disable SSH access for that account.
If you still don't find the spammer, enable extended logging for Exim. Read http://www.webhostgear.com/118.html
Also search the Exim logs for the message ID to find more details:
Code:
exigrep message_id /var/log/exim_mainlog
exigrep 1Ryd9Z-000alM-P0 /var/log/exim_mainlog
Prevent Spamming
To prevent spamming, enable spam filters, SpamAssassin and anti-virus on the server. Read
http://www.sput.nl/software/exim.html, http://wiki.exim.org/SpamFiltering and http://www.webhostgear.com/338.html