Exim – Find a list of the most commonly used scripts

Posted by & filed under Server Admin.

I had to deal with a malicious script that was inserted into a website today and was sending out spam. Typically I have a few tools I run, but I couldn’t locate this particular infection. Time to take another angle, Exim logs. The following shows the most used script directories which will help narrow down the suspects substantially.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Exim Useful Commands

Posted by & filed under Uncategorized.

I. Useful Commands (do not include brackets!)

See the mail queue count:

>

exim -bpc

View the mail queue with email IDs:

>

exim -bp

Force delivery of specific email by ID:

>

exim -M [email id]

Force a queue run:

>

exim -qf

Force a queue run and attempt to flush frozen emails:

>

exim -qff

View log of email by ID:

>

exim -Mvl [email ID]

View body of email by ID:

>

exim -Mvb [email ID]

View header of email by ID:

>

exim -Mvh [email ID]

Remove message without error code (no bounce) by ID:

>

exim -Mrm [email ID]

Fail a message from the queue (with bounce) by ID:

>

exim -Mg [email ID]

II. Configuring A Better “log_selector” In Exim Configuration For Extended Logging!

By default Exim on cPanel does not come with a very extensive logging setup enabled (log_selector) in it’s /etc/exim.conf. Generally without reconfiguring this line you will not be able to easily figure out most of the issues going on with your mail. It’s very hard to find a spammer or source of a particular email from your server. The reason for this default is probably because cPanel developers figure most people won’t need to parse logs as their target administrators are relatively “green” to Linux and the default also keeps log sizes very small. I recommend editing /etc/exim.conf and replacing the existing “log_selector” line (or adding it if none exists) with:

>

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Then you should run:

>

service exim restart

This will restart exim and you should see much more detailed logs in /var/log/exim_mainlog!

III. Exim Tips & Tricks.

Many of these tips and tricks should be used with the extended logging setup discussed in section II.

Show exim queue stats by domain:

>

exim -bp | exiqsumm | grep -v ‘\-\-’ | grep -v ‘Volume’ | grep -v ‘^$’ | sort -bg | awk ‘{print “Volume: ” $1 ” \t Domain: ” $5}’

SMTP connection counter:

>

grep ‘SMTP connection’ /var/log/exim_mainlog | grep ‘TCP/IP’ | awk ‘{print $7}’ | cut -d [ -f 2 | cut -d ] -f 1 | sort -bg | uniq -c | sort -bg

Find spammers sending mail from their /home/ directory (through a script):

>

grep ‘cwd=/home’ /var/log/exim_mainlog | awk ‘{print $3}’ | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

Flush the exim queue (empty it!):

>

for i in `exiqgrep -i`; do exim -Mrm $i; done

IV. RBL and Whitelist Filtering bypass.

To bypass RBL filtering for a specific domain you can add that domain to /etc/rblbypass. You can add a remote IP address of a host that is being rejected by a RBL to /etc/whitelist to bypass RBL filtering for a specific incoming IP.

V. Open Extra SMTP Port via cPanel.

You may find that a customer’s ISP blocks port 25 to prevent outbound spam from their network. In this case you could open a second port for him or her to use to get around the ISP.

  1. In your WHM go to Service Configuration -> Service Manager.
  2. Scroll to the bottom where you will see: Exim on another port.
  3. Check both boxes (Enable and Monitor) and fill in the box for port 26 (or your other port of choice!)
  4. Save the configuration and you should be set!

You can test it out with telnet or an email client that sends through SMTP.

VI. Where to go from here.

Aside from this guide I also recommend studying the Exim documentation and learning everything you can about how email works and to make sure you are fully understanding how to read email headers. It’s simple to read headers, but from my work as a systems administrator I know a lot of admins (even good ones) fail to do so properly or are unsure of their conclusions!