Tuesday , 16 January 2018

How to find email sending scripts location?

Command line tips & tricks to find out Spam emailing scripts location!

Are you struggling to deal with spam issues? Read this post to learn how to handle them and keep spam off your server. Spamming can happen in many ways; in this article I explain the steps to identify and mitigate spam sent through scripts.

This can happen in many ways. Outdated scripts, plugins, themes, etc. on your websites can let attackers in and allow them to send spam from your server through those scripts. We strongly recommend updating all scripts on your website first!

Electronic spamming is the use of electronic messaging systems to send unsolicited messages (spam), especially advertising, or to send the same message repeatedly to the same site. Sending a lot of spam from a server can get its IP address blacklisted in RBLs, after which all mail from it (including genuine mail) bounces at the receiving end!

On our servers we use Exim as the MTA (Mail Transfer Agent). Exim provides several command-line options for identifying spam in the mail queue. In most cases the details we need are in the email headers themselves; we can also inspect the message body and the mail log with further command-line options.

Command to check total number of emails in mail queue

Yes, it is very important to check the mail queue regularly. Use the following command to print the total number of messages in the queue:

exim -bpc

For more information about each queued message, use the following command:

exim -bp

Sample output

# exim -bp

0m 502 1VHFNl-0003bf-GB <sender@sender.com>
recipient@gmail.com

0m 568 1VHFNl-0003bn-Tq <sender@sender.com>
recipient@gmail.com

44h 763 1VGaIo-0002ec-RM <sender@sender.com>
recipient@gmail.com

10h 5.9K 1VH6AW-0001Um-Rz <> *** frozen ***
no-reply@facebook.com

Use the following command, with a message ID taken from the exim -bp listing, to see more details about a queued message:

exim -Mvh <message-id>

This displays the message's header information, from which we can tell whether it was sent from a mail account or through a vulnerable script. An example is pasted below:

208P Received: from user by ecr.my-server.net with local (Exim 4.88)
        (envelope-from <user@ecr.my-server.net>)
        id 1cm2fI-002sPJ-4C
        for piect@eaneunlock.top; Thu, 09 Mar 2017 13:19:53 -0500
037T To: piect@easyeunlock.top
029  Subject: Welcome to My Board
051  X-PHP-Script: user.tv/smf/two/tedex.php for 5.39.93.96
033F From: "My Board" <board@user.tv>
027* Return-Path: user@user.tv
038  Date: Thu, 09 Mar 2017 18:19:52 -0000
014  X-Mailer: SMF
018  Mime-Version: 1.0
085  Content-Type: multipart/alternative; boundary="SMF-62052ed9f7577e37f8b2ee282c566755"
032  Content-Transfer-Encoding: 7bit
055I Message-Id: <E1cm2fI-002sPJ-4C@ecr.my-server.net>
038  X-OutGoing-Spam-Status: No, score=0.8

Note the line starting with "X-PHP-Script:". It shows the location of the script that generated the message; that is the script sending mail out of your server.

Null-route that file (chmod 000) or delete it from the server.

Now let's find all scripts that are or were sending mail from the server. Run the following command in your shell as the root user:

grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

That’s it!
Check those folders for suspicious scripts 🙂
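The same two checks (pulling the script path out of an exim -Mvh header dump, and counting cwd= directories in exim_mainlog while skipping the spool) as a small Python script. This is an added example, not part of the original post; the log lines and the header dump below are constructed samples in the formats shown above, not real server data.

```python
import re
from collections import Counter

# Constructed sample lines in the format cPanel's Exim writes to exim_mainlog
# when the "arguments" log selector is on (cwd= entries for local sendmail calls).
SAMPLE_MAINLOG = """\
2017-03-09 13:19:53 cwd=/home/user/public_html/smf/two 3 args: /usr/sbin/sendmail -t -i
2017-03-09 13:19:53 1cm2fI-002sPJ-4C <= user@ecr.my-server.net U=user P=local S=1480
2017-03-09 13:19:54 cwd=/home/user/public_html/smf/two 3 args: /usr/sbin/sendmail -t -i
2017-03-09 13:20:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1cm2fI-002sPJ-4C
2017-03-09 13:21:10 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2017-03-09 13:22:00 cwd=/home/user/public_html/smf/two 3 args: /usr/sbin/sendmail -t -i
"""

# Constructed header dump in the style of `exim -Mvh` (length + flag prefix per header).
SAMPLE_HEADERS = """\
037T To: piect@example.invalid
029  Subject: Welcome to My Board
051  X-PHP-Script: user.tv/smf/two/tedex.php for 5.39.93.96
033F From: "My Board" <board@user.tv>
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
# Optional "NNN" length and one-character flag before the header name.
PHP_SCRIPT_RE = re.compile(r"^\s*(?:\d{3}\S?\s+)?X-PHP-Script:\s*(\S+)",
                           re.IGNORECASE | re.MULTILINE)


def count_sending_dirs(log_text, exclude_prefix="/var/spool"):
    """Equivalent of the grep | awk | sort | uniq -c pipeline: count each cwd=
    directory, dropping Exim's own spool. Returns [(count, dir), ...] ascending."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(exclude_prefix):
            counts[m.group(1)] += 1
    return sorted((n, d) for d, n in counts.items())


def php_script_from_headers(header_dump):
    """Return the script path from an X-PHP-Script header, or None if absent."""
    m = PHP_SCRIPT_RE.search(header_dump)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("Script from headers:", php_script_from_headers(SAMPLE_HEADERS))
    for n, d in count_sending_dirs(SAMPLE_MAINLOG):
        print(f"{n:7d} {d}")
```

Directories with the highest counts are the first places to look for a rogue script; a legitimate contact form rarely sends hundreds of messages an hour.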

Our servers are highly tweaked to reduce these types of Spamming issues.

Have questions? Click here for any server assistance. We are available at 24*7*324 🙂
Happy hosting!!

About Albert

Linux server Admin @ TwinBee. I am here to help you guys!! Post a comment here if you have any questions, or go to http://twinbeeservers.com/support.php
