Useful exim_mainlog Spam Analysis

December 16, 2014
Filed under: How To Detect Spammers From exim_mainlog

A great list of useful utilities to analyze your exim_mainlog file for spammers.

Locating multiple IP address logins for mail accounts

grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'

If you see that you have a lot of users that have mail logins from multiple unique IP addresses you can run the following command to get a look at exactly what IPs they’re connecting from:

grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

http://www.inmotionhosting.com/support/email/email-troubleshooting/locate-email-accounts-being-used-to-spam
=======
Locate 535 incorrect authentication errors

grep "535 Incorrect" /var/log/exim_mainlog | awk -F"set_id=" '{print $2}' | sort | uniq -c | sort -n

Find IP address causing incorrect logins

grep "535 Incorrect" /var/log/exim_mainlog | grep user@example.com | awk '{print $1,substr($9,2)}' | cut -d] -f1 | uniq -c

Block the IP address at the server's firewall

apf -d 123.123.123.123 "Failed mail logins to user@example.com"

http://www.inmotionhosting.com/support/email/bounceback-errors/535-incorrect-authentication
=======
Locate duplicate subjects in Exim mail log

awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n

You can now locate all of the IP addresses the user01@example.com account has been sending mail from, and possibly block them at your server's firewall if the activity looks malicious to you. Use the following command to find all the IP addresses the account has been relaying mail with:

grep "<= user01@example.com" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n

http://www.inmotionhosting.com/support/email/exim/locate-spam-activity-by-subject-with-exim
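As an added example (not from the original post or from the InMotion Hosting articles it links), the three checks above are wrapped in shell functions and run against a constructed exim_mainlog excerpt, so the pipelines can be tried offline before being pointed at a real log. Everything in the sample log is made up: the hosts, the accounts, the subject and the IPs (RFC 5737 documentation ranges). The functions keep the page's pipelines and only append a final awk that tidies the output; "courier_login" is the authenticator name the post uses, and the field positions ($5/$6 for sender and IP, $9 for the [ip]:port of a failed login) assume the line layout shown in the sample.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: the exim_mainlog checks above
# as shell functions, run against a constructed sample log. Hosts, accounts,
# IPs and the subject line are invented for the example.
set -u

# Write the constructed sample log to a temp file and print its path.
make_sample_log() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
2014-12-16 10:01:02 1XyzAa-0001Ha-1a <= user01@example.com H=host-a.example.net (mailer) [203.0.113.5]:51234 P=esmtpa A=courier_login:user01@example.com S=2100 id=a1@example.com T="Melt Fat Naturally" from <user01@example.com> for bob@example.net
2014-12-16 10:01:09 1XyzAb-0001Hb-2b <= user01@example.com H=host-b.example.org (mailer) [198.51.100.7]:40011 P=esmtpa A=courier_login:user01@example.com S=2100 id=a2@example.com T="Melt Fat Naturally" from <user01@example.com> for carol@example.net
2014-12-16 10:01:15 1XyzAc-0001Hc-3c <= user01@example.com H=host-b.example.org (mailer) [198.51.100.7]:40012 P=esmtpa A=courier_login:user01@example.com S=2100 id=a3@example.com T="Melt Fat Naturally" from <user01@example.com> for dave@example.net
2014-12-16 10:05:00 1XyzAd-0001Hd-4d <= alice@example.com H=laptop.example.com (laptop) [192.0.2.10]:33001 P=esmtpa A=courier_login:alice@example.com S=900 id=b1@example.com T="Lunch tomorrow?" from <alice@example.com> for bob@example.net
2014-12-16 10:06:30 courier_login authenticator failed for host-c.example.org (x) [198.51.100.9]:55000: 535 Incorrect authentication data (set_id=user@example.com)
2014-12-16 10:06:31 courier_login authenticator failed for host-c.example.org (x) [198.51.100.9]:55001: 535 Incorrect authentication data (set_id=user@example.com)
2014-12-16 10:06:40 courier_login authenticator failed for host-d.example.org (y) [203.0.113.77]:56000: 535 Incorrect authentication data (set_id=user@example.com)
2014-12-16 10:07:00 courier_login authenticator failed for host-d.example.org (y) [203.0.113.77]:56001: 535 Incorrect authentication data (set_id=other@example.com)
EOF
  printf '%s\n' "$f"
}

# Section 1: accounts that authenticated from more than one distinct IP.
# Output: "<distinct-ip-count> <account>", one line per account.
multi_ip_senders() {
  grep "A=courier_login" "$1" | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' \
    | awk '{print $5, $6}' | sort | uniq | awk '{print $1}' | uniq -c \
    | awk '$1 > 1 {print $1, $2}'
}

# Section 2: 535 failures counted per attempted account (set_id=...),
# least frequent first. The ")" exim prints after the set_id is stripped.
failed_logins_by_user() {
  grep "535 Incorrect" "$1" | awk -F"set_id=" '{print $2}' | tr -d ')' \
    | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Section 2, second step: per day and source IP, how often one account
# ($2) was tried with bad credentials. $9 is "[ip]:port:" in these lines.
failed_logins_by_ip() {
  grep "535 Incorrect" "$1" | grep "set_id=$2)" \
    | awk '{print $1, substr($9, 2)}' | cut -d] -f1 | sort | uniq -c \
    | awk '{print $1, $2, $3}'
}

# Section 3: subjects carried by more than one accepted ("<=") message.
# Output: "<count> <subject>", most frequent last.
duplicate_subjects() {
  awk -F'T="' '/<=/ {print $2}' "$1" | cut -d\" -f1 | sort | uniq -c | sort -n \
    | awk '$1 > 1 { n = $1; $1 = ""; sub(/^ +/, ""); print n " " $0 }'
}

# Section 3, second step: source IPs from which account $2 relayed
# messages whose subject contains $3.
sender_ips_for_subject() {
  grep "<= $2" "$1" | grep "$3" | grep -o "\[[0-9.]*\]" | sort | uniq -c \
    | sort -n | awk '{print $1, $2}'
}

SAMPLE_LOG="$(make_sample_log)"
trap 'rm -f "$SAMPLE_LOG"' EXIT

echo "== accounts seen from more than one IP =="
multi_ip_senders "$SAMPLE_LOG"
echo "== failed logins per account =="
failed_logins_by_user "$SAMPLE_LOG"
echo "== failed logins for user@example.com per day and IP =="
failed_logins_by_ip "$SAMPLE_LOG" user@example.com
echo "== duplicate subjects =="
duplicate_subjects "$SAMPLE_LOG"
echo "== IPs user01@example.com sent 'Melt Fat Naturally' from =="
sender_ips_for_subject "$SAMPLE_LOG" user01@example.com "Melt Fat Naturally"
```

Run it with bash and it prints each report for the sample; on a real server pass /var/log/exim_mainlog to the functions instead of the temp file. Two things vary between installs and are worth checking on a few real lines first: the authenticator name (Dovecot-based servers log dovecot_login rather than courier_login), and the exact layout of the "authenticator failed for" line, which decides whether $9 really is the [ip]:port field that the second step relies on.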