Dovecot command to find the login that is sending the spoofed mail,
grep -Eo 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
Output will be,
dovecot_login count: account address
grep "email account" /var/log/exim_mainlog | less
Find the entry corresponding to,
=-=-=-==-
2013-09-24 16:16:26 [13665] 1VObqE-0003YP-AR <="spoof email account" =dovecot_login:Local account hacked S=682 id=20130925000607.D72B1D9DA45EA24D
=-=-
=-=-
Delete the queued mail for the spoof email address with the command,
exim -bp | grep "spoof domain name" | awk '{print $3}' | xargs exim -Mrm
Change the password of the hacked local email account, which will fix the issue.
Check that the queue is not increasing after this process,
=-=
exim -bpc
===-
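Added example, not part of the original note: the per-login count above shows how busy each account is, but not whether it is sending as someone else. This script lists arrivals where the envelope sender differs from the dovecot_login account. The function names and sample addresses are made up, and it assumes the login is logged as A=dovecot_login:<account>.

```shell
#!/bin/sh
# Added example: flag authenticated submissions whose envelope sender
# does not match the dovecot_login account that authenticated.

# Constructed sample lines in exim_mainlog format (all addresses invented).
sample_log() {
cat <<'EOF'
2013-09-24 16:16:26 [13665] 1VObqE-0003YP-AR <= fake@spoofed.example H=(pc) [192.0.2.10]:50211 P=esmtpa A=dovecot_login:bob@local.example S=682 id=a1@pc
2013-09-24 16:16:27 [13666] 1VObqF-0003YQ-BS <= fake@spoofed.example H=(pc) [192.0.2.10]:50212 P=esmtpa A=dovecot_login:bob@local.example S=701 id=a2@pc
2013-09-24 16:17:02 [13670] 1VObqG-0003YR-CT <= alice@local.example H=(laptop) [192.0.2.20]:40100 P=esmtpa A=dovecot_login:alice@local.example S=1204 id=a3@laptop
2013-09-24 16:17:05 [13671] 1VObqH-0003YS-DU => carol@other.example R=lookuphost T=remote_smtp H=mx.other.example [198.51.100.5]
2013-09-24 16:18:11 [13680] 1VObqI-0003YT-EV <= fake2@spoofed.example H=(pc) [192.0.2.10]:50300 P=esmtpa A=dovecot_login:bob@local.example S=650 id=a4@pc
EOF
}

# auth_mismatch: read exim_mainlog lines on stdin. For every arrival line
# ("<=") that carries A=dovecot_login:<account>, compare the envelope
# sender with the account. Prints "<count> <account> <sender>" for each
# mismatching pair, sorted so the highest count comes last.
auth_mismatch() {
  awk '
    {
      sender = ""; login = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "<=") sender = $(i + 1)
        # "A=dovecot_login:" is 16 characters, the account starts at 17
        if (index($i, "A=dovecot_login:") == 1) login = substr($i, 17)
      }
      if (sender != "" && login != "" && tolower(sender) != tolower(login))
        n[login " " sender]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -n
}

# Demo on the constructed sample; on a server: auth_mismatch < /var/log/exim_mainlog
sample_log | auth_mismatch
```

A mismatch is a lead, not proof: a mailbox that legitimately sends through an alias shows up here too, so confirm against the volume and the sender domains before resetting the password.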
To find the "cwd", i.e. the current working directory from which the spam is generated, use the script below,
=-=-=-=-=-=-
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n
=-=-=-=--=