Basic information
1) Print a count of the messages in the queue: exim -bpc
2) Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient): exim -bp
3) Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm
4) Print what Exim is doing right now: exiwhat
5) Test how exim will route a given address:
root@localhost# exim -bt alias@localdomain.com
user@thishost.com
<-- alias@localdomain.com
router = localuser, transport = local_delivery
root@localhost# exim -bt user@thishost.com
user@thishost.com
router = localuser, transport = local_delivery
root@localhost# exim -bt user@remotehost.com
router = lookuphost, transport = remote_smtp
host mail.remotehost.com [1.2.3.4] MX=0
6) Display all of Exim’s configuration settings: exim -bP
Searching the queue with exiqgrep
7) Use -f to search the queue for messages from a specific sender: exiqgrep -f [luser]@domain
8) Use -r to search the queue for messages for a specific recipient/domain: exiqgrep -r [luser]@domain
9) Print messages older than 1 day: exiqgrep -o 86400
10) Print messages older than 1 hour : exiqgrep -o 3600
11) Print just the message-id of the entire queue: exiqgrep -i
Managing the queue
12) Remove a message from the queue: exim -Mrm <message-id>
13) Remove all frozen messages: exiqgrep -z -i | xargs exim -Mrm
Remove all messages with an empty (null) envelope sender, shown as <> in the listing (these are normally bounces): exim -bp | grep "<>" | awk '{print $3}' | xargs exim -Mrm
Remove all queued messages from a given sender domain (-f takes a regex): exiqgrep -i -f domainname | xargs exim -Mrm
14) Remove all messages older than five days (86400 * 5 = 432000 seconds):
root@localhost# exiqgrep -o 432000 -i | xargs exim -Mrm
Remove every message in the queue: exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash
or: exim -bp | grep "<" | awk '{print $3}' | xargs exim -Mrm
15) Freeze all queued mail from a given sender: exiqgrep -i -f luser@example.tld | xargs exim -Mf
16) View a message’s headers: exim -Mvh <message-id>
17) View a message’s body: exim -Mvb <message-id>
18) View a message's logs: exim -Mvl <message-id>
19) Search the log for messages received from a particular IP address (<= marks a message arriving):
root@localhost# exigrep '<= .* \[12.34.56.78\]' /path/to/exim_log
20) Search the log for messages delivered to a particular IP address (=> marks a delivery):
root@localhost# exigrep '=> .* \[12.34.56.78\]' /path/to/exim_log
21) To delete all queued messages containing a certain string in their headers or body (each message is stored in the spool as a -H header file and a -D data file, so sort -u collapses the two hits into one message-id):
root@localhost# grep -lr 'a certain string' /var/spool/exim/input/ | \
sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
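The queue selections above (null sender, frozen, older than N seconds, from a given sender) all come down to picking message-ids out of the `exim -bp` listing. The script below is an added example, not code from the original page or from Exim: one function that applies those filters to `exim -bp` output read on stdin, plus a dry-run wrapper that prints the exim -Mrm commands instead of running them. The queue listing it works on is constructed to look like `exim -bp` output (age, size, message-id, <sender>, optional "*** frozen ***", one indented recipient per line); the message-ids and addresses are made up.

```sh
#!/bin/sh
# Added example (not from the page or from Exim): exim -bp queue filters as
# one awk-based function, with a dry-run wrapper around exim -Mrm.

# Constructed `exim -bp`-style listing; ids and addresses are invented.
SAMPLE_QUEUE='25m  1.5K 1aBcDe-000001-AB <alice@example.com>
          bob@example.org

 3h   12K 1aBcDe-000002-CD <>
          postmaster@example.net

 6d  2.1K 1aBcDe-000003-EF <spam@example.com> *** frozen ***
          victim@example.org
          other@example.org

 2d   800 1aBcDe-000004-GH <alice@example.com>
          carol@example.org
'

# queue_ids FILTER: read `exim -bp` output on stdin and print the ids of the
# messages matching FILTER, one of:
#   all | null | frozen | older:SECONDS | from:REGEX
# Only header lines (those starting with an age such as " 3h") are examined,
# so recipient lines can never be mistaken for a message.
queue_ids() {
    awk -v filter="$1" '
        # Convert an age like "25m", "3h", "6d" to seconds.
        function to_secs(age,    unit, n) {
            unit = substr(age, length(age))
            n = substr(age, 1, length(age) - 1) + 0
            if (unit == "s") return n
            if (unit == "m") return n * 60
            if (unit == "h") return n * 3600
            return n * 86400            # "d"
        }
        /^ *[0-9]+[smhd] / {
            id = $3; sender = $4
            frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
            keep = 0
            if (filter == "all")           keep = 1
            else if (filter == "null")     keep = (sender == "<>")
            else if (filter == "frozen")   keep = frozen
            else if (filter ~ /^older:/)   keep = (to_secs($1) > substr(filter, 7) + 0)
            else if (filter ~ /^from:/)    keep = (sender ~ substr(filter, 6))
            if (keep) print id
        }'
}

# plan_removal FILTER: print the exim -Mrm commands the filter would run.
# Review the list, then pipe it to sh to actually remove the messages.
plan_removal() {
    queue_ids "$1" | sed 's/^/exim -Mrm /'
}

# Usage on the constructed listing; on a real host replace the printf with
# exim -bp, e.g.:  exim -bp | plan_removal older:432000
printf '%s' "$SAMPLE_QUEUE" | plan_removal older:86400
```

The dry run is the point: `exiqgrep -i ... | xargs exim -Mrm` is irreversible, so print the id list first, check that it is the set you expect, and only then feed it to exim -Mrm.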
Refer: http://bradthemad.org/tech/notes/exim_cheatsheet.php
http://www.inmotionhosting.com/support/email/exim/locate-spam-activity-by-subject-with-exim
Finding the malicious script that is sending spam from the server
1. Log in to the server via SSH as root.
2. Count the working directories from which mail was submitted, ignoring Exim's own spool:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
The output looks like this (the busiest directory is listed last):
25 /home/userna5/public_html
7866 /home/userna5/public_html/data
Now list the scripts in that directory, newest last:
3. ls -lahtr /home/userna5/public_html/data
In this case we got back:
drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./
So there is a script called mailer.php in this directory. Disable or remove that script, and
4. check the site's access log to see which IP addresses are hitting it:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
which gives output like this:
2 123.123.123.124
7860 123.123.123.123
Then block that IP address in the server firewall.
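The two log pipelines in steps 2 and 4 can be tried without a compromised server. The script below is an added example, not code from the original page or from cPanel/Exim: it wraps both pipelines as functions that read a log on stdin and runs them over constructed log lines. The line formats copy what the page shows (a cPanel exim_mainlog with cwd=... entries, an Apache-style access log); the user name, paths, timestamps and IP addresses are all made up.

```sh
#!/bin/sh
# Added example (not from the page): the "find the spam script" pipelines as
# functions, exercised on constructed log excerpts.

# Constructed /var/log/exim_mainlog excerpt. cPanel logs the working directory
# of the process that called sendmail as cwd=...; queue-runner lines carry
# cwd=/var/spool/exim and are noise for this purpose.
SAMPLE_MAINLOG='2024-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rH0aA-0001Ab-Cd
2024-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rH0aA-0001Ac-De
2024-01-20 11:27:04 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i'

# Constructed Apache-style access log for the site (one request per line).
SAMPLE_ACCESS_LOG='203.0.113.7 - - [20/Jan/2024:11:27:01 +0000] "POST /data/mailer.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.9 - - [20/Jan/2024:11:27:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2024:11:27:02 +0000] "POST /data/mailer.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.9 - - [20/Jan/2024:11:27:03 +0000] "GET /data/mailer.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2024:11:27:04 +0000] "POST /data/mailer.php HTTP/1.1" 200 312 "-" "curl/8.4.0"'

# cwd_counts: sendmail calls per working directory, busiest last
# (the step 2 pipeline, reading the log from stdin).
cwd_counts() {
    grep cwd= | grep -v /var/spool \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# top_cwd: only the directory with the most sendmail calls, i.e. the one
# to inspect with ls -lahtr next.
top_cwd() {
    cwd_counts | tail -n 1 | awk '{print $2}'
}

# script_hitters SCRIPT: requests for SCRIPT per client IP, busiest last
# (the step 4 pipeline, reading the access log from stdin).
script_hitters() {
    grep -F "$1" | awk '{print $1}' | sort | uniq -c | sort -n
}

# top_hitter SCRIPT: the single IP that requested SCRIPT most often,
# i.e. the candidate for the firewall block.
top_hitter() {
    script_hitters "$1" | tail -n 1 | awk '{print $2}'
}

# Usage on the constructed logs. On a real cPanel host:
#   cwd_counts < /var/log/exim_mainlog
#   script_hitters mailer.php < /home/userna5/access-logs/example.com
printf '%s\n' "$SAMPLE_MAINLOG" | cwd_counts
printf '%s\n' "$SAMPLE_ACCESS_LOG" | script_hitters mailer.php
```

Treat the top entry as a lead, not a verdict: a legitimate contact form in the busiest directory can also submit mail, so look at what the script does and who calls it before deleting it or blocking an address.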
Refer http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim for more details.