Any webhost server admin knows the frustration of spamming accounts; the trouble is putting together a toolkit to identify them. I'll write a series of posts on how to mostly eliminate spam on cPanel/DirectAdmin servers.
There are a few different patterns in which spam is sent:
- Repetitive subject from a single IP
- Repetitive subject from multiple IPs
- Non-repetitive subject from a single IP
- Non-repetitive subject from multiple IPs
These are in order from easiest to most difficult to identify and combat. The first is simple: find which IP is sending mail with a particular subject line and block that IP. Bear in mind that if the log line shows the mail was accepted with a valid login (the A= field on the <= line, A=dovecot_login:user@domain on cPanel), the account's password is compromised and should be reset; blocking the IP alone only stops that one source.
Here is a list of commands you can run in the terminal to identify the spamming account. All of them read Exim's main log, /var/log/exim_mainlog; the subject-based ones rely on Exim's +subject log_selector (enabled in cPanel's stock exim.conf), which writes the subject as T="..." on each <= (message received) line.
Identify the number of mails sent per subject (most frequent last; the T=" separator has to be single-quoted for the shell)
awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog | cut -d'"' -f1 | sort | uniq -c | sort -n
Identify which email address sent a specific subject and how many times (field 5 of a <= line is the envelope sender; grep -F treats the subject as a fixed string, so punctuation in it is not interpreted as a regex)
grep -F 'T="ENTER SUBJECT TO SEARCH FOR"' /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n
Identify which IP addresses sent mails with a specific subject from a particular email address (the IP is the bracketed address after H=)
grep "<= SENDER_EMAIL_ADDRESS " /var/log/exim_mainlog | grep -F 'T="ENTER SUBJECT TO SEARCH FOR"' | grep -oE '\[[0-9.]+\]' | sort | uniq -c | sort -n
Show all IPs that have used a certain email address for sending, with a count per IP
grep "<= SENDER_EMAIL_ADDRESS " /var/log/exim_mainlog | grep -oE '\[[0-9.]+\]' | sort | uniq -c | sort -n
Show all IPs that used a certain email address for sending (each IP once)
grep "<= SENDER_EMAIL_ADDRESS " /var/log/exim_mainlog | grep -oE '\[[0-9.]+\]' | sort -u
Show the same list with the square brackets stripped from around the IP
grep "<= SENDER_EMAIL_ADDRESS " /var/log/exim_mainlog | grep -oE '\[[0-9.]+\]' | sort -u | sed 's/[][]//g'
The trailing space after the address stops user@domain.com from also matching user@domain.com.au. Note that the address after <= is the envelope sender, which a spammer can set to anything; if the lines carry an A= field, filter on that instead (grep "A=dovecot_login:ACCOUNT " ...) to see which IPs actually logged in to the account.
Block IPs in CSF
If you're using CSF you can run the following commands to output the IPs to a text file, build a .sh file from it, and then run that file to block all violating IPs.
grep "<= SENDER_EMAIL_ADDRESS " /var/log/exim_mainlog | grep -oE '\[[0-9.]+\]' | sort -u | sed 's/[][]//g' > ips.txt
Now that all IPs have been output to ips.txt, review it before going any further: remove 127.0.0.1 and any of the server's own or your office's addresses, because csf -d on those will lock you or local services (webmail submits via localhost) out. Then build block.sh with the following command:
awk '{print "csf -d " $0}' ips.txt > block.sh
Run it with sh block.sh; each line adds a permanent entry to /etc/csf/csf.deny. Keep in mind that CSF caps csf.deny at DENY_IP_LIMIT entries (200 by default) and drops the oldest beyond that, so a long list from a large spam run will not stay blocked forever; resetting the compromised account's password is what actually stops the run.
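The whole procedure above, run end to end against a small constructed exim_mainlog sample, as an added example that is not part of the original post. It assumes Exim's default mainlog layout with +subject logging (the T="..." field) and cPanel's A=dovecot_login:account authenticator field; the log lines, account names and IPs (RFC 5737 test ranges) are made up for the example. It goes one step beyond the post by keying the IP lookup and the block list on the authenticated account (A=) rather than the forgeable envelope sender, and by dropping 127.0.0.1 before anything is written to the deny script.

```shell
#!/bin/bash
# Added example, not code from the original post: the exim_mainlog triage
# steps run against a constructed sample. Assumes Exim's default mainlog
# layout with +subject logging (T="...") and cPanel's A=dovecot_login:<account>
# authenticator field. Accounts, hosts and IPs below are invented.
set -eu

LOG="$(mktemp)"
BLOCK="$(mktemp)"
trap 'rm -f "$LOG" "$BLOCK"' EXIT

# Constructed sample log: one account (sales@example.com) blasting the same
# subject from two remote IPs and from webmail on 127.0.0.1, once with a forged
# envelope sender, plus unrelated legitimate traffic and a local submission.
cat > "$LOG" <<'EOF'
2024-05-01 10:00:01 1s0a1b-0001AA-Qx <= sales@example.com H=(win-pc) [203.0.113.10] P=esmtpsa A=dovecot_login:sales@example.com S=1420 id=a1@win-pc T="Cheap watches!!!" from <sales@example.com> for victim1@example.net
2024-05-01 10:00:02 1s0a1b-0001AA-Qx => victim1@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.25] C="250 OK"
2024-05-01 10:00:05 1s0a1f-0001AC-Qx <= sales@example.com H=(win-pc) [203.0.113.10] P=esmtpsa A=dovecot_login:sales@example.com S=1421 id=a2@win-pc T="Cheap watches!!!" from <sales@example.com> for victim2@example.net
2024-05-01 10:00:09 1s0a1j-0001AD-Qx <= promo@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:sales@example.com S=1419 id=a3@laptop T="Cheap watches!!!" from <promo@example.com> for victim3@example.net
2024-05-01 10:00:12 1s0a1m-0001AE-Qx <= sales@example.com H=localhost (webmail.example.com) [127.0.0.1] P=esmtpa A=dovecot_login:sales@example.com S=1425 id=a4@webmail T="Cheap watches!!!" from <sales@example.com> for victim4@example.net
2024-05-01 10:01:00 1s0a2b-0001AF-Qx <= bob@example.org H=(office) [192.0.2.44] P=esmtpsa A=dovecot_login:bob@example.org S=2210 id=b1@office T="Invoice #123" from <bob@example.org> for accounts@example.com
2024-05-01 10:02:00 1s0a3b-0001AG-Qx <= bounce@example.org U=nobody P=local S=800 T="Invoice #123" from <bounce@example.org> for bob@example.org
EOF

# 1. Messages per subject (the post's first pipeline with the quoting fixed).
#    Only "<=" arrival lines carry T="..."; lines without one are skipped.
subject_counts() {
    awk -F'T="' '/ <= / && NF > 1 { print $2 }' "$1" | cut -d'"' -f1 \
        | sort | uniq -c | sort -n
}

# Most frequent subject: last line of subject_counts with the count removed.
top_subject() {
    subject_counts "$1" | tail -n 1 | sed 's/^ *[0-9]* //'
}

# 2. Envelope senders that used a subject (field 5 of a "<=" line). grep -F
#    treats the subject as a fixed string, so "#", "." or "*" in it are literal.
senders_for_subject() {
    grep -F ' <= ' "$1" | grep -F "T=\"$2\"" | awk '{ print $5 }' \
        | sort | uniq -c | sort -n
}

# 3. Authenticated accounts behind that subject. The envelope sender can be
#    anything the spammer chooses; A= names the mailbox that actually logged in.
auth_accounts_for_subject() {
    grep -F ' <= ' "$1" | grep -F "T=\"$2\"" | grep -o 'A=[^ ]*' \
        | cut -d: -f2 | sort | uniq -c | sort -n
}

# 4. Unique source IPs for an authenticated account, brackets stripped with the
#    post's sed, loopback dropped (webmail submits via 127.0.0.1; a csf -d on it
#    would break local mail). The trailing space after the account stops
#    "sales@example.com" from also matching "sales@example.com.au".
ips_for_account() {
    grep -F ' <= ' "$1" | grep -F "A=dovecot_login:$2 " \
        | grep -oE '\[[0-9.]+\]' | sed 's/[][]//g' | sort -u | grep -v '^127\.'
}

# 5. Turn the IP list into a CSF deny script. It is only written, never run:
#    review it, then execute `sh block.sh` on the server. Prints the line count.
build_block_script() {
    ips_for_account "$1" "$2" \
        | awk -v acct="$2" '{ print "csf -d " $1 " spam via " acct }' > "$3"
    wc -l < "$3" | tr -d ' '
}

echo "== messages per subject =="; subject_counts "$LOG"
SUBJ="$(top_subject "$LOG")"
echo "== envelope senders for: $SUBJ =="; senders_for_subject "$LOG" "$SUBJ"
echo "== authenticated accounts for: $SUBJ =="; auth_accounts_for_subject "$LOG" "$SUBJ"
ACCT="$(auth_accounts_for_subject "$LOG" "$SUBJ" | tail -n 1 | awk '{ print $2 }')"
echo "== remote IPs used by $ACCT =="; ips_for_account "$LOG" "$ACCT"
echo "== block script ($(build_block_script "$LOG" "$ACCT" "$BLOCK") lines) =="
cat "$BLOCK"
```

On a real server, point the functions at /var/log/exim_mainlog instead of the temp file (and at the rotated exim_mainlog-* files if the run started before the last rotation). The generated script passes the text after the IP to csf -d as the deny comment, so csf.deny records which account the block was for; the sample shows why the A= field matters, since the envelope sender promo@example.com would otherwise look like a second, unrelated account.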