Identify spamming accounts cPanel/DirectAdmin Exim

A web host server admin knows the frustration of spamming accounts; the trouble is putting together a toolkit to identify them. I'll write a series of posts on how to mostly eliminate spam on cPanel/DirectAdmin servers.

There are a couple of different ways spam is sent:

  1. Repetitive subject from a single IP
  2. Repetitive subject from multiple IPs
  3. Non-repetitive subject from a single IP
  4. Non-repetitive subject from multiple IPs

These are in order from easiest to most difficult to identify and combat. Case 1 is simple: we just need to find which IP is sending mail with a particular subject line and then block that IP.

Here is a list of commands you can run on the terminal to identify the spamming account:

Identify number of mails sent with a repetitive subject

awk -F'T="' '/<=/ {print $2}' /var/log/exim_mainlog | cut -d'"' -f1 | sort | uniq -c | sort -n

Identify which email account sent a specific subject and how many times

grep "ENTER SUBJECT TO SEARCH FOR" /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n

Identify which IP address sent mails with a specific subject from a particular email address

grep "<= SENDER_EMAIL_ADDRESS" /var/log/exim_mainlog | grep "ENTER SUBJECT TO SEARCH FOR" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

Show all IPs that have used a certain email address for sending and show the IP count

grep "<= SENDER_EMAIL_ADDRESS" /var/log/exim_mainlog | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

Show all IPs that used a certain email address for sending

grep "<= SENDER_EMAIL_ADDRESS" /var/log/exim_mainlog | grep -o "\[[0-9.]*\]" | sort -n | uniq | sort -n

Show all IPs that used a certain email address for sending and strip the square brackets around the IP

grep "<= SENDER_EMAIL_ADDRESS" /var/log/exim_mainlog | grep -o "\[[0-9.]*\]" | sort -n | uniq | sort -n | sed 's/[][]//g'

Block IPs in CSF

If you're using CSF, you can run the following commands to write the IPs to a .sh file, which you can then run to block all violating IPs.

grep "<= SENDER_EMAIL_ADDRESS" /var/log/exim_mainlog | grep -o "\[[0-9.]*\]" | sort -n | uniq | sort -n | sed 's/[][]//g' > ips.txt

Now that all IPs have been output to ips.txt, we can build the block.sh file with the following command:

awk '{print "csf -d " $0}' ips.txt > block.sh
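As an added example that is not part of the post, here are the pipelines above wrapped in shell functions and run against a small constructed Exim mainlog (made-up accounts, RFC 5737 documentation-range IPs), so each stage can be checked offline before it is pointed at the real /var/log/exim_mainlog. The function names and the sample log lines are my own assumptions; the line layout follows a standard Exim "<=" receipt line with the subject logged via T="...".

```shell
#!/bin/sh
# Added example, not the post's own commands: the post's pipelines as functions,
# run over a constructed Exim mainlog so they can be tried offline.
# On a real server set LOG=/var/log/exim_mainlog instead of the temp file.
# Every account, message id and IP below is made up (documentation ranges).

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2024-05-01 10:00:01 1s0aaa-0001Ab-Cd <= user1@example.com H=(win-pc) [203.0.113.5] P=esmtpa A=dovecot_login:user1@example.com S=1432 id=1@example.com T="Limited offer" from <user1@example.com> for a@example.net
2024-05-01 10:00:02 1s0aaa-0001Ab-Ce <= user1@example.com H=(win-pc) [203.0.113.5] P=esmtpa A=dovecot_login:user1@example.com S=1432 id=2@example.com T="Limited offer" from <user1@example.com> for b@example.net
2024-05-01 10:00:03 1s0aaa-0001Ab-Cf <= user1@example.com H=(vps) [198.51.100.9] P=esmtpa A=dovecot_login:user1@example.com S=1432 id=3@example.com T="Limited offer" from <user1@example.com> for c@example.net
2024-05-01 10:00:04 1s0aaa-0001Ab-Cd => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.20]
2024-05-01 10:00:05 1s0aaa-0001Ab-Ch <= alice@example.com H=(home) [203.0.113.77] P=esmtpsa A=dovecot_login:alice@example.com S=2201 id=4@example.com T="Invoice March" from <alice@example.com> for d@example.net
EOF

# Subject counts over incoming ("<=") lines only, least to most frequent.
# Delivery ("=>") lines carry T=<transport>, not a quoted subject, hence /<=/.
top_subjects() {
    awk -F'T="' '/<=/ {print $2}' "$LOG" | cut -d'"' -f1 | sort | uniq -c | sort -n
}

# Sender (field 5 of a "<=" line) for an exact subject, with how often it was used.
senders_for_subject() {
    grep -F "T=\"$1\"" "$LOG" | awk '$4 == "<=" {print $5}' | sort | uniq -c | sort -n
}

# Distinct client IPs that submitted mail as a sender, square brackets stripped.
# The bracketed address after H= is the connecting client, i.e. what csf would block.
ips_for_sender() {
    grep -F "<= $1 " "$LOG" | grep -o '\[[0-9.]*\]' | sort | uniq | sed 's/[][]//g'
}

# Emit the block.sh body. It is printed, not executed, so it can be reviewed first.
build_block_script() {
    ips_for_sender "$1" | awk '{print "csf -d " $0}'
}

echo "== subjects =="; top_subjects
echo "== who sent 'Limited offer' =="; senders_for_subject "Limited offer"
echo "== block.sh for user1@example.com =="; build_block_script user1@example.com
```

Read the generated list before running it as block.sh: a compromised mailbox password usually shows up as many unfamiliar client IPs on one account, whereas a single office or home IP sending a repeated subject may just be the legitimate user, and a `csf -d` on it locks them out.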