Cpanel/WHM FAQs


Exim is an open source mail transfer agent (MTA), which is a program responsible for receiving, routing, and delivering e-mail messages (this type of program is sometimes referred to as an Internet mailer, or a mail server program). There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.

Here, I try to explain some of the commonly found errors in exim with cpanel and methods to prevent spamming. I will keep this page updated.


How to detect a spammer

Exim offers various ways to detect a spammer, whether the spam comes from an account inside the server or from outside. Let's go through some of the methods to prevent spamming.
eximstats
/usr/sbin/eximstats -t5 /var/log/exim_mainlog > teststats
(-t5 is the option that shows the top 5 counts)
The above command gives the following details:

* Top 5 local destinations by volume
* Top 5 local destinations by message count
* Top 5 sending hosts by volume
* Top 5 sending hosts by message count

and other stats, such as the total number of mails received and delivered, the top 5 senders (username), etc.

eximstats -nr -ne /var/log/exim_mainlog
Shows the stuff without the mess.

Sometimes the eximstats command won't help us detect spamming caused by an account inside our server, if that account uses cron jobs or PHP scripts that execute as nobody. There are various methods to detect 'nobody' spammers. Here I mention some of those techniques.

To check the IPs from which emails are coming to a non-existent email account, or where there are issues with the domain name on the server, use the command

tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2} '|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5


To find the IPs that made the most connections to our SMTP server, use the command

netstat -plan|grep :25|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
Replace port 25 with another port to see the IPs connecting to other services (e.g., for Apache, use port 80 instead of 25).

/usr/sbin/sendmail
Scripts use the /usr/sbin/sendmail file to send emails. We can easily detect a nobody spammer by making some tweaks to sendmail.
1) #service exim stop
2) #mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
3) #vi /usr/sbin/sendmail
4) Add the entries below to the sendmail file.
#######################################

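#!/usr/local/bin/perl
# Wrapper installed as /usr/sbin/sendmail: logs who invoked it, then hands
# the message to the real binary (renamed to sendmail.hidden in step 2).
# use strict;
use Env;    # imports environment variables ($REMOTE_ADDR, $PWD, ...) as scalars
my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
my $uid = $>;                 # effective UID of the calling process
my @info = getpwuid($uid);    # passwd entry of that user
if($REMOTE_ADDR) {
    # CGI environment present: log client IP, script and virtual host
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
    # No CGI environment (cron job, shell, ...): log working directory and user
    print INFO "$date - $PWD - @info \n";
}
my $mailprog = '/usr/sbin/sendmail.hidden';
# Pass the original arguments as a list so that no shell re-parses them
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $! \n";
# Copy the message from standard input to the real sendmail
while (<STDIN>) {
    print MAIL;
}
close (INFO);
close (MAIL);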

#######################################

5) #chmod +x /usr/sbin/sendmail
6) #chattr +i /usr/sbin/sendmail (Not resistant against the upcp and exim4 scripts)
7) #touch /var/log/spam_log
8) #chmod 0777 /var/log/spam_log
9) #service exim start
10) #tail -f /var/log/spam_log
11) Now edit the logrotate file so that the spam log doesn't grow too large.
#vi /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:
# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Now scan your spam log when the load is high and exim is the process taking up the load, and enjoy catching the original nobody spammers!
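
One way to do that scan, as an added example that is not part of the original page: a shell function that ranks the senders recorded in /var/log/spam_log. The function names and the sample log lines are constructed for illustration, and it assumes the two line formats printed by the wrapper above.

```shell
#!/bin/sh
# Added example: rank the senders recorded by the sendmail wrapper.

# Constructed sample lines in the two formats the wrapper writes.
sample_spam_log() {
cat <<'EOF'
Mon Mar 14 14:02:11 IST 2005 - 203.0.113.7 ran /~bob/contact.php at example.com
Mon Mar 14 14:02:12 IST 2005 - 203.0.113.7 ran /~bob/contact.php at example.com
Mon Mar 14 14:02:15 IST 2005 - 198.51.100.9 ran /~bob/contact.php at example.com
Mon Mar 14 14:03:40 IST 2005 - /home/alice/public_html/cron - alice x 504 504   Alice /home/alice /bin/bash
Mon Mar 14 14:03:41 IST 2005 - /home/alice/public_html/cron - alice x 504 504   Alice /home/alice /bin/bash
Mon Mar 14 14:05:02 IST 2005 - 192.0.2.44 ran /form/mailer.cgi at example.org
EOF
}

# Read wrapper log lines on stdin and print the N busiest senders (default 5)
# as "count web <SERVER_NAME><SCRIPT_NAME>" or "count cli <user> <working dir>".
summarize_spam_log() {
    awk -F' - ' '
        { sub(/[ \t]+$/, "") }             # the wrapper leaves a trailing space
        NF == 2 && split($2, w, " ran ") == 2 && split(w[2], s, " at ") == 2 {
            print "web", s[2] s[1]; next   # web request: vhost + script path
        }
        NF >= 3 {
            split($NF, u, " ")             # passwd entry: login name comes first
            pwd = $2                       # rejoin a directory containing " - "
            for (i = 3; i < NF; i++) pwd = pwd " - " $i
            print "cli", u[1], pwd; next
        }
        { print "unparsed" }               # anything not written by the wrapper
    ' | sort | uniq -c | sort -k1,1nr -k2 | head -n "${1:-5}"
}

# Demo on the constructed sample; on a server run instead:
#   summarize_spam_log 5 < /var/log/spam_log
sample_spam_log | summarize_spam_log 3
```

A script or directory that dominates this list while exim is driving the load is the first place to look.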

There is an option in WHM under 'Tweak Settings' to prevent nobody emails.
If your server is blacklisted by AOL, please visit http://postmaster.aol.com/tools/whitelist_guides.html to whitelist it.


Please send comments on these web pages to sumith at sumith.net

copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Sumith Sreedhar
Verbatim copying and redistribution of this entire page are permitted provided this notice is preserved.

