exim: Check current PHP Script Spam process



This post is useful for system administrators and system engineers who monitor over a hundred servers and need to identify a spamming PHP script on a server immediately.

The following example was written for exim4 on cPanel, and you may store it in a .sh file.

The full script is below:

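#!/bin/bash
recipient="admin@example.com"   # placeholder: set to your own address
egrep -R "X-PHP-Script" /var/spool/exim/input/* | awk '{print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 >= 10) print $1, $2}' > spam.txt

a=`sed -n '$=' spam.txt`   # number of lines in spam.txt (empty when the file is empty)

if [ "${a:-0}" -gt 0 ]
then
  cat spam.txt | mail -s "Spam Detection `hostname`" "$recipient"
fi

rm -f spam.txt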


Line 2 – Define the recipient.
Line 3 – Search the exim spool folder for the keyword ‘X-PHP-Script’ and print only entries that appear 10 times or more.
Lines 5-10 – Email the results to the recipient only if any exist.
Line 12 – Remove the temporary file.
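
The script above takes the reported value from a fixed awk field. As an added example (not part of the original post), the function below finds the header by name instead, so a file-name or length prefix in front of it does not change which value is counted. The function names and sample lines are constructed for illustration, and the line layout shown is an assumption about grep output over the spool header files.

```shell
#!/bin/sh
# Added example: count queued messages per originating PHP script.

# count_php_scripts MIN
# Reads grep-style lines on stdin; prints "COUNT SCRIPT" for each script
# seen in an X-PHP-Script header at least MIN times, busiest first.
count_php_scripts() {
    awk -v min="$1" '
        {
            # Find the header by name, not by field position.
            i = index($0, "X-PHP-Script:")
            if (i == 0) next
            rest = substr($0, i + length("X-PHP-Script:"))
            n = split(rest, f, " ")    # value looks like "host/path for IP"
            if (n >= 1) seen[f[1]]++
        }
        END {
            for (s in seen)
                if (seen[s] >= min) print seen[s], s
        }' | sort -k1,1nr -k2,2
}

# Constructed sample input (assumed layout: file:length  header).
sample_lines() {
    cat <<'EOF'
/var/spool/exim/input/a/msg0001-H:045  X-PHP-Script: shop.example.com/contact.php for 192.0.2.10
/var/spool/exim/input/a/msg0002-H:045  X-PHP-Script: shop.example.com/contact.php for 192.0.2.10
/var/spool/exim/input/b/msg0003-H:042  X-PHP-Script: blog.example.org/form.php for 192.0.2.44
/var/spool/exim/input/b/msg0004-H:045  X-PHP-Script: shop.example.com/contact.php for 192.0.2.11
/var/spool/exim/input/b/msg0004-H:020  Subject: hello
EOF
}

# Threshold 3 is used here only so the small sample produces output.
sample_lines | count_php_scripts 3
```

On a server, the same function can take the output of the egrep command from line 3 of the script on stdin, with 10 as the threshold.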