Find Track Down That Filthy Spammer AND BLOCK THEM!

What You Will Learn Here

  1. How to get a list of the scripts that are sending email from your server.
  2. Get the IP address of the spammer.
  3. Block the IP address.

Log Into Your Server

Log into your server via SSH. These are terminal commands and cannot be performed from your cPanel or WHM. If you want to track and kill a spammer you have to be better at the game than he is.

Step one: enter this command into your terminal.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You will get back something like this:


15 /home/username1/public_html/about-us
25 /home/username2/public_html
12324 /home/username3/public_html/data

We see that username3 has sent more email than all the others combined. In fact it's ridiculous!

Enter this command to see what scripts are in that directory.

ls -lahtr /home/username3/public_html/data

We get back something like this:

drwxr-xr-x 17 username3 username3 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 username3 username3 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 username3 username3 4.0K Jan 20 11:27 ./

Look at the dirty little script called mailer.php in the directory! To verify that it is a mailer script you can open it in nano.

nano /home/username3/public_html/data/mailer.php

This just lets you look inside the file and see what is going on. If you see mail-sending code in there, you know that is the problem. You can edit that file and make it useless to the spammer.

Now that we know this mailer.php script was the culprit, we can check our Apache access logs to see what IP address was hitting it.

grep "mailer.php" /home/username3/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You will get back a list like this:

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
12324 123.123.123.123

You can plainly see that 123.123.123.123 was the IP address accessing that script to send spam. Block the SOB by entering this into your terminal.

apf -d 123.123.123.123 "Spamming from script in /home/username3/public_html/data"
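The three steps above wrapped into one small script, as an added example that is not from the original post. The two log counts are shell functions so they can be rerun against the real files (/var/log/exim_mainlog and /home/<user>/access-logs/<domain>); here they run against constructed sample log lines, so every path, domain and IP in the samples is an assumption, and the block command is only printed, not executed.

```shell
#!/bin/sh
# Constructed exim_mainlog excerpt: cwd= is the directory the sending script ran from.
EXIM_SAMPLE='2016-12-14 10:25:01 cwd=/home/username1/public_html/about-us 3 args: /usr/sbin/sendmail -t -i
2016-12-14 10:25:02 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -t -i
2016-12-14 10:25:03 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i
2016-12-14 10:25:04 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i
2016-12-14 10:25:05 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i'

# Constructed Apache access log excerpt (combined format; first field is the client IP).
ACCESS_SAMPLE='203.0.113.7 - - [14/Dec/2016:10:25:03 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.47"
198.51.100.9 - - [14/Dec/2016:10:25:03 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2016:10:25:04 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.47"
203.0.113.7 - - [14/Dec/2016:10:25:05 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.47"
198.51.100.9 - - [14/Dec/2016:10:25:06 -0500] "GET /data/mailer.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Step 1: count sending directories in an exim_mainlog, skipping the mail spool
# (cron and system mail), busiest directory last.
sending_dirs() {
  grep cwd "$1" | grep -v /var/spool | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
    | sort | uniq -c | sort -n
}

# Path of the directory with the most sends (last line of sending_dirs).
top_sending_dir() {
  sending_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# Step 2: count the client IPs that requested the suspect script in an access log.
script_clients() {
  grep "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -n
}

# IP that hit the script most often (last line of script_clients).
top_client_ip() {
  script_clients "$1" "$2" | tail -n 1 | awk '{print $2}'
}

# Demo run against the constructed samples written to temporary files.
EXIM_TMP=$(mktemp); ACCESS_TMP=$(mktemp)
printf '%s\n' "$EXIM_SAMPLE" > "$EXIM_TMP"
printf '%s\n' "$ACCESS_SAMPLE" > "$ACCESS_TMP"
DIR=$(top_sending_dir "$EXIM_TMP")                 # /home/username3/public_html/data
IP=$(top_client_ip "$ACCESS_TMP" mailer.php)       # 203.0.113.7
echo "busiest sending directory: $DIR"
echo "top client for mailer.php: $IP"
echo "step 3 would be: apf -d $IP \"Spamming from script in $DIR\""
rm -f "$EXIM_TMP" "$ACCESS_TMP"
```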

For more info see http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim

Find Track Down That Filthy Spammer AND BLOCK THEM! was last modified: December 14th, 2016 by Maximus Mccullough
