Skip to main content

SPAMMING 1

1) pidof exim
2) Below command will show you the no of emails sent by particular domain:
exim -bp | exiqsumm | more
3)
exim -bpr | grep “<*@*>” | awk “{print $4}”|grep -v “<>” | sort | uniq -c | sort -n | less
This will show you the maximum no of email currently in the mail queue have from or to the email address in the mail queue with exact figure.
4)
exim -bpr | grep “<*@*>” | awk “{print $4}”|grep -v “<>” |awk -F “@” “{ print $2}” | sort | uniq -c | sort -n | less
That will show you the maximum no of email currently in the mail queue have for the domain or from the domain with number.
5)
Find the script which is sending the mass mails :-
cd /var/spool/exim/input
egrep “X-PHP-Script” * -R
You can see the script there, if not seeing there just read the mail id file with your favorite test editor
exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n
These list the current working directory of exim when processing a message :-
grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n
grep “<= ” /var/log/exim_mainlog|grep -v “<= <>”|awk ‘{print $5,$7}’|cut -d”:” -f1|sort|uniq -c|sort -n
grep -rl xxxx /var/spool/exim/input |xargs rm -f

========================================================================

Locate spam activity by subject with Exim


awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

You should get back something that looks like this:
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally


Now we can search to see what user has been sending out this possible spam message with the following command:
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n

You should end up with some results like this:
1 test@example.com
1762 user01@example.com

You can now locate all of the IP addresses
grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

Now deny the IP using your firewall rules.

========================================================================

Find spam script location with Exim



Run the following command to pull the most used mailing script's location from the Exim mail log:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


You should get back something like this:
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data

Comments

Post a Comment

Popular posts from this blog

SystemD commands

[root@centos7 ~]# systemctl -t target UNIT                   LOAD   ACTIVE SUB    DESCRIPTION basic.target           loaded active active Basic System cryptsetup.target      loaded active active Encrypted Volumes getty.target           loaded active active Login Prompts graphical.target       loaded active active Graphical Interface local-fs-pre.target    loaded active active Local File Systems (Pre) local-fs.target        loaded active active Local File Systems multi-user.target      loaded active active Multi-User System network-online.target  loaded active active Network is Online network.target         loaded active active Network nfs-client.target      loaded active active NFS client services nss-user-lookup.target loaded active active User and Gr...
Post a Comment
Read more

How to tweak linux server harddisk using hdparm

hdparm switches explained http://manpages.ubuntu.com/manpages/intrepid/man8/hdparm.8.html   First of all you have to install hdparm in linux. apt-get install hdparm #hdparm /dev/sda /dev/sda: readonly = 0 (off) readahead = 120 (on) geometry = 8850/255/63, sectors = 142182912, start = 0 Hard disk Performance Information # hdparm -tT /dev/hda /dev/hdd: Timing cached reads: 496 MB in 2.00 seconds = 247.42 MB/sec Timing buffered disk reads: 60 MB in 3.03 seconds = 19.81 MB/sec Hard drive set to low, slow settings # hdparm -cuda /dev/hda /dev/hda: IO_support = 0 (default 16-bit) unmaskirq = 0 (off) using_dma = 0 (off) readahead = 256 (on) Use below tweaks to increase disk read write performance. For sda drive ~]# hdparm -a 2048 /dev/sda /dev/sda: setting fs readahead to 2048 readahead = 2048 (on) For sdb drive [root@439298a ~]# hdparm -a 2048 /dev/sdb /dev/sdb: setting fs readahead to 2048 readahead = 2048 (on) ]# echo “anticipatory” >...
Post a Comment
Read more

Modsecurity block rule for XMLRPC and wp-login attack

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134  <Locationmatch "/wp-login.php">  SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"  SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"  SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"  SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"  </Locationmatch>  SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000234  <Locationmatch "/xmlrpc.php">  SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000235,msg:'ip address blocked for 5 m...
Post a Comment
Read more