exim: Check current PHP Script Spam process


This post is useful for system administrators and engineers who monitor hundreds of servers and want to be notified immediately when a PHP script on one of them starts sending spam.

The following example was written for exim on cPanel; save it as a .sh file and run it from cron.

The full script is as follows:

#!/bin/bash
recipient=user[at]domain.com
egrep -R "X-PHP-Script" /var/spool/exim/input/* | awk '{print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 >= 10) print $1, $2}' > spam.txt

a=$(sed -n '$=' spam.txt)

if [ "${a:-0}" -gt 0 ]
 then
  mail -s "Spam Detection $(hostname)" "$recipient" < spam.txt
fi

rm -f spam.txt

Explanation:

Line 2 – Define the recipient of the alert.
Line 3 – Search the exim spool for the ‘X-PHP-Script’ header, count the messages per originating script, and keep only scripts that appear 10 or more times.
Line 5-10 – Count the lines in the result and, if there is at least one (an empty result yields no line count, so it defaults to 0), e-mail the list to the recipient.
Line 12 – Remove the temporary file.
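To check the counting and threshold logic without a live mail server, here is an added example (not the post's own script) that builds a constructed exim-style spool directory with a fabricated X-PHP-Script header, then runs the same grep/awk/sort/uniq pipeline as a function. The directory name, the script paths and the addresses in the sample headers are all invented for the test; the threshold is a parameter so the "10 or more" rule from the post can be varied.

```bash
#!/bin/bash
# Added example, not the original post's script.
# Builds a constructed spool directory that mimics /var/spool/exim/input/*-H
# header files, then runs the post's detection pipeline over it as a function.

# make_sample_spool DIR: write constructed header files into DIR.
# 12 messages come from one PHP script (at/above the threshold of 10),
# 3 from another (below it), and one message carries no PHP header at all.
make_sample_spool() {
  local dir="$1"
  local i
  mkdir -p "$dir"
  for i in $(seq 1 12); do
    printf 'X-PHP-Script: www.example.invalid/home/victim/public_html/mailer.php for 203.0.113.5\n' \
      > "$dir/msg${i}-H"
  done
  for i in $(seq 1 3); do
    printf 'X-PHP-Script: www.example.invalid/home/other/public_html/contact.php for 198.51.100.7\n' \
      > "$dir/low${i}-H"
  done
  printf 'Received: from localhost\n' > "$dir/plain-H"
}

# count_php_scripts DIR [THRESHOLD]: same pipeline as the post's line 3.
# grep -R prints "file:X-PHP-Script: <script> for <ip>", so awk field 2 is the
# script path; uniq -c counts messages per script; the final awk keeps only
# scripts with THRESHOLD or more queued messages and prints "count script".
count_php_scripts() {
  local dir="$1" threshold="${2:-10}"
  grep -E -R "X-PHP-Script" "$dir" 2>/dev/null \
    | awk '{print $2}' \
    | sort | uniq -c | sort -nr \
    | awk -v t="$threshold" '{if ($1 >= t) print $1, $2}'
}

# flagged_count DIR [THRESHOLD]: number of scripts over the threshold, always
# printing a number (0 for an empty result, which sed -n '$=' would not do).
flagged_count() {
  count_php_scripts "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo: build the sample spool, show the report, clean up.
demo_dir="${TMPDIR:-/tmp}/exim-phpspam-demo.$$"
make_sample_spool "$demo_dir"
echo "Scripts with 10 or more queued messages:"
count_php_scripts "$demo_dir" 10
echo "Flagged script count: $(flagged_count "$demo_dir" 10)"
rm -rf "$demo_dir"
```

On a real cPanel host, point count_php_scripts at /var/spool/exim/input and feed its output to mail as the post does; the threshold argument lets you tune how many queued messages from one script count as suspicious for your environment.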