Find Spammer in Exim
Tuesday, September 9th, 2014
- Log in to your server via SSH as the root user.
- Run the following command to pull the most used mailing script's location from the Exim mail log:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
- Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
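The two commands above, wrapped as shell functions and run against constructed sample logs. This is an added example, not part of the original post. The function names, sample paths and IP addresses are assumptions, and `grep -F` is used so the dot in the script name is matched literally.

```shell
#!/bin/sh
# Added example, not from the original post. All sample log lines are constructed.

# Count mail submissions per working directory, busiest last.
# $1 = Exim main log (e.g. /var/log/exim_mainlog)
cwd_counts() {
    grep 'cwd=' "$1" | grep -v 'cwd=/var/spool' |
        awk -F'cwd=' '{print $2}' | awk '{print $1}' |
        sort | uniq -c | sort -n
}

# Count requests per client IP for one script, busiest last.
# $1 = script name (matched as a literal string), $2 = Apache access log
script_ip_counts() {
    grep -F -- "$1" "$2" | awk '{print $1}' | sort | uniq -c | sort -n
}

# Bare values for the busiest directory and busiest IP (last ranked line).
top_cwd() { cwd_counts "$1" | tail -n 1 | awk '{print $2}'; }
top_ip()  { script_ip_counts "$1" "$2" | tail -n 1 | awk '{print $2}'; }

# Write constructed sample logs into directory $1.
make_sample_logs() {
    cat > "$1/exim_mainlog" <<'EOF'
2014-09-09 10:00:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2014-09-09 10:00:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-09-09 10:00:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2014-09-09 10:00:04 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2014-09-09 10:00:05 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
EOF
    cat > "$1/access.log" <<'EOF'
203.0.113.7 - - [09/Sep/2014:10:00:01 -0400] "POST /data/mailer.php HTTP/1.1" 200 12
198.51.100.23 - - [09/Sep/2014:10:00:02 -0400] "POST /data/mailer.php HTTP/1.1" 200 12
203.0.113.7 - - [09/Sep/2014:10:00:03 -0400] "POST /data/mailer.php HTTP/1.1" 200 12
192.0.2.10 - - [09/Sep/2014:10:00:04 -0400] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [09/Sep/2014:10:00:05 -0400] "POST /data/mailer.php HTTP/1.1" 200 12
EOF
}

# Demo run on the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
cwd_counts "$demo_dir/exim_mainlog"
script_ip_counts mailer.php "$demo_dir/access.log"
rm -rf "$demo_dir"
```

On a live server, pass `/var/log/exim_mainlog` to `cwd_counts` and the domain's access log to `script_ip_counts`.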
Reference
http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim