Finding accounts that are sending spam in Exim's mainlog

Call Us 0800 107 7979

Service Status

Back to knowledgebase

10 November 2021

cPanel servers use Exim as the Mail Transfer agent. The main Exim log file is (appropriately) named exim_mainlog. The entries in the log are terse but contain a wealth of information. If you are unfamiliar with the log, my article about Exim log files and exigrep is a good introduction.

In this article I want to look at some commands you can use if you suspect an account on your server is sending spam. You don’t need to fully understand Exim’s logs, but having at least some knowledge does help if you want to tweak the example commands. Similarly, it is useful to know the basics of grep.

Finding compromised mailboxes

There are two common reasons for spam issues: either a mailbox has been compromised or there is a malicious script in a website directory. For compromised mailboxes you can produce a count of email addresses that have sent emails. Any mailboxes that have sent a large number of emails can then be investigated further. This command shows the top 10 email addresses that have sent emails today (10 November 2021):

# grep ^"2021-11-10.*dovecot_login:" /var/log/exim_mainlog \
| awk -F 'A=dovecot_login:' 'split($2, addr, / /) { print addr[1] }' \
| sort | uniq -c | sort -nr | head
   2570 mail@example.com
     83 foo@bar
     69 bar@foo
...

The above command first retrieves all lines that start with the string “2021-11-10” and also contain the string dovecot_login:. It then uses some Awk magic to filter out the email addresses that logged in. The third line produces the sorted count.

The above output shows that mail@example.com has been sending a rather large number of emails. To check the emails that were sent from the address you can use a command like this:

# grep ^"2021-11-10.*dovecot_login:mail@example.com" /var/log/exim_mainlog \
| awk -v OFS='\t' -F 'A=dovecot_login:|T="' 'split($1, ts, / /) split($2, addr, / /) \
{ print ts[2], addr[1], $NF }'
17:44:13   mail@example.com   Online pharmacy!!!
17:44:13   mail@example.com   Online pharmacy!!!
17:44:13   mail@example.com   Online pharmacy!!!
...

The first line retrieves all today’s logins for mail@example.com. The output is then passed to an Awk command that prints the time, email address and email subject. Usually, that gives you enough information to determine whether or not the emails are legitimate.

Finding compromised websites

Compromised websites are often used to relay spam. Emails sent via scripts are also logged in exim_mainlog. The entries always include the string cwd= followed by the path to the directory from which the email was sent. Unfortunately, the log doesn’t tell you which script sent an email – it only shows you the script’s directory.

This command lists all directories from which emails were sent today:

# grep ^"2021-11-10.*cwd=" /var/log/exim_mainlog \
| grep -vE "cwd=/var/spool/exim|cwd=/etc/csf" \
| awk -F 'cwd=' 'split($2, dir, / /) { print dir[1] }' \
| sort | uniq -c | sort -nr | head
    344 /home/example/public_html
    141 /home/foo/public_html
    116 /home/bar/public_html
...

The second grep command excludes directories you don’t need to check, such as /var/spool/exim and /etc/csf. Normally, you are mostly interested in mail sent from user directories.

The log entries don’t contain a lot of information. You can get a full list of relay attempts, including the times, but that is as good as it gets. In particular, the log doesn’t include the recipients and email subjects:

# grep cwd=/home/example/public_html /var/log/exim_mainlog
2021-11-09 11:14:15 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
2021-11-09 11:14:15 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
2021-11-09 11:14:15 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
...

If the entries look suspicious then you can next check the access log for the domain. Often, the culprit is a contact form that is being abused by a spambot.

Featured Blogs

Identifying Common Server Issues and How to Avoid Them

22nd July 2024

By catalyst2 Team

To maintain a smooth operation of any online business or digital service you need a server that is efficient and that you can rely on. Here at catalyst2 we understand the challenges that businesses face daily; purely to keep their business alive so the challenges that are faced in addition to this when server issues …

Read Article

Why Server Backups are a Safety Net in the Digital World

15th July 2024

By catalyst2 Team

Data is the foundation for businesses as it provides insights into customer behaviour and trends, as well as business performance and efficiency. So, businesses have the tools they need to make informed decisions and plan strategically. For businesses that are just starting out or that are smaller, data is a catalyst to help identify growth …

Read Article

What are Flexible Servers and When are They Beneficial?

