how to use Email EXIM Queue finder

 


The Email EXIM Queue finder lets you search the Exim mail queue for messages to or from a given address. This page shows how to use it to inspect the content of a possible outgoing spam run
detected by ASSP Deluxe (the notification arrives as an email with the subject "ASSP Deluxe : possible outgoing SPAM activity detected").


Suppose you receive an email like this from ASSP Deluxe

2033 email sent ::= > /home/gztdny/public_html/wp-content/uploads
:: Example email ::
2012-01-31 02:06:27 1Rrvn3-00041M-SX <= toby_campbell@gazetedun.net U=gztdny P=local S=1400 T="Hello"
2012-01-31 02:06:28 1RsDuq-0003tS-To <= toby_campbell@gazetedun.net U=gztdny P=local S=1400 T="Hello"
2012-01-31 02:06:28 1RsFBS-0002ZA-UM <= toby_campbell@gazetedun.net U=gztdny P=local S=1400 T="Hello"


You want to know the content (header and body) of the messages sent by your user gztdny from the address toby_campbell@gazetedu.net with the subject "Hello", to decide whether they are unsolicited.

Open the ASSP WHM interface, click "Email EXIM Queue finder", enter the address toby_campbell@gazetedu.net and click "Search Queue".

You should get a list of the matching spool files. Exim keeps each queued message as two files under /var/spool/exim/input: the -H file holds the envelope and the headers, the -D file holds the body.

Click one of them, for example /var/spool/exim/input/3/1Rrvn3-00041M-SX-H, and you will be able to read the header and the body of that message.
If you find a message like this ..

1Rrvn3-00041M-SX-H
gztdny 2461 2459
<brandon_cantrell@gazetedu.net>
1328015643 0
-ident gztdny
-received_protocol local
-body_linecount 23
-max_received_linelength 76
-auth_id gztdny
-auth_sender gztdny@dsh.unix1.info
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
XX
1
bevelcnc@aol.com

198P Received: from gztdny by dsh.unix1.info with local (Exim 4.69)
(envelope-from <brandon_cantrell@gazetedu.net>)
id 1RsDX9-002ulv-D1
for bevelcnc@aol.com; Tue, 31 Jan 2012 05:14:03 -0800
021T To: bevelcnc@aol.com
015 Subject: Hello
060F From: "Brandon Cantrell" <brandon_cantrell@gazetedu.net>
018 MIME-Version: 1.0
071 Content-Type: multipart/mixed; boundary="==5f01c2ee5634bd51a30c7737=="
052I Message-Id: <E1RsDX9-002ulv-D1@dsh.unix1.info>
038 Date: Tue, 31 Jan 2012 05:14:03 -0800


1Rrvn3-00041M-SX-D
--==5f01c2ee5634bd51a30c7737==
Content-Type: multipart/related; boundary="==5b840872ac47adf68f6f0cbe==";
type="text/html"

--==5b840872ac47adf68f6f0cbe==
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: base64
(base64-encoded body omitted)
--==5b840872ac47adf68f6f0cbe==--

--==5f01c2ee5634bd51a30c7737==--

The body is base64-encoded. Decode it with any base64 decoder, for example an online service: paste the encoded section, choose "decode the data from a Base64 string (base64 decoding)" and click "convert source data".

You will receive this decoded section:

<div>Can you b<SPAN style='float: right;'> ll </SPAN>elieve it? You're not going to pay a lot for pil<SPAN style='float: right;'> fa </SPAN>ls. <br>
Make your life hea<SPAN style='float: right;'> tn </SPAN>lthier for appropriate pric<SPAN style='float: right;'> lp </SPAN>e here!</div>
<h1><a href="http://recall.salko.org.ua/cache/r1wo3.html">Vlag<SPAN style='float: right;'> us </SPAN>ra $0.90 Cla<SPAN style='float: right;'> mk </SPAN>lis $1.80</a></h1>
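The same decoding can be done on the server itself, which avoids pasting a customer's mail into a third-party web site. The script below is an added example (it is not part of the ASSP Deluxe page or tool): it pulls the base64 part out of a -D spool file, decodes it with GNU coreutils base64, and strips the "<SPAN style='float: right;'>" fragments so the real wording of the message is readable. The -D file and the HTML it contains are constructed samples, not the original message; GNU sed -E is assumed.

```shell
#!/bin/sh
# Added example (not the page's own code): decode a base64 MIME part from an
# Exim -D spool file and remove the floated junk spans that break up keywords.
# Assumes GNU coreutils (base64 -d, fold) and GNU sed -E.

# Constructed sample of the obfuscation technique seen in the decoded spam:
# junk letters inside a right-floated span, so "pil" + "ls" renders as "pills"
# in a browser while a keyword filter only sees the broken word.
SAMPLE_HTML="<div>Can you b<SPAN style='float: right;'> ll </SPAN>elieve it? Cheap pil<SPAN style='float: right;'> fa </SPAN>ls.</div>"

# Constructed -D file: one base64 part, wrapped at 76 columns like real mail.
SAMPLE_B64=$(printf '%s' "$SAMPLE_HTML" | base64 | fold -w 76)
SAMPLE_D="1Rrvn3-00041M-SX-D
--==5f01c2ee5634bd51a30c7737==
Content-Type: text/html; charset=\"iso-8859-1\"
Content-Transfer-Encoding: base64

$SAMPLE_B64
--==5f01c2ee5634bd51a30c7737==--"

# extract_b64_part: print only the encoded lines of the first base64 part of
# a -D file read on stdin (from the blank line after the
# Content-Transfer-Encoding header up to the next MIME boundary).
extract_b64_part() {
    awk '
        /^Content-Transfer-Encoding: base64/ { inhdr = 1; next }
        inhdr && /^$/                        { inbody = 1; inhdr = 0; next }
        inbody && /^--/                      { exit }
        inbody                               { print }
    '
}

# deobfuscate: decode base64 from stdin, drop the floated junk spans, then
# strip the remaining tags so the real wording is readable.
deobfuscate() {
    base64 -d \
      | sed -E "s#<SPAN style='float: right;'>[^<]*</SPAN>##g" \
      | sed -E 's#<[^>]+>##g'
}

# readable_body: a -D file on stdin -> decoded, de-obfuscated text.
readable_body() {
    extract_b64_part | deobfuscate
}

# Demo on the constructed sample; on a real server use
#   readable_body < /var/spool/exim/input/3/1Rrvn3-00041M-SX-D
printf '%s\n' "$SAMPLE_D" | readable_body
```

Only the first base64 part is extracted; a multipart/mixed message with an attachment would need the same awk run once per part. Stripping the spans before judging the text matters because the obfuscation is aimed at exactly the kind of keyword check an analyst does by eye on the raw decoded HTML.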

This is clearly an unsolicited message sent by user gztdny. Note the <SPAN style='float: right;'> fragments: each one inserts a couple of junk letters inside a word ("pil ... ls") and floats them to the right, so a browser renders "pills" while a keyword filter sees only the broken word. You can now act to stop the outgoing spammer: suspend user gztdny,
and remove all the matching messages currently in the queue with a command like this
 

# grep -lr 'string to match' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm


Simply replace 'string to match' with a string that appears inside the message, for example a few characters of the base64 body such as CjxkaXY+Q2F. Pick a fragment that sits within a single line, because the base64 body is wrapped at 76 characters and grep matches line by line. If both the -H and the -D file of a message match, its id is listed twice and the second removal simply fails because the message is already gone. The linked page collects other useful commands for managing the queue.
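A safer form of the same purge, written here as an added example rather than taken from the page or from ASSP Deluxe: it prints the matching message ids first and only calls exim -Mrm when CONFIRM=yes is set, de-duplicates ids that match in both the -H and the -D file, ignores other spool files such as -J journals, and accepts an alternative spool directory so it can be tried against a copy. The path /var/spool/exim/input is the cPanel default; GNU grep and sed and an exim binary in PATH are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the page's or ASSP Deluxe's code): find queued messages
# whose spool files contain a string, show their ids, and remove them only on
# explicit confirmation. Assumes GNU grep/sed and the exim binary in PATH.

# queue_ids_matching STRING [SPOOLDIR]
# Prints each matching Exim message id once. grep may list both the -H and
# the -D file of one message, so ids are de-duplicated; other spool files
# (for example -J journals) are ignored.
queue_ids_matching() {
    pattern=$1
    spool=${2:-/var/spool/exim/input}
    grep -lrF -- "$pattern" "$spool" 2>/dev/null \
      | grep -E -e '-[DH]$' \
      | sed -E 's#^.*/([A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+)-[DH]$#\1#' \
      | LC_ALL=C sort -u
}

# purge_queue_matching STRING [SPOOLDIR]
# Dry run unless CONFIRM=yes: lists what would be removed, then exim -Mrm.
purge_queue_matching() {
    ids=$(queue_ids_matching "$1" "$2")
    if [ -z "$ids" ]; then
        echo "no queued message contains '$1'" >&2
        return 1
    fi
    if [ "${CONFIRM:-no}" = "yes" ]; then
        printf '%s\n' "$ids" | xargs exim -Mrm
    else
        printf 'would remove (set CONFIRM=yes to do it):\n%s\n' "$ids"
    fi
}

# Usage on the live spool, first as a dry run, then for real:
#   purge_queue_matching 'CjxkaXY+Q2F'
#   CONFIRM=yes purge_queue_matching 'CjxkaXY+Q2F'
```

When the criterion is the envelope sender rather than a string in the body, Exim's own exiqgrep does the search without reading every spool file: exiqgrep -i -f 'toby_campbell@gazetedun.net' prints just the matching ids, which can be piped to xargs exim -Mrm in the same way.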
 

Another example of outgoing spam activity sent using a script

Suppose you receive an email notification from ASSP Deluxe about spam activity in /home/user/public_html, or, looking at the EMAIL QUEUE page, you
suspect outgoing activity from /home/user/public_html (such mail is usually sent as user@hostname).

First search the Exim main log for messages handed in from that directory:

 grep -A1 "cwd=/home/user/public_html" /var/log/exim_mainlog

Suppose you get this result:

2014-12-22 18:53:47 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2014-12-22 18:53:47 1Y3DjP-003Wba-93 <= user@hostname.domain.com U=user P=local S=2011 id=261501.20141223045346@gmail.com T="59086..67...Responsible? Goal-oriented? Wish to earn? Join Us!" for morgan.kier11@yahoo.com

You have found outgoing spam sent by a script in /home/user/public_html with the subject "59086..67...Responsible? Goal-oriented? Wish to earn? Join Us!"

Now find the script that sent the mail. First list the files in that directory (all files, with sizes, sorted by modification time with the newest last):

ls -lahtr /home/user/public_html

If you can't identify the malicious script from that listing,
check the user's Apache access log.

Open the domain's access log, /home/user/access-logs/customerdomain.com, with an editor such as pico:

pico /home/user/access-logs/customerdomain.com

You already know the mail was handed in at 18:53:47 on 22 Dec, so look in the Apache log for any request to a script at 18:53:47 on 22 Dec. You may find something like this:

37.130.227.133 - - [22/Dec/2014:18:53:47 -0600] "GET /bmyprofap_back.php?ping HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

You have found the script used to send the spam, bmyprofap_back.php.
Delete /home/user/public_html/bmyprofap_back.php, or chmod 000 it if you want to keep a copy for analysis,
and the outgoing script activity stops. That stops this run only: also find out how the file was uploaded and close that hole, otherwise it will be back.

You can also block the spammer's IP, in this case 37.130.227.133, in the firewall.
 

How to get a list of emails sent by scripts

If you suspect outgoing spam from a script but received no notification because the volume was low, the command below lists how many messages were handed in from each working directory, leaving out the system directories that send mail legitimately:

grep cwd /var/log/exim_mainlog | egrep -v "cwd=/ |/var/spool|cwd=/usr|cwd=/root|cwd=/etc" | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
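Putting the log searches of the two sections above together, here is an added example that is not part of the page or of ASSP Deluxe: it tallies hand-ins per working directory as the command above does, lists every message handed in from a given web directory with its timestamp, id, sender and subject (the grep -A1 step), converts the timestamp to Apache's log format and pulls the web requests logged in the same second, which is the manual correlation done in the Apache log earlier. The two log files are constructed samples built from the lines shown on this page; the example assumes GNU awk, grep and sed, cPanel-style log paths, and that Exim and the web server log in the same local time.

```shell
#!/bin/sh
# Added example (not the page's or ASSP Deluxe's code): correlate script
# mail hand-ins in exim_mainlog with the Apache access log, and tally sends
# per working directory. Assumes GNU awk/grep/sed and cPanel log paths.

# sends_per_cwd MAINLOG
# Same idea as the one-liner above: count handed-in messages per cwd,
# skipping the system directories that legitimately send mail.
sends_per_cwd() {
    grep -o ' cwd=[^ ]*' "$1" \
      | sed 's/^ cwd=//' \
      | grep -Ev '^(/|/var/spool|/usr|/root|/etc)(/|$)' \
      | LC_ALL=C sort | uniq -c | sort -n
}

# sends_from_dir MAINLOG DIR
# For each "cwd=DIR" line followed by its "<=" hand-in line, print
# "YYYY-MM-DD HH:MM:SS|message-id|envelope-sender|subject".
sends_from_dir() {
    awk -v dir="$2" '
        index($0, " cwd=" dir " ") { ts = $1 " " $2; pending = 1; next }
        pending && $4 == "<=" {
            subj = $0; sub(/.* T="/, "", subj); sub(/".*/, "", subj)
            print ts "|" $3 "|" $5 "|" subj
            pending = 0; next
        }
        { pending = 0 }
    ' "$1"
}

# apache_ts "YYYY-MM-DD HH:MM:SS" -> "DD/Mon/YYYY:HH:MM:SS" (no GNU date needed)
apache_ts() {
    echo "$1" | awk '{
        split($1, d, "-")
        mon = substr("JanFebMarAprMayJunJulAugSepOctNovDec", (d[2] - 1) * 3 + 1, 3)
        printf "%s/%s/%s:%s\n", d[3], mon, d[1], $2
    }'
}

# requests_at ACCESSLOG "YYYY-MM-DD HH:MM:SS"
# Print "client-ip|request line" for every hit logged in that second.
requests_at() {
    stamp=$(apache_ts "$2")
    grep -F -- "[$stamp " "$1" \
      | awk -F'"' '{ split($1, a, " "); print a[1] "|" $2 }'
}

# trace_script_mail MAINLOG ACCESSLOG DIR
# For each message sent from DIR, show the hand-in and the web requests that
# hit the site in the same second; the script named there is the suspect.
trace_script_mail() {
    sends_from_dir "$1" "$3" | while IFS='|' read -r ts id sender subj; do
        printf '%s %s from %s subject="%s"\n' "$ts" "$id" "$sender" "$subj"
        requests_at "$2" "$ts" | sed 's/^/    web hit: /'
    done
}

# Constructed sample logs (built from the lines shown on this page).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/exim_mainlog" <<'EOF'
2014-12-22 18:53:47 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2014-12-22 18:53:47 1Y3DjP-003Wba-93 <= user@hostname.domain.com U=user P=local S=2011 id=261501.20141223045346@gmail.com T="59086..67...Responsible? Goal-oriented? Wish to earn? Join Us!" for morgan.kier11@yahoo.com
2014-12-22 18:53:48 cwd=/usr/local/cpanel/whostmgr 2 args: /usr/sbin/sendmail -t
2014-12-22 18:53:48 1Y3DjQ-003Wbb-94 <= root@hostname.domain.com U=root P=local S=700 T="cPanel notice" for root@hostname.domain.com
2014-12-22 19:10:02 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2014-12-22 19:10:02 1Y3DzC-003Wzz-01 <= user@hostname.domain.com U=user P=local S=2011 T="Join Us!" for other@example.com
EOF
cat > "$DEMO_DIR/access_log" <<'EOF'
192.0.2.9 - - [22/Dec/2014:18:52:10 -0600] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
37.130.227.133 - - [22/Dec/2014:18:53:47 -0600] "GET /bmyprofap_back.php?ping HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
37.130.227.133 - - [22/Dec/2014:19:10:02 -0600] "POST /bmyprofap_back.php HTTP/1.1" 200 7 "-" "Mozilla/5.0"
EOF

sends_per_cwd "$DEMO_DIR/exim_mainlog"
trace_script_mail "$DEMO_DIR/exim_mainlog" "$DEMO_DIR/access_log" /home/user/public_html
```

On a real server point the functions at /var/log/exim_mainlog and /home/user/access-logs/customerdomain.com. The per-second match is deliberately strict; if the web hit and the hand-in differ by a second because the script did work before calling sendmail, widen the window by checking the neighbouring seconds as well. Several web hits in the same second are all listed, and the one that requests an unfamiliar .php file from an address that keeps coming back is the one to look at first.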