How to find the Origin of Spam mails in cPanel Server – Exim

If you found this post helpful, kindly share it and show your support :)
  • To get a sorted list of email sender and number of mails send by each one in Exim mail queue.
exim -bpr | grep "<" | awk {'print $4'} | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

You will get a result as like follows,

  • To check the Spam Originating Script
grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $4}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

You will get the result as like follows using first two scripts. The third script is the sub of the first two scripts.

      4    cwd=/home/example1/public_html
    138    cwd=/home/example5/public_html/web
    474    cwd=/home/example6/public_html/
    733    cwd=/home/example7/public_html/wp-back
 155343    cwd=/home/example8/public_html/wp-content/themes/twentynineteen
  • To find the Exact Spamming Script
ps auxwwwe | grep <user> | grep –color=always "<location of script>" | head

For eg :-

ps auxwwwe | grep | grep –color=always "/home/example8/public_html/wp-content/themes/twentynineteen" | head

Once you find the exact script, you can use the following script to get the IP address responsible for spamming. This script will lists the IP addresses along with the number of accesses. The IP address with the high number of accesses is probably causing spamming. You can block the IP address in the server firewall like CSF, APF firewall etc.

grep "" /home/user/access-logs/ | awk ‘{print $1}’ | sort -n | uniq -c | sort -n

Some useful scripts

  • To find the PHP script to send the email
egrep -R "X-PHP-Script"  /var/spool/exim/input/*
  • To find the top 50 domains using the mail server
eximstats -ne -nr /var/log/exim_mainlog
  • To find from which user’s home the mail is sent.
ps -C exim -fH ewww | grep home
  • To find all the IPs connected to the server through port number 25.
netstat -plan | grep :25 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
  • To find “nobody” Spamming Issue

If spamming activities are still on the server, you can run the below script to find the “nobody” spamming issue.

ps -C exim -fH ewww | awk ‘{for(i=1;i<40;i++){print $i}}’ | sort | uniq -c | grep PWD | sort -n

Sample output is as follows :-

8 PWD=/
756 PWD=/home/example/public_html/test

You nee to check the PWD value. If the PWD value is large, then you will need to check the file. If the file is “/”or “/var/spool/mail/var/spool/exim”, then you can ignore it.

  • If the spamming has occurred sometime before, then you need to run the following command to find the “nobody” spamming issue.
grep “cwd=” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}’ | sort | uniq -c | grep cwd | sort -n
  • To display the summary of Spam Mails

You can run the below command to display the summary of mails in the mail queue.

exim -bpr | exiqsumm -c | head


Mohammed Noufal

I'm Mohammed Noufal, working as Server Admin for the last 10 years.  In my day-to-day life, l had to face different problems related to Web-hosting. On my website, you can find solutions for different Web-hosting-related problems. Sometimes, I spent hours searching/googling to find a solution. This inspired me to start a website that gives solutions to different Webhosting problems. This website includes basic Linux and windows commands, and different control panels like cPanel, Plesk, DirectAdmin, Webmin & so on. You can find solutions and or suggestions for different Web-hosting related problems from here. Hence I would like to say Errorlogz is your server protector.  I will be glad if Logdetect can help any one of the Server admins to find a solution to his problem.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *