Identifying Spam Sources Under cPanel/WHM/Exim

Gary Oosterhuis | November 8, 2014

Spammers can be sneaky. They hack into a website, upload a few PHP files and use them to send spam through your web server. It is important to find the source quickly and stop the spam before your mail server's IP address gets blacklisted.

Step 1

Enable extended logging within exim:

  1. Log in to WHM as root
  2. Go to Service Configuration > Exim Configuration Editor
  3. Choose Advanced Editor
  4. Change the value for log_selector to:

+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Step 2

Run the following command via SSH as root:

tail -f /var/log/exim_mainlog | grep cwd=/home/

Add a username after /home/ if you know which account is sending spam.

Generally, if a PHP script is sending out spam, you will see a list of each email sent out and the path to the PHP file used to send it.

Example result:

2014-11-08 09:56:58 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:59:56 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
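Once the cwd= lines are in the log, a tail | grep shows them one by one; the script below is an added example (not part of the original post) that goes a step further and counts sendmail invocations per cwd= path so the busiest script stands out, optionally restricted to one account. It assumes the +arguments logging from Step 1 is active, and the log lines it runs on are constructed samples, not real mainlog output.

```shell
#!/bin/bash
# Summarise which /home/ paths are invoking sendmail, based on the cwd= lines
# Exim writes to exim_mainlog once +arguments is in log_selector.
# Added example, not from the original post.

# Constructed sample of exim_mainlog lines (accounts, paths and times are made up).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2014-11-08 09:56:58 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:57:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:58:02 1XnJ2a-0001B9-Ue <= bob@example.com H=mail.example.com [192.0.2.10] P=esmtp S=1234
2014-11-08 09:59:56 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 10:00:01 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 10:00:30 cwd=/ 4 args: /usr/sbin/exim -bd -q1h
EOF

# top_spam_cwds LOGFILE [ACCOUNT]
# Prints "count path" for every cwd= under /home/ that called /usr/sbin/sendmail,
# most frequent first. Exim's own queue runs (cwd=/) and SMTP traffic are ignored.
# With ACCOUNT given, only /home/ACCOUNT and its subdirectories are counted.
top_spam_cwds() {
    local log="$1" account="${2:-}"
    local pat="cwd=/home/[^ ]*"
    [ -n "$account" ] && pat="cwd=/home/${account}(/[^ ]*)?"
    grep -E "${pat} [0-9]+ args: /usr/sbin/sendmail" "$log" \
        | sed -E 's/.*cwd=([^ ]+) .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# first_seen LOGFILE PATH
# Timestamp of the first invocation from PATH, handy for lining the event up
# with the account's web access log when investigating how the script arrived.
first_seen() {
    grep -F "cwd=$2 " "$1" | head -n 1 | cut -d' ' -f1,2
}

top_spam_cwds "$SAMPLE_LOG"
first_seen "$SAMPLE_LOG" /home/username/public_html/scripts/sk432.php
```

On a live server, point top_spam_cwds at /var/log/exim_mainlog instead of the sample file; the highest count is the path to look at first.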
