[SOLVED] how to control Exim Usage in server?

I have checked my server with the exim -bpc command and frozen messages are auto-generated every few seconds. I clear all messages, then frozen messages are generated again, so how do I block it?

First of all investigate why mails are frozen.

The exim documentation says:

Freezing occurs when a bounce message encounters a permanent failure because the sender address of the original message that caused the bounce is invalid, so the bounce cannot be delivered. This is probably the most common case, but there are also other conditions that cause freezing, and frozen messages are not always bounce messages.

By default, frozen bounce messages will be deleted after 2 days and other messages after 7 days.
This post on stackoverflow shows a good way to search for reasons why messages are frozen.

How to Find a spam script location with Exim

Run the following command to pull the most used mailing script’s location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You should get back something like this:

15 /home/user/public_html/about-us
25 /home/user/public_html
78 /home/user/public_html/data

Now we can run the following command to see what scripts are located in that directory:

ls -lahtr /home/user/public_html/data

In this case we got back:

drwxr-xr-x 17 user user 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 user user 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 user user 4.0K Jan 20 11:27 ./

So we can see there is a script called mailer.php in this directory.

Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

grep "mailer.php" /home/user/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
78 123.123.123.123

We can see the IP address 123.123.123.123 was using our mailer script in a malicious nature.

If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.

This can be accomplished with the following command:

apf -d 123.123.123.123 "Spamming from script in /home/user/public_html/data"

Hope this will work for you. If not, then try posting the Exim log here for future audit.
Thank you so much.

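The two log-triage pipelines from the reply above, wrapped in functions and run over constructed sample log lines so the logic can be checked offline. This is an added example, not code from the original reply; the exim_mainlog and Apache access log line layouts are assumptions modelled on the post.

```shell
#!/bin/sh
# Constructed exim_mainlog excerpt (assumed layout): cwd= lines from a PHP
# script plus one from Exim's own spool directory, which the post filters out.
EXIM_SAMPLE='2024-01-20 11:27:01 cwd=/home/user/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 cwd=/home/user/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rR2Cq-0001hF-2J
2024-01-20 11:27:05 cwd=/home/user/public_html/data 3 args: /usr/sbin/sendmail -t -i'

# Constructed Apache access log excerpt (combined format; client IP is field 1).
ACCESS_SAMPLE='123.123.123.123 - - [20/Jan/2024:11:27:01 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"
123.123.123.124 - - [20/Jan/2024:11:27:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:03 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"
123.123.123.125 - - [20/Jan/2024:11:27:04 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
123.123.123.123 - - [20/Jan/2024:11:27:05 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"'

# Count the working directories of processes that handed mail to Exim, ignoring
# Exim's own spool. Prints "count dir" lines, least frequent first, as in the post.
cwd_counts() {
    printf '%s\n' "$1" | grep cwd | grep -v /var/spool | awk -F'cwd=' '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Directory that injected the most mail (last line of cwd_counts).
top_cwd() {
    cwd_counts "$1" | tail -n 1 | awk '{print $2}'
}

# Count client IPs that requested the given script name ($1) in an access log ($2).
# Prints "count ip" lines, least frequent first.
script_hitters() {
    printf '%s\n' "$2" | grep "$1" | awk '{print $1}' | sort -n | uniq -c | sort -n | awk '{print $1, $2}'
}

# Client IP with the most requests to the script (last line of script_hitters).
top_hitter() {
    script_hitters "$1" "$2" | tail -n 1 | awk '{print $2}'
}

# Run the triage end to end on the sample data.
echo "busiest cwd: $(top_cwd "$EXIM_SAMPLE")"
echo "top client for mailer.php: $(top_hitter mailer.php "$ACCESS_SAMPLE")"
```

On a live server, replace the two sample variables with the contents of /var/log/exim_mainlog and the domain's access log; the functions are the same pipelines the reply runs by hand.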

Now I checked and 1k frozen messages are present, all generated from one domain, [email protected]. I don't need this domain's mail service, so how do I block this particular email domain from generating frozen messages? Is there any command to block it?