1. 1. Go to your home path

cd /home

1. 1. Find your log files

find ./ -type f -size +1k -name "php-mail.log"

After this find operation, you can see your log files. It means, users that have this log file are could be the potential spammer.

1. 1. Tailf your log file.

tailf /home/user/.php/php-mail.log

1. 1. You can see spammer scripts.!!

mail() on [/home/user/domains/domain.com.tr/public_html/modules/mod_users_latest/files.php(1947) : eval()'d code:775]: To: user@hotmail.com -- Headers: Date: Sat, 28 Jan 2017 15:51:47 +0300 From: Flora <user@domain.com.tr> Message-ID: <3f796c9fb6de893f060882897f360bea@domain.com.tr> X-Priority: 3 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_3f796c9fb6de893f060882897f360bea" Content-Transfer-Encoding: 8bit

1. 1. Remove this peace of shit.

rm /home/user/domains/domain.com.tr/public_html/modules/mod_users_latest/files.php

You can easiliy get rid of these spammer scripts using this method. Don’t forget to clear your mail queue after this operation.

The post Finding spammer php script in DirectAdmin appeared first on VeriTeknik.

exim -bpru | tr '\n' + | sed -e "s/++/=/g" | tr -d + | tr = '\n' | grep "spammer@email.com" | awk {'print $3'} | xargs exim -Mrm

Simple replace the spammer@email.com address with the potential spammer.
Don’t forget that this command uses the whole queue list to process. Sometimes if you have hundreds of thousands of email from this spammer in queue, it will get hard to process them all for the system. So instead of using the whole queue list, we can break it down to pieces with the head command.

The command below will break it down to pieces of 5000, so if you have more than 5000, you should run this command several times.

exim -bpru | head -n 5000 | tr '\n' + | sed -e "s/++/=/g" | tr -d + | tr = '\n' | grep "spammer@email.com" | awk {'print $3'} | xargs exim -Mrm

To delete all mails from the queue, simply use this command.

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh

The post Delete Mail From Queue in Exim appeared first on VeriTeknik.

Whilst doing that, we realized the server was getting a lot of incoming mails as forgery. So, it is possible to get the IP list of the possible forgerers.

To do this, we need to check the lines that indicate an INCOMING message, and that claims it uses our mail server itself as a sender, but actually connects through a different IP address.

Exim uses the notation for incoming messages, so it is easy to catch.
It also uses the notation H=IP.ADD.RE.SS to state the IP address (or the hostname) of the incoming message. The beauty in this is that, it also gets the real IP address and checks if they match, if they don’t match, then it brackets the H= value like this H=(IP.ADD.RE.SS) and right after that, gives the real IP address with boxed brackets. [REAL.IP.ADD.RESS]

To detect forgeries done in a time period, and getting ONLY the IP address is crutial when you want check those IP addresses with others tools and scripts. So here’s an example grep line :

grep -ohP "(?

The example above, assumes that your mailserver’s IP Address is 10.1.31.33, of course this won’t be the case since it’s a local ip, so change that with yours.
It also checks for attempts in March 2012, you can also edit this, since we’re using the Perl compatible regular expressions (the -P option of grep) than we can use .. as wildcards for 2 characters (the day indicator).
Since we’re checkig for more than 1 file, (mainlog*) grep will output the filenames too, the -h option is to suppress that.
Also, we’re piping the output to uniq, so that we don’t get multiple results for the same IP address.
Now you can simply redirect these IP addresses to your script/tool or save them for other purpose.

The post Detecting Possible Mail Forgers in EXIM appeared first on VeriTeknik.