Find the Origin of Spam Emails in cPanel Using Exim
Spamming refers to the distribution of unsolicited messages or spam through a messaging system. While email spam is the most commonly recognized form of spamming, it can also occur on other social platforms. Examples of spamming include instant message spam, net search-engine spam, wiki spam, web forum spam, social spam, and more.
There are different types of spam, such as email spam, comment spam, trackback spam, phishing spam, international bank spam, and more. The Mail Transfer Agent (MTA) called Exim manages email deliveries on your server. Exim logs all email activities, including those sent using a script.
To investigate the origin of spam emails in cPanel, you can use Exim as it saves all activity logs. Execute the following script to check for spammers and spam emails on the cPanel server.
Locate Spammers IP
To find the IP addresses of spammers or attackers, you can run the following command.
# grep “massmailer.php” /home/<username>/access-logs/<domainname> | awk ‘print $1’ | sort -n | uniq -c | sort -n
Sorted List of Email Senders
The Exim mail queue stores all emails sent by each individual. To check the number of emails sent by all users, you can run the following script.
# exim -bpr | grep “<” | awk ‘print$4’ | cut -d “<” -f 2 | cut -d “>” -f 1 | sort -n | uniq -c | sort -n
This script sorts the list of email senders and displays the output like the one shown below.
In the above result, we can see that the email address ‘[email protected]’ is sending many emails.
Check the Spam Originating Script
To check which script is responsible for the spam email, you can run the following scripts.
# grep “cwd=/home” /var/log/exim_mainlog | awk ‘for(i=1;i<=10;i++)print $i’ | sort | uniq -c | grep cwd | sort -n
# awk ‘ if ($0 ~ “cwd” && $0 ~ “home”) print $3 ’ /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
# grep ‘cwd=/home’ /var/log/exim_mainlog | awk ‘print $3’ | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
Among the above three scripts, the third one is a combination of the first two scripts. The first two scripts should yield an output like the one shown below.
8 cwd=/home/test1/public_html
11 cwd=/home/test2/public_html/a1/www
16 cwd=/home/test3/public_html
81 cwd=/home/test4/public_html
170 cwd=/home/test5/public_html/net
760 cwd=/home/test6/public_html/foro
802 cwd=/home/test7/public_html/net
124340 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
Identify the Specific Spamming Script
The following script displays the currently running spamming script. You can find out the exact spamming script on the mail servers at any time using this script.
# ps auxwwwe | grep <user> | grep –color=always “<location of script>” | head
For example,
# ps auxwwwe | grep check | grep –color=always “/home/check/public_html/wp/wp-content/themes/twentyeleven” | head
Once you find the exact script, you can obtain the IP address responsible for spamming by using the following script. This script lists the IP addresses along with the number of entries. In the list, the IP address with the highest number of entries is likely causing the spamming. You can block that IP address in the CSF or APF firewall.
# grep “<script_name>” /home/user/access-logs/<domainname> | awk ‘print $1’ | sort -n | uniq -c | sort -n
Additional Scripts:
If you are using a PHP script to send mail, you can use the following command to find the script responsible for sending the email.
# egrep -R “X-PHP-Script” /var/spool/exim/input/*
To list the top 50 domains using the mail server, you should run the following command.
# eximstats -ne -nr /var/log/exim_mainlog
You can use the below command to check from which user’s home directory the mail is sent. This result helps in easy tracking of email, and if necessary, we can block them.
# ps -C exim -fH ewww | grep home
List IPs Connected to the Server via Port 25
To list all the IPs connected to the server via port number 25, you can use the following command. If a specific IP exceeds the connection limit of 10, you need to block that IP in the server firewall.
# netstat -plan | grep :25 | awk ‘print $5’ | cut -d: -f 1 | sort | uniq -c | sort -nk 1
Identify “Nobody” Spamming Issue
If the spamming is currently in progress and you want to identify the “nobody” spamming issue, you can run the following script:
# ps -C exim -fH ewww | awk ‘for(i=1;i<40;i++)print $i’ | sort | uniq -c | grep PWD | sort -n
The above script should have an output like the one shown below if the spamming is currently running.
6 PWD=/
348 PWD=/home/sample/public_html/abc
We need to focus on the PWD count, and if it has a large value, then you need to investigate the file. If the file is “/” or “/var/spool/mail/var/spool/exim”, you can ignore it.
If the spamming occurred sometime before, then you need to run the following command to identify the “nobody” spamming issue.
# grep “cwd=” /var/log/exim_mainlog | awk ‘for(i=1;i<=10;i++)print $i’ | sort | uniq -c | grep cwd | sort -n
Show the Summary of Spam Emails
To display the summary of emails in the mail queue, you can run the following command.
# exim -bpr | exiqsumm -c | head
The above command should display output similar to the one shown below.
Count Size Oldest Newest Domain
—— —— —— —— ——-
114 171KB 24h 28m check123area.com
15 28KB 36h 7m gmail.com
5 10KB 34h 10h test3domain.com
4 8192 27h 4h yourdomain.com
4 75KB 7m 7m server.area.com
3 6041 22h 42m test_abc.com
This is how you can find the origin of Spam Emails in cPanel using Exim. If you need further assistance, please reach out to our support department.
