Question
How do you find the source(s) of a large amount of email?
Answer
Note: This article is meant to guide you in the right direction. A further, more in-depth review of the server should be performed by the system administrator or web host.
You can check the number of emails in the Exim mail queue by running the following command as root:
# exim -bpc
You can determine which accounts are sending email by running the following command in SSH as root:
# awk '/Sender/{print $8}' /var/log/exim_mainlog | cut -d'=' -f2 | sort | uniq -c | sort -rn
This will provide you with a list of email accounts and the number of times the email account was referenced in the Exim log.
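The following is an added example, not part of the original article or of cPanel's tooling. It goes beyond the one-liner by locating the sender by its S= prefix instead of by column number, and by also counting the working directories of command-line mail submissions. The log layout ("Sender identification ... S=" and "cwd=... args:" lines) is assumed from the one-liner above, the function names are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. The log layout is assumed from the one-liner above;
# function names are hypothetical and all sample lines are constructed.

# "count address" per S= token on "Sender identification" lines. The token
# is located by its prefix rather than by column number.
count_senders() {
    awk '/Sender identification/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^S=/) print substr($i, 3)
         }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count directory" per cwd= token on lines that record a command-line
# invocation (mail handed to Exim by a script instead of over SMTP).
count_script_dirs() {
    awk '/ cwd=/ && / args: / {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^cwd=/) print substr($i, 5)
         }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Write a constructed sample log to the path given as $1. The last line has
# "Sender" in its subject and S= as a size field; it is not a sender record.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10 09:00:00 cwd=/home/cptest/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:00:01 1rAAAA-000001-AA Sender identification U=cptest D=example.com S=news@example.com
2024-01-10 09:00:02 cwd=/home/cptest/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:00:03 1rAAAB-000002-AB Sender identification U=cptest D=example.com S=news@example.com
2024-01-10 09:00:04 1rAAAC-000003-AC Sender identification U=cptest D=example.com S=news@example.com
2024-01-10 09:05:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-01-10 09:06:00 1rAAAD-000004-AD Sender identification U=cptest D=example.com S=info@example.com
2024-01-10 09:06:01 1rAAAD-000004-AD <= info@example.com H=localhost [127.0.0.1] T="Sender test" S=512
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "Senders:";            count_senders "$log"
echo "Script directories:"; count_script_dirs "$log"
rm -f "$log"
```

On a server, pass /var/log/exim_mainlog (the path used above) to either function in place of the sample file.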
MSP
We have a script that you can run as the root user. It produces friendlier output than the method above, though it is less customizable than modifying or creating your own one-liner.
An example usage of this script would be:
# /usr/local/cpanel/3rdparty/bin/perl <(curl -s "https://raw.githubusercontent.com/CpanelInc/tech-SSE/master/msp.pl") --auth
Here is the output from the above usage example:
[root@server ~]# /usr/local/cpanel/3rdparty/bin/perl <(curl -s "https://raw.githubusercontent.com/CpanelInc/tech-SSE/master/msp.pl") --auth
Checking Mail Authentication statistics...
------------------------------------------
Setting I/O priority to reduce system load: best-effort: prio 6
Emails sent via Password Authentication:
5 __cpanel__service__auth__icontact__yf6djdw31tjwsg7k
Directories where email was sent via sendmail/script:
132 /var/spool/exim
10 /
1 /home/cPanelInstall/username
Users who sent mail via local SMTP:
None
Subjects by commonality:
10 Mail delivery failed: returning message to sender
2 [10-0-40-40.domain.tld] You must reboot the server to enable quotas.
2 [10-0-40-40.domain.tld] \342\232\240 1 service generated warnings while checking SSL certificates.
1 [10-0-40-40.domain.tld] PowerDNS Configuration updated.
1 [10-0-40-40.domain.tld] New account: cptest (example.com)
1 [10-0-40-40.domain.tld] New addon domain: \342\200\234testaddon.com\342\200\235 for \342\200\234cptest\342\200\235
1 [10-0-40-40.domain.tld] New addon domain: \342\200\234cpaaddondomain.com\342\200\235 for \342\200\234cptest\342\200\235
1 [10-0-40-40.domain.tld] \342\232\240 1 service generated warnings while checking SSL certificates.
1 [10-0-40-40.domain.tld] Hostname change status
As you can see, the script breaks the mail down in a similar way and provides additional information.