In this tutorial we will be showing you how to easily find any possible spam activity by subject on your VPS or dedicated server with the Exim mail log.
If you have seen our last tutorial about finding email accounts that are used for spam, you will already know how to track down spam activity by searching for email accounts which send out mail from several IP addresses. In this tutorial, we will be covering how you can find spam activity by looking for duplicate subjects in your server's Exim mail log.
To follow this tutorial, you will need root access on your VPS or dedicated server so that you can read the Exim mail log.
Locating duplicate subjects in Exim mail log
- Login to your server using SSH and as root user.
- Execute the command below to locate duplicate subjects from your Exim mail log.
awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n
You should receive a similar output to the one shown here.
Output:
285 Out of Office
303 [Forum reply] Please moderate
578 New Account
1764 Melt Fat Naturally
This means that the subject ‘Melt Fat Naturally’ has by far the most duplicates of those currently in the Exim mail log.
We may now look for the user who has been sending out this possible spam message. Do this by executing the following command.
grep "Melt Fat Naturally" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -n
You should receive a similar output to the one shown here.
Output:
1 [email protected]
1762 [email protected]
This shows that ‘[email protected]’ was the account being used to relay this spam message.
You can now find every IP that was used by ‘[email protected]’ and possibly block them on your server’s firewall if their activity seems malicious to you.
With the following command, you can see every IP address from which the account has been sending this mail.
grep "<= [email protected]" /var/log/exim_mainlog | grep "Melt Fat Naturally" | grep -o "\[[0-9.]*\]" | sort -n | uniq -c | sort -n
You should receive a similar output to the one shown here.
Output:
1762 [123.45.67.89]
Now you should be able to see that all 1,960 messages that ‘[email protected]’ sent out were coming from the same ‘123.45.67.89’ IP address.
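The three steps above (count subjects, find the sender behind the top subject, find the IPs that sender used) can be done in one pass. The script below is an added example, not part of the original tutorial; it runs on a constructed cPanel-style exim_mainlog sample embedded inline, and it pulls the sender, source IP and T="subject" out of each "<=" line by name rather than by awk column number, so it also works when the log carries a [pid] field before the message id.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in cPanel-style Exim mainlog format; not real log data.
SAMPLE_LOG = """\
2024-05-01 10:00:01 1sABCD-0001xy-Aa <= alice@example.com H=(host) [192.0.2.10] P=esmtpsa A=dovecot_login:alice@example.com S=2048 id=a1@example.com T="Out of Office" from <alice@example.com> for bob@example.net
2024-05-01 10:00:05 1sABCD-0001xz-Bb <= spammer@example.com H=(host) [198.51.100.7] P=esmtpsa A=dovecot_login:spammer@example.com S=4096 id=b1@example.com T="Melt Fat Naturally" from <spammer@example.com> for v1@example.org
2024-05-01 10:00:06 1sABCD-0001xz-Bb => v1@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.1]
2024-05-01 10:00:09 1sABCD-0001y0-Cc <= spammer@example.com H=(host) [198.51.100.7] P=esmtpsa A=dovecot_login:spammer@example.com S=4096 id=b2@example.com T="Melt Fat Naturally" from <spammer@example.com> for v2@example.org
2024-05-01 10:00:12 1sABCD-0001y1-Dd <= carol@example.com H=(host) [192.0.2.11] P=esmtpsa A=dovecot_login:carol@example.com S=1024 id=c1@example.com T="Melt Fat Naturally" from <carol@example.com> for v3@example.org
"""

# Only message-arrival ("<=") lines carry the sender, the source IP in [] and T="subject".
# The optional "[pid]" token covers logs written with the pid log selector enabled.
ARRIVAL_RE = re.compile(
    r'^\S+ \S+ (?:\[\d+\] )?\S+ <= (?P<sender>\S+) '
    r'.*?\[(?P<ip>[0-9a-fA-F.:]+)\].*? T="(?P<subject>[^"]*)"')


def parse_arrivals(log_text):
    """Yield (sender, ip, subject) for each arrival line that parses; delivery lines are skipped."""
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            yield m.group("sender"), m.group("ip"), m.group("subject")


def subject_counts(log_text):
    """Step 1 of the tutorial: how often each subject was accepted (the awk | sort | uniq -c pipeline)."""
    return Counter(subj for _, _, subj in parse_arrivals(log_text))


def spam_report(log_text, threshold=2):
    """Steps 2 and 3 in one pass: subject -> sender -> {source ip: count},
    keeping only subjects accepted at least `threshold` times."""
    tree = defaultdict(lambda: defaultdict(Counter))
    for sender, ip, subj in parse_arrivals(log_text):
        tree[subj][sender][ip] += 1
    return {subj: {s: dict(ips) for s, ips in senders.items()}
            for subj, senders in tree.items()
            if sum(sum(ips.values()) for ips in senders.values()) >= threshold}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/exim_mainlog").read() on a real server.
    top, n = subject_counts(SAMPLE_LOG).most_common(1)[0]
    print(f"most repeated subject: {top!r} ({n} messages)")
    for sender, ips in spam_report(SAMPLE_LOG)[top].items():
        print(f"  {sender}: {ips}")
```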
The next thing to do is to block this IP at the server's firewall (APF in this example) by executing the following command.
apf -d 123.123.123.123 "Sending weight loss spam from [email protected]"
It is also recommended to change the password in cPanel for the email account that was used to send this spam. If you don’t change the password, the spammer will be able to come back from a different computer and a different IP address and continue to relay spam out through your account.
This is how you can use the Exim mail log on your VPS or dedicated server to track down duplicate subjects that were sent out from your server. With this knowledge, you can identify the responsible user and the IP address that sends these messages, allowing you to block them and stop the spamming.