forked from rootmarkjoy/Daily-Commands
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathExim Commands
101 lines (76 loc) · 4.37 KB
/
Exim Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
How to Find a spam script location with Exim:-
==============================================
Run the following command to pull the most used mailing script's location from the Exim mail log:-
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
----------------+
You should get back something like this:
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data
----------------+
We can see /home/userna5/public_html/data by far has more deliveries coming in than any others.
==============================================
Now we can run the following command to see what scripts are located in that directory:-
ls -lahtr /userna5/public_html/data
----------------+
In thise case we got back:
drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./
----------------+
So we can see there is a script called mailer.php in this directory
==============================================
Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:-
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
----------------+
You should get back something similar to this:
2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123
----------------+
We can see the IP address 123.123.123.123 was using our mailer script in a malicious nature.
==============================================
If you find a malicious IP address sending a large volume of mail from a script, you'll probably want to go ahead and block them at your server's firewall so that they can't try to connect again.
---------------+
This can be accomplished with the following command:
apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"
---------------+
==============================================
Run the following command to locate duplicate subjects from your Exim mail log:-
awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n
--------------+
You should get back something that looks like this:
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally
-------------+
So in this case we can see that by far the subject Melt Fat Naturally is the most duplicated subject currently in the Exim mail log.
==============================================
Now we can search to see what user has been sending out this possible spam message with the following command:-
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n
-------------+
You should end up with some results like this:
1 test@example.com
1762 user01@example.com
-------------+
So in this case we can see that it looks like the user01@example.com account was used to relay this spam message.
==============================================
You can now locate all of the IP addresses the user01@example.com account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you.
Use the following command to find all the IP addresses the account has been relaying mail with:-
grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n
-------------+
You should get back something related to this:
1762 [123.123.123.123]
So we can see that all 1,763 messages the user01@example.com user sent out, all came from the same 123.123.123.123 IP address.
-------------+
==============================================
Now we can go ahead and block this IP address from our server at the server's firewall by running the following command:-
-------------+
apf -d 123.123.123.123 "Sending weight loss spam from user01@example.com"
-------------+
==============================================
exiqgrep -i -f | xargs exim -Mrm =====> (remove all mail with frozen)
/usr/sbin/exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm =====> (Remove frozen mails)
exim -bpr| grep domainname@domain.com| awk '{print $3}'|xargs exim -Mrm =====> (Remove mail queue for particular email account)