This is the missing piece of software that cPanel have yet to add. Created to detect malware / virus infected / hacked email accounts that attempt to use a legitimate email and send out spams. It costed me multiple time, but biggest was USD 90+ on mailgun with 197k of spam emails being billed upon me. I couldn't wait any longer. Please join me to maintain this :)
It scans /var/log/exim_mainlog on interval basis, and logs all email activity being received from authenticated user. Take note that it only support dovecot_plain at the moment. If you need other type of login, i may add it soon.
Before starting, please go through this steps to limit the number of emails allowed per hour per domain.
https://documentation.cpanel.net/display/CKB/How+to+Prevent+Spam+with+Mail+Limiting+Features
- login to whm
- development > Manage Api Token
- create an api token, grant "Everything", and copy token (for API_TOKEN)
- add this to /etc/rc.local (on cpanel as root): replace xxxxx, your-email with your configurations
cd /root/eximmon &&
API_TOKEN=xxxxx NOTIFY_EMAIL=your-email EXIM_LOG=/var/log/exim_mainlog ./eximmon start > out.log &
- to see logs
tail -f /root/eximmon/out.log
- for helps
./eximmon help
- MAX_PER_MIN=4
- MAX_PER_HOUR=100
- NOTIFY_EMAIL=email
- EXIM_LOG=/var/log/exim_mainlog
- WHM_API_HOST=node.servername.com
- start - continue from last position or start from yesterday, and repeats from last position
- run - continue from last position or start from beginning for one time
- rerun - continue from a specific date
- skip - skip all existing data and repeats for new logs
- reset - reset all data, huh, what?
- suspend - suspend outgoing email
- unsuspend - unsuspend outgoing email
- info - get information of a domain
- test-notify - test send notification mail
- copy exim_mainlog to local machine
scp root@yourserver.com:/home/user/exim_mainlog ./
- clone repository
cd $GOPATH/src
git clone git@github.com:u007/eximmon.git
- install required dependencies
go get
- first time run
go run main.go start
- to build for production
GOOS=linux go build -o bin/eximmon main.go
- 2019 Mar 23 - Fixed dovecot_login, added rerun
- 2018 Sep 25 - First public respository up
- count numbers of external relayed recipients per email
- support for other type of dovecot_login methods
- auto delete old data directory by date on every 100 runs
- query email to show list of dates with hour and mins count
Add this in cronjob, will delete any directory older than 30days. Remember to change /path-to to your eximmon parent directory of "data"
0 1 * * * find /path-to/data/*/ -type f -name '*' -mtime +30 -exec rm -Rf {} \;
- feel free to report bugs here
- if you need additional features, feel free to add into issue list
- if you need support, contact me @ james@mercstudio.com