Top 5 users sending maximum emails
============================================
grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'
Top 5 mail receivers:
============================================
egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'
Script to check path for the script used for spamming
============================================
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
If there is large number of hits from an IP,block the IP
============================================
tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c
Following command will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.
============================================
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.
============================================
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
v
Following command will show path to the script being utilized to send mail
============================================
ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
Command to delete frozen mails
============================================
exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm
If anyone is spamming from /tmp
============================================
tail -f /var/log/exim_mainlog | grep /tmp
To display the IP and no of tries done the IP to send mail but rejected by the server.
============================================
tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2} '|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5
Shows the connections from a certain ip to the SMTP server
============================================
netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1
To shows the domain name and the no of emails in queue
============================================
exim -bp | exiqsumm | more
If spamming from outside domain then you can block that domain or email id on the server
============================================
pico /etc/antivirus.exim
Add the following lines:
if $header_from: contains “name@domain.com” then seen finish endif
Check mail stats
============================================
exim -bp | exiqsumm | more
Check if any php script is causing the mass mailing with
============================================
cd /var/spool/exim/input
egrep “X-PHP-Script” * -R
Just cat the ID that you get and you will be able to check which script is here causing problem for you.
To Remove particular email account email
============================================
exim -bpr |grep “test.org”|awk {‘print $3′}|xargs exim -Mrm
---------------------------------------------------------------------------------------------------------------------
1) Script to check how many emails sent for an account for particular date
exigrep name@domain.com /var/log/exim_mainlog|grep 2015-08-27 |grep Completed|wc -l
2)Search for emails for particular time.
cat /var/log/exim_mainlog | grep "2013-04-22 06:" | grep "<= name@domain.com" | wc -l
3)Command to check whether there is any PHP scripts sending emails under any account.
ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
4)Command to check the mailing scripts.
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
# count of all messages in queue
exim -bpc
# a list of message in the queue (time queued, message size, message id,
sender, recipient)
exim -bp
Example output
1 4d 1.2K 1Ka6u5-00032Z-Eb <from@example.com>
2 to@example.com
3
4 62h 1.2K 1KaRH0-0007QZ-B5 <from@example.com>
5 to@example.com
6
7 3h 22K 1KbLHr-0004ev-An <from@example.com>
8 to@example.com
#Finding the files with the find command
find /var/spool/exim -name "1Ka6u5-00032Z-Eb*"
# lists messages from a specified sender
exiqgrep -f [user]@domain
# lists messages to a specified recipient
exiqgrep -r [user]@domain
# List all queued messages, grouped by sender address
exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c
# List all queued messages, grouped by recipient address
exim -bpr | grep -Eo "^\s*[^ ]*@[^ ]*$" | sort | uniq -c
# Remove all messages older than 12hrs (43000 seconds)
exiqgrep -o 43000 -i | xargs exim -Mrm
# Remove all frozen messages from the queue
exiqgrep -z -i | xargs exim -Mrm
# Remove all messages from a particular sender
exiqgrep -i -f name@domain.com | xargs exim -Mrm
# Remove all messages from a sender that are older than 12hrs
exiqgrep -o 43000 -i -f name@domain.com | xargs exim -Mrm
#Processing all messages in queue to force deliver
exim -qff
============================================
grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'
Top 5 mail receivers:
============================================
egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5
eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'
Script to check path for the script used for spamming
============================================
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
If there is large number of hits from an IP,block the IP
============================================
tail -n1000 /var/log/exim_mainlog |grep SMTP|cut -d[ -f2|cut -d] -f1|sort -n |uniq -c
Following command will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.
============================================
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.
============================================
exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" |awk -F "@" '{ print $2}' | sort | uniq -c | sort -n
v
Following command will show path to the script being utilized to send mail
============================================
ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
Command to delete frozen mails
============================================
exim -bp | awk '$6~"frozen" {print $3 }' | xargs exim -Mrm
If anyone is spamming from /tmp
============================================
tail -f /var/log/exim_mainlog | grep /tmp
To display the IP and no of tries done the IP to send mail but rejected by the server.
============================================
tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2} '|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5
Shows the connections from a certain ip to the SMTP server
============================================
netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -nk 1
To shows the domain name and the no of emails in queue
============================================
exim -bp | exiqsumm | more
If spamming from outside domain then you can block that domain or email id on the server
============================================
pico /etc/antivirus.exim
Add the following lines:
if $header_from: contains “name@domain.com” then seen finish endif
Check mail stats
============================================
exim -bp | exiqsumm | more
Check if any php script is causing the mass mailing with
============================================
cd /var/spool/exim/input
egrep “X-PHP-Script” * -R
Just cat the ID that you get and you will be able to check which script is here causing problem for you.
To Remove particular email account email
============================================
exim -bpr |grep “test.org”|awk {‘print $3′}|xargs exim -Mrm
---------------------------------------------------------------------------------------------------------------------
1) Script to check how many emails sent for an account for particular date
exigrep name@domain.com /var/log/exim_mainlog|grep 2015-08-27 |grep Completed|wc -l
2)Search for emails for particular time.
cat /var/log/exim_mainlog | grep "2013-04-22 06:" | grep "<= name@domain.com" | wc -l
3)Command to check whether there is any PHP scripts sending emails under any account.
ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
4)Command to check the mailing scripts.
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
# count of all messages in queue
exim -bpc
# a list of message in the queue (time queued, message size, message id,
sender, recipient)
exim -bp
Example output
1 4d 1.2K 1Ka6u5-00032Z-Eb <from@example.com>
2 to@example.com
3
4 62h 1.2K 1KaRH0-0007QZ-B5 <from@example.com>
5 to@example.com
6
7 3h 22K 1KbLHr-0004ev-An <from@example.com>
8 to@example.com
#Finding the files with the find command
find /var/spool/exim -name "1Ka6u5-00032Z-Eb*"
# lists messages from a specified sender
exiqgrep -f [user]@domain
# lists messages to a specified recipient
exiqgrep -r [user]@domain
# List all queued messages, grouped by sender address
exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c
# List all queued messages, grouped by recipient address
exim -bpr | grep -Eo "^\s*[^ ]*@[^ ]*$" | sort | uniq -c
# Remove all messages older than 12hrs (43000 seconds)
exiqgrep -o 43000 -i | xargs exim -Mrm
# Remove all frozen messages from the queue
exiqgrep -z -i | xargs exim -Mrm
# Remove all messages from a particular sender
exiqgrep -i -f name@domain.com | xargs exim -Mrm
# Remove all messages from a sender that are older than 12hrs
exiqgrep -o 43000 -i -f name@domain.com | xargs exim -Mrm
#Processing all messages in queue to force deliver
exim -qff
No comments:
Post a Comment