Exim - Find Spam
To get a sorted list of envelope senders in the Exim mail queue, with the number of queued messages from each one (busiest sender last):
exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
List message IDs for that sender:
exim -bpr | head -1000 | grep "spoofed-email@suspicious-domain.com" | head -4
Look up info on a queued message by its ID:
find /var/spool/exim/ -name 1XgdkD-0001XD-8b | xargs head -1
Count the frozen messages in the queue:
/usr/sbin/exim -bpr | grep frozen | wc -l
Deleting frozen messages:
/usr/sbin/exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm
Find the working directories (cwd) of scripts that injected mail, with a count per directory:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Code breakdown:

| Command | What it does |
|---|---|
| grep cwd /var/log/exim_mainlog | Search the Exim main log for lines mentioning cwd (current working directory), which Exim records for locally injected mail. |
| grep -v /var/spool | Invert the match so that lines containing /var/spool are dropped; those are normal Exim deliveries, not mail sent in from a script. |
| awk -F"cwd=" '{print $2}' \| awk '{print $1}' | Set the awk field separator to cwd= and print the second field, then pipe that to awk again and print only its first column so that only the script path is returned. |
| sort \| uniq -c \| sort -n | Sort the script paths by name, count each unique path, then sort the counts numerically from lowest to highest. |
To remove all queued messages from a given sender:
exiqgrep -ir email@domain.com | xargs exim -Mrm
To remove a message from the queue:
exim -Mrm {message-id}
To remove all messages from the queue, enter:
exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash
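The queue-listing, frozen-message and cwd one-liners above, wrapped in stdin-reading functions and run against constructed sample text so they can be checked without a live Exim server. This is an added example, not code from the original page; the queue output, log lines, message IDs and addresses are made up.

```sh
#!/bin/sh
# Constructed sample of `exim -bpr` output (made-up IDs and addresses).
SAMPLE_QUEUE='25m  1.2K 1XgdkD-0001XD-8b <spoofed-email@suspicious-domain.com>
          victim1@example.org

30m  1.1K 1XgdkE-0001XE-9c <spoofed-email@suspicious-domain.com> *** frozen ***
          victim2@example.org

 2h  3.4K 1XgdkF-0001XF-0d <legit@example.com>
          friend@example.net
'

# Constructed sample of exim_mainlog cwd= lines; the /var/spool line is a
# normal delivery and must be ignored, the others come from a web script.
SAMPLE_LOG='2014-10-20 10:00:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1XgdkD-0001XD-8b
2014-10-20 10:00:02 cwd=/home/site/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-20 10:00:03 cwd=/home/site/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-10-20 10:00:04 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
'

# Queued messages per envelope sender, "<count> <address>", busiest sender last.
count_senders() {
    awk -F'[<>]' '/</ { n[$2]++ } END { for (s in n) printf "%d %s\n", n[s], s }' | sort -n
}

# Message IDs of frozen messages (the field the page feeds to exim -Mrm).
frozen_ids() {
    awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# Number of frozen messages.
count_frozen() {
    frozen_ids | wc -l | tr -d ' '
}

# Directories that scripts sent mail from, with counts, lowest first.
script_cwds() {
    grep cwd | grep -v /var/spool | awk -F'cwd=' '{ print $2 }' \
        | awk '{ print $1 }' | sort | uniq -c | sort -n
}

# Against a live server (not run here):
#   exim -bpr | count_senders
#   exim -bpr | frozen_ids | xargs exim -Mrm
#   script_cwds < /var/log/exim_mainlog
```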