Identifying Spam Sources Under cPanel/WHM/Exim
Gary Oosterhuis | November 8, 2014
Spammers can be sneaky. They hack into a website, upload a few PHP files and begin to use those PHP files to send spam through your web server. It's important to find the source quickly and stop the spam before your mail server's IP address gets blacklisted.
Enable extended logging in Exim:
- Login to the WHM as root
- Go to Access Service Configuration > Exim Configuration Editor
- Choose Advanced Editor
- Change the value for log_selector to
+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Run the following command via SSH as root:
tail -f /var/log/exim_mainlog | grep cwd=/home/
Add a username after /home/ if you know which account is sending spam.
Generally, if a PHP script is sending out spam, you will see a line for each email sent, including the path to the PHP file used to send it:
2014-11-08 09:56:58 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:59:56 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
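The grep above is good for watching a live stream, but when the log is busy it helps to count which directories and which cPanel accounts are calling sendmail most often. The following shell snippet is an added example, not code from the original post: it runs the same `cwd=/home/` filter over a few constructed exim_mainlog lines and ranks the results. On a real server, replace the constructed file with /var/log/exim_mainlog. Keep in mind that the cwd= field records the working directory of the process that invoked sendmail, so it may point at the script's directory rather than the script itself; the ranked account and path still tell you where to look.

```shell
#!/bin/sh
# Added example, not part of the original post: rank the directories (and
# cPanel accounts) that invoked sendmail, using the cwd= field that the
# +arguments log selector adds to /var/log/exim_mainlog.
# The log lines below are constructed for this demonstration.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2014-11-08 09:56:58 cwd=/home/alice/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:57:02 cwd=/home/alice/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:57:41 cwd=/home/alice/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:58:10 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:58:30 cwd=/var/spool/exim 4 args: /usr/sbin/exim -bd -q1h
2014-11-08 09:59:56 cwd=/home/alice/public_html/scripts 3 args: /usr/sbin/sendmail -t -i
EOF

# Sendmail invocations per working directory under /home, busiest first.
# Output lines look like: "      4 /home/alice/public_html/scripts".
# Lines whose cwd is outside /home (the Exim daemon itself) are ignored.
by_directory() {
  grep -o 'cwd=/home/[^ ]*' "$1" | sed 's/^cwd=//' | sort | uniq -c | sort -rn
}

# The same data collapsed to the cPanel account name (the first path element
# after /home/), which is the unit you would suspend or clean.
by_account() {
  sed -n 's|.*cwd=/home/\([^/ ]*\).*|\1|p' "$1" | sort | uniq -c | sort -rn
}

# Path of the busiest directory, handy for a one-line alert.
top_directory() {
  by_directory "$1" | head -n 1 | awk '{print $2}'
}

echo "== sendmail calls per directory =="
by_directory "$SAMPLE_LOG"
echo "== sendmail calls per account =="
by_account "$SAMPLE_LOG"
echo "Most active: $(top_directory "$SAMPLE_LOG")"
```

With the constructed input, alice's scripts directory accounts for four of the five sendmail calls under /home, so that is the directory to inspect first; a single call from bob's public_html looks like ordinary contact-form traffic. On a real system, run `by_directory` against a copy of the log taken over a few minutes so that a burst from one script stands out from the normal background.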