How can I set up a simple Exim processing analyzer script like this?


Well-Known Member
Mar 13, 2004

I can almost-but-not-quite figure out a shell script for doing this. But in any case, I need a way to do the following, in order to indicate to us if one of our hosted members has had their email password stolen/hacked.

1 -- Examine /var/log/exim_mainlog searching for "courier_login", e.g. grepping through the newest 200 log entries (for example).

2 -- If the same account has logged in more than 8 times in the last 200 log entries then collect a list of the accessing IP addresses (which are of course right there in the Exim log entries).

3 -- If there are more than 3 different accessing IP addresses (to the same email account) in this list, then send an email notice with a copy of the login name/account that is being accessed.

Typically, with email account passwords which are hacked (e.g. from Windows members who have keyloggers installed on their machines, etc.), we find that the email account will then be used from accessing IPs from all over the place. In such cases, each login seems to come from a different geographic location. So if we could just be informed of these multiple logins, to the same account, from different IPs, then we could certainly get a leg up on quickly stopping this form of abuse.

Is there such an exim monitor already built into cPanel, or a 3rd party script we could install which would do this?

Anyone? Any help?

With regard to scripting, the following will at least loop through the newest 200 exim log entries matching "courier_login", and sort the IPs that are found logging in:

for i in `tail -200 /var/log/exim_mainlog | awk '/courier_login/' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort`; do
    echo "$i"
done

So obviously I need to work out a secondary loop to take these results and look for matches where the login user name is the same but the accessing IP is different. Here's where I am stuck. But of course, this approach is likely awkward at best, as I am no shell scripter by any means.

Thanks much for any assistance, or direction finding with this very important topic of cutting email abuse.
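The three steps above (look at the newest courier_login entries, count logins per account, flag accounts seen from too many distinct IPs) can be done with one awk pass instead of nested shell loops. The script below is an added example, not code from the poster or from cPanel/CSF. It assumes the cPanel exim_mainlog records an authenticated submission as an arrival line carrying the client address in square brackets and the authenticator tag A=courier_login:<account>; the sample log lines, account names and TEST-NET addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag mail accounts that authenticated many times from many
# distinct client addresses, the check described in the post above.
#
# Assumed (not taken from the thread) exim_mainlog line shape for an
# authenticated SMTP submission; Exim logs the authenticator name and the
# authenticated id as A=<authenticator>:<id>:
#   <date> <time> <msgid> <= <sender> H=(helo) [<ip>]:<port> P=esmtpsa A=courier_login:<account> ...
#
# analyze_logins MIN_LOGINS MIN_IPS  < log-lines
# Prints one line per account with more than MIN_LOGINS logins from more than
# MIN_IPS distinct addresses:  account<TAB>logins<TAB>distinct_ips<TAB>ip,ip,...
analyze_logins() {
    awk -v min_logins="$1" -v min_ips="$2" '
        /A=courier_login:/ {
            # Authenticated account: the text after "A=courier_login:" (16 chars).
            if (!match($0, /A=courier_login:[^ ]+/)) next
            acct = substr($0, RSTART + 16, RLENGTH - 16)
            # Client address: the dotted quad inside the first [ ] on the line.
            if (!match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) next
            ip = substr($0, RSTART + 1, RLENGTH - 2)

            logins[acct]++
            if (!((acct, ip) in seen)) {
                seen[acct, ip] = 1
                distinct[acct]++
                iplist[acct] = iplist[acct] (distinct[acct] > 1 ? "," : "") ip
            }
        }
        END {
            for (a in logins)
                if (logins[a] > min_logins && distinct[a] > min_ips)
                    printf "%s\t%d\t%d\t%s\n", a, logins[a], distinct[a], iplist[a]
        }
    ' | sort
}

# --- Constructed sample data (not real log lines) ---------------------------
# sample_line ACCOUNT IP -> one arrival line in the assumed format.
sample_line() {
    printf '2012-03-15 10:00:00 1AAAAA-000001-AA <= %s H=(client) [%s]:51234 P=esmtpsa A=courier_login:%s S=1402\n' "$1" "$2" "$1"
}

# alice: 9 logins from 4 addresses (should be flagged at 8/3)
# bob:   9 logins from 1 address   (busy but normal)
# carol: 3 logins from 3 addresses (too few logins to matter)
# plus an unauthenticated inbound message and a delivery line, which are ignored.
sample_log() {
    for ip in 192.0.2.10 192.0.2.10 198.51.100.7 203.0.113.22 203.0.113.22 \
              192.0.2.10 198.51.100.7 203.0.113.99 192.0.2.10; do
        sample_line alice@example.com "$ip"
    done
    for n in 1 2 3 4 5 6 7 8 9; do
        sample_line bob@example.com 192.0.2.50
    done
    for ip in 192.0.2.77 198.51.100.8 203.0.113.5; do
        sample_line carol@example.com "$ip"
    done
    echo '2012-03-15 10:05:00 1AAAAA-000002-AA <= sender@remote.example H=mx.remote.example [198.51.100.200]:25 P=esmtp S=2048'
    echo '2012-03-15 10:05:01 1AAAAA-000002-AA => alice <alice@example.com> R=localuser T=local_delivery'
}

# Demonstration on the constructed sample with the thresholds from the post.
sample_log | analyze_logins 8 3
```

On a live server the sample functions are dropped and the real log is fed in, e.g. `tail -200 /var/log/exim_mainlog | analyze_logins 8 3 > /tmp/hits; [ -s /tmp/hits ] && mail -s "Suspicious mail logins" admin@example.com < /tmp/hits` from cron. Two caveats: a fixed window of 200 lines is coarse (a busy server fills it in minutes, a quiet one in days), so counting over a time window is often more useful; and if the server authenticates against a different IMAP/POP backend, the authenticator name in the A= field will differ and the pattern must be adjusted.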


Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
Have you explored CSF instead?

It has some useful options like:
  • Block POP3 logins if greater than LT_POP3D times per hour per account per IP address (0=disabled)
  • Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour per IP
  • Relay Tracking. This allows you to track email that is relayed through the server. There are also options to send alerts and block external IP addresses if the number of emails relayed per hour exceeds configured limits. The blocks can be either permanent or temporary.
  • Connection Tracking. This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help prevent some types of DOS attack.
  • Process Tracking. This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found an alert email is sent with relevant information. It is then the responsibility of the recipient to investigate the process further as the script takes no further action.


Well-Known Member
Mar 13, 2004
Thanks, we are using CSF, but it does not have any facility for detecting multiple logins to the same email account from different IP addresses, as I described.