How to find spam scripts in exim
Hi guys,
In this article I will show you how to find the scripts on your server that are sending spam, using the log that Exim keeps of every message it accepts.
How does spam get sent from my server?
You might have a "tell a friend" feature, a contact form, or some other feature on your website that sends email. If these are not validated and rate-limited they can be abused by bots to send spam. Spammers who have compromised a web application also upload mailer scripts of their own. Either way the result is the same: the sending reputation of your mail server's IP address suffers, and it can end up on a blacklist.
How do I stop spam coming from my server?
Exim, the MTA (Mail Transfer Agent) on your server, handles mail delivery and logs every message it accepts, including mail submitted by local scripts through its sendmail interface. With the arguments log selector enabled (the default cPanel Exim configuration has it on) each of those log entries also records the current working directory of the process that submitted the message, as cwd=/path.
Using this you can quickly track down a script of your own that is being abused to send spam, or locate a malicious script that a spammer has placed on your server.
Locate the top scripts submitting mail to Exim.
In the steps below I will show how to find the directories on your server that submit the most mail. If any of them look suspicious, check the Apache access logs to see how a spammer is reaching the scripts in them.
Step 1. Log in to your server via SSH as the root user.
Step 2. # exim -bpc ( prints the number of messages currently in the queue )
Step 3. # exim -bp ( lists the queued messages with their age, size, sender and recipients; messages Exim has given up delivering are marked *** frozen *** )
Step 4. Look for a sender address or domain that appears over and over, or for a large number of frozen messages. A burst of frozen bounces to addresses nobody on the server wrote to is a common sign of spam going out.
Step 5. If you are using cPanel as your control panel, /etc/userdomains maps every hosted domain to the account that owns it, one "domain: user" line per domain.
Step 6. # grep example.com /etc/userdomains ( replace example.com with the frequent sender's domain ) The second field of the matching line is the cPanel user who owns that domain.
Step 7. Run the following command:
# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
It prints every working directory that submitted mail, with the number of messages beside it, busiest last. Entries under /var/spool are Exim's own queue runs and are excluded. (On Debian-based systems without cPanel the log is /var/log/exim4/mainlog instead.) Paths starting with /home/<user> point at a web hosting account. Look inside the busiest directories: a compromised account usually holds obfuscated PHP scripts, typically an eval() of a base64-encoded payload, often dropped into upload or cache directories under innocent-looking names. Check the Apache access log for POST requests to those files to confirm how they are being used, and make sure a file really is foreign before you delete it; if you want to investigate later, copy it somewhere outside the web root first.
Delete the malicious PHP scripts, and patch or rate-limit any legitimate script that was being abused, otherwise the spam will start again.
Step 8. # pkill -u username ( kills every process running as that user, which ends any spam script still running. It also kills the user's legitimate processes, so on a shared server consider suspending the account instead. )
Step 9. Messages already in the queue will still be delivered after a restart, so remove them first: exiqgrep -i -f with the spammer's sender address, piped to xargs exim -Mrm, deletes those messages, and exiqgrep -z -i does the same for the frozen ones. Then # service exim restart ( restart Exim ).
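The procedure above as a runnable script. This is an added example written for this article, not code from the original post: it wraps the Step 7 ranking and the Step 6 /etc/userdomains lookup in shell functions that take the file paths as arguments, and adds a scan for the obfuscated PHP that Step 7 tells you to look for. It assumes the log contains cwd= entries (the arguments log selector) and the cPanel "domain: user" layout of /etc/userdomains; the log lines, userdomains file and PHP files it creates are constructed samples for the demo, not real server data.

```shell
#!/bin/sh
# Added example (not from the original article): the cwd ranking from Step 7
# and the /etc/userdomains lookup from Step 6 as reusable functions, plus a
# scan for the kind of obfuscated PHP the article says to look for. The log
# lines, userdomains file and PHP files written by write_samples are made up.

# rank_cwd LOGFILE
# Prints "count path" for every cwd= value in LOGFILE, busiest last.
# /var/spool/... entries are Exim's own queue runs and are skipped, exactly
# as the grep -v /var/spool in the article's one-liner does.
rank_cwd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=/) {
                p = substr($i, 5)
                if (p !~ /^\/var\/spool/) count[p]++
            }
    }
    END { for (p in count) print count[p], p }' "$1" | sort -n
}

# top_cwd LOGFILE
# The single busiest directory (last line of rank_cwd).
top_cwd() {
    rank_cwd "$1" | tail -n 1 | awk '{print $2}'
}

# home_user PATH
# For a path under /home/<user>/..., prints <user>; prints nothing otherwise.
home_user() {
    printf '%s\n' "$1" | awk -F/ '$2 == "home" && $3 != "" {print $3}'
}

# owner_of_domain DOMAIN USERDOMAINS
# cPanel's /etc/userdomains has one "domain: user" line per domain (Step 6).
owner_of_domain() {
    awk -v d="$1" '$1 == (d ":") {print $2; exit}' "$2"
}

# find_obfuscated_php DIR
# Lists PHP files under DIR that eval() a decoded or inflated payload, the
# usual shape of a dropped spam script. The output is a list of candidates
# to inspect, not a list to delete blindly.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\(.*(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + 2>/dev/null || true
}

# write_samples DIR
# Builds a throwaway copy of the server layout under DIR: a cPanel-style
# exim_mainlog, a userdomains file and a small /home tree with one clean and
# one obfuscated PHP file. All constructed for this demo.
write_samples() {
    dir="$1"
    mkdir -p "$dir/home/bob/public_html/wp-content/uploads" "$dir/home/alice/public_html"
    cat > "$dir/exim_mainlog" <<'EOF'
2024-03-14 10:15:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
2024-03-14 10:15:02 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-03-14 10:15:03 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-14 10:15:03 1rkXyz-0001AB-Cd <= bob@example.com U=bob P=local S=1842
2024-03-14 10:15:04 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-14 10:15:05 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-14 10:15:06 cwd=/root 4 args: /usr/sbin/sendmail -t -i root
2024-03-14 10:15:07 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1rkXyz-0001AB-Cd
EOF
    cat > "$dir/userdomains" <<'EOF'
*: nobody
alice-site.example: alice
bob-shop.example: bob
EOF
    printf '<?php echo "hello"; ?>\n' > "$dir/home/alice/public_html/index.php"
    printf '<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>\n' \
        > "$dir/home/bob/public_html/wp-content/uploads/cache.php"
}

# Stand-alone demo: build the samples in a temporary directory and walk the
# same sequence an admin would follow on a real server.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== mail submissions per directory =="
rank_cwd "$demo_dir/exim_mainlog"
busiest=$(top_cwd "$demo_dir/exim_mainlog")
echo "== busiest: $busiest (owner: $(home_user "$busiest")) =="
echo "== owner of bob-shop.example: $(owner_of_domain bob-shop.example "$demo_dir/userdomains") =="
echo "== obfuscated PHP under $busiest =="
find_obfuscated_php "$demo_dir$busiest"
rm -rf "$demo_dir"
```

On a real server you would call rank_cwd /var/log/exim_mainlog and find_obfuscated_php /home/<user>/public_html directly; the demo builds a disposable copy of that layout under mktemp -d so the script runs on any machine. The PHP scan is deliberately narrow (an eval() of a decoded payload) so that it produces candidates to read rather than a list to delete: a legitimate plugin can call base64_decode too, which is why the article's advice to confirm against the Apache access log still applies.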
Hopefully you have learned how to use the Exim main log to see which scripts on your server are generating the most mail, how to tell whether that activity is malicious, and how to stop it.