ELM - Exim Log Monitor

Spammers suck. Don't get blacklisted.
Spammers suck. The problems they cause are more than just the annoyance of receiving unwanted emails. They break into servers to send spam, using valuable server resources and getting servers blacklisted.

How can we know when our servers are being used to send spam? We used 3 methods:

  1. Receive reports from SpamCop
  2. Receive reports from AOL
  3. Monitor your SMTP server logs

The SpamCop and AOL services are completely free. I found them to be invaluable. For example, we would receive reports regarding unmanaged customers. Additionally, some complaints were our first indication that a customer's account had been hacked. Since many customers were hacked via bad code on their website, the spam reports were the equivalent of someone saying "hey, you have a customer who probably has a public security vulnerability somewhere on their website." That is incredibly useful for a server administrator to know.

The script I wrote to monitor the SMTP server logs was simple and effective. First I configured Exim to log the subject line and the recipient email addresses for all SMTP transactions:

        log_selector = +subject +received_recipients

Next, I wrote a script that used Perl's File::Tail module to monitor /var/log/exim_mainlog, polling it every second. If any single log line contained an "@", it counted the total number of "@"s in that line. If that number exceeded a specific threshold, the script sent me an email containing the offending log line.
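The heuristic described above, as an added Python example rather than the original Perl script: a File::Tail-style poller over the Exim main log, the per-line "@" count, and a threshold check. It assumes the log format Exim produces with `log_selector = +subject +received_recipients` (an arrival line `... <= sender@host ... T="subject" for rcpt1@a rcpt2@b ...`), the sample log lines and the threshold of 20 are constructed for the example, and the alert is returned as text instead of being emailed.

```python
"""Added example (not the original ELM script): Exim main log monitor that
flags any single line carrying more "@" characters than a threshold.

Assumed log format (Exim with log_selector = +subject +received_recipients):
  <date> <time> <msgid> <= sender@dom H=... T="subject" for rcpt1@a rcpt2@b ...
"""
import os
import re
import tempfile
import time
from typing import Iterator, Optional

# Constructed threshold for the example; the original post does not state its cutoff.
THRESHOLD = 20

# Constructed sample lines: one normal message, one spam run to 25 recipients,
# and one delivery ("=>") line that carries only a single address.
SAMPLE_LOG = [
    '2013-05-14 10:01:22 1Uc3rX-0003kZ-Ab <= alice@example.net H=mail.example.net [192.0.2.10] '
    'P=esmtps S=1324 T="Re: invoice" for bob@example.com',
    '2013-05-14 10:01:25 1Uc3ra-0003kc-Ee <= www-data@web1.example.net U=www-data P=local S=2210 '
    'T="AWARD NOTIFICATION!!" for ' + " ".join(f"user{i}@example.org" for i in range(25)),
    '2013-05-14 10:01:26 1Uc3ra-0003kc-Ee => bob@example.com R=dnslookup T=remote_smtp '
    'H=mx.example.com [198.51.100.5]',
]


def count_at_signs(line: str) -> int:
    """The original heuristic: every "@" on the line counts (sender included)."""
    return line.count("@")


def subject_of(line: str) -> Optional[str]:
    """Extract the logged subject from the T="..." field, if present."""
    m = re.search(r' T="((?:[^"\\]|\\.)*)"', line)
    return m.group(1) if m else None


def recipients_of(line: str) -> list:
    """Recipients appended by +received_recipients after ' for ' on the '<=' line."""
    m = re.search(r" for (.+)$", line)
    return m.group(1).split() if m else []


def check_line(line: str, threshold: int = THRESHOLD) -> Optional[dict]:
    """Return an alert record when the line exceeds the threshold, else None."""
    n = count_at_signs(line)
    if n <= threshold:
        return None
    return {
        "at_count": n,
        "subject": subject_of(line),
        "recipient_count": len(recipients_of(line)),
        "line": line,
    }


def format_alert(alert: dict) -> str:
    """Body of the notification the original script would have emailed."""
    return (
        f"Possible spam run: {alert['at_count']} '@' on one log line "
        f"({alert['recipient_count']} recipients), subject={alert['subject']!r}\n"
        f"{alert['line']}\n"
    )


def scan_lines(lines) -> list:
    """Run the check over an iterable of log lines and collect the alerts."""
    return [a for a in (check_line(l) for l in lines) if a]


def follow(path: str, poll_seconds: float = 1.0, from_start: bool = False,
           max_idle_polls: Optional[int] = None) -> Iterator[str]:
    """Yield lines appended to `path`, File::Tail style: poll every poll_seconds.
    max_idle_polls bounds consecutive empty polls (None = follow forever)."""
    idle = 0
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        if not from_start:
            fh.seek(0, os.SEEK_END)  # like a real tail, start at the current end
        while True:
            line = fh.readline()
            if line:
                idle = 0
                yield line.rstrip("\n")
                continue
            if max_idle_polls is not None and idle >= max_idle_polls:
                return
            idle += 1
            time.sleep(poll_seconds)


def demo_tail() -> int:
    """Write the constructed sample to a temp file, tail it, return the alert count."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write("\n".join(SAMPLE_LOG) + "\n")
        path = tmp.name
    try:
        alerts = scan_lines(follow(path, poll_seconds=0.05, from_start=True, max_idle_polls=1))
        for a in alerts:
            print(format_alert(a))
        return len(alerts)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    demo_tail()
```

The raw "@" count is what the post describes and it is deliberately crude: the sender address and any "@" inside the subject text are counted too, so the parsed recipient list is carried along in the alert to let the reader see at a glance whether a hit is a genuine bulk send or a one-off subject that happened to contain addresses.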

We didn't allow customers to send email to large mailing lists from our shared hosting servers, as this caused a heavy server load, and increased the potential to end up on blacklists. So, it was usually obvious when a customer's account was sending spam. The subject lines alone were almost always a dead giveaway.

In the almost 4 years I ran a hosting business, despite countless customers being hacked and some spam getting sent from our network, I can recall just 1 time that we ended up on a blacklist somewhere. It certainly could have been more than that; that's just the only one that comes to mind. We worked around that easily enough by using an iptables SNAT rule to send email from another IP address on the server (which had the appropriate PTR record in place to ensure maximum email deliverability). Things would have been worse if we hadn't diligently monitored abuse reports and listened carefully to our logs.

Here are the subject lines of the emails we caught. Can you tell which ones are spam? Hint: they're all spam.

"ATM SWIFT CARD PAYMENT."
"ATM SWIFT CARD PAYMENT"
"Atm Swift Credit Card Notification"
"AWARD NOTIFICATION!!"
"AWARD NOTIFICATION"
"China National Heavy Duty Truck Group Corp"
"CONTACT AGENT MR. COLLINS MOORE"
"CONTACT MR ERIC MOORE NOW"
"Dear Friend,"
"Dear Friend"
"Dear Friend(Call Mr Brown Hammer +2348076350091)"
"FEDEX COURIER SERVICE"
"From Dr Paul Acquah"
"FROM FEDEX"
"From Nicholas Elmer/Read Carefully And Reply!!"
"From Nicholas Elmer/Read Carefully And Reply"
"gfbfgnjhgf"
"Good Day.."
"GOOD NEWS CONTACT MRS EMILIA ROBBINSON IMMEDIATELY"
"GOOD NEWS CONTACT MRS EMILIA ROBINSON IMMEDIATELY"
""GOOD NEWS" CONTACT MY SECRETARY IMMEDIATELY"
"Greetings To You My Dear Friend!!!"
"Greetings To You My Dear Friend! 251"
"Greetings To You My Dear Friend!!! 251 "
"Greetings To You My Dear Friend! 251"
"hello!"
"Hello"
"HI!!"
"HI"
"INSTRUCTION TO CREDIT YOUR ACCOUNT WITH THE SUM OF $2,500,\n 000.00USD!!!"
"Next Of Kin."
"Please get back to me....."
"Proposal...."
"Proposal"
"Read Carefully And Reply"
"Reply."
"Re: Your Compensation"
"Dear Friend"
"VERIFICATION OF YOUR FUND. CALL CONTACT +234 808 286 2330."
"VITTORIO FONDAZIONE CASH AID"
"WINNING NOTIFICATION"
"Work From Home."