EXIM Outgoing SPAM Detection

Note that this is of course not a one-step solution to dealing with outgoing SPAM – but it does help, and saves manual labour. The script itself is very simple, and what it does is:

It runs the following command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’ | sort | uniq -c | sort -n

It then parses the output of the above. If any output is above your pre-defined limit, it will send an e-mail alert.

There are two configuration files. One is whitelist.txt – in this file, you’ll add the full path to any script you wish to whitelist (which then won’t generate alerts). Use this for scripts that are above the limit, but that you’ve verified are not sending out SPAM. Add each exception on a new line.

The second is mail_addr.txt, in which you add each e-mail you want alerts sent to. Each e-mail should be added on a new line.
Quote Originally Posted by Example mail_addr
[email protected]
[email protected]

The folder “logs” will contain the output of the script, basically any users above the limit that aren’t white-listed.

Here is the setup Instructions.
1. Open fetch.sh with your favorite text editor

Set this to whatever number of e-mails the script should trigger alerts at. Defaults to 500.

Full path to the list of e-mails alerts should be sent to

Full path to the whitelist text file.

Temporary file, can be left as default.
Edit the path to reflect where you want logs stored.

2. Place the script at your desired location on the server, and set up a cron job for it to run.
The script can be called with parameters as well.
This is an example cron, running the script every 6 hours, with a limit of 1000.
0 */6 * * * /your/script/location/fetch.sh -l 1000