Exim commands

Basic information

1) Print a count of the messages in the queue: exim -bpc

2) Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient): exim -bp

3) Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):

    root@localhost# exim -bp | exiqsumm

4) Print what Exim is doing right now: exiwhat

5) Test how exim will route a given address:

root@localhost# exim -bt alias@localdomain.com
user@thishost.com
    <-- alias@localdomain.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@thishost.com
user@thishost.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@remotehost.com
  router = lookuphost, transport = remote_smtp
  host mail.remotehost.com [1.2.3.4] MX=0

6) Display all of Exim’s configuration settings: exim -bP

Searching the queue with exiqgrep

7) Use -f to search the queue for messages from a specific sender: exiqgrep -f [luser]@domain

8) Use -r to search the queue for messages for a specific recipient/domain: exiqgrep -r [luser]@domain

9) Print messages older than 1 day: exiqgrep -o 86400

10) Print messages older than 1 hour: exiqgrep -o 3600

11) Print just the message-id of the entire queue: exiqgrep -i

Managing the queue

12) Remove a message from the queue: exim -Mrm <message-id>

13) Remove all frozen messages: exiqgrep -z -i | xargs exim -Mrm

Remove deferred messages with an empty sender (<>): exim -bp | grep "<>" | awk '{print $3}' | xargs exim -Mrm

Remove the queued mail of a domain: exiqgrep -i -f domainname | xargs exim -Mrm

14) Remove all messages older than five days (86400 * 5 = 432000 seconds):

     root@localhost# exiqgrep -o 432000 -i | xargs exim -Mrm

Remove all mails in the mail queue: exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

or: exim -bp | grep "<" | awk '{print $3}' | xargs exim -Mrm

15) Freeze all queued mail from a given sender: exiqgrep -i -f luser@example.tld | xargs exim -Mf
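The removal one-liners above pipe `exim -bp` straight into `exim -Mrm`. As an added example (not part of the original cheat sheet), here is a dry-run selector in POSIX sh/awk that parses the same `exim -bp` listing and prints only the ids of messages that are frozen, have an empty sender (<>), or are older than a threshold in seconds, so the list can be reviewed before it is fed to `exim -Mrm`. The queue listing and message-ids below are constructed sample text in the shape `exim -bp` prints.

```shell
#!/bin/sh
# Dry-run selector over `exim -bp` output (added example, not from the page).
# Header line format: <age> <size> <message-id> <sender> [*** frozen ***]
# followed by indented recipient lines and a blank line between messages.

# Constructed sample queue listing; the message-ids are made up.
SAMPLE_QUEUE='25m  1.5K 1rRzK5-0001aa-Qz <user@thishost.com>
          someone@remotehost.com

 3d   2.3K 1rRzK5-0001ab-Rz <> *** frozen ***
          luser@example.tld

 2h    12K 1rRzK5-0001ac-Sz <alias@localdomain.com>
          user@thishost.com
          other@remotehost.com
'

# Usage: select_queue_ids MIN_AGE_SECONDS  (reads `exim -bp` text on stdin)
# Prints one message-id per line for every message that is frozen, has an
# empty sender, or has been queued for at least MIN_AGE_SECONDS.
select_queue_ids() {
    awk -v min_age="$1" '
        # Convert an exim age token such as 45s / 25m / 2h / 3d to seconds.
        function age_secs(a,   n, u) {
            n = substr(a, 1, length(a) - 1) + 0
            u = substr(a, length(a), 1)
            if (u == "s") return n
            if (u == "m") return n * 60
            if (u == "h") return n * 3600
            if (u == "d") return n * 86400
            return 0
        }
        # Only header lines start with an age token; recipient lines do not.
        $1 ~ /^[0-9]+[smhd]$/ {
            frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
            bounce = ($4 == "<>")
            if (frozen || bounce || age_secs($1) >= min_age) print $3
        }'
}

# Review the selection first, e.g.:
#   exim -bp | select_queue_ids 432000
# and only then pipe the reviewed ids into `xargs exim -Mrm`.
```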

16) View a message’s headers: exim -Mvh <message-id>

17) View a message’s body: exim -Mvb <message-id>

18) View a message’s logs: exim -Mvl <message-id>

19) One can search for messages sent from a particular IP address:

root@localhost# exigrep '<= .* \[12.34.56.78\] ' /path/to/exim_log

20) Search for messages sent to a particular IP address:

root@localhost# exigrep '=> .* \[12.34.56.78\]' /path/to/exim_log

21) To delete all queued messages containing a certain string in the body:

root@localhost# grep -lr 'a certain string' /var/spool/exim/input/ | \
               sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

Refer: http://bradthemad.org/tech/notes/exim_cheatsheet.php

http://www.inmotionhosting.com/support/email/exim/locate-spam-activity-by-subject-with-exim

Finding the malicious script running on the server

1. Log in to the server via SSH as root and run the command:

2. grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Running the above command gives output like this:

25 /home/userna5/public_html

7866 /home/userna5/public_html/data

Now we can run the following command to see what scripts are located in that directory:

3. ls -lahtr /home/userna5/public_html/data

In this case we got back:

drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../

-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php

drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

So we can see there is a script called mailer.php in this directory.

We can disable that script, or

4. check the access log to see what IP addresses are accessing this script using the following command:

grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

This generates output like this:

2  123.123.123.124

7860  123.123.123.123

Then block the IP in the server firewall.

Refer to http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim for more details.