Quantity of emails sent shoot up once a week.

**SuperBaby** · 12-26-2008 10:43 AM

I use dyndns.com's smtp to send out all emails to Yahoo email addresses. From the statistic report under dyndns.com, I can see that the emails sent to Yahoo email addresses are usually less than 50 emails per day. But once a week, the emails sent will shoot up to more than 300.

I have many accounts in my server. I cannot possibly look into the crontab of all accounts. Is there a way for me to find out who is sending out bulk mails? Is there a way to check from /var/log/exim_mainlog?

How can I stop this?

**JawadArshad** · 12-26-2008 03:43 PM

Originally Posted by SuperBaby

I use dyndns.com's smtp to send out all emails to Yahoo email addresses. From the statistic report under dyndns.com, I can see that the emails sent to Yahoo email addresses are usually less than 50 emails per day. But once a week, the emails sent will shoot up to more than 300.

I have many accounts in my server. I cannot possibly look into the crontab of all accounts. Is there a way for me to find out who is sending out bulk mails? Is there a way to check from /var/log/exim_mainlog?

How can I stop this?

tail the exim log using 'tail -f /var/log/exim_mainlog' for sometime and notice any scripts usually with the format "cwd=/home/username/public_html" or alternately, you can try this.

grep "cwd=/home/" /var/log/exim_mainlog

This will give you the usernames that are generating mails through scripts.

**SuperBaby** · 12-26-2008 04:15 PM

Thank you for your advice. I tried grep "cwd=/home/" /var/log/exim_mainlog but I don't think the emails were sent by scripts. This is because I only get a few lines of result running this command. Any other thing I can try. Thanks again.

**brianoz** · 12-31-2008 04:19 AM

The only way for something to send messages and not have them appear in exim_mainlog is for them to be sent direct via port 25. Either cpanel or CSF have the ability to block direct port 25 outgoing email and your should ensure that it is ALWAYS blocked (as you can't log it, and spammers love to use this bypass).

You should be grepping exim_mainlog for something like:

Code:

grep '=>.*@yahoo.com' exim_mainlog

which will tell you what emails are being sent to yahoo. Replace "grep" with "exigrep" to see the entire log message for each message.

**SuperBaby** · 01-04-2009 09:47 AM

To BRIANOZ,

My CFS currently has this setting. Is that correct?

# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
SMTP_BLOCK = 1

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option too
SMTP_ALLOWLOCAL = 1

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = 25

**dave6166** · 01-31-2009 08:32 AM

tail the exim log using 'tail -f /var/log/exim_mainlog' for sometime and notice any scripts usually with the format "cwd=/home/username/public_html

**brianoz** · 02-12-2009 12:16 AM

Originally Posted by SuperBaby

My CFS currently has this setting. Is that correct?

Looks correct to me; I'm not a CSF guru though (it's CSF not CFS!).

LinkBack

Thread Tools

Quantity of emails sent shoot up once a week.

AirSpaceHosting Special Promo 50% Off LIMITED QUANTITY!

I need so much help someone should just shoot me...[moved]

don't shoot me/ can we really use the primary i.p. also for a name server???