EXIM

Exim Commands


  • Print a count of the messages in the queue:

# Number of messages in the queue (cheaper than listing them with -bp).
root@localhost# exim -bpc
 
  • Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):

 
# List the queue: age, size, message-id and envelope sender on one line,
# recipients on the following line(s); a frozen message carries a
# "*** frozen ***" marker after the sender. Output can be very large on a
# busy queue — use -bpc for a count or exiqgrep to filter.
root@localhost# exim -bp
 
  • Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):

 
# Per-domain summary of the queue (message count, volume, oldest, newest)
# plus totals; exiqsumm reads the "exim -bp" listing from stdin.
root@localhost# exim -bp | exiqsumm
 
  • Print what Exim is doing right now:

 
# Show what each running Exim process is doing right now (exiwhat signals
# the processes and prints what each one reports back).
root@localhost# exiwhat

 

  • Use -f to search the queue for messages from a specific sender (the argument is a regular expression, not a plain address):

 
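# -f is a case-insensitive regex matched against the envelope sender, which
# exiqgrep wraps in <...>. A placeholder such as [luser]@domain is itself a
# regex (a bracket expression matching one of l,u,s,e,r), so give a real
# address with the dot escaped and anchor it, otherwise user@example.com also
# matches user@example.com.attacker.test and xuser@example.com.
root@localhost# exiqgrep -f '^<user@example\.com>$'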
 
  • Use -r to search the queue for messages to a specific recipient or domain (also a regular expression):

 
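# -r is a case-insensitive regex matched against each recipient address (not
# wrapped in <...>). Escape the dots; a bare domain suffix selects every
# recipient in that domain.
root@localhost# exiqgrep -r 'user@example\.com'
root@localhost# exiqgrep -r '@example\.com'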
 
  • Force delivery of a single message from the queue:

 
# Run an immediate delivery attempt for one message, ignoring its retry
# times (a frozen message is thawed first).
root@localhost# exim -M <message-id>
 
  • View a message's headers:

 
# Print the spool header file (-H): envelope details plus the message
# headers. Inspect a message this way before deleting it; -Mvl prints the
# per-message delivery log.
root@localhost# exim -Mvh <message-id>
 
  • View a message's body:

 
# Print the spool data file (-D), i.e. the message body. This is untrusted
# content — it may contain terminal escape sequences — so pipe it through
# less or cat -v rather than dumping it straight to a terminal.
root@localhost# exim -Mvb <message-id>
 
  • To delete all queued messages containing a certain string in the body:

 
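# Delete every queued message whose spool files contain the string. The
# search covers both the -H (envelope/headers) and -D (body) file, so it can
# also hit legitimate mail that merely quotes the text: freeze (exim -Mf) and
# inspect (exim -Mvh) first, or run this without the final xargs stage to see
# which ids would be removed. -F makes the pattern literal; sed -n ... p emits
# only lines that really are -H/-D spool files; sort -u drops the duplicate id
# produced when both files of one message match; xargs -r skips exim when
# nothing matched.
root@localhost# grep -lrF 'a certain string' /var/spool/exim/input/ | \
                sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm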
 
  • Remove all messages sent from a particular sender (joe@example.com):

 
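# Remove every queued message from one sender. -f is a regex on the
# <...>-wrapped envelope sender, so escape the dot and anchor it (an unescaped
# '<joe@example.com>' also matches joe@exampleXcom); -i prints only message
# ids; xargs -r skips exim when nothing matched.
root@localhost# exiqgrep -i -f '^<joe@example\.com>$' | xargs -r exim -Mrm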

  • Forcefully deliver all messages from queue:

 
 root@localhost# exim -qff 
 
 

REMOVE MESSAGES FROM THE QUEUE (frozen messages, or messages matching a string)

 

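# Remove every frozen message. In "exim -bp" output a frozen message carries
# "*** frozen ***" after the sender, so field 6 is "frozen" and field 3 the
# message id; "exiqgrep -z -i | xargs -r exim -Mrm" selects the same ids
# without depending on column positions.
exim -bp | awk '$6 ~ /frozen/ { print $3 }' | sort -u | xargs -r exim -Mrm

# Each line below deletes queued messages whose spool files (-H envelope and
# headers, -D body; /var/spool/exim4/input on Debian-style installs) contain a
# string. These patterns are blunt: the bounce-related strings also remove
# legitimate delivery reports, and body words match forwarded or quoted text in
# real mail. Freeze (exim -Mf) and inspect (exim -Mvh / -Mvb) before removing,
# or run a line without the final xargs stage to list the ids first.
# -F keeps each pattern literal — read as a basic regex, '***SPAM***' matches
# "SPA" followed by any number of "M"s, i.e. SPAIN or SPACE — sed -n ... p
# emits only message ids, sort -u collapses the duplicate id produced when both
# the -H and -D file match, and xargs -r skips exim when nothing matched.
# Matching is case-sensitive unless -i is added.
grep -lrF 'nobody@' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'From: Mail Delivery System' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'X-Spam-Status: Yes' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'Subject: Mail delivery failed' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'Message rejected' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

# Only matches when this text appears inside a queued message (e.g. quoted in
# a bounce); the spool's msglog/ directory, where Exim records it, is not searched.
grep -lrF 'retry time not reached for any host' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'Cialis' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'viagra' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'Pharmaceutical' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF '***SPAM***' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'Subject: ALL DRUGS HERE' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm

grep -lrF 'DRUGS' /var/spool/exim/input/ | sed -n 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u | xargs -r exim -Mrm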



SPAMMING DETECTION

 

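# The log path below is the cPanel layout; Debian-style installs use
# /var/log/exim4/mainlog.

# Envelope addresses of queued messages, counted and ranked — an address that
# dominates the queue usually belongs to the compromised account or script.
# -bpr is -bp without the chronological sort.
exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c | sort -rn

# Top five local users by messages injected (P=local lines). The U=<user>
# token is picked by name rather than by column number so an extra field on
# the line cannot shift it.
awk '/<=.*P=local/ { for (i = 1; i <= NF; i++) if ($i ~ /^U=/) print $i }' /var/log/exim_mainlog | sort | uniq -c | sort -rn | head -5

# Remote IPs from the last 1000 SMTP log lines (first bracketed address on
# each line), counted and ranked, to spot a single host responsible for most
# of the connections.
tail -n 1000 /var/log/exim_mainlog | grep SMTP | cut -d '[' -f 2 | cut -d ']' -f 1 | sort | uniq -c | sort -rn

# Directories of scripts injecting mail through the local sendmail interface,
# ranked by count. Exim logs the caller's working directory as cwd=... when
# the +arguments log selector is enabled; the match on "home" keeps only
# customer accounts.
awk '$0 ~ "cwd" && $0 ~ "home" { print $3 }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1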

To find out the php script used for spamming:

 find /home/xyz/ -name '*.php'|xargs grep -w "mail("

This searches the account's PHP files for a literal mail() call and gives an idea of which scripts can send mail. It will not find mailers that obfuscate the call (base64/eval, call_user_func) or that shell out to sendmail directly, so cross-check the result against the cwd= log search above and the spool-header search below.

  • The command below lists the script that is generating spam from an account. It is usually easier to find the spamming script in /var/spool/exim than in the logs, because the queued message's header file records the origin: on hosts where PHP adds it, the X-PHP-Script header names the script and the requesting IP. Treat the output as a lead to verify on disk, not as proof.
==========
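# Header lines naming the PHP origin of queued messages. Searching only input/
# (the -H header and -D body files) skips the db/ and msglog/ trees that
# /var/spool/exim/* also covers; egrep is deprecated and the pattern needs no
# regex, hence grep -F. With -i the short pattern also matches other X-php*
# headers such as X-phpBB-Origin (see the output below) — use 'X-PHP-Script'
# to see only the script/IP header.
grep -riF 'X-PHP' /var/spool/exim/input/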
==========

[root@localhost] exim >> egrep "X-PHP" /var/spool/exim/* -iR
/var/spool/exim/input/G/1UKUZG-00066Z-Mv-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/f/1UKfVf-00053j-QC-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/C/1UKmWC-0006KB-Qr-D:X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/C/1UKmWC-0006Jt-Jb-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/z/1UKhfz-00059w-PM-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/z/1UKmPz-0005ej-S5-D:X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/z/1UKmPz-0005eS-Lh-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk
/var/spool/exim/input/Z/1UKRKZ-00030u-N7-H:079  X-PHP-Script: tcfgfusbgcbcvjm.ritenour.k12.mo.us/sendmail.php for 116.32.74.15
/var/spool/exim/input/v/1UKemv-0007Rv-JA-H:054  X-phpBB-Origin: phpbb://stathamspartans.com/smacktalk






 
 
