[SOLVED] how to control Exim Usage in server?

i have check my server exim -bpc command and the frozen message auto generating in every few seconds and i clear all messages then again auto generate frozen message so how to block it?

First of all investigate why mails are frozen.

The exim documentation says:

Freezing occurs when a bounce message encounters a permanent failure because the sender address of the original message that caused the bounce is invalid, so the bounce cannot be delivered. This is probably the most common case, but there are also other conditions that cause freezing, and frozen messages are not always bounce messages.

By default, frozen bounce messages will be deleted after 2 days and other messages after 7 days.
This post on stackoverflow shows a good way to search for reasons why messages are frozen.

How to Find a spam script location with Exim

Run the following command to pull the most used mailing script’s location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’ | sort | uniq -c | sort -n

You should get back something like this:

15 /home/user/public_html/about-us
25 /home/user/public_html
78 /home/user/public_html/data

Now we can run the following command to see what scripts are located in that directory:

ls -lahtr /user/public_html/data

In thise case we got back:

drwxr-xr-x 17 user user 4.0K Jan 20 10:25 …/
-rw-r–r– 1 user user 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 user user 4.0K Jan 20 11:27 ./

So we can see there is a script called mailer.php in this directory

Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

grep “mailer.php” /home/user/access-logs/example.com | awk ‘{print $1}’ | sort -n | uniq -c | sort -n

You should get back something similar to this:


We can see the IP address was using our mailer script in a malicious nature.

If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.

This can be accomplished with the following command:

apf -d “Spamming from script in /home/user/public_html/data”

Hope this will work for you. If not then try posting EXIM log here for future audit.
Thank you so much.

1 Like

now i checked 1k frozen message available and all generating one domain [email protected] so i don;t need this domain mail service so how to block this particular email domain to generate frozen messages ? any command to do block