
SPAMMING 1

1) Check that Exim is running:
pidof exim
2) The command below shows the number of queued messages summarised per domain:
exim -bp | exiqsumm | more
3)
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n | less
This shows which email addresses have the most messages currently in the mail queue (from or to that address), with exact counts.
4)
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{print $2}' | sort | uniq -c | sort -n | less
This shows which domains have the most messages currently in the mail queue (for or from that domain), with counts.
5)
Find the script which is sending the mass mails:
cd /var/spool/exim/input
egrep "X-PHP-Script" * -R
You can see the script there; if not, just open the queue file for that message ID with your favorite text editor.
exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | awk -F "@" '{print $2}' | sort | uniq -c | sort -n
The following lists the current working directory of Exim when processing a message (the cwd= entries in the main log):
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
This one counts accepted messages (<= lines, excluding bounces from <>) by sender address and submitting host:
grep "<= " /var/log/exim_mainlog | grep -v "<= <>" | awk '{print $5,$7}' | cut -d":" -f1 | sort | uniq -c | sort -n
To delete the queued messages that match a string (replace xxxx with the subject or script string you identified):
grep -rl xxxx /var/spool/exim/input | xargs rm -f

========================================================================

Locate spam activity by subject with Exim


awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

You should get back something that looks like this:
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally


Now we can search to see what user has been sending out this possible spam message with the following command:
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $5}' | sort | uniq -c | sort -n

You should end up with some results like this:
1 test@example.com
1762 user01@example.com

You can now locate all of the IP addresses that submitted this message:
grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

Now deny the IP using your firewall rules.

========================================================================

Find spam script location with Exim



Run the following command to pull the most used mailing script's location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


You should get back something like this:
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data
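The pipelines in the two sections above (subject, sender and IP counts from the "<=" lines, and the cwd= counts for the script location) can be checked offline on a few log lines. The following is an added example, not from the original post: a small Python reimplementation of those pipelines run over constructed exim_mainlog lines; the message IDs, addresses, IPs and paths in SAMPLE_LOG are made up.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (made up for this example, not real log data).
SAMPLE_LOG = """\
2024-03-01 10:00:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:01 1rXa1A-0001Ab-2c <= user01@example.com U=userna5 P=local S=812 T="Melt Fat Naturally" from <user01@example.com> for a@example.net
2024-03-01 10:00:02 1rXa1B-0001Ac-3d <= user01@example.com H=(box) [203.0.113.5] P=esmtpa A=dovecot_login:user01 S=901 T="Melt Fat Naturally" from <user01@example.com> for b@example.net
2024-03-01 10:00:03 1rXa1C-0001Ad-4e <= user01@example.com H=(box) [203.0.113.5] P=esmtpa A=dovecot_login:user01 S=877 T="Melt Fat Naturally" from <user01@example.com> for c@example.net
2024-03-01 10:00:04 1rXa1D-0001Ae-5f <= test@example.com H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:test S=640 T="Melt Fat Naturally" from <test@example.com> for d@example.net
2024-03-01 10:00:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rXa1A-0001Ab-2c
2024-03-01 10:00:06 1rXa1E-0001Af-6g <= alice@example.com H=(pc) [198.51.100.9] P=esmtpa S=2100 T="Out of Office" from <alice@example.com> for e@example.net
2024-03-01 10:00:07 1rXa1F-0001Ag-7h <= <> R=1rXa1E-0001Af-6g U=mail P=local S=1500 T="Mail delivery failed" for alice@example.com
2024-03-01 10:00:08 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
"""

ARRIVAL_RE = re.compile(r'^\S+ \S+ \S+ <= (?P<sender>\S+)(?P<rest>.*)$')  # '<=' = accepted; sender is field 5
SUBJECT_RE = re.compile(r' T="((?:[^"\\]|\\.)*)"')  # T="..." carries the logged subject
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')  # [a.b.c.d] of the submitting host
CWD_RE = re.compile(r'^\S+ \S+ cwd=(\S+) ')  # cwd= of a locally invoked sendmail/exim

def arrivals(log_text):
    """(sender, subject, ip) for every accepted message; bounces (<= <>) are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m or m.group('sender') == '<>':
            continue
        subj, ip = SUBJECT_RE.search(m.group('rest')), IP_RE.search(m.group('rest'))
        out.append((m.group('sender'), subj and subj.group(1), ip and ip.group(1)))
    return out

def subject_counts(log_text):
    """Messages per subject, like the awk -F'T=\"' ... | sort | uniq -c pipeline."""
    return Counter(s for _, s, _ in arrivals(log_text) if s)

def senders_for_subject(log_text, subject):
    """Sender addresses that submitted messages with this subject."""
    return Counter(snd for snd, s, _ in arrivals(log_text) if s == subject)

def ips_for_sender(log_text, sender, subject):
    """Submitting IPs for one sender and subject; locally injected mail has none."""
    return Counter(ip for snd, s, ip in arrivals(log_text) if snd == sender and s == subject and ip)

def script_dir_counts(log_text):
    """Directories sendmail was invoked from, ignoring Exim's own /var/spool work."""
    dirs = (m.group(1) for m in map(CWD_RE.match, log_text.splitlines()) if m)
    return Counter(d for d in dirs if not d.startswith('/var/spool'))
```

On the sample, subject_counts puts "Melt Fat Naturally" on top (4), senders_for_subject attributes 3 of those to user01@example.com, ips_for_sender shows 203.0.113.5 twice (the locally injected one has no IP), and script_dir_counts points at /home/userna5/public_html/data. Pass the contents of a real exim_mainlog to the same functions to reproduce the shell pipelines above.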
