Fighting SPAM with Exim on WHM/cPanel


WHM/cPanel has the excellent MTA called Exim. The default settings are pretty good for keeping SPAM away, but every now and again a particularly conniving spammer will find a way around your defences. This article was born after yet another incident (Y.A.I.). In this particular case, the spammer triggered the emails slowly so as to avoid detection. Most of them had dating site messages, some quite suggestive about nude pictures. The text of each message was cleverly altered so as to avoid obvious repeat patterns, e.g. one would have “She might really like you” whereas another would say “She may really be fond of you”. You get the point.

So the aim of this article is to document a list of commonly used command to delete messages in the Exim queue.

Deleting based on body text

grep -lr 'the attached pictures' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm

Replace the attached pictures with your search text.

Deleting based on sender

Typically one would delete based on sender in the Mail Queue management area of WHM, but if you spammer has spoofed the FROM: address you need to do manual work in the queue. Here is one command that will get rid of a message based on the sender:

exiqgrep -i -f [email protected].com | exim -Mrm

Anatomy of the above exiqgrep command

Exiqgrep is like grep but just for the Exim queue
-i means return messages IDs only
-f is the sender’s address
The output is then piped (|) to the exim removal command
– Mrm This option requests Exim to remove the given messages from the queue


Share this article

Leave a Reply

Your email address will not be published.

Scroll to Top