10th July 2024

By catalyst2 Team

The word ‘server’ is frequently used in everyday discussions in IT departments within organisations, but unless you work in the tech industry, you might not be familiar with what it really means. A server is the backbone of all digital operations. It is there to manage tasks like data storage, processing requests, delivering content across …

Read Article

Why Server Uptime Matters for Your Business Website

4th July 2024

By catalyst2 Team

While many businesses still have physical workspaces or brick-and-mortar stores, the importance of a digital presence shouldn’t be overlooked. In addition to using things like social media channels to boost your brand awareness and interact with your customers, having a website offers several benefits. In today’s digital world, the performance of your website is crucial …

Read Article

How to Protect Your Website Against Digital Disasters

27th June 2024

By catalyst2 Team

More so than ever before, having a high-performing website is essential to the ongoing success of a business. Regardless of which industry you operate in, a website is a powerful tool that can improve brand recognition, drive growth and support customer engagement. Not to mention, it allows for online sales and can remove geographical barriers …

Read Article

Does a Server Impact Website Traffic?

23rd May 2024

By catalyst2 Team

Regardless of which industry sector you operate in or what type of products and services you offer, having a website is non-negotiable in today’s digital world. More so than ever before, people turn to the internet to find businesses that can assist them with their specific needs and if you don’t have a website, you …

Read Article

A Beginner’s Guide to Managing Your Website Server

17th May 2024

By catalyst2 Team

When it comes to website management, there is a key component that business owners often overlook; server management. Your website server plays a crucial role in your online presence, it facilitates the delivery of your web pages to users and without a server, your website simply wouldn’t be visible online. So, it’s crucial to ensure …

Read Article

Exploring the Costs Associated With a Website

14th February 2024

By catalyst2 Team

In the digital age, getting a website is more than just a way to build an online presence, it’s a vital business investment. Not only do large retail businesses need a website, but smaller local businesses can also benefit from taking their business online. Recognising this importance, many businesses are now dedicating significant resources towards …

Read Article

The Importance of Dedicated Servers for E-Commerce Websites

26th January 2024

By catalyst2 Team

In the fast-paced world of e-commerce, having a reliable website is an essential factor in success. Whether you also have a brick-and-mortar store or solely a digital shop, ensuring your website is performing at its best can have a direct impact on your bottom line. Factors such as website uptime, ease of navigation and speed …

Read Article

Things to Consider During a Website Review

10th January 2024

By catalyst2 Team

Designing a website requires careful consideration and several reviews during the development stages to ensure everything is perfect. Once live, it can be easy to assume that no further updates are needed and your website will continue to perform well, however, this isn’t always the case. Regularly reviewing your website is essential to ensure its …

Read Article

What our clients say

Great real person support – direct phone number, usually the same individual so any problems are handled by the same people. Excellent.

Daniel Chandler, Vindico UK Ltd

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_5562310_11	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_ashkii	session	No description available.
_wicasa	3 months	No description available.
AnalyticsSyncHistory	1 month	No description
cookid	3 months	No description available.
cookietest	session	No description
crisp-client/domain-detect/1644827320973	session	No description
crisp-client/domain-detect/1644827348275	session	No description
crisp-client/domain-detect/1644827428415	session	No description
crisp-client/domain-detect/1644827479357	session	No description
crisp-client/domain-detect/1644827596454	session	No description
crisp-client/domain-detect/1644827724838	session	No description
crisp-client/domain-detect/1644827824383	session	No description
crisp-client/domain-detect/1644827878659	session	No description
crisp-client/domain-detect/1644828716243	session	No description
crisp-client/domain-detect/1644828846246	session	No description
crisp-client/domain-detect/1644829369013	session	No description
crisp-clientsession30cc6953-ebcf-4bc6-b649-c44eb446409e	6 months	No description
dbmFP	3 months	No description available.
dbmPK	3 months	No description available.
li_gc	2 years	No description

Finding accounts that are sending spam in Exim’s mainlog

Finding compromised mailboxes

Finding compromised websites

Featured Blogs

What our clients say

Great real person support – direct phone number, usually the same individual so any problems are handled by the same people. Excellent.

Daniel Chandler, Vindico UK Ltd