GordonH
01-10-05, 02:42 AM
I thought people here might like a look at how to add extended logging to Exim so you can see the directory of any script that is generating emails.
I found it here:
http://www.crucialparadigm.com/resources/tutorials/dedicated-server/extended-exim-logging.php
But there is an unintentional error/confusion in his article so here are the step by step instructions:
1. Open /etc/exim.conf in nano or pico
find "hostlist auth_relay_hosts = *"
(control and w will let you search for it).
2. After hostlist auth_relay_hosts = * add the following (all on one line):
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
3. Restart Exim:
/etc/init.d/exim restart
4. Tail the log to make sure it is working:
tail -f /var/log/exim_mainlog
If an email has been generated from a script, then the directory that script is in will be recorded in the exim_mainlog entry for that email.
So if you are getting hundreds or thousands of user nobody emails coming off a server you can find the script.
Nine times out of ten it's an exploited guestbook, formmail or bulletin board script.
Gordon
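An added example, not part of Gordon's post, showing how to turn the extended log into an answer to "which script is sending all this?". With +arguments in log_selector, Exim writes a line of the form "cwd=DIR N args: ..." each time it is invoked as /usr/sbin/sendmail, followed by the usual "<=" reception line (U=user P=local T="subject" when +subject is on). The script below pairs those two lines and counts local submissions per directory and Unix user. The log lines are constructed for the example (paths, host names and message ids are made up), and the pairing of a cwd line with the next P=local "<=" line is an assumption: the selector list in the post does not include +pid, so there is no process id to correlate on.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog as written with +arguments and
# +subject selected. Paths, host names and message ids are invented.
SAMPLE_LOG = """\
2005-01-10 02:40:01 cwd=/home/victim/public_html/guestbook 3 args: /usr/sbin/sendmail -t -i
2005-01-10 02:40:01 1Cmxyz-0001A1-00 <= nobody@server.example U=nobody P=local S=1840 T="Cheap meds" from <nobody@server.example> for target1@example.org
2005-01-10 02:40:02 cwd=/home/victim/public_html/guestbook 3 args: /usr/sbin/sendmail -t -i
2005-01-10 02:40:02 1Cmxyz-0001A2-00 <= nobody@server.example U=nobody P=local S=1838 T="Cheap meds" from <nobody@server.example> for target2@example.org
2005-01-10 02:40:03 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-01-10 02:40:03 1Cmxyz-0001A3-00 <= alice@server.example U=alice P=local S=912 T="Contact form" from <alice@server.example> for alice@example.net
2005-01-10 02:40:04 1Cmxyz-0001A4-00 <= bob@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2210 T="hello" from <bob@example.com> for carol@server.example
2005-01-10 02:40:05 cwd=/home/victim/public_html/guestbook 3 args: /usr/sbin/sendmail -t -i
2005-01-10 02:40:05 1Cmxyz-0001A5-00 <= nobody@server.example U=nobody P=local S=1841 T="Cheap meds" from <nobody@server.example> for target3@example.org
"""

# "cwd=DIR N args: ..." line produced by the +arguments log selector.
CWD_RE = re.compile(r'^(\S+ \S+) cwd=(\S+) (\d+) args: (.*)$')
# "<msgid> <= <sender> <fields...>" message reception line.
RECV_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) (.*)$')
# key=value fields on the reception line; values with spaces are quoted (T="...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_exim_log(lines):
    """Return one record per received message, with the originating directory
    attached to locally submitted ones.

    Assumption (no +pid in the selector list): the cwd line belongs to the
    next P=local reception line, so that is how they are paired here.
    """
    records = []
    pending_cwd = pending_args = None
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            pending_cwd, pending_args = m.group(2), m.group(4)
            continue
        m = RECV_RE.match(line)
        if not m:
            continue
        msgid, sender, rest = m.group(2), m.group(3), m.group(4)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        rec = {
            "msgid": msgid,
            "sender": sender,
            "user": fields.get("U"),
            "protocol": fields.get("P"),
            "subject": fields.get("T"),
            "cwd": None,
            "args": None,
        }
        if fields.get("P") == "local":
            # Only a local sendmail invocation can have logged a cwd line.
            rec["cwd"], rec["args"] = pending_cwd, pending_args
            pending_cwd = pending_args = None
        records.append(rec)
    return records


def script_dirs_by_user(lines, user="nobody"):
    """Count local submissions per directory for one Unix user.

    'nobody' is the classic web-server user, so the most common directory
    is normally where the abused guestbook/formmail/board script lives.
    """
    counts = Counter()
    for rec in parse_exim_log(lines):
        if rec["user"] == user and rec["cwd"]:
            counts[rec["cwd"]] += 1
    return counts


if __name__ == "__main__":
    # Against a live box: parse_exim_log(open("/var/log/exim_mainlog"))
    for directory, n in script_dirs_by_user(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {directory}")
```

The counts alone usually name the script directory; the per-message records keep the subject and sendmail arguments so you can confirm it is spam before you chmod 000 the script and go looking for the hole.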