Here's the story: You look at your Nagios plugin and see that Exim is
hammering a server. You know you have made it impossible to get that many
connections from the outside. That means that, again, someone got hacked and
is being used by people in Russia and the Netherlands to send spam. Sigh,
you've been meaning to make this harder to do, but for now you'll have to fix
the problem. After blocking them, you can follow these steps if you use Exim.
-
Start off by seeing if the spammer was dumb enough to use the same from address:
exim -bpa|awk '/<.*@.*>/ {print $4}'|sort|uniq -c|sort -n -k1
-
If he was, see whether it came from this server and is sitting in the queue because it can't be delivered, or whether someone outside sent spam and claimed it came from a domain on this server.
exim -bpa|grep <address>|less
Grab one of the message ids. They look something like 1LSpaA-0004vs-Am. Typically this is the 3rd field of the line that starts each queued message.
-
First look at the logs.
exim -Mvl <message-id>
-
If that doesn't help, look at the headers.
exim -Mvh <message-id>
-
If you couldn't tell for sure that it was spam by the subject in the
header, then use your super powers, and read some of the mail.
exim -Mvb <message-id>|less
If it talks about virgins, enlargements, bank accounts in Nigeria or has random words, it is spam. If it has a part telling them, “Click here to unsubscribe,” it is probably spam, but use your best judgment. The fact that there are zillions of these messages almost guarantees it.
-
Now, start cleaning the messages out.
exim -bpa|awk '/some part of the bad address/ {print $3}'|xargs exim -Mrm
-
Get rid of frozen messages.
exim -bpa|awk '/frozen/ {print $3}'|xargs exim -Mrm
-
Get rid of spam that we sent that got returned (bounces have an empty sender, shown as <>).
exim -bpa|awk '/<>/ {print $3}'|xargs exim -Mrm
-
Now see how many messages are left.
exim -bpc
A good number will be less than 400. Above that, you can probably do
some more cleaning.
If you need to still clean, start again at the top of this list. If the
count by address doesn't work for you, you may need to just look at the list
of mail, and use your system administrator's intuition to get an idea for what
might be happening. Sometimes you can spot a pattern that will help you.
exim -bpa|less
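The pipelines above all parse the same exim -bpa listing, so here they are gathered into one script and run against a constructed sample of that output. This is an added example, not part of the original post; the sample queue, sender addresses and message ids are made up, and queue_ids() is a hypothetical helper that only prints an id when the matching line is a message header line, so a recipient line that happens to match your pattern can't produce a stray argument for exim -Mrm.

```shell
#!/bin/sh
# Constructed sample of "exim -bpa" output (not a real queue). Each message is a
# header line "<age> <size> <message-id> <envelope-sender> [*** frozen ***]"
# followed by indented recipient lines.
SAMPLE_QUEUE='25m  1.5K 1LSpaA-0004vs-Am <spammer@example.invalid>
          victim1@example.net
25m  1.5K 1LSpaB-0004vt-Bn <spammer@example.invalid> *** frozen ***
          victim2@example.org
 3h  2.1K 1LSpaC-0004vu-Co <>
          spammer@example.invalid
12m  4.0K 1LSpaD-0004vv-Dp <alice@example.com>
          bob@example.org'

# queue_ids REGEX: read an exim -bpa listing on stdin and print the message id
# of every header line matching REGEX. The $3 check keeps recipient lines (which
# carry no id) from printing anything, even when they match the pattern.
queue_ids() {
  awk -v pat="$1" \
    '$0 ~ pat && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {print $3}'
}

# Messages per envelope sender, fewest first (the "same from address" check).
sender_counts() {
  printf '%s\n' "$SAMPLE_QUEUE" | awk '/<.*@.*>/ {print $4}' \
    | sort | uniq -c | sort -n -k1
}

# The same selection steps as the post, run on the sample instead of the live queue.
sample_ids() { printf '%s\n' "$SAMPLE_QUEUE" | queue_ids "$1"; }
spam_ids()   { sample_ids 'spammer@example.invalid'; }   # by bad address
frozen_ids() { sample_ids 'frozen'; }                    # frozen messages
bounce_ids() { sample_ids '<>'; }                        # returned spam, empty sender

# Show what would be removed before anything is actually removed.
sender_counts
spam_ids
```

Against a live queue, replace the sample with the real listing: `exim -bpa | queue_ids 'some part of the bad address'` shows the selection, and only once it looks right do you append `| xargs exim -Mrm`.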
Happy spam hunting!