5.1.4 How to determine who is sending spam to VPS/Dedicated. Blocking mail for a specific site

On almost all of our servers we use a service called Exim to send mail.

Exim is the so-called MTA (Mail Transfer Agent), a message transfer agent, in common parlance - a mailer or mail server, used in many operating systems of the UNIX family.

Each letter that passes through the postal service has its own identifier or otherwise unique letter number. Message IDs in Exim queues are uppercase and lowercase alphanumeric sequences, such as “1TrXS1-0003SL-3h”, and are used by most queue administration and logging commands in Exim.

Basic commands for working with Exim

Now let’s look at a short list of SSH commands for managing mail and mail queue.

Important: All commands must be executed as root and are only available for VPS/Dedicated.

Display the number of messages in the mail queue (what we see in monitoring): exim -bpc

Prints a list of messages in the queue. The following are displayed: queuing time, size, message ID, sender, recipient:

  1. exim -bp

An example of such a list:

4h 791 1TrXgs-0004t8-0W noelle_foreman@artemida2012.kiev.ua

4h 1.8K 1TrXgu-0004tZ-5w

Accordingly, the identifiers of these two messages are: 1TrXgs-0004t8-0W and 1TrXgu-0004tZ-5w.

In all the examples presented, [id] is the unique identifier of the letter you need. Remove a message from the queue:

  1. exim -Mrm [id]

(Example: exim -Mrm 1TrXgs-0004t8-0W, will remove the message with the passed identifier from the queue)

View message headers:

  1. exim -Mvh [id]

View message body:

  1. exim -Mvb [id]

View message logs:

  1. exim -Mvl [id]

Delete all blocked messages in the mail queue:

$ exipick -z -i | xargs exim -Mrm

Remove all messages from the mail queue where the sender’s domain is domain:

  1. exipick -f @domain -i | xargs exim -Mrm

Remove all messages from the mail queue where the recipient’s domain is domain:

  1. exipick -r @domain -i | xargs exim -Mrm

Delete all messages from the mail queue:

  1. exipick -i | xargs exim -Mrm

If there are several hundred thousand messages in the queue, it will be faster to delete the queue with the commands:

  1. rm -rfv /var/spool/exim4/input/
  2. rm -rfv /var/spool/exim4/msglog/

How to determine where spam is coming from on a server

Now let’s look at how to find who is sending spam and how on the server and how to block it?

To do this, you need to run the following chain of commands.

1. List messages in the mail queue using the command

  1. exim -bp

2. Visually determine in the list which domain or mailbox the mail is coming from. This is usually easily seen due to the large amount of mail sent from one mailbox. Also, you can determine where exactly the spam is coming from by analyzing the logs, body and header of several similar letters using the commands described above.

3. If spam comes from a hacked mailbox, disable it, or change the mailbox password in its properties in the Mailboxes section.

If spam is sent by site - The found WWW domain must either be blocked or mail blocked for this WWW domain. The site will work in this case - only mail sent by the PHPmail script will not work - for the PHP CGI and PHP Apache operating modes this is done differently:

  • for php apache mode, in the general config apache2 (/etс/apache2/apache2.conf) of the server under root, find the Virtualhost block of the desired domain and in the line
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f

change the word sendmail to sendmoil in the /usr/sbin/sendmail path. Or do the same in the WWW domains section in the properties of the apache2 config. After this, you need to restart the apache2 service for the changes to take effect. After this, PHPmail only for this site and only in PHP Apache mode will not work and scripts will not be able to send letters.

  • for the PHP CGI mode under the site owner user in the file php-bin/php.ini in the line
sendmail_path = "/usr/sbin/sendmail -t -i -f

change the word sendmail to sendmoil in the path /usr/sbin/sendmail. In this case, there is no need to reload anything and the specified blocking will apply to ALL WWW domains of this user that work in PHP CGI mode, and not to any specific one.

Once again, I would like to note that such blocking only applies to scripts and crowns with the help of which mail is distributed - mailboxes created on the same domain will work.

Advanced methods for identifying spam senders

If you are unable to determine who is sending spam using the queue, you can use several more commands:

  1. tail -n 1000 /var/log/nginx/access.log | grep POST

Will display a list of POST requests of all sites in which it is possible to identify a malicious file that generates a newsletter.

The newsletter can also be sent by connecting via SSH. To determine the hacked user, use the command:

  1. p.s. | grep ssh

Which will list all SSH connections to the server. Then type the command:

  1. w

Which will display all active connections. Usually the user who is not in the output of this command, but is in the output of the previous command, is hacked - in this case, simply change the password of the user or his FTP account.


  1. killall -u user

will close all open SSH connections for user user.

If instead of a user login there are numbers or a user’s FTP account, which is not visible in Users, you can find it in the /etc/group or /etc/passwd file.

Also, the mailing script may be in the tmp and var/tmp folders - these folders should also be checked and cleaned.

You can also send spam by running scripts via cron. You can quickly view all crons of all users in the folder /var/spool/cron/crontabs.

It also happens that the sender of spam indicates different non-existent mailboxes on your email domain - this is also one of the mailing methods. In order to prevent the appearance of such letters, you need to set the Default Action field to “Ignore and delete” in the Mail domain properties.

If Exim but postfix is installed on the server, you can use the following commands.

Mail queue output:

  1. mailq

Cleaning the mail queue:

  1. postsuper -d ALL

Also, in the ISPManager4 control panel, to work with the mail queue, it is possible to install and use a plugin called Mail Queue. You can install the plugin only from under root in the Plugins section - click Install at the top right, select ispmque from the list and install it. After this, refresh the control panel and a new section Mail Queue will appear in the Tools section. In this section, you can completely view the entire queue and all records of each letter in the queue, as well as clear the queue and resend individual letters, that is, essentially everything is the same as the method described above via SSH.