WHM/cPanel has the excellent MTA called Exim. The default settings are pretty good for keeping SPAM away, but every now and again a particularly conniving spammer will find a way around your defences. This article was born after yet another incident (Y.A.I.). In this particular case, the spammer triggered the emails slowly so as to avoid detection. Most of them had dating site messages, some quite suggestive about nude pictures. The text of each message was cleverly altered so as to avoid obvious repeat patterns, e.g. one would have “She might really like you” whereas another would say “She may really be fond of you”. You get the point.
So the aim of this article is to document a list of commonly used commands for deleting messages from the Exim queue.
Deleting based on body text
grep -lr 'the attached pictures' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
Replace 'the attached pictures' with your search text. grep -l lists every spool file containing it (each queued message has a -H header file and a -D body file under /var/spool/exim/input, possibly inside a subdirectory), sed strips the path and the -H/-D suffix to leave the message ID, sort -u keeps each ID once even when both files of a message match, and xargs hands the IDs to exim -Mrm as arguments. Run it as root, and remember that grep treats the search text as a regular expression.
Deleting based on sender
Typically one would delete based on sender in the Mail Queue management area of WHM, but if your spammer has spoofed the FROM: address you need to do manual work in the queue. Here is one command that will get rid of every queued message from a given sender:
exiqgrep -i -f '^<spammer@example\.com>$' | xargs exim -Mrm
Anatomy of the above exiqgrep command
Exiqgrep is like grep but just for the Exim queue
-i means return message IDs only
-f is a case-insensitive regular expression matched against the sender address, which exiqgrep wraps in angle brackets; anchoring it as ^<address>$ and escaping the dots matches that exact address rather than anything containing it (spammer@example.com above is a placeholder for the spoofed sender)
The output is then piped (|) through xargs to the exim removal command, because exim -Mrm takes message IDs as arguments, not on standard input
-Mrm This option requests Exim to remove the given messages from the queue; it must be run as root
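The following script is an added example, not code from the original article: it wraps both one-liners above in functions with a dry-run mode, de-duplicates message IDs, and builds a properly escaped and anchored sender regex for exiqgrep. It assumes a stock cPanel Exim with its spool under /var/spool/exim/input (split subdirectories are handled) and GNU xargs for the -r flag; the paths, message IDs and address used for illustration are made up.

```sh
#!/bin/sh
# Added example, not code from the original article. Wraps the two queue
# clean-up one-liners in functions with a dry-run mode, de-duplicated
# message IDs and a properly anchored sender regex. Assumes a stock cPanel
# Exim with its spool under /var/spool/exim/input and GNU xargs (-r).

SPOOL="${SPOOL:-/var/spool/exim/input}"

# Convert spool file paths (one per line on stdin, as `grep -l` prints them)
# into unique Exim message IDs. Each message has <id>-H (headers) and
# <id>-D (body); if the search string matches both files, grep lists both,
# so the IDs are de-duplicated. Journal (-J) and other files are ignored.
ids_from_spool_paths() {
    LC_ALL=C sed -n 's/^.*\/\([a-zA-Z0-9]*-[a-zA-Z0-9]*-[a-zA-Z0-9]*\)-[DH]$/\1/p' \
        | LC_ALL=C sort -u
}

# Build the argument for `exiqgrep -f`. exiqgrep treats it as a regular
# expression matched against the sender wrapped in angle brackets, so a bare
# address also matches longer addresses that contain it, and '.' matches any
# character. Escape the metacharacters and anchor it to the whole <address>.
sender_regex() {
    printf '^<%s>$' "$(printf '%s' "$1" | sed 's/[][\\.^$*+?(){}|]/\\&/g')"
}

# Remove the message IDs read from stdin, or just list them when DRY_RUN=1.
# exim -Mrm takes IDs as arguments, hence xargs; it must run as root.
run_removal() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        cat
    else
        xargs -r exim -Mrm
    fi
}

# Delete every queued message whose spool files contain the literal string $1.
purge_by_body() {
    grep -lrF -- "$1" "$SPOOL" | ids_from_spool_paths | run_removal
}

# Delete every queued message from the exact sender address $1.
purge_by_sender() {
    exiqgrep -i -f "$(sender_regex "$1")" | run_removal
}

# Usage: DRY_RUN=1 sh purge_queue.sh body 'the attached pictures'
#        sh purge_queue.sh sender spammer@example.com
case "${1:-}" in
    body)   purge_by_body "$2" ;;
    sender) purge_by_sender "$2" ;;
esac
```

Always do a DRY_RUN=1 pass first: a body search also matches legitimate mail that happens to contain the phrase, and the spooled IDs can be inspected before removal with exim -Mvh <id> (headers) or exim -Mvb <id> (body).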