Exim spam hunting – essential one liners

Anyone who looks after an Exim MTA that relays outgoing SMTP at some point finds their installation has been abused by spammers. Given the poor security practices of many users, busy servers will see compromised mailboxes quite regularly.

As a sysadmin you probably find out about it in one of two ways:

  • During the attack, you find your mail queue full to bursting with spam
  • You don’t detect the attack and you find your server’s IP address on one of the many DNS-based RBL services.

Of course, there are ways to detect exim spam activity in progress but I’ll cover that another time. For now, I’m going to provide a few useful one-liners to help you deal with the immediate problem. The examples below assume a cPanel/exim setup using Dovecot for relay authentication (the most common scenario), but can be easily adapted.

Detect mailbox auth brute force attack

Like any good sysadmin you have installed some form of brute force prevention on your server (CSF/LFD, APF/BFD, or even just cPHulk in cPanel). The problem with most solutions (free ones at least) is that they won’t warn you if an authenticated service is the subject of a low-level distributed attack. In a distributed attack, the attacker has many, maybe thousands, of IP addresses at his disposal. If he is careful to only make 2 or 3 login attempts from each unique IP address then he slips under the radar.

This one-liner will count up all of the unique IP addresses that have failed to authenticate correctly with each mailbox. It can give you a clue as to why a mailbox was compromised, or which mailbox owner you should perhaps warn to strengthen their security.
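The following is an added example, not the article's own one-liner, of that count written against the line Exim logs on a cPanel server when a Dovecot login fails (`dovecot_login authenticator failed for (host) [IP]:port: 535 Incorrect authentication data (set_id=mailbox)`). The log lines embedded in it are constructed; on a real server you would point the functions at /var/log/exim_mainlog. It also goes one step beyond the text by flagging mailboxes hit from more than a chosen number of distinct addresses, which is the signature of the distributed attack per-IP blockers miss.

```shell
#!/bin/sh
# Added example (not the article's one-liner): per mailbox, how many distinct
# client IPs have failed Dovecot authentication against Exim.
# Assumes the cPanel/Exim failure line format shown in the sample below.

# Constructed sample of /var/log/exim_mainlog lines (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2015-11-16 14:30:01 dovecot_login authenticator failed for (xyz) [198.51.100.10]:51234: 535 Incorrect authentication data (set_id=alice@example.com)
2015-11-16 14:30:02 dovecot_login authenticator failed for (xyz) [198.51.100.10]:51235: 535 Incorrect authentication data (set_id=alice@example.com)
2015-11-16 14:30:05 dovecot_login authenticator failed for (abc) [203.0.113.7]:44100: 535 Incorrect authentication data (set_id=alice@example.com)
2015-11-16 14:31:00 dovecot_login authenticator failed for (host) [203.0.113.8]:44101: 535 Incorrect authentication data (set_id=bob@example.com)
2015-11-16 14:31:10 1a0XYZ-0001aB-Cd <= bob@example.com H=(host) [203.0.113.8] P=esmtpsa A=dovecot_login:bob@example.com S=812
2015-11-16 14:32:00 dovecot_login authenticator failed for (host) [192.0.2.55]:33000: 535 Incorrect authentication data (set_id=alice@example.com)
2015-11-16 14:32:01 dovecot_login authenticator failed for (host) [192.0.2.56]:33001: 535 Incorrect authentication data (set_id=alice@example.com)
2015-11-16 14:32:02 dovecot_login authenticator failed for (host) [192.0.2.56]:33002: 535 Incorrect authentication data (set_id=bob@example.com)
EOF

# Print "<distinct IP count> <mailbox>" for every mailbox with failed logins,
# most-attacked first. The same IP retrying one mailbox counts once.
failed_auth_by_mailbox() {
    log=$1
    grep 'dovecot_login authenticator failed' "$log" \
      | sed -n 's/.*\[\([0-9a-fA-F.:]*\)\].*set_id=\([^)]*\)).*/\2 \1/p' \
      | sort -u \
      | awk '{ n[$1]++ } END { for (m in n) print n[m], m }' \
      | sort -rn
}

# Mailboxes probed from at least MIN distinct addresses: a few attempts per IP
# stays under a per-source blocker's threshold, but the spread across sources
# is visible here. Usage: distributed_targets LOGFILE MIN
distributed_targets() {
    failed_auth_by_mailbox "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

failed_auth_by_mailbox "$SAMPLE_LOG"
distributed_targets "$SAMPLE_LOG" 3
```

On the sample data alice@example.com has been tried from four addresses and bob@example.com from two, so only alice is reported by `distributed_targets` at a threshold of 3. The `sed` pattern accepts IPv6 literals as well as IPv4, since Exim logs both inside square brackets.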

Dealing with exim spam in the mail queue

Never just empty the queue – you might as well turn your server off. By doing this any legitimate messages never reach their destination, and the sender has no clue what happened.

Finding the culprit

The first thing to do is search the exim queue to summarise how the mail was sent. As some exim configurations allow users to put any email address in the From: field, getting a simple summary of sender addresses in the queue won’t always provide clarity:

A more thorough, but slower, way to identify the culprit requires a quick search through the message headers (or logs) using either of these commands:

These might take a minute or two if the queue is particularly large. Although there are small differences between the outputs of the above one-liners, both will help you track down rogue senders.

Trying to find out why you were blacklisted

In this case, all you can do is analyse the existing exim logs (/var/log/exim_mainlog on a cPanel server) to look for suspicious usage patterns.

Who sent the most email via scripts?

This one-liner will reveal the amount of mail sent from all web scripts (PHP mail() or other sendmail method) for the current day:

Again, this can take several seconds or more to run on a busy server, but it will reveal the locations of the scripts that have sent the most mail.

Who sent the most mail using mailbox authentication?

There are times when one-liners get a little too long to call them one-liners – and this is one of those times. It may not be pretty, but you can paste this into the command line, or create an alias in your .bashrc or .bash_profile.

Essentially this counts up all of the recipients and unique IP addresses used for each authenticated sender. This information should help you determine which mailboxes are behaving suspiciously.
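Added example, not the article's own one-liners, covering both log summaries above (mail sent from web scripts for a given day, and recipients plus unique IPs per authenticated sender). It assumes cPanel's Exim log format: script submissions appear as `cwd=/path N args: /usr/sbin/sendmail ...` lines, authenticated SMTP sends as `<=` lines carrying `A=dovecot_login:user@domain` and the client IP in square brackets, and each delivered recipient as a `=>` (or `->` for additional recipients of the same message) line keyed by the message id. The log lines are constructed; on a real server replace `$SAMPLE_LOG` with /var/log/exim_mainlog.

```shell
#!/bin/sh
# Added example (not the article's one-liners): two summaries over an Exim
# mainlog in cPanel's format. See the lead-in for the assumed line formats.

# Constructed sample of /var/log/exim_mainlog (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2015-11-16 09:00:01 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2015-11-16 09:00:02 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2015-11-16 09:00:03 cwd=/home/user2/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2015-11-16 09:00:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2015-11-15 23:59:59 cwd=/home/user3/public_html 3 args: /usr/sbin/sendmail -t -i
2015-11-16 09:10:00 1a0AAA-000001-Aa <= alice@example.com H=(pc) [198.51.100.10] P=esmtpsa A=dovecot_login:alice@example.com S=900
2015-11-16 09:10:01 1a0AAA-000001-Aa => r1@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.1]
2015-11-16 09:10:01 1a0AAA-000001-Aa -> r2@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.1]
2015-11-16 09:11:00 1a0BBB-000002-Bb <= alice@example.com H=(pc) [203.0.113.7] P=esmtpsa A=dovecot_login:alice@example.com S=900
2015-11-16 09:11:01 1a0BBB-000002-Bb => r3@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.2]
2015-11-16 09:12:00 1a0CCC-000003-Cc <= bob@example.com H=(laptop) [203.0.113.8] P=esmtpsa A=dovecot_login:bob@example.com S=500
2015-11-16 09:12:01 1a0CCC-000003-Cc => r4@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.1]
EOF

# Mail sent from web scripts on one day: "<count> <script directory>", busiest
# first. Exim's own cwd=/var/spool/exim entries are not script sends and are
# excluded. Usage: scripts_by_volume LOGFILE YYYY-MM-DD
scripts_by_volume() {
    log=$1; day=$2
    grep "^$day .* cwd=" "$log" \
      | grep -v 'cwd=/var/spool' \
      | sed 's/.*cwd=\([^ ]*\).*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Per authenticated sender: "<messages> <recipients> <distinct IPs> <auth id>",
# most recipients first. Recipients are counted from the delivery lines, joined
# back to the authenticated sender through the message id.
auth_sender_summary() {
    log=$1
    awk '
      # "<=" line: record which auth id and client IP this message id belongs to
      $4 == "<=" {
        id = $3; auth = ""; ip = ""
        for (i = 5; i <= NF; i++) {
          if ($i ~ /^A=dovecot_login:/) auth = substr($i, 17)
          if ($i ~ /^\[/ && substr($i, length($i), 1) == "]")
            ip = substr($i, 2, length($i) - 2)
        }
        if (auth == "") next            # unauthenticated message: skip
        owner[id] = auth
        msgs[auth]++
        if (!((auth, ip) in seen)) { seen[auth, ip] = 1; ips[auth]++ }
      }
      # delivery lines: one per recipient, attributed to the message owner
      ($4 == "=>" || $4 == "->") && ($3 in owner) { rcpts[owner[$3]]++ }
      END { for (a in msgs) print msgs[a], rcpts[a] + 0, ips[a], a }
    ' "$log" | sort -k2,2rn
}

scripts_by_volume "$SAMPLE_LOG" 2015-11-16
auth_sender_summary "$SAMPLE_LOG"
```

On the sample, /home/user1/public_html sent two messages on 2015-11-16 and the user3 script is ignored because it ran the day before; alice@example.com sent two messages to three recipients from two addresses, bob@example.com one message to one recipient. A mailbox whose recipient count or IP count is far out of line with its message count is the one to look at.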

Removing the culprit’s messages from the queue

The output of the above will list either mailbox accounts or cPanel user account names. Either way, you can now surgically remove all messages from the queue for the problem user with:

Replace AUTHID with the cPanel login username or the mailbox address (user@domain) that is being used to send spam.
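Added example, not the article's own one-liners, serving both the "Finding the culprit" section (summarising queued senders, and searching the queued messages' headers) and the removal step above. It assumes the standard Exim spool layout under /var/spool/exim/input, where every queued message has an `<id>-H` file that records `-auth_id <mailbox>` for SMTP-authenticated submissions and `-ident <user>` for local submissions by a cPanel user; the `exim -bpr` output and the spool files below are constructed stand-ins so it runs offline. The removal function only prints the `exim -Mrm` command unless `EXIM_CMD=exim` is set, so the first run on a real server shows what would be deleted.

```shell
#!/bin/sh
# Added example (not the article's one-liners): summarise the senders in the
# Exim queue, then find and remove every queued message a given AUTHID put there.
# Assumes the spool layout described in the lead-in. Run as root on a real server.

# Constructed sample of "exim -bpr" output (not a real queue).
SAMPLE_QUEUE='
 2m   812 1a0AAA-000001-Aa <alice@example.com>
          r1@example.org
          r2@example.org
 1m   900 1a0BBB-000002-Bb <alice@example.com>
          r3@example.net
 1m   500 1a0CCC-000003-Cc <noreply@example.com>
          r4@example.org
 0m   400 1a0DDD-000004-Dd <bob@example.com>
          r5@example.org
'

# Constructed sample spool: minimal -H files carrying only the fields used here.
SAMPLE_SPOOL=$(mktemp -d)
write_h() {   # usage: write_h <message-id> <envelope-sender> <"-auth_id ..."|"-ident ..." line>
    printf '%s-H\nmailnull 47 12\n<%s>\n1447684200 0\n%s\n-received_protocol esmtpsa\n' \
        "$1" "$2" "$3" > "$SAMPLE_SPOOL/$1-H"
}
write_h 1a0AAA-000001-Aa alice@example.com   '-auth_id alice@example.com'
write_h 1a0BBB-000002-Bb alice@example.com   '-auth_id alice@example.com'
write_h 1a0CCC-000003-Cc noreply@example.com '-ident user2'
write_h 1a0DDD-000004-Dd bob@example.com     '-auth_id bob@example.com'

# "<queued messages> <envelope sender>", busiest first.
# Usage on a real server: exim -bpr | queue_senders
queue_senders() {
    grep '<' | sed 's/.*<\([^>]*\)>.*/\1/' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Message ids whose -H file names AUTHID as the authenticated mailbox or the
# submitting cPanel user. find copes with split_spool_directory subdirectories;
# -x -F match the whole line literally so a dot in the address cannot match more.
# Usage: queue_ids_for_authid /var/spool/exim/input AUTHID
queue_ids_for_authid() {
    spool=$1; authid=$2
    find "$spool" -name '*-H' -exec grep -lxF -e "-auth_id $authid" -e "-ident $authid" {} + \
      | sed 's#.*/##; s/-H$//' | sort
}

# Remove those messages. Prints the command by default; EXIM_CMD=exim runs it.
remove_queue_for_authid() {
    spool=$1; authid=$2
    ids=$(queue_ids_for_authid "$spool" "$authid")
    if [ -z "$ids" ]; then
        echo "no queued messages for $authid" >&2
        return 1
    fi
    echo "$ids" | xargs ${EXIM_CMD:-echo exim} -Mrm
}

printf '%s' "$SAMPLE_QUEUE" | queue_senders
queue_ids_for_authid "$SAMPLE_SPOOL" alice@example.com
remove_queue_for_authid "$SAMPLE_SPOOL" user2
```

The sender summary shows alice@example.com with two queued messages, but because the envelope sender can be forged the spool search is what ties a message to the account that actually authenticated; on the sample it returns the two alice messages, and the local submission by cPanel user user2 is found through its `-ident` line rather than an address.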

One Response to Exim spam hunting – essential one liners

  1. Chris, November 16, 2015 at 14:30

    Hi Support, the script at “Who sent the most mail using mailbox authentication?” is not working, there are syntax errors, will you be able to see what is the issue and let me know what is the correct perl script to use? I would really love to use it. Please help, regards Chris
