HELP : My server emails sending too many spam

[muwicaksono]

Hello, i've got spam mails from my server and keeps so many emails hold in the mail queue. When I checked the IP reputation it turned out to be blacklisted by sorbs & outlook filter too.

 

[andrew.n]

You should look into the headers of the mails and see which account is sending those.

 

[cPRex]

If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications.

 

[quietFinn]

For my experience the 1st thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server.

 

[jana-its]

For my experience the 1st thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server.

Hello, I have spam through the server and my firewall and Exim stopped the sender. how I can catch the spammer or the exploit. I use ImunifyAV and no malware was found.

 

[cPRex]

@jana-its - if you scroll up just a bit, you'll see a command that can help you search the Exim logs on the machine for more details about where the message may have originated from. Tring that is always a good first step.

 

[martin MHC]

deleted. See below

 

[martin MHC]

If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam:

That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications.

@cPRex I have done this for our own issues of suspecting spam is being send from the server to accounts on the server, the results are as follows:

1 /home/account1
1 /home/account2
1 /root
388 /etc/csf
392 /

My query is this:

Should "/" be sending any sort of emails?
Should "/root" be sending any sort of emails?

Does the location indicate the file that is sending the emails rests in that directory? For instance, how would I go about sourcing the cause code of the 392 emails from "/" if it's not an expected sender?

thank you.

 

[cPRex]

Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent.

Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that.

 

[martin MHC]

Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent.

Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that.

oh of course, It's because it didn't add up I didn't think it was a sum value! Awesome, thanks.