Introduction
In this article, we will explore a way to determine which email accounts are sending a large number of emails. This is meant to guide you in the right direction. A further, more in-depth review of the server should be performed by the system administrator or web host.
Procedure
You will first want to check your Exim queue. You can use the command:
exim -bpc
This will tell you the number of emails that are in the queue.
You will then want to find the email accounts that are sending the emails.
grep Sender /var/log/exim_mainlog | awk '{print $8}' | cut -d'=' -f2 | sort | uniq -c | sort -rn
This will then provide you with a list of the accounts and the number of times each address was referenced in your mail log.
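The one-liner above takes the sender from field 8, so any extra column in the log line (for example a pid field) makes it report the wrong token. The following is an added example, not cPanel's own code, that finds the S= token by name and adds a minimum count and an optional date filter. The function names top_senders and make_sample_log are hypothetical, and the log line layout is an assumption inferred from the field positions the one-liner uses.

```shell
#!/bin/sh
# Added example, not cPanel's code. Assumed log format (constructed lines below):
#   DATE TIME [optional pid] MSGID Sender identification U=user D=domain S=address

# top_senders LOGFILE [MIN_COUNT] [YYYY-MM-DD]
# Prints "count address", highest count first, for senders with at least
# MIN_COUNT entries (default 1), optionally limited to a single log date.
top_senders() {
    awk -v min="${2:-1}" -v day="${3:-}" '
        day != "" && $1 != day { next }        # keep only the requested date
        /Sender identification/ {
            # Find the S= token by name instead of assuming it is field 8.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^S=./) { count[substr($i, 3)]++; break }
            }
        }
        END {
            for (addr in count)
                if (count[addr] >= min) print count[addr], addr
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (not from a real server). The third line carries a
# pid field, which shifts every later column by one; the last line is a
# normal arrival line whose S= is a message size and must not be counted.
make_sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 1s1AAA-0000aa-01 Sender identification U=alice D=example.com S=alice@example.com
2024-05-01 10:00:02 1s1AAB-0000ab-02 Sender identification U=alice D=example.com S=alice@example.com
2024-05-01 10:00:03 [12345] 1s1AAC-0000ac-03 Sender identification U=alice D=example.com S=alice@example.com
2024-05-01 10:00:04 1s1AAD-0000ad-04 Sender identification U=bob D=example.org S=bob@example.org
2024-05-02 09:00:00 1s1AAE-0000ae-05 Sender identification U=bob D=example.org S=bob@example.org
2024-05-01 10:00:05 1s1AAF-0000af-06 <= carol@example.net H=localhost [127.0.0.1] P=esmtpa S=1234
EOF
}

# Demo on the sample; on a server pass /var/log/exim_mainlog instead.
sample=$(mktemp)
make_sample_log > "$sample"
top_senders "$sample" 2 2024-05-01    # -> 3 alice@example.com
rm -f "$sample"
```
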
MSP
We do have a script that gives friendlier output than the method above, though it is less customizable than modifying or creating your own one-liner. You can review the script and its functions at the link below.
https://github.com/CpanelInc/tech-MSP
An example usage of this script would be:
/usr/local/cpanel/3rdparty/bin/perl <(curl -s "https://raw.githubusercontent.com/CpanelInc/tech-SSE/master/msp.pl") --auth
This would then provide an output very similar to what you see below:
[root@server ~]# /usr/local/cpanel/3rdparty/bin/perl <(curl -s "https://raw.githubusercontent.com/CpanelInc/tech-SSE/master/msp.pl") --auth
Checking Mail Authentication statistics...
------------------------------------------
Setting I/O priority to reduce system load: best-effort: prio 6
Emails sent via Password Authentication:
5 __cpanel__service__auth__icontact__yf6djdw31tjwsg7k
Directories where email was sent via sendmail/script:
132 /var/spool/exim
10 /
1 /home/cPanelInstall/username
Users who sent mail via local SMTP:
None
Subjects by commonality:
10 Mail delivery failed: returning message to sender
2 [10-0-40-40.domain.tld] You must reboot the server to enable quotas.
2 [cl92.sean.test] \342\232\240 1 service generated warnings while checking SSL certificates.
1 [10-0-40-40.domain.tld] PowerDNS Configuration updated.
1 [cl92.sean.test] New account: sean (example.com)
1 [cl92.sean.test] New addon domain: \342\200\234testaddon.com\342\200\235 for \342\200\234sean\342\200\235
1 [cl92.sean.test] New addon domain: \342\200\234cpaaddondomain.com\342\200\235 for \342\200\234sean\342\200\235
1 [10-0-40-40.domain.tld] \342\232\240 1 service generated warnings while checking SSL certificates.
1 [cl92.sean.test] Hostname change status
As you can see, the script breaks the data down similarly and includes additional information.
Please keep in mind that you will want to have your system administrator or web host further review the server and ensure the accuracy of the results.