HestiaCP uses Exim4 by default for email delivery, so the simplest way to determine if any account is sending SPAM is to check the email queue and service logs. Below are some Exim commands to verify the email queue and logs that will help in identifying SPAM sending from the server.
Index:
- Verification of emails in queue
- Review of emails in queue
- Deletion of emails in queue
- Retrieving information from Exim logs
- Other Exim options
Verification of emails in queue
The following command will display the total number of emails in the queue:
# exim -bpc
Display the total count of frozen emails in the queue:
# exim -bp | grep frozen | wc -l
Display the IDs of frozen emails:
# exim -bp | grep frozen | awk '{print $3}'
The following command results in the detailed list of all emails in the queue:
# exim -bp
It provides the age, size, message ID, sender, and recipient of each email. The message ID obtained here is what you will use to identify SPAM through the email's header, body, and log. Example output:
12h 743 3FD-0002ec-FM <sender@domain.com> recipient@example.com
1m 532 1Nl-0022bf-DS <sender@domain.com> recipient@example.com
4m 568 1AF-0033an-tQ <sender@domain.com> recipient@example.com
The first field is the age in the queue, the second is the email size, the third is the message ID, and the fourth and fifth are the sender and recipient mailboxes.
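As an added example (not part of the original tutorial), the shell function below groups `exim -bp` output by envelope sender so the accounts with the most queued mail stand out. The function names and the sample queue are constructed for illustration; the sample uses the multi-line layout Exim prints, with recipients on indented lines under each message, and the one-line form shown above is accepted too.

```shell
# Constructed sample queue: header line with age, size, message ID and
# <sender>, followed by one indented line per pending recipient.
sample_queue() {
cat <<'EOF'
12h   743 1rAbCd-0002ec-FM <news@shop.example>
          alice@example.com

 1m   532 1rAbCe-0022bf-DS <news@shop.example>
          bob@example.net
          carol@example.org

 4m   568 1rAbCf-0033an-tQ <info@blog.example>
          dave@example.com

45h  2.1K 1rAbCg-0001aa-Xy <> *** frozen ***
          news@shop.example
EOF
}

# Reads `exim -bp` output on stdin and prints one line per envelope sender:
#   messages  pending_recipients  frozen_messages  sender
# sorted with the busiest sender first. "<>" is the empty sender of a bounce.
queue_senders() {
  awk '
    $4 ~ /^<.*>$/ {                      # header line of a queued message
      s = $4
      msgs[s]++
      if ($0 ~ /\*\*\* frozen \*\*\*/) frozen[s]++
      if (NF == 5) rcpts[s]++            # one-line form: recipient is field 5
      next
    }
    NF == 1 && s != "" { rcpts[s]++ }    # indented pending-recipient line
    END {
      for (k in msgs)
        printf "%d %d %d %s\n", msgs[k], rcpts[k], frozen[k], k
    }' | sort -k1,1nr -k2,2nr
}

# On the server: exim -bp | queue_senders
sample_queue | queue_senders
```

A sender with many messages and many recipients per message is the first candidate to inspect with the message ID commands in the next section.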
Review of emails in queue
You can use the message ID to find the header, body, and log of the email. For example, with the following command, you can view the header of the email:
# exim -Mvh message_ID
From the displayed output, you can verify the From address, the To address, subject, date, dash, etc.
With the following command, you can review the body of the email:
# exim -Mvb message_ID
And with the following command, it will display the log of the email:
# exim -Mvl message_ID
From this log, you will obtain details of the original user who logged in to send the email.
This command shows the total count of emails sent by a specific user in the queue.
# exiqgrep -f user@domain.com | wc -l
This command will print the summary of emails in the queue:
# exim -bp | exiqsumm
Example:
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    1    6041     11h     11h  facebook.com
    1     763     45h     45h  domain.com
---------------------------------------------------------------
    2    6804     45h     11h  TOTAL
Deletion of emails in queue
Delete an email from the queue by its ID:
# exim -Mrm message_ID
Delete all emails addressed to a specific domain (exiqgrep -r matches the recipient address):
# exiqgrep -i -r domain.com | xargs exim -Mrm
Delete all emails from a specific mailbox:
# exiqgrep -i -f user@domain.com | xargs exim -Mrm
Delete all frozen emails:
# exiqgrep -z -i | xargs exim -Mrm
Retrieving information from Exim logs
Display summary of exim logs:
# eximstats /var/log/exim4/mainlog*
Messages delivered by mailbox:
# zgrep user@example.com /var/log/exim4/mainlog* | grep delivery
Display logs of a message:
# zgrep message_ID /var/log/exim4/mainlog*
Other Exim options
Check current actions of Exim:
# exiwhat
Force/flush the queue:
# exim -qff