
HELP : My server emails sending too many spam

Comments

9 comments

  • andrew.n
    You should look into the headers of the mails and see which account is sending those.
    0
  • cPRex Jurassic Moderator
    If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam:

        grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications.
    0
  • quietFinn
    In my experience, the first thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server.
    0
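
Added example (not part of any post in this thread): a shell sketch that combines the per-directory `cwd=` count from cPRex's command with the LOCAL versus AUTH split quietFinn describes. It assumes Exim's default main-log layout (date, time, message ID, `<=`) and that the `U=`, `P=` and `A=` fields are logged; the function names are hypothetical and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example. Sample log lines below are constructed, not from a real server.
write_sample_log() {
cat > "$1" <<'EOF'
2024-01-01 10:00:01 cwd=/home/account1/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:02 cwd=/home/account1/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:03 cwd=/etc/csf 2 args: /usr/sbin/sendmail -t
2024-01-01 10:00:04 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1abcde-000001-AA
2024-01-01 10:00:05 1abcde-000001-AA <= account1@host.example.test U=account1 P=local S=812 T="P=esmtpa test" for a@example.test
2024-01-01 10:00:06 1abcde-000002-BB <= info@example.test H=(pc) [192.0.2.10]:50000 P=esmtpsa A=dovecot_login:info@example.test S=900 T="hi" for b@example.test
2024-01-01 10:00:07 1abcde-000003-CC <= info@example.test H=(pc) [192.0.2.10]:50001 P=esmtpsa A=dovecot_login:info@example.test S=901 T="hi" for c@example.test
EOF
}

# Messages per submitting directory (cwd=), skipping Exim's own spool.
cwd_counts() {
    awk '/ cwd=/ && !/ cwd=\/var\/spool/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=/) n[substr($i, 5)]++
    }
    END { for (d in n) print n[d], d }' "$1" | sort -n
}

# Arrivals (<=) split into LOCAL (P=local, keyed by U=) and AUTH (keyed by A=).
relay_counts() {
    awk '$4 == "<=" {
        u = ""; a = ""; p = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^T="/) break          # subject text is untrusted; stop here
            if ($i ~ /^U=/) u = substr($i, 3)
            else if ($i ~ /^A=/) a = substr($i, 3)
            else if ($i ~ /^P=/) p = substr($i, 3)
        }
        if (p == "local") n["LOCAL " u]++
        else if (a != "") n["AUTH " a]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -n
}

log=$(mktemp) && write_sample_log "$log"
cwd_counts "$log"
relay_counts "$log"
rm -f "$log"
```

On a real server, pass the mail log path (such as the `/var/log/exim_mainlog` used in the command above) to each function instead of the sample file.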
  • jana-its
    In my experience, the first thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server.

    Hello, I have spam through the server, and my firewall and Exim stopped the sender. How can I catch the spammer or the exploit? I use ImunifyAV and no malware was found.
    0
  • cPRex Jurassic Moderator
    @jana-its - if you scroll up just a bit, you'll see a command that can help you search the Exim logs on the machine for more details about where the message may have originated from. Trying that is always a good first step.
    0
  • martin MHC
    deleted. See below
    0
  • martin MHC
    If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam: That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications.

    @cPRex I have done this for our own issues of suspecting spam is being sent from the server to accounts on the server. The results are as follows:

        1 /home/account1
        1 /home/account2
        1 /root
        388 /etc/csf
        392 /

    My query is this: Should "/" be sending any sort of emails? Should "/root" be sending any sort of emails? Does the location indicate the file that is sending the emails rests in that directory? For instance, how would I go about sourcing the cause code of the 392 emails from "/" if it's not an expected sender? Thank you.
    0
  • cPRex Jurassic Moderator
    Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent. Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that.
    0
  • martin MHC
    Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent. Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that.

    Oh of course, it's because it didn't add up that I didn't think it was a sum value! Awesome, thanks.
    0
