
Fix spamming in cpanel exim server

by Bella

Spam is most often considered to be electronic junk mail or junk newsgroup postings. It may be defined even more generally as any unsolicited email.

Generally, spamming can happen in three ways.

1. By compromising an email account whose password is simple and easy to guess.

2. By uploading a script to the server that sends out mail at regular intervals.

3. Via forum or newsletter scripts that send mass email.

Fixing a spamming issue means:

* Block the IP address if it is incoming spam (use iptables, csf or apf).

* Change the password, disable the mailing list and scripts, or even suspend the account, if it is outgoing spam.

Case 1:

1) Run the command 'exim -bpc'; this counts the number of mails waiting in the mail queue.

For example:

# exim -bpc
3600

2) Once you find a high number in the queue, check for live spamming with the command

# exim -bp | tail -10

For example:

0m 1.5K 1XV6jK-0005iy-RF <user@domain.com>
          user@example.com
0m 1.5K 1XV85i-000223-B6 <user@domain.com>
          user@example1.com
0m 1.5K 1XV9T1-0003ET-D3 <user@domain.com>
          user@example2.com

3) Check each mail's header with the command 'exim -Mvh <message ID>'.

For example:

# exim -Mvh 1XV6jK-0005iy-RF

-------------------------------------
1XV6jK-0005iy-RF-H
user 614 32007
<user@domain.com>
1411165962 0
-ident user
-received_protocol local
-body_linecount 23
-max_received_linelength 98
-auth_id user
-auth_sender user@domain.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
user@example.com

id 1XV6jK-0005iy-RF
for user@example.com; Sat, 20 Sep 2014 06:32:42 +0800
060T To: =?UTF-8?B?bXlybmFpdTM=?= <user@example.com>
099 Subject:
 =?UTF-8?B?V2VsY29tZSB0byAiQXNpYSBQYWNpZmljIFBsYW5lIFNwb3R0ZXJzIEZvcnVt?=
 =?UTF-8?B?Ig==?=
026F From: <user@domain.com>
030R Reply-To: <user@domain.com>
033* Return-Path: <user@domain.com>
028* Sender: <user@domain.com>
018 MIME-Version: 1.0
059I Message-ID: <593045bb511db542f2a9955da9509c67@pvollering.com>
038 Date: Sat, 20 Sep 2014 06:32:42 +0800
040 Content-Type: text/plain; charset=UTF-8
032 Content-Transfer-Encoding: 8bit
014 X-Priority: 3
026 X-MSMail-Priority: Normal
017 X-Mailer: phpBB3
018 X-MimeOLE: phpBB3
046 X-phpBB-Origin: phpbb://www.domain.com/phpbb/ucp.php
061 X-AntiAbuse: Board servername - =?UTF-8?B?cHZvbGxlci5uZXQ=?=
025 X-AntiAbuse: User_id - 1
049 X-AntiAbuse: Username - =?UTF-8?B?QW5vbnltb3Vz?=
038 X-AntiAbuse: User IP - xxx.xxx.xxx.xxx
-------------------------------------
Here, look at the auth_id field: the authentication id is 'user', and that identity is being used to send the spam. In other words, the cPanel account 'user' is sending spam via a script.

4) The next step is to locate the spam script under this account.

If the mails are sent by a PHP script, the following commands will show the script used to send the email.

# cd /var/spool/exim/input

# egrep -R "X-PHP-Script" *

The message IDs and the script locations will be listed. Just cat the message ID file to view the message header, including the spamming script.

You can also run the following command to find the directory (cwd) from which the most mail is being sent.

# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

For example:

.
.

2644 /home/domain/public_html/phpbb

We can see /home/domain/public_html/phpbb has more outgoing emails in the list.

Also, from the email header pasted above, you can see that the spam script location is www.domain.com/phpbb/ucp.php.

Now you can go ahead and "null-route" the particular script by taking away its ownership and permissions.

For example:

#cd /home/domain/public_html/phpbb

#chown root: ucp.php

#chmod 000 ucp.php
5) Now look at the Apache access log to see which IP addresses are accessing this script, using the following command:

For example:

# grep "ucp.php" /home/domain/access-logs/domain.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

.
.

10408 xxx.xxx.xxx.xxx

We can see the IP address xxx.xxx.xxx.xxx, which has been using our script maliciously.

If you find a malicious IP address sending a large volume of mail through a script, you can block it at your server's firewall so that it cannot connect again, using the commands given below.

In csf: csf -d xxx.xxx.xxx.xxx

In iptables: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

In apf: apf -d xxx.xxx.xxx.xxx

And finally save the rule you have added.

6) Clear the spam email using the command below:

# exim -bp | grep "user" | awk '{print $3}' | xargs exim -Mrm

-------------------------------------

Case 2:

1) Follow steps (1) and (2) as in Case 1.

2) Use the following command to sort the queued mails by sender address and count. It lists each sender address with the number of mails it has in the queue, in increasing order, so the address with the most queued mails appears last.

# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n

For example, the output will look like:

1 test@example.com

1762 user@domain.com

3) Now you can list the queued mails from the email account user@domain.com with the command

# exim -bp | grep user@domain.com | tail -10

This gives output like the following:

0m 1.5K 1XV6jK-0005iy-RF <user@domain.com>
0m 1.5K 1XV85i-000223-B6 <user@domain.com>
0m 1.5K 1XV9T1-0003ET-D3 <user@domain.com>
0m 1.5K 1XV9Ti-0003KJ-55 <user@domain.com>
0m 1.5K 1XVArh-0000DU-6Z <user@domain.com>

4) Check each mail's header with the command 'exim -Mvh <message ID>'.

For example:
# exim -Mvh 1XV6jK-0005iy-RF

-------------------------------------
mailnull 47 12
<user@domain.com>
1411184761 0
-helo_name webmail.domain.com
-host_address 127.0.0.1.3544
-host_name localhost.localdomain
-host_auth dovecot_login
-interface_address 127.0.0.1.25
-received_protocol esmtpa
-body_linecount 215856
-max_received_linelength 76
-auth_id user@domain.com
XX
1
info@companyname.com

250P Received: from localhost.localdomain ([127.0.0.1]:35444 helo=webmail.chai.in)
 by sp12.twist.in with esmtpa (Exim 4.82)
 (envelope-from <user@domain.com>)
 id 1XVBcX-0000CX-3r
 for info@companyname.com; Sat, 20 Sep 2014 11:46:04 +0800
018 MIME-Version: 1.0
078 Content-Type: multipart/mixed;
 boundary="=_8c49e7e215e784f10d84aad1fd14fc83"
038 Date: Sat, 20 Sep 2014 11:46:01 +0800
028F From: user@domain.com
025T To: info@companyname.com
068 Subject: Request quotation for Operable wall at S'Poly(T1A610)- OLS
059I Message-ID: <a49d791ef84993a11e09c3fae7d8c187@chai.in>
032 X-Sender: user@domain.com
036 User-Agent: Roundcube Webmail/1.0.1
-------------------------------------
Look at the auth_id field, i.e. the authenticated email address 'user@domain.com', which is being used to send the spam. Note that received_protocol is esmtpa and host_auth is dovecot_login: the mail came in through an authenticated SMTP login (webmail here), not from a local script.

Now you should reset the password of this email account as soon as possible.

5) You can check the maillog to find the IP addresses from which this email account has been accessed.

For example:

# grep user@domain.com /var/log/maillog | awk '{print $10}' | sort -n | uniq -c | sort -n
941 rip=192.168.0.x,
2632 rip=xxx.xxx.xxx.xxx,
Now you can block them at your server's firewall so that they cannot connect again, using the commands given below.

In csf: csf -d xxx.xxx.xxx.xxx

In iptables: iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

In apf: apf -d xxx.xxx.xxx.xxx

And finally save the rule you have added.

6) Please use the following command to clear the emails from a particular account.

# exim -bpu | grep -e "frozen" -e "user@domain.com" | awk '{print $3}' | xargs exim -Mrm

Please replace “user@domain.com” with the actual email address.
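Reading each queued message's header by hand, as in Case 1 step 3 and Case 2 step 4, does not scale to a queue of thousands. The following POSIX shell script is an added example (not code from the original article): it parses the same exim -Mvh spool-header fields the article points at (auth_id, received_protocol, host_address, X-PHP-Script) and tallies the queue per authenticated identity, so one pass shows whether you are looking at a script (Case 1) or a compromised mailbox (Case 2). The EXIM variable and the assumed "X-PHP-Script: <path> for <ip>" header layout are my assumptions.

```shell
#!/bin/sh
# Triage the exim queue by submission path, using the spool-header fields the
# article reads by hand (auth_id, received_protocol, host_address, X-PHP-Script).
# EXIM may point at a wrapper for offline testing; it defaults to the real binary.
EXIM=${EXIM:-exim}

# classify_spool_header: read one `exim -Mvh <id>` dump on stdin and print
#   <kind> auth_id=<v> proto=<v> host=<v> script=<v>
# kind is "script"  for Case 1 (received_protocol local: a cPanel user or a PHP
#                   script calling sendmail),
#         "mailbox" for Case 2 (esmtpa/esmtpsa: an authenticated SMTP login such
#                   as webmail or a mail client), or "unknown".
classify_spool_header() {
    awk '
        # option lines of the -H file start with a dash, e.g. "-auth_id user"
        $1 == "-auth_id"           { auth  = $2 }
        $1 == "-received_protocol" { proto = $2 }
        $1 == "-host_address"      { host  = $2 }
        # header lines carry a length prefix: "040 X-PHP-Script: <path> for <ip>"
        # (assumed layout of the header cPanel adds for PHP-originated mail)
        $2 == "X-PHP-Script:"      { script = $3 }
        END {
            if (proto == "local")           kind = "script"
            else if (proto ~ /^esmtps?a$/)  kind = "mailbox"
            else                            kind = "unknown"
            printf "%s auth_id=%s proto=%s host=%s script=%s\n",
                   kind, auth, proto, host, script
        }'
}

# triage_queue: read `exim -bp` output on stdin, fetch each queued message's
# header and count messages per (kind, auth_id), busiest last, in the style of
# the article's `sort | uniq -c | sort -n` pipelines. Recipient continuation
# lines and "*** frozen ***" markers are ignored because only $3 (the message
# ID, three dash-separated base62 groups) is used.
triage_queue() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }' |
    while IFS= read -r id; do
        "$EXIM" -Mvh "$id" | classify_spool_header | awk '{ print $1, $2 }'
    done | sort | uniq -c | sort -n
}

# Typical use on a live server:
#   exim -bp | triage_queue
#   exim -Mvh 1XV6jK-0005iy-RF | classify_spool_header
```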

Case 3:

If email is sent via newsletters or forms, you can ask the customer to add a verification method to the page. One such method is a CAPTCHA; refer them to a developer to enable CAPTCHA on their contact forms.
