Troubleshoot Spamming 2

ARUN Posted in ATTACK, MAIL, SPAMMING

Get details of the scripts that are used to send out spam emails:

grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n

Eximstats

eximstats -t5 /var/log/exim_mainlog > teststats

Command to get the mail count per account:

grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n

The number of mails completed for a domain on a given date (here 2009-04-17):

exigrep @domain.com /var/log/exim_mainlog|grep 2009-04-17|grep Completed|wc -l

1) Issue this command: ps -C exim -fH ewww | grep home
It shows the mails currently going out from the server and from which user's home directory they are being sent, so you can easily trace the source and block it if needed.

2) Issue this command: eximstats -ne -nr /var/log/exim_mainlog
It shows the top 50 domains using the mail server (the -ne and -nr options suppress the error and relay sections).

3) Issue this command: exim -bp | exiqsumm
It shows the main domains receiving and sending mails on the server.

4) Issue this command: netstat -plan|grep :25|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
It shows the IPs that are connected to the server on port 25. If one particular IP is using more than 10 connections, you can block it in the server firewall.

5) In order to find "nobody" spamming, issue the following command:
ps -C exim -fH ewww|awk '{for(i=1;i<=40;i++){print $i}}'|sort|uniq -c|grep PWD|sort -n
It will give a result like this:
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD entries and, if the value is large, check the files in the directory listed in PWD
(ignore it if it is / or /var/spool/mail or /var/spool/exim).

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

Command:
grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
This will result in something like:
47 cwd=/root
8393 cwd=/home/sample/public_html/test

Count the cwd entries and, if the value is large, check the files in the directory listed in cwd
(ignore it if it is / or /var/spool/mail or /var/spool/exim).
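The PWD count from the live process list and the cwd count from exim_mainlog are the same idea applied to two inputs. The script below is an added example, not part of the original post: one function that counts either token per directory, skips the directories the post says to ignore, and reports only those at or above a threshold. The log and ps lines it runs on are constructed samples, not a real server's output.

```shell
#!/bin/sh
# Added example (not from the original post): count how many exim processes
# (PWD= from "ps ... ewww") or exim_mainlog lines (cwd=) were started from each
# directory, skip the system directories the post says to ignore, and print the
# ones at or above a threshold, lowest count first. Reads stdin.

count_workdirs() {
    key="$1"                # "PWD" for ps output, "cwd" for exim_mainlog
    threshold="${2:-1}"     # only report directories with at least this many hits
    awk -v key="$key" -v threshold="$threshold" '
        {
            for (i = 1; i <= NF; i++) {
                if (index($i, key "=") == 1) {
                    dir = substr($i, length(key) + 2)
                    # Directories the post says to ignore
                    if (dir == "/" || dir == "/var/spool/mail" || dir == "/var/spool/exim")
                        next
                    count[dir]++
                }
            }
        }
        END {
            for (d in count)
                if (count[d] >= threshold)
                    printf "%d %s\n", count[d], d
        }' | sort -n
}

# Constructed exim_mainlog lines (not a real log) used to demonstrate the function
SAMPLE_MAINLOG='2009-04-17 10:01:02 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:03 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:04 cwd=/ 2 args: /usr/sbin/exim -q
2009-04-17 10:01:05 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:06 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2009-04-17 10:01:07 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i'

# Constructed "ps -C exim -fH ewww" style lines: the environment follows the command
SAMPLE_PS='mailnull  4321     1  0 10:01 ?  00:00:00 /usr/sbin/exim -bd PWD=/ SHELL=/bin/sh
nobody    4322  4321  0 10:01 ?  00:00:00 /usr/sbin/sendmail -t -i PWD=/home/sample/public_html/test
nobody    4323  4321  0 10:01 ?  00:00:00 /usr/sbin/sendmail -t -i PWD=/home/sample/public_html/test'

# Typical use on a live server (thresholds are a starting point, tune per server):
#   ps -C exim -fH ewww | count_workdirs PWD 10
#   count_workdirs cwd 100 < /var/log/exim_mainlog
```

Directories that come out of this are the ones whose files should be inspected next, as the post describes.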

Run the command below to find the domain that is being used by the spammers:

exim -bpr | exiqsumm -c | head

Then,

exiqgrep -ir <domain> | xargs -n1 exim -Mrm

That should remove any e-mail in the queue that is waiting to be delivered to POP accounts at <domain>.

Precautions:
1) Turn on the SMTP tweak. It prevents users from bypassing the mail server to send out spam.
2) Turn on the blacklisting ability in WHM.
3) Use SpamAssassin to stop receiving spam mails.

Clear email queues using qmHandle

ARUN Posted in PLESK BACKEND, SPAMMING

qmHandle is used to monitor, delete and clear mail queues on a Plesk server running qmail.

wget http://optusnet.dl.sourceforge.net/sourceforge/qmhandle/qmhandle-1.3.2.tar.gz

tar -xvzf qmhandle-1.3.2.tar.gz

service qmail stop

service qmail start

./qmHandle

./qmHandle -s    --> Show some basic queue statistics

./qmHandle -h'[email protected]'    --> Delete mails that have "[email protected]" in the header (case insensitive)

SPF record and domain keys

ARUN Posted in SPAMMING, Uncategorized

To set SPF records and DomainKeys on a cPanel server, log in to cPanel >> Email Authentication, where you can enable the SPF record and the DomainKeys.

Or

/usr/local/cpanel/bin/spf_installer UN

/usr/local/cpanel/bin/domain_keys_installer UN

(replace UN with the cPanel username of the account)

Or you can use the following loop to do it for every account on the server:

for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/domain_keys_installer $i ;done

Or

To enable DomainKeys by default for every account that is created:

Edit /scripts/postwwwacct and add:

================

#!/usr/bin/perl
# cPanel passes the new account's settings to this hook as key/value pairs
my %OPTS = @ARGV;
my $user = $OPTS{'user'};
# Run the installer for the newly created user (a bare path is not valid Perl)
system('/usr/local/cpanel/bin/domain_keys_installer', $user);

================


To install the SPF record for all the domains on the server, use:

for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/spf_installer $i ;done

Troubleshoot Spamming

ARUN Posted in MAIL, SPAMMING

exim -bp | exiqsumm    --> List the number of mails in the queue and their size. It also shows the domain to which the mails are being sent. NOTE: this is not the domain from which the mails are sent.

exim -bpr | grep frozen | wc -l    --> Show the number of mails that are frozen

exiqgrep -z -i | xargs exim -Mrm    --> Remove just the frozen mails

exiqgrep -i -f [email protected] | xargs exim -Mrm    --> Remove all mails from a particular sender address

exim -Mvh <Message ID>    --> View the header of a mail in the queue

exim -Mvb <Message ID>    --> View the body of a mail in the queue

exim -q -v    --> Force a run of the mail queue (verbose)