In this tutorial we will show you how to investigate your VPS (Virtual Private Server) or dedicated server for possible sources of outgoing spam. Catching this early helps protect the reputation of your mailing IP address, since a damaged reputation causes delivery problems for your legitimate users.
If you have seen our last tutorial about 535 incorrect authentication errors, then you already know how to track down the IP address of a malicious user who tries to log in to your email accounts. However, if someone has obtained the password for one of your email accounts, that method will not locate them: they log in successfully, so they never produce authentication errors.
A good way to keep tabs on this type of malicious activity is to watch how many IP addresses connect to each email account. Every account will legitimately have a few, since people connect from home, from the office, and probably from a mobile phone to send email. What you can monitor for is an account whose logins come from several different geographical locations. That is a strong sign that the account’s password has been compromised and possibly sold to a spammer, who now sends through it from several computers in a botnet spread across the world.
For the following tutorial you will require root access to either your VPS or dedicated server in order to access the Exim mail logs.
Locating several IP address logins for mail accounts
With the steps below, you can keep tabs on the number of IP addresses which are connecting to your mail server per email address. After that, you can look to see if they are malicious and then proceed to block them at your server’s firewall to prevent any more delivery attempts.
Log in to your server with SSH as the root user.
Execute the command below to pull, from the Exim mail log, the email accounts that have connected from more than one IP address.
grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'
You will receive a similar output to the one below.
4 [email protected]
2 [email protected]
4 [email protected]
2 [email protected]
3 [email protected]
If you happen to have many users that have mail logins from several unique IP addresses, you could use the following command to see what IPs they are connecting from.
grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c
In this situation ‘[email protected]’ has logged in from 4 different IP addresses; this command outputs how many logins came from each of those IPs:
7 [email protected] 123.45.67.89
1 [email protected] 123.45.67.88
2 [email protected] 123.45.67.87
1 [email protected] 123.45.67.86
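The same check as a small script, added here as an example and not part of the original tutorial. Instead of relying on fixed field positions after the sed edits, it picks the account out of the A=courier_login: field and the client IP out of the [ip]:port field wherever they sit on the line, and takes the threshold as a parameter. The log lines are constructed samples in Exim’s message-arrival format.

```shell
#!/bin/sh
# Added example (not from the original tutorial): count distinct client IPs
# per authenticated sender in an Exim mainlog and flag accounts over a threshold.
# The log lines below are constructed samples in Exim's "<=" arrival format.
LOGFILE="${TMPDIR:-/tmp}/exim_mainlog.sample"
cat > "$LOGFILE" <<'EOF'
2024-05-01 10:00:01 1s9AbC-0001xY-Qz <= alice@example.com H=(home) [192.0.2.10]:51234 P=esmtpa A=courier_login:alice@example.com S=2048 id=1@example.com
2024-05-01 10:05:12 1s9AbD-0001xZ-Qa <= alice@example.com H=(home) [192.0.2.10]:51240 P=esmtpa A=courier_login:alice@example.com S=1980 id=2@example.com
2024-05-01 10:07:44 1s9AbE-0001y0-Qb <= bob@example.com H=(office) [198.51.100.7]:40001 P=esmtpa A=courier_login:bob@example.com S=3011 id=3@example.com
2024-05-01 10:09:03 1s9AbF-0001y1-Qc <= bob@example.com H=(unknown) [203.0.113.55]:2222 P=esmtpa A=courier_login:bob@example.com S=900 id=4@example.com
2024-05-01 10:09:05 1s9AbG-0001y2-Qd <= bob@example.com H=(unknown) [203.0.113.56]:2223 P=esmtpa A=courier_login:bob@example.com S=910 id=5@example.com
2024-05-01 10:09:09 1s9AbH-0001y3-Qe <= bob@example.com H=(unknown) [203.0.113.57]:2224 P=esmtpa A=courier_login:bob@example.com S=905 id=6@example.com
2024-05-01 10:11:00 1s9AbI-0001y4-Qf => carol@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.99]
EOF

# Print "<logins> <account> <ip>", one line per distinct account/IP pair.
# Only lines carrying an authenticated login (A=courier_login:) are counted,
# so outbound deliveries ("=>" lines) are ignored.
logins_per_ip() {
  awk '/A=courier_login:/ {
         acct = ""; ip = "";
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^A=courier_login:/) { acct = substr($i, 17) }
           if ($i ~ /^\[.*\]:[0-9]+$/)   { ip = $i; sub(/^\[/, "", ip); sub(/\]:[0-9]+$/, "", ip) }
         }
         if (acct != "" && ip != "") print acct, ip
       }' "$1" | sort | uniq -c | awk '{print $1, $2, $3}'
}

# Print "<distinct_ips> <account>" for every account seen from more than $2 IPs.
flag_accounts() {
  logins_per_ip "$1" | awk '{print $2}' | uniq -c | awk -v min="$2" '$1 > min {print $1, $2}'
}

flag_accounts "$LOGFILE" 1
```

Run it against the real log with `flag_accounts /var/log/exim_mainlog 1`; raise the threshold if your users routinely connect from more places.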
Updating email passwords and blocking IPs
Now that you know several unique IP addresses are connecting to one email account, you can check the location of those IP addresses with an online service such as GeoIPTool.com.
If, for example, you know the person who owns the email account lives in the US, but you see IPs in China or Russia sending mail out through that account, the odds are that the account has been compromised and is being used to send spam.
With the steps below you can block these bad IP addresses from being able to access your server again. Note that you could also update the email account’s password so that, if they try to relay any spam using the account, they will receive an authentication error.
In the example above we saw all of the IP addresses relaying through our one ‘[email protected]’ account.
123.45.67.89
123.45.67.88
123.45.67.87
123.45.67.86
If you decide they are malicious and want to block all of them at your server’s firewall, you can run the following command.
for IP in 123.45.67.89 123.45.67.88 123.45.67.87 123.45.67.86; do apf -d $IP "Spamming with [email protected]"; done
You should then receive the following output.
apf(23740): (trust) added deny all to/from 123.45.67.89
apf(23796): (trust) added deny all to/from 123.45.67.88
apf(23859): (trust) added deny all to/from 123.45.67.87
apf(23929): (trust) added deny all to/from 123.45.67.86
Since those IPs successfully logged in to your mail server to relay mail through the ‘[email protected]’ account, you should also change that account’s password; our guide on changing your email password in cPanel shows how. Blocking IPs alone will not stop a spammer who simply switches to a different IP address, but a new password will.
You can now track these email accounts down on your server, helping you to make sure that your email accounts are not compromised to send out spam or other malicious material.
You can also block those IP addresses from accessing your server, and update your email account’s password to stop further access to those malicious users.