Reading & Understanding the Exim Log
| Symbol | Meaning |
|---|---|
| `<=` | Arrival of a message (incoming mail). The address that follows is the envelope sender. |
| `=>` | Normal delivery of the message to one recipient (outgoing mail). |
| `->` | An additional address handled in the same delivery as the preceding `=>` line, for example an alias or forwarder that expands to several recipients on the same host. |
| `>>` | Cutthrough delivery: the message was passed straight on to the destination host while it was still being received, instead of being spooled first. This is requested with the `cutthrough_delivery` ACL modifier, usable in the RCPT ACL and only for single-recipient messages relayed from one SMTP connection to another. If a recipient-verify callout connection was opened in the same ACL it is kept open and used for the data; otherwise a connection is made after the ACL completes. |
| `*>` | Delivery suppressed by `-N` (a test run that does not actually deliver). |
| `**` | Delivery failed; the address bounced. |
| `==` | Delivery deferred because of a temporary problem; the message stays in the queue for retry. |
| `<>` | An empty envelope sender, i.e. a bounce message. The `<=` line of a locally generated bounce is followed by `R=<message id>`, naming the message that caused the bounce. |
You will also find tagged fields like the following on the main log lines:
| Tag | Meaning |
|---|---|
| `R=` | On a delivery (`=>`, `**`, `==`) line, the router that handled the address, e.g. `R=dnslookup` or `R=localuser`. On the `<=` line of a locally generated bounce (sender `<>`), the id of the message that caused the bounce. |
| `T=` | On a delivery line, the transport used, e.g. `T=remote_smtp` or `T=local_delivery`. On an arrival line, a quoted `T="..."` is the message's Subject header; it is present only when `log_selector` includes `+subject`. |
| `H=` | The remote host: its reverse-DNS name (if one was found), the HELO/EHLO name in parentheses when that differs, the IP address in square brackets and, with `+incoming_port`, the source port. Examples: `H=localhost (10.5.40.204) [127.0.0.1]:39753` (name localhost, HELO name 10.5.40.204, connecting from port 39753) and `H=mail.fictional.example [192.168.123.123]`. |
| `U=` | The local login name under which the message was handed to Exim on the command line (the `sendmail` interface or `-bs`), e.g. `U=exim`, `U=root`, or the web server's user when a PHP script calls `mail()`. Messages received over SMTP from a remote host do not carry it. |
| `I=` | The local interface and port the message arrived on, e.g. `I=[127.0.0.1]:25` (logged when `log_selector` includes `+incoming_interface`). |
| `P=` | On an arrival line, the protocol the message arrived by: `P=local`, `P=smtp`, `P=esmtp`, `P=esmtps` (over TLS), `P=esmtpa` (authenticated), `P=esmtpsa` (TLS and authenticated), among others. On delivery and bounce lines, when `return_path_on_delivery` logging is on, the return path being transmitted with the message; it is omitted if no delivery actually happens, for example when routing fails or delivery is to `/dev/null` or `:blackhole:`. |
| `A=` | On an arrival line, the authenticator used and the authenticated id, e.g. `A=dovecot_login:user@example.com`; this is the field that ties outbound spam to a compromised mailbox. On a delivery line, its presence means SMTP AUTH was used towards the remote host. |
| `S=` | The size of the message in bytes. |
| `M8S=` | The 8BITMIME status of a received message, added to the `<=` line when `log_selector` includes `+8bitmime`: 0 = not given, 7 = 7BIT, 8 = 8BITMIME. Useful for tracking down interoperability problems with ancient MTAs that are not 8-bit clean. |
| `id=` | The incoming message's `Message-ID:` header. Not to be confused with the Exim queue id, which is the third field of every log line and is what the `-M` commands further down take. |
| `from` | The original, unrewritten envelope sender, added after the word `from` when `log_selector` includes `+received_sender`. |
| `for` | The envelope recipient(s), added after the word `for` when `log_selector` includes `+received_recipients`. |
Telnet Tricks
- telnet is a plain-text protocol for opening a TCP connection to a remote host and port. For mail work it is the classic way to talk SMTP to a server by hand (telnet mailhost 25) and watch its banner, responses and rejections. Whether you can connect at all depends on the server's firewall and on Exim's host ACLs.
Delete ALL Mail from sender@domain.ext
- you can add -v to the command below for more verbose output.
- alternatively, bounce the messages instead of removing them (exim -Mg, see the queue commands below), so that a bounce-back is generated for each item. When the sender is a compromised local mailbox this lands in the user's own inbox, drives home how much harm the account is causing, and usually gets their attention. For spam with forged sender addresses it only produces backscatter to innocent third parties, so remove rather than bounce in that case.
Remove ALL Messages older than a set time
- (the example below uses 5 days: 86400 seconds in a day x 5 days = 432000 seconds)
Remove A Single Message from the Queue
Remove ALL Frozen Messages from the Queue
Remove ALL Messages from the Queue
Dealing with SPAM on EXIM Servers
Tail a domain's access logs
Look for suspicious activity: an unfamiliar file being requested, or one IP hammering a single script. Example:
Next, block that IP, and delete the script if, and only if, you have confirmed it is malicious.
If you are uncertain, set the file's permissions to 000 instead of deleting it (and keep a copy outside the web root if you will need it for later analysis), then leave a note on the account describing what you changed so no other agent is left in the dark.
Generate a list of IP addresses preceded by the number of times each one hit the site
be sure to replace <access.log> with the actual location of your log file.
Generate a list of the last 10000 hits to a website
be sure to replace <access.log> with the actual location of your log file; the number of hits can be changed.
Generate a list of the files or directories being requested, with hit counts
be sure to replace <access.log> with the actual location of your log file; the number of hits can be changed.
Grep access logs for a specific file or folder
Grep mail logs for the current working directories sending mail
When a script sends mail through Exim's sendmail interface (which is what PHP's mail() does) and the arguments log selector is enabled (it normally is on cPanel servers), the main log records the caller's working directory as cwd=/path followed by the command line, so counting the cwd= values shows which web directories are generating mail.
You can also use this to return a slightly different result
This should return a list like so:
Once you have the results, run the following to determine what .php scripts are in that directory
You should get a result like the one below (you may have more files):
Knowing the file name is phpfile.php, we can then investigate who is accessing this file to send spam and put a stop to them.
To do this we grep the access logs for the file with the following command
You should get a result like the one below, showing the culprit IP. Take whatever action is necessary to stop this user.
Here we can see that the IP 11.22.11.22 is the address that most often accesses the mailing script. We can then do one, some or all of the following:
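The investigation above, from the cwd= lines to the IP driving the script, as an added shell example that is not part of the original cheat sheet. It runs the counting pipelines over a constructed exim_mainlog excerpt and a constructed Apache combined-format access log written to a temp directory; the path /home/acme/public_html/wp-content/uploads, the script name phpfile.php and the IPs are sample values, and the cwd= line layout assumes Exim's arguments log selector.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): follow the trail from Exim's
# cwd= lines to the web script sending spam and the IP driving it.
# Assumes Exim logs local submissions with the "arguments" log selector
# ("cwd=<dir> N args: ..."), and a combined-format (Apache/nginx) access log.
# The log contents, paths, script name and IPs below are constructed.
set -u

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_MAINLOG="$SAMPLE_DIR/exim_mainlog"
SAMPLE_ACCESS="$SAMPLE_DIR/access_log"
SAMPLE_DOCROOT="$SAMPLE_DIR/public_html/wp-content/uploads"

cat >"$SAMPLE_MAINLOG" <<'EOF'
2017-06-01 10:15:01 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-06-01 10:15:01 1dGpXx-0001Ab-Cd <= acme@host.example U=acme P=local S=2048 T="You have won" for victim1@example.net
2017-06-01 10:15:02 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-06-01 10:15:03 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-06-01 10:16:00 cwd=/home/shop/public_html 3 args: /usr/sbin/sendmail -t -i
2017-06-01 10:17:00 cwd=/root 3 args: /usr/sbin/sendmail -t root
EOF

cat >"$SAMPLE_ACCESS" <<'EOF'
11.22.11.22 - - [01/Jun/2017:10:15:00 +0000] "POST /wp-content/uploads/phpfile.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
11.22.11.22 - - [01/Jun/2017:10:15:01 +0000] "POST /wp-content/uploads/phpfile.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
11.22.11.22 - - [01/Jun/2017:10:15:02 +0000] "POST /wp-content/uploads/phpfile.php?x=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2017:10:15:05 +0000] "GET /wp-content/uploads/phpfile.php HTTP/1.1" 200 312 "-" "curl/7.52"
198.51.100.7 - - [01/Jun/2017:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
EOF

# A stand-in for the suspect directory, with a dropped mailer script in it.
mkdir -p "$SAMPLE_DOCROOT"
: >"$SAMPLE_DOCROOT/phpfile.php"
: >"$SAMPLE_DOCROOT/image.jpg"

# Step 1: which working directories are calling sendmail, busiest first.
# Output: "<count> <directory>"
top_cwd() {
    grep -o 'cwd=[^ ]*' "$1" | sed 's/^cwd=//' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Step 2: the .php files in that directory (top level only; a dropped mailer
# usually sits right next to the upload that planted it).
php_in_dir() {
    find "$1" -maxdepth 1 -type f -name '*.php' | sort
}

# Step 3: requests per client IP for one script path. The ?query part is
# stripped before comparing, so phpfile.php and phpfile.php?x=1 count together.
# Output: "<count> <ip>"
ips_for_path() {
    awk -v want="$2" '{ path = $7; sub(/\?.*/, "", path); if (path == want) print $1 }' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The page's first access-log recipe: IPs by total hits on the site (top N, default 20).
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-20}" | sed 's/^ *//'
}

echo "== sendmail calls per cwd =="; top_cwd "$SAMPLE_MAINLOG"
echo "== php files in the suspect directory =="; php_in_dir "$SAMPLE_DOCROOT"
echo "== IPs calling phpfile.php =="; ips_for_path "$SAMPLE_ACCESS" /wp-content/uploads/phpfile.php
echo "== top IPs overall =="; top_ips "$SAMPLE_ACCESS" 5
```

On a live server point top_cwd at /var/log/exim_mainlog and ips_for_path at the domain's own access log. Paths under /root or /var belong to cron jobs and system processes rather than web scripts; the web directories with a high count are where to look.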
Find all Forwarders and Auto Responders
Top 5 Senders by email address
The number can be adjusted for a different number of accounts: "head -10" for the top 10 senders.
Most Common Subject and How many sent (Top 5)
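To make the tag table at the top of the page and the three recipes above (top senders, most common subject, and spotting a compromised mailbox) concrete, here is an added shell example that is not from the original page. It pulls top senders, top subjects and authenticated-id/client-IP pairs out of a constructed exim_mainlog excerpt. It assumes the default line layout (date, time, queue id, flag, sender, then tags) and that +subject logging is on so the T="..." field is present; all addresses, hosts, IPs and queue ids are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): mail-log statistics with the
# standard toolchain. Assumes Exim's default line layout
#   <date> <time> <queue-id> <flag> <sender> <tag>=<value> ...
# and log_selector +subject for the T="..." field. All data below is constructed.
set -u

SAMPLE_MAINLOG=$(mktemp)
trap 'rm -f "$SAMPLE_MAINLOG"' EXIT
cat >"$SAMPLE_MAINLOG" <<'EOF'
2017-06-01 09:00:01 1dGpXa-0001Aa-Aa <= bob@example.com H=(WIN-PC) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=2048 id=a1@example.com T="Invoice #4411" from <bob@example.com> for v1@example.net
2017-06-01 09:00:02 1dGpXa-0001Aa-Aa => v1@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]
2017-06-01 09:00:03 1dGpXa-0001Aa-Aa Completed
2017-06-01 09:00:05 1dGpXb-0001Ab-Bb <= bob@example.com H=(WIN-PC) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=2050 id=a2@example.com T="Invoice #4411" from <bob@example.com> for v2@example.net
2017-06-01 09:00:09 1dGpXc-0001Ac-Cc <= bob@example.com H=([10.0.0.5]) [192.0.2.77] P=esmtpa A=dovecot_login:bob@example.com S=2051 id=a3@example.com T="Invoice #4411" from <bob@example.com> for v3@example.net
2017-06-01 09:01:00 1dGpXd-0001Ad-Dd <= alice@example.com H=(laptop) [203.0.113.50] P=esmtpsa A=dovecot_plain:alice@example.com S=9112 id=b1@example.com T="Re: lunch" from <alice@example.com> for carol@example.org
2017-06-01 09:02:00 1dGpXc-0001Ac-Cc ** v3@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.25]: SMTP error from remote mail server after RCPT TO:<v3@example.net>: 550 No such user
2017-06-01 09:02:01 1dGpXe-0001Ae-Ee <= <> R=1dGpXc-0001Ac-Cc U=exim P=local S=3200 T="Mail delivery failed: returning message to sender" for bob@example.com
EOF

# Top envelope senders from "<=" arrival lines. "<>" is the null sender, i.e. a
# bounce; a high count there usually means backscatter or a broken forwarder.
# Output: "<count> <sender>"
top_senders() {
    awk '$4 == "<=" { print $5 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}" | sed 's/^ *//'
}

# Most common subjects. Only the quoted T="..." form is matched, so the
# T=<transport> tag on delivery lines is not mistaken for a subject.
# Output: "<count> \"<subject>\""
top_subjects() {
    grep -o ' T="[^"]*"' "$1" | sed 's/^ T=//' | sort | uniq -c | sort -rn | head -n "${2:-5}" | sed 's/^ *//'
}

# Authenticated submissions per (authenticated id, client IP), from the A= and
# H=... [ip] tags of arrival lines. The id is what follows A=<authenticator>:,
# the IP is the first [..] token with any :port suffix dropped.
# Output: "<count> <authenticator:id> <ip>"
auth_by_ip() {
    awk '$4 == "<=" {
        auth = ""; ip = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^A=/) auth = substr($i, 3)
            if (ip == "" && $i ~ /^\[/) { ip = $i; sub(/^\[/, "", ip); sub(/\].*$/, "", ip) }
        }
        if (auth != "") print auth, ip
    }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Distinct client IPs per authenticated account. One mailbox logging in from
# several unrelated networks in a short window is the classic compromised-account signature.
# Output: "<distinct-ip-count> <authenticator:id>"
ips_per_account() {
    auth_by_ip "$1" | awk '{ n[$2]++ } END { for (a in n) print n[a], a }' | sort -rn
}

echo "== top senders ==";              top_senders "$SAMPLE_MAINLOG"
echo "== top subjects ==";             top_subjects "$SAMPLE_MAINLOG"
echo "== auth id by client IP ==";     auth_by_ip "$SAMPLE_MAINLOG"
echo "== distinct IPs per account =="; ips_per_account "$SAMPLE_MAINLOG"
```

In the sample, bob@example.com is the top sender, "Invoice #4411" the top subject, and the same dovecot_login:bob@example.com credential has authenticated from two different networks, which is the combination that points at a stolen password rather than a chatty user. Subjects containing escaped quotes will be cut short by the simple T="[^"]*" match; that is acceptable for a ranking.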
Print a count of the messages in the queue:
root@localhost# exim -bpc
Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):
root@localhost# exim -bp
Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm
Print what Exim is doing right now:
root@localhost# exiwhat
Test how exim will route a given address:
root@localhost# exim -bt alias@localdomain.com
user@thishost.com
<-- alias@localdomain.com
router = localuser, transport = local_delivery
root@localhost# exim -bt user@thishost.com
user@thishost.com
router = localuser, transport = local_delivery
root@localhost# exim -bt user@remotehost.com
router = lookuphost, transport = remote_smtp
host mail.remotehost.com [1.2.3.4] MX=0
Run a pretend SMTP transaction from the command line, as if it were coming from the given IP address. This will display Exim's checks, ACLs, and filters as they are applied. The message will NOT actually be delivered.
root@localhost# exim -bh 192.168.11.22
Display all of Exim's configuration settings:
root@localhost# exim -bP
Exim includes a utility that is quite nice for grepping through the queue, called exiqgrep. Learn it. Know it. Live it. If you're not using this, and if you're not familiar with the various flags it uses, you're probably doing things the hard way, like piping `exim -bp` into awk, grep, cut, or `wc -l`. Don't make life harder than it already is.
First, various flags that control what messages are matched. These can be combined to come up with a very particular search.
Use -f to search the queue for messages from a specific sender. The argument is a case-insensitive regex tested against the sender address enclosed in angle brackets, so escape dots and anchor it when you want an exact match, e.g. -f '^<luser@domain\.tld>$'; -f '^<>$' matches bounces (null sender):
root@localhost# exiqgrep -f [luser]@domain
Use -r to search the queue for messages for a specific recipient/domain (again a regex, tested against each recipient address):
root@localhost# exiqgrep -r [luser]@domain
Use -o to print messages older than the specified number of seconds. For example, messages older than 1 day:
root@localhost# exiqgrep -o 86400 [...]
Use -y to print messages that are younger than the specified number of seconds. For example, messages less than an hour old:
root@localhost# exiqgrep -y 3600 [...]
Use -s to match the size of a message with a regex. For example, 700-799 bytes:
root@localhost# exiqgrep -s '^7..$' [...]
Use -z to match only frozen messages, or -x to match only unfrozen messages.
There are also a few flags that control the display of the output.
Use -i to print just the message-ids matching one of the above searches:
root@localhost# exiqgrep -i [ -r | -f ] ...
Use -c to print a count of messages matching one of the above searches:
root@localhost# exiqgrep -c ...
Print just the message-id of the entire queue:
root@localhost# exiqgrep -i
One can search for messages sent from a particular IP address:
root@localhost# exigrep '<= .* \[12.34.56.78\] ' /path/to/exim_log
Search for messages sent to a particular IP address:
root@localhost# exigrep '=> .* \[12.34.56.78\]' /path/to/exim_log
This example searches for outgoing messages, marked with "=>", sent to "user@domain.tld". exigrep groups log lines by queue id and prints every line of any message that has at least one matching line, so the output also contains each matched message's "<=" arrival line; piping through fgrep '<=' keeps only those, which carry the sender address, the sender's IP, the message size, the Message-ID and, if subject logging is enabled, the subject. The point of this construction is that the information you want is not on the same log line as the string you are searching for.
root@localhost# exigrep '=> .*user@domain.tld' /path/to/exim_log | fgrep '<='
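Why that pipeline works, as an added shell example that is not part of the original page: the awk below reimplements exigrep's grouping of log lines by queue id on a constructed two-message log, so the effect of exigrep followed by fgrep '<=' can be seen offline. It is not exigrep itself (which also reads rotated and compressed logs and has more options); the addresses, hosts and queue ids are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): what exigrep does and why
# "exigrep PATTERN | fgrep '<='" returns arrival lines. exigrep groups log
# lines by the queue id in field 3 and prints every line of any message that
# has at least one line matching PATTERN. This awk reproduces that grouping;
# it is not exigrep. All log data below is constructed.
set -u

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2017-06-01 09:00:01 1dGpXa-0001Aa-Aa <= bob@example.com H=(WIN-PC) [203.0.113.9] P=esmtpa S=2048 id=a1@example.com
2017-06-01 09:00:01 1dGpXb-0001Ab-Bb <= alice@example.com H=(laptop) [203.0.113.50] P=esmtpsa S=9112 id=b1@example.com
2017-06-01 09:00:02 1dGpXa-0001Aa-Aa => user@domain.tld R=dnslookup T=remote_smtp H=mx.domain.tld [198.51.100.25]
2017-06-01 09:00:02 1dGpXb-0001Ab-Bb => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.30]
2017-06-01 09:00:03 1dGpXa-0001Aa-Aa Completed
2017-06-01 09:00:03 1dGpXb-0001Ab-Bb Completed
EOF

# Print every log line of each message that has a line matching PATTERN.
# Two passes over the same file: first collect the queue ids of matching
# lines, then print all lines carrying one of those ids.
message_lines() {
    local pattern=$1 log=$2
    awk -v pat="$pattern" '
        NR == FNR {
            if ($0 ~ pat && $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/) want[$3] = 1
            next
        }
        ($3 in want)
    ' "$log" "$log"
}

# The page's trick: who sent the message(s) delivered to RECIPIENT? Match on
# the "=>" delivery line, then keep only each message's "<=" arrival line.
sender_of_delivery_to() {
    message_lines "=> .*$1" "$2" | grep -F '<='
}

echo "== every line for messages delivered to user@domain.tld =="
message_lines '=> .*user@domain.tld' "$SAMPLE_LOG"
echo "== just the arrival line: sender, client IP, size, Message-ID =="
sender_of_delivery_to user@domain.tld "$SAMPLE_LOG"
```

The delivery line for user@domain.tld carries only the recipient, router, transport and destination host; the sender and client IP live on the arrival line of the same queue id, which is exactly what the second pass recovers.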
Generate and display Exim stats from a logfile:
root@localhost# eximstats /path/to/exim_mainlog
Same as above, with less verbose output:
root@localhost# eximstats -ne -nr -nt /path/to/exim_mainlog
Same as above, for one particular day:
root@localhost# fgrep YYYY-MM-DD /path/to/exim_mainlog | eximstats
The main exim binary (/usr/sbin/exim) is used with various flags to make things happen to messages in the queue. Most of these require one or more message-IDs to be specified in the command line, which is where `exiqgrep -i` as described above really comes in handy.
Start a queue run:
root@localhost# exim -q -v
Start a queue run for just local deliveries:
root@localhost# exim -ql -v
Remove a message from the queue:
root@localhost# exim -Mrm <message-id> [ <message-id> ... ]
Freeze a message:
root@localhost# exim -Mf <message-id> [ <message-id> ... ]
Thaw a message:
root@localhost# exim -Mt <message-id> [ <message-id> ... ]
Deliver a message, whether it's frozen or not, whether the retry time has been reached or not:
root@localhost# exim -M <message-id> [ <message-id> ... ]
Deliver a message, but only if the retry time has been reached:
root@localhost# exim -Mc <message-id> [ <message-id> ... ]
Force a message to fail and bounce as "cancelled by administrator":
root@localhost# exim -Mg <message-id> [ <message-id> ... ]
Remove all frozen messages:
root@localhost# exiqgrep -z -i | xargs exim -Mrm
Remove all messages older than five days (86400 * 5 = 432000 seconds):
root@localhost# exiqgrep -o 432000 -i | xargs exim -Mrm
Freeze all queued mail from a given sender:
root@localhost# exiqgrep -i -f luser@example.tld | xargs exim -Mf
View a message's headers:
root@localhost# exim -Mvh <message-id>
View a message's body:
root@localhost# exim -Mvb <message-id>
View a message's logs:
root@localhost# exim -Mvl <message-id>
Add a recipient to a message:
root@localhost# exim -Mar <message-id> <address> [ <address> ... ]
Edit the sender of a message:
root@localhost# exim -Mes <message-id> <address>
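The "Delete ALL Mail from sender" and "Remove ALL Messages older than a set time" recipes earlier on the page and the -M flag list above are usually typed as exiqgrep -i ... | xargs exim -Mrm. Here is an added shell example, not from the original cheat sheet, that does the same thing with the two guard rails a practitioner wants: a preview of what is about to be removed, and batching that never runs exim with an empty id list (plain xargs without -r runs the command once even on empty input). It uses only the page's own commands (exiqgrep -i -f, exim -Mrm / -Mg / -Mf); the helper names and the DRY_RUN variable are mine, and it assumes exiqgrep and exim are in PATH. Remember that -Mg bounces to the envelope sender: fine for a compromised local mailbox, backscatter for forged senders.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): act on all queued mail
# from one sender with a preview first. Uses the page's commands
# (exiqgrep -i -f, exim -Mrm / -Mg / -Mf); helper names and DRY_RUN are mine.
# Assumes exiqgrep and exim are in PATH and you run as root or the exim user.
set -u

# exiqgrep -f takes a regex and tests it against "<address>", so a literal
# address needs its regex metacharacters (. and +) escaped and anchors inside
# the angle brackets; otherwise luser@example.tld also matches
# luser@example-tld.example.com and xluser@example.tld.
sender_regex() {
    printf '^<%s>$' "$(printf '%s' "$1" | sed 's/[.+]/\\&/g')"
}

# Queue ids of messages from a literal sender address.
ids_from_sender() {
    exiqgrep -i -f "$(sender_regex "$1")"
}

# Run exim, or only say what would run when DRY_RUN=1.
run_exim() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: exim $*"
    else
        exim "$@"
    fi
}

# Apply ACTION (rm | bounce | freeze) to the queue ids read from stdin, 50 ids
# per exim call so a huge queue does not hit the argument-length limit, and
# no exim call at all for an empty selection. Prints the number of ids acted on.
act_on_ids() {
    local action=$1 flag n=0 batch=0 id
    local -a ids=()
    case $action in
        rm)     flag=-Mrm ;;   # delete silently
        bounce) flag=-Mg  ;;   # fail as "cancelled by administrator", bounce to sender
        freeze) flag=-Mf  ;;   # keep for inspection with exim -Mvh / -Mvb
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        ids+=("$id"); batch=$((batch + 1))
        if [ "$batch" -ge 50 ]; then
            run_exim "$flag" "${ids[@]}"
            n=$((n + batch)); ids=(); batch=0
        fi
    done
    if [ "$batch" -gt 0 ]; then
        run_exim "$flag" "${ids[@]}"
        n=$((n + batch))
    fi
    echo "$n"
}

# purge_sender ACTION ADDRESS: show what is selected, then act on it.
purge_sender() {
    local action=$1 addr=$2 ids
    ids=$(ids_from_sender "$addr")
    if [ -z "$ids" ]; then
        echo "no queued mail from $addr"
        return 0
    fi
    echo "$(printf '%s\n' "$ids" | wc -l | tr -d ' ') message(s) queued from $addr, e.g.:"
    printf '%s\n' "$ids" | head -n 3
    printf '%s\n' "$ids" | act_on_ids "$action"
}

# Usage:  DRY_RUN=1 ./purge-sender.sh bounce luser@example.tld   # preview only
#         ./purge-sender.sh rm luser@example.tld                 # really remove
if [ $# -eq 2 ]; then
    purge_sender "$1" "$2"
fi
```

The same act_on_ids function takes any id list, so exiqgrep -z -i | act_on_ids rm clears frozen messages and exiqgrep -o 432000 -i | act_on_ids rm is the five-day cleanup from the page, each with batching and without touching the queue when the selection is empty.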
Credit: http://bradthemad.org/tech/notes/exim_cheatsheet.php
2017 Ⓒ