
Author Topic: Fix spamming in cpanel exim server  (Read 4585 times)


joseletk

Fix spamming in cpanel exim server
« on: June 09, 2018, 09:33:49 pm »
Spam is most often considered to be electronic junk mail or junk newsgroup postings. It may be defined even more generally as any unsolicited email.

Generally, spamming can happen in three ways.

1. By compromising an email account that has a simple, easily guessed password.

2. By uploading a script to the server which sends out mails at regular intervals.

3. Via forum or newsletter scripts which send mass emails.

* Block the IP address if it is incoming spam (use iptables, csf or apf).

* Change the password, disable mailing lists and scripts, or even suspend the account, if it is outgoing spam.

Case 1:

1) Run the command ‘exim -bpc’; this counts the number of mails waiting in the mail queue.

For example:

# exim -bpc
3600

2) Once you find a high number in the queue, check for live spamming with the command

# exim -bp | tail -10

For example:

0m 1.5K 1XV6jK-0005iy-RF <user@domain.com>

user@example.com

0m 1.5K 1XV85i-000223-B6 <user@domain.com>

user@example1.com
-------------------------------
3) Check each mail’s header with the command ‘exim -Mvh <message ID>’.

For example:

# exim -Mvh 1XV6jK-0005iy-RF

————————————-

1XV6jK-0005iy-RF-H

user 614 32007

<user@domain.com>

1411165962 0

-ident user
------------------------------
Here, look at the auth_id field: the authentication id is ‘user’, which is the account being used to send spam emails. In other words, the cPanel account ‘user’ is being used to send spam via scripts.

4) The next step is to locate the spam script under this account.

If the mails are sent by a PHP script, the following commands will show the script that is used to send the email.

# cd /var/spool/exim/input

# egrep -R "X-PHP-Script" *

The message IDs and the locations of the scripts will be listed. Just cat the message ID to view the message header and the spamming script.

Also, you can run the following command to pull the location of the most used mailing script.

# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

For example:

.
.

2644 /home/domain/public_html/phpbb

We can see that /home/domain/public_html/phpbb has the most outgoing emails in the list.

Also from the email header pasted above, you can see that the spam script location is www.domain.com/phpbb/ucp.php

Now you can go ahead with null-routing the particular script, i.e. making it unreadable and unexecutable for the account.

For example:

# cd /home/domain/public_html/phpbb

# chown root: ucp.php

# chmod 000 ucp.php

5) Now take a look at the Apache access log to see which IP addresses are accessing this script, using the following command:

For example:

# grep "ucp.php" /home/domain/access-logs/domain.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

.
.

10408 xxx.xxx.xxx.xxx

We can see the IP address xxx.xxx.xxx.xxx, which has been using our script maliciously.

If you find a malicious IP address sending a large volume of mail through a script, you can block it at your server’s firewall so that it can’t connect again, using the commands given below.

In csf: csf -d xxx.xxx.xxx.xxx

In iptables: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

In apf: apf -d xxx.xxx.xxx.xxx

And finally save the rule which you have added.

6) Clear the spam emails using the command given below

# exim -bp | grep "user" | awk '{print $3}' | xargs exim -Mrm
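The two ranking pipelines from steps 4 and 5, wrapped as functions that read a saved log file so they can be run against constructed sample lines laid out like cPanel's exim_mainlog and Apache access log. This is an added example, not code from the original post; the sample log lines and IP addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the step 4 and step 5 pipelines
# wrapped as functions over a saved log file, run here against constructed
# sample lines laid out like cPanel's exim_mainlog and Apache access log.

# Rank the working directories (cwd=) that local scripts sent mail from,
# skipping exim's own spool directory, as in the step 4 pipeline.
top_script_dirs() {
    grep cwd "$1" | grep -v /var/spool \
      | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# Rank the client IPs that requested a given script ($1) in an access log ($2),
# as in the step 5 pipeline.
top_script_clients() {
    grep "$1" "$2" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

# Last line of a ranked list: "<count> <value>" of the busiest entry.
busiest() { tail -n 1 | awk '{print $1, $2}'; }

# Constructed sample data (not real server logs).
MAINLOG=$(mktemp); ACCESSLOG=$(mktemp)
trap 'rm -f "$MAINLOG" "$ACCESSLOG"' EXIT
cat > "$MAINLOG" <<'EOF'
2018-06-09 09:30:01 cwd=/home/domain/public_html/phpbb 3 args: /usr/sbin/sendmail -t -i
2018-06-09 09:30:02 cwd=/home/domain/public_html/phpbb 3 args: /usr/sbin/sendmail -t -i
2018-06-09 09:30:03 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2018-06-09 09:30:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XV6jK-0005iy-RF
2018-06-09 09:30:05 cwd=/home/domain/public_html/phpbb 3 args: /usr/sbin/sendmail -t -i
EOF
cat > "$ACCESSLOG" <<'EOF'
203.0.113.5 - - [09/Jun/2018:09:30:01 +0000] "POST /phpbb/ucp.php HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2018:09:30:02 +0000] "POST /phpbb/ucp.php HTTP/1.1" 200 512
198.51.100.7 - - [09/Jun/2018:09:30:03 +0000] "GET /phpbb/index.php HTTP/1.1" 200 4096
198.51.100.7 - - [09/Jun/2018:09:30:04 +0000] "POST /phpbb/ucp.php HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2018:09:30:05 +0000] "POST /phpbb/ucp.php HTTP/1.1" 200 512
EOF

echo "Mail-sending directories:"; top_script_dirs "$MAINLOG"
echo "Clients hitting ucp.php:";  top_script_clients ucp.php "$ACCESSLOG"
```

On a live server, point the functions at /var/log/exim_mainlog and the account's access log instead of the temporary files.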

Case 2:

1) Follow steps (1) and (2) as in Case 1.

2) Use the following command to count the mails in the queue per sender email account.
This lists the email addresses and the number of their queued mails in increasing order, that is, the addresses with the highest number of mails in the queue are listed last.

# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n

For example:

The output will look like:

1 test@example.com

1762 user@domain.com

3) Now you can read the email headers under the email account user@domain.com with the command

# exim -bp | grep user@domain.com | tail -10

This will list output as given below:

0m 1.5K 1XV6jK-0005iy-RF <user@domain.com>

0m 1.5K 1XV85i-000223-B6 <user@domain.com>
-----------------------------------------------------------
4) Check each mail’s header with the command ‘exim -Mvh <message ID>’.

For example:
# exim -Mvh 1XV6jK-0005iy-RF
————————————-
Look at the field auth_id, i.e. the authentication email address ‘user@domain.com’, which is being used to send spam emails.

Now, you should reset the password of the email account as soon as possible.

5) You can check the maillog to find the IP addresses from which this email account has been accessed.

For example:

# grep user@domain.com /var/log/maillog | awk '{print $10}' | sort -n | uniq -c | sort -n
941 rip=192.168.0.x,

2632 rip=xxx.xxx.xxx.xxx,
Now you can block them at your server’s firewall so that they can’t connect again, using the commands given below.

In csf: csf -d xxx.xxx.xxx.xxx

In iptables: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

In apf: apf -d xxx.xxx.xxx.xxx

And finally save the rule which you have added.

6) Use the following command to clear the emails from a particular account.

# exim -bpu | grep -e "frozen" -e "user@domain.com" | awk '{print $3}' | xargs exim -Mrm

Please replace “user@domain.com” with the actual email address.
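The Case 2 triage steps (per-sender queue count from step 2, the message IDs step 6 removes, and the login IPs from step 5) wrapped as functions over saved command output, run here against constructed samples laid out like exim -bpr output and a dovecot maillog. This is an added example, not code from the original post; the queue entries, addresses and IPs are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the Case 2 steps as functions over
# saved output (e.g. exim -bpr > queue.txt), run against constructed samples.

# Count queued messages per envelope sender (step 2). Sender lines look like
# " 0m  1.5K 1XV6jK-0005iy-RF <user@domain.com>"; bounces carry "<>" as the
# sender and are skipped, as in the post's pipeline.
top_queue_senders() {
    grep '<.*@.*>' "$1" | awk '{print $4}' | grep -v '<>' \
      | sort | uniq -c | sort -n
}

# Message IDs queued for one sender address ($1), i.e. the list that step 6
# hands to exim -Mrm.
queue_ids_for() {
    grep "<$1>" "$2" | awk '{print $3}'
}

# Rank the client IPs that logged in as a mailbox (step 5). Dovecot login lines
# carry "rip=<addr>,"; picking the field by name is sturdier than the post's
# awk '{print $10}', which depends on the exact column layout.
top_login_ips() {
    grep "$1" "$2" | grep -o 'rip=[^,]*' | sort | uniq -c | sort -n
}

# Last line of a ranked list: "<count> <value>" of the busiest entry.
busiest() { tail -n 1 | awk '{print $1, $2}'; }

# Constructed sample data (not real queue or log contents).
QUEUE=$(mktemp); MAILLOG=$(mktemp)
trap 'rm -f "$QUEUE" "$MAILLOG"' EXIT
cat > "$QUEUE" <<'EOF'
 0m  1.5K 1XV6jK-0005iy-RF <user@domain.com>
          victim1@example.com
 0m  1.5K 1XV85i-000223-B6 <user@domain.com>
          victim2@example.com
 2m  2.1K 1XV9aa-000410-Qz <test@example.com>
          friend@example.org
 5m  3.0K 1XV9bb-000411-Qy <>
          user@domain.com
EOF
cat > "$MAILLOG" <<'EOF'
Jun  9 09:30:01 host dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=192.168.0.20, lip=10.0.0.1, mpid=101, TLS
Jun  9 09:30:02 host dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, mpid=102, TLS
Jun  9 09:30:03 host dovecot: imap-login: Login: user=<user@domain.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, mpid=103, TLS
Jun  9 09:30:04 host dovecot: imap-login: Login: user=<test@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, mpid=104, TLS
EOF

top_queue_senders "$QUEUE"
queue_ids_for user@domain.com "$QUEUE"
top_login_ips user@domain.com "$MAILLOG"
```

Review the ID list from queue_ids_for before piping it to exim -Mrm, since the post's step 6 command also drops every frozen message regardless of sender.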

Case 3:

If the emails are sent via newsletters or forms, you can ask the customer to add a verification method to the page. One such method is a captcha.
Redirect them to a developer to enable a captcha on their contact forms.
