
Analyzing Outbound Email by Domain Using Exim Logs with a Look-Back Window

Published 4 Mar 2026. Updated 19 Apr 2026.

In this article

  1. What Is a Look-Back Window
  2. Script to Identify Top Sending Domains by User
  3. Script Breakdown
  4. Sample Output
  5. Use Cases

When investigating unusual email activity on a cPanel server, analyzing Exim logs for a specific user over a defined time period can help identify potential spam or compromised accounts. This guide demonstrates how to analyze Exim logs using a look-back window to find the top sending domains for a particular user.


What Is a Look-Back Window

A look-back window is a defined period (e.g., the last 7 days) during which logs are analyzed. This allows for focused investigation rather than scanning the entire log history. It is especially helpful for:

  • Detecting recent spam or bulk email bursts.

  • Identifying sending trends by domain.

  • Investigating account compromises or unexpected SMTP usage.


Script to Identify Top Sending Domains by User

Use the following script to analyze Exim logs and find the most active sending domains for a specific cPanel user over the last N days.

# Set the number of days to look back
DAYS=7

# Set path to Exim logs (including rotated logs)
EXIMLOG=/var/log

# Analyze message-arrival lines for a specific cPanel user.
# The envelope sender is the field after "<=" on an arrival line;
# the S= field is the message size, not the sender.
# mktime() is a gawk extension (present on cPanel servers).
zgrep -h ' U=exampleuser ' $EXIMLOG/exim_mainlog* \
| awk -v window="$(date -d "$DAYS days ago" +%s)" '
  {
    # Convert the date and time fields to epoch time for comparison
    ts = $1 " " $2
    gsub(/[-:]/, " ", ts); split(ts, t, " ")
    if (mktime(t[1]" "t[2]" "t[3]" "t[4]" "t[5]" "t[6]) < window) next

    # Extract the envelope sender address (the field after "<=")
    for (i = 1; i < NF; i++)
      if ($i == "<=") {
        addr = $(i+1)
        gsub(/[<>]/, "", addr)            # bounces log the sender as <>
        split(addr, a, "@"); dom = a[2]
        if (dom) cnt[dom]++
        break
      }
  }
  END {
    for (d in cnt)
      printf "%8d %s\n", cnt[d], d | "sort -nr"
  }
' | head -20
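The same analysis in Python, as an added example that is not part of the original article, run over a few constructed Exim log lines so it can be checked offline. It assumes the standard Exim mainlog layout (envelope sender after "<=", U= for the local cPanel user, P= for the protocol, A= for authenticator:user on SMTP-authenticated submissions, S= for the message size) and a fixed "now" (SAMPLE_NOW) so the sample output is reproducible; iter_mainlog_lines() and the /var/log/exim_mainlog* glob are hypothetical helpers for use on a real server. It goes slightly beyond the awk script by also tallying the A= authentication source, which separates script-submitted (P=local, no A=) mail from mail sent with a mailbox password.

```python
"""Top outbound sender domains per cPanel user from Exim mainlog lines,
with a look-back window. Added example; not the article's own script."""
from collections import Counter
from datetime import datetime, timedelta
import glob
import gzip
import re

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
TZ_TOKEN = re.compile(r"^[+-]\d{4}$")   # optional column when log_timezone is set

# Constructed sample log lines (not from any real server). Layout follows
# Exim's message-arrival ('<=') and delivery ('=>') records.
SAMPLE_LOG = """\
2026-03-01 08:00:01 1tAAAA-000001-AA <= bob@exampledomain1.com U=exampleuser P=local S=1201 T="Invoice"
2026-03-03 09:12:44 1tAAAB-000002-AB <= bob@exampledomain1.com U=exampleuser P=esmtpsa A=dovecot_login:bob@exampledomain1.com S=2210 T="Re: Invoice"
2026-03-03 09:13:00 1tAAAC-000003-AC <= <> U=exampleuser P=local S=3002 T="Mail delivery failed"
2026-03-03 09:15:10 1tAAAD-000004-AD <= alice@exampledomain2.com U=exampleuser P=esmtpsa A=dovecot_login:alice@exampledomain2.com S=800 T="Hello"
2026-03-03 09:15:11 1tAAAD-000004-AD => alice@exampledomain2.com R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2026-03-03 09:16:00 1tAAAE-000005-AE <= alice@exampledomain2.com U=otheruser P=local S=900 T="Not ours"
2026-03-04 10:20:00 1tAAAF-000006-AF <= bob@exampledomain1.com U=exampleuser P=esmtpsa A=dovecot_login:bob@exampledomain1.com S=600 T="Bulk 1"
"""
SAMPLE_NOW = datetime(2026, 3, 5, 0, 0, 0)   # fixed "now" for a reproducible sample


def parse_arrival(line):
    """Parse one Exim mainlog message-arrival ('<=') line.

    Returns a dict (ts, user, sender, domain, auth, proto, size) or None for
    any other record (delivery '=>', completed, reject, ...).
    """
    # Drop the subject: it may contain spaces or look-alike tokens.
    head = line.split(' T="', 1)[0]
    tokens = head.split()
    if len(tokens) < 5:
        return None
    try:
        ts = datetime.strptime(tokens[0] + " " + tokens[1], TS_FORMAT)
    except ValueError:
        return None
    if TZ_TOKEN.match(tokens[2]):         # skip a "+0000"-style column if present
        del tokens[2]
    if len(tokens) < 5 or tokens[3] != "<=":
        return None
    sender = tokens[4].strip("<>")        # bounces log the sender as "<>"
    domain = sender.rpartition("@")[2].lower() if "@" in sender else ""
    fields = {}
    for tok in tokens[5:]:                # U=, P=, A=, S=, id=, ...
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
    return {"ts": ts, "user": fields.get("U"), "sender": sender,
            "domain": domain, "auth": fields.get("A", "-"),
            "proto": fields.get("P"), "size": fields.get("S")}


def user_arrivals(lines, user, days, now=None):
    """Yield parsed arrivals for `user` inside the look-back window."""
    now = now or datetime.now()
    window_start = now - timedelta(days=days)
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["user"] == user and rec["ts"] >= window_start:
            yield rec


def top_sender_domains(lines, user, days, now=None, limit=20):
    """(domain, count) pairs, highest first; bounces (empty sender) are skipped."""
    counts = Counter(r["domain"] for r in user_arrivals(lines, user, days, now)
                     if r["domain"])
    return counts.most_common(limit)


def auth_sources(lines, user, days, now=None):
    """Count messages by A= value; '-' means no SMTP AUTH (e.g. P=local)."""
    return Counter(r["auth"] for r in user_arrivals(lines, user, days, now))


def iter_mainlog_lines(pattern="/var/log/exim_mainlog*"):
    """Read current and rotated (.gz) logs, like 'zgrep -h' over the glob (hypothetical)."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for dom, n in top_sender_domains(lines, "exampleuser", 7, SAMPLE_NOW):
        print(f"{n:8d} {dom}")
    for auth, n in auth_sources(lines, "exampleuser", 7, SAMPLE_NOW).most_common():
        print(f"{n:8d} {auth}")
```

On a real server replace SAMPLE_LOG.splitlines() with iter_mainlog_lines() and drop the fixed "now"; the window then ends at the current time, as with date -d in the shell version. Note that the window can only reach as far back as the rotated logs kept under /var/log.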

Script Breakdown

Component                        Description
DAYS=7                           Define how many days of logs to analyze
zgrep -h ' U=exampleuser '       Search the current and rotated logs for arrival lines where the local cPanel user was exampleuser
mktime()                         Converts the date and time fields to epoch seconds for comparison (a gawk extension)
$i == "<=" / addr = $(i+1)       Finds the envelope sender, which Exim logs after "<=" (the S= field is the message size, not the sender)
split(addr,a,"@")                Extracts the domain part from the sender's email address
cnt[dom]++                       Increments a count for each domain found
sort -nr | head -20              Displays the top 20 domains by message count

Sample Output

   24850 exampledomain1.com
    3221 exampledomain2.com
    1052 example.org
     302 testdomain.in

Use Cases

  • Detecting outbound spam

  • Monitoring email usage patterns

  • Investigating security incidents


Best Practices

  • Combine with additional filters such as the A=dovecot_login:<address> field to see which authenticated mailbox submitted each message; arrivals without an A= field (typically P=local) came from a script or local process rather than a mailbox login

  • Monitor mail queue health (exim -bp | exiqsumm)

  • Set up outbound email limits per domain/user

  • Enforce strong passwords and 2FA for email accounts


Related Articles

  • Investigating SMTP Abuse in Exim Logs

  • Cleaning Up the Exim Mail Queue

  • Setting Outbound Email Rate Limits in cPanel Servers
