How to check culprit user(s) in huge exim mail queue

Bashed

Well-Known Member
Dec 18, 2013
cPanel Access Level
Root Administrator
Anyone know how to check what user(s) are taking up the 700k+ (yes, 700,000+) emails in the exim queue? Either a command via ssh or using ConfigServer Mail Queues plugin?

Thanks.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Have you tried viewing a few of the messages to see the message contents and message headers?

Code:
exim -Mvb messageID
exim -Mvh messageID
Thank you.

Bashed

Well-Known Member
Dec 18, 2013
cPanel Access Level
Root Administrator
There's over 700,000 in the queue. I wiped them out last week, and it happened again today. I need to trace which user these mass emails are coming from. I want to know how to pull a stat/count of the top user incoming/outgoing specifically in the queue, but I'm not sure how.

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

The first step as cPanelMichael has explained is to view the headers and body of a particular message ID. That will help in determining if you're dealing with a compromised account or not. Likewise you can also grep for the messageID in the /var/log/exim_mainlog file to determine how/where it originated and why it's getting stuck in the queue.

Start there and it should lead you to a solution.

acenetgeorge

Well-Known Member
PartnerNOC
Mar 6, 2008
Southfield, MI
cPanel Access Level
DataCenter Provider
Check the /var/log/exim_maillog and see if you notice any patterns. Maybe grep the output for "<=" (the sending address), or look for "courier_login" or "dovecot_login" to see if you have a compromised email account password. You could also look for "exceeded", "failed" or "quota".

If you do not have any mail send limits, you may want to limit the hourly rate. We use 600, so we do something like this to look for accounts sending out a lot of spam:

Code:
exigrep exceeded /var/log/exim_mainlog | grep 600
There are all sorts of things you can search for in the mail logs to help track this down. Pattern recognition comes in VERY handy when digging through large logs.
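The per-sender count the original question asks for, plus the log cross-check cPanelPeter and acenetgeorge describe, as an added example that is not part of any post in this thread: it ranks envelope senders from `exim -bp` output and looks up the `A=dovecot_login:` account that submitted a given message ID in the main log. The queue listing and log lines below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Rank envelope senders by number of
# queued messages from `exim -bp` output, then look up which authenticated
# mailbox injected a given message ID in the exim main log.

# Constructed `exim -bp` listing: age, size, message ID, <sender>, then the
# recipient(s) on indented lines and a blank line between messages.
QUEUE_SAMPLE='  5m  1.2K 1VtAAA-0001aA-Ab <spammer@example.com>
          victim1@example.org

 12m  1.1K 1VtAAB-0001aB-Bc <spammer@example.com>
          victim2@example.org

 40m  3.4K 1VtAAC-0001aC-Cd <support@example.net>
          customer@example.org

 55m  2.0K 1VtAAD-0001aD-De <>
          bounced@example.org
'

# Constructed exim_mainlog lines. "<=" marks message arrival; on a cPanel
# host A=dovecot_login:<mailbox> records the account that authenticated.
LOG_SAMPLE='2013-12-18 10:00:01 1VtAAA-0001aA-Ab <= spammer@example.com H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_login:spammer@example.com S=1200
2013-12-18 10:00:02 1VtAAB-0001aB-Bc <= spammer@example.com H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_login:spammer@example.com S=1100
2013-12-18 10:01:00 1VtAAC-0001aC-Cd <= support@example.net H=(webmail) [192.0.2.9] P=esmtpa A=dovecot_login:support@example.net S=3400
'

# Reads `exim -bp` output on stdin; prints "<count> <sender>" lines, busiest
# first. Only header lines carry <...>, so recipient lines are skipped, and an
# empty sender (a bounce) is reported as "<>" rather than a blank.
queue_top_senders() {
    awk 'match($0, /<[^>]*>/) { s = substr($0, RSTART + 1, RLENGTH - 2);
                                print (s == "" ? "<>" : s) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Reads the main log on stdin; prints the authenticated account that submitted
# message ID $1 (empty if the message was not authenticated, e.g. local pickup).
auth_user_for_msg() {
    grep " $1 <= " | sed -n 's/.*A=[a-z_]*:\([^ ]*\).*/\1/p'
}

# Demo on the constructed samples. On a live server the equivalent is:
#   exim -bp | queue_top_senders | head
#   auth_user_for_msg 1VtAAA-0001aA-Ab < /var/log/exim_mainlog
printf '%s' "$QUEUE_SAMPLE" | queue_top_senders
printf '%s' "$LOG_SAMPLE" | auth_user_for_msg 1VtAAA-0001aA-Ab
```

Once the top sender is known, the same authenticated account name is what to grep for in the main log to confirm the volume and source IPs before changing that mailbox's password.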