Exim: How To Clear SPAM
Compatibility
Exim is found on almost any server installed with cPanel, since Exim is the default MTA for cPanel. In rare cases a custom server or VPS has Exim installed as the MTA by the user.
How Much Spam
To check the number of messages (spam included) in the queue, run the following:
# exim -bpc
To find out which message ID is generating spam, there are two ways:
# exim -Mvh 1XSY5g-0001kh-N6
Where xx is the amount you wish to define.
How to Remove Frozen Spam
Frozen Spam Definition
Mail sent to invalid recipients or non-existent mail accounts cannot be delivered and sits in the mail queue for a long time. Most frozen email is, almost certainly, spam.
To remove frozen spam from the mail queue (the message ID is the third field of each queue entry printed by exim -bpu):
# exim -bpu | grep frozen | awk '{print $3}' | xargs exim -Mrm
Check Email Content with Exim
To check the content (body) of an email stuck in the queue:
# exim -Mvb 1gJtQD-000nEo-Kx
To check the headers of an email stuck in the queue:
# exim -Mvh 1gJtQD-000nEo-Kx
Remove Spam Mail from Queue
This command removes spam based on a specific sender address (exiqgrep -f matches the sender, -i prints only the message IDs):
# exiqgrep -i -f 'email_address' | xargs exim -bpr | awk '{print $3}' | xargs exim -Mrm
For example, we found that the spam originates from a script called telolet.php, visible in the X-phpBB-Origin header of the message headers below (the spool header dump as printed by exim -Mvh):
026F From: <[email protected]>
030R Reply-To: <[email protected]>
033* Return-Path: <[email protected]>
028* Sender: <[email protected]>
018  MIME-Version: 1.0
059I Message-ID: <[email protected]>
038  Date: Sat, 99 Sep 2099 666:999:666 +0800
040  Content-Type: text/plain; charset=UTF-8
032  Content-Transfer-Encoding: 8bit
014  X-Priority: 3
026  X-MSMail-Priority: Normal
017  X-Mailer: telolet
018  X-MimeOLE: telolet
046  X-phpBB-Origin: telolet://telolet.com/telolet/telolet/telolet.php
061  X-AntiAbuse: Board servername - =?UTF-8?B?cHZvbGxlci5uZXQ=?=
025  X-AntiAbuse: User_id - 1
049  X-AntiAbuse: Username - =?UTF-8?B?QW5vbnltb3Vz?=
038  X-AntiAbuse: User IP - telolet
Removing spam email originating from the script:
# grep -lr 'telolet.php' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
Running the command above removes every queued message whose spool files contain the string telolet.php. Each message has both a -D (data) and a -H (header) file in the spool, so the sed step strips the suffix to get the message ID and sort -u keeps each ID once.
There are also cases where an email account is compromised and used to send spam on a large scale. In that situation, replace telolet.php with the culprit's IP address or with the user's email account. Don't forget to reset the password of the suspected email account and inform the customer about it.
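The ID-extraction steps behind the frozen-mail, sender-address and script-pattern removals above, as an added example that is not part of the original page: each step is a small function that prints the message IDs it would hand to exim -Mrm, and nothing is removed unless CONFIRM=yes is set. The queue listing and spool files are constructed sample data in the formats exim -bp and the Exim spool use.

```shell
#!/bin/sh
# Added example (not from the original page). The queue listing below is
# constructed sample data in the format `exim -bp` prints.
SAMPLE_QUEUE=' 25m  1.5K 1XSY5g-0001kh-N6 <bounce@example.invalid> *** frozen ***
          nobody@example.invalid

  3h   12K 1gJtQD-000nEo-Kx <user@example.invalid>
        D someone@example.invalid

  2d   800 1gJtQE-000nEp-Ab <> *** frozen ***
          ghost@example.invalid'

# IDs of frozen messages: the first line of each queue entry carries the
# message ID in field 3 and ends with the "*** frozen ***" marker.
frozen_ids() {
    printf '%s\n' "$1" | awk '/\*\*\* frozen \*\*\*$/ { print $3 }'
}

# Reduce spool file paths (<id>-D and <id>-H) on stdin to unique message IDs
# in first-seen order; an ID appears twice when both of its files match.
spool_ids() {
    sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/' | awk '!seen[$0]++'
}

# Message IDs whose spool files under directory $2 contain the string $1
# (the grep -lr step from the page, with a fixed string instead of a regex).
ids_containing() {
    grep -lrF -- "$1" "$2" | spool_ids
}

# Hand the IDs on stdin to exim -Mrm only when CONFIRM=yes; otherwise print
# them so the list can be reviewed before anything is deleted.
purge_ids() {
    if [ "${CONFIRM:-no}" = yes ]; then
        xargs -r exim -Mrm
    else
        cat
    fi
}

# Typical use on a real server (constructed paths match the page's spool dir):
#   frozen_ids "$(exim -bp)" | purge_ids
#   ids_containing 'telolet.php' /var/spool/exim/input | CONFIRM=yes purge_ids
```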
