WebHostingPeople Blog


Find the Origin of Spam Emails in cPanel Using Exim


Spamming refers to the distribution of unsolicited messages or spam through a messaging system. While email spam is the most commonly recognized form of spamming, it can also occur on other social platforms. Examples of spamming include instant message spam, net search-engine spam, wiki spam, web forum spam, social spam, and more.

There are different types of spam, such as email spam, comment spam, trackback spam, phishing spam, international bank spam, and more. The Mail Transfer Agent (MTA) called Exim manages email deliveries on your server. Exim logs all email activities, including those sent using a script.

To investigate the origin of spam emails in cPanel, you can use the Exim logs, since Exim records all mail activity. Run the following commands to check for spammers and spam emails on the cPanel server.

Locate the Spammer's IP

To find the IP addresses of spammers or attackers, you can run the following command.

# grep "massmailer.php" /home/<username>/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n

Sorted List of Email Senders

The Exim mail queue holds the messages waiting for delivery, along with the sender of each one. To check the number of queued emails per sender, you can run the following command.

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

This command sorts the list of email senders and displays output like the one shown below.

1    [email protected]
3    [email protected]
5    [email protected]
29   [email protected]
178  [email protected]

In the above result, we can see that the email address ‘[email protected]’ is sending many emails.

Check the Spam Originating Script

To check which script is responsible for the spam email, you can run the following commands.

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

Among the above three scripts, the third one is a combination of the first two scripts. The first two scripts should yield an output like the one shown below.

     8  cwd=/home/test1/public_html
    11  cwd=/home/test2/public_html/a1/www
    16  cwd=/home/test3/public_html
    81  cwd=/home/test4/public_html
   170  cwd=/home/test5/public_html/net
   760  cwd=/home/test6/public_html/foro
   802  cwd=/home/test7/public_html/net
124340  cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven

Identify the Specific Spamming Script

The following command displays the spamming script that is currently running. You can use it at any time to find the exact spamming script on the mail server.

# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head

For example,

# ps auxwwwe | grep check | grep --color=always "/home/check/public_html/wp/wp-content/themes/twentyeleven" | head

Once you find the exact script, you can obtain the IP address responsible for spamming by using the following script. This script lists the IP addresses along with the number of entries. In the list, the IP address with the highest number of entries is likely causing the spamming. You can block that IP address in the CSF or APF firewall.

# grep "<script_name>" /home/user/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n

Additional Scripts:

If you are using a PHP script to send mail, you can use the following command to find the script responsible for sending the email.

# egrep -R "X-PHP-Script" /var/spool/exim/input/*

To list the top 50 domains using the mail server, you should run the following command.

# eximstats -ne -nr /var/log/exim_mainlog

You can use the below command to check from which user’s home directory the mail is sent. This result helps in easy tracking of email, and if necessary, we can block them.

# ps -C exim -fH ewww | grep home

List IPs Connected to the Server via Port 25

To list all the IPs connected to the server via port number 25, you can use the following command. If a specific IP exceeds the connection limit of 10, you need to block that IP in the server firewall.

# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
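A stricter version of this check, as an added example that is not part of the original article: `grep :25` also matches ports such as 2525, outbound deliveries to a remote port 25, and the listening socket, and `cut -d: -f 1` truncates IPv6 peers. The function names and the netstat lines below are constructed for illustration; on a server, pipe `netstat -plan` into `over_limit 10`.

```shell
#!/bin/sh
# Constructed netstat-style sample: 12 inbound SMTP connections from one peer,
# plus lines the simple "grep :25" pipeline would miscount.
sample_netstat() {
  i=0
  while [ "$i" -lt 12 ]; do
    echo "tcp 0 0 192.0.2.10:25 203.0.113.7:$((40000 + i)) ESTABLISHED 900/exim"
    i=$((i + 1))
  done
  cat <<'EOF'
tcp 0 0 192.0.2.10:25 198.51.100.9:51000 ESTABLISHED 900/exim
tcp 0 0 192.0.2.10:2525 198.51.100.9:51001 ESTABLISHED 901/other
tcp 0 0 192.0.2.10:44321 198.51.100.20:25 ESTABLISHED 902/exim
tcp6 0 0 2001:db8::10:25 2001:db8::99:40000 ESTABLISHED 900/exim
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 900/exim
EOF
}

# Print "count peer" for connections whose LOCAL port is exactly 25.
# Only the trailing ":port" is stripped, so IPv6 peers stay intact.
smtp_peers() {
  awk '$1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ /:25$/ {
    peer = $5
    sub(/:[^:]*$/, "", peer)
    n[peer]++
  }
  END { for (p in n) print n[p], p }' | sort -n
}

# Print only the peers above the connection limit (default 10, as in the text).
over_limit() {
  smtp_peers | awk -v limit="${1:-10}" '$1 > limit { print $2 }'
}

sample_netstat | smtp_peers
echo "Over the limit:"
sample_netstat | over_limit 10
```
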

Identify “Nobody” Spamming Issue

If the spamming is currently in progress and you want to identify the “nobody” spamming issue, you can run the following command:

# ps -C exim -fH ewww | awk '{for(i=1;i<40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

The above command should produce output like the one shown below if the spamming is currently running.

  6 PWD=/
348 PWD=/home/sample/public_html/abc

Focus on the PWD count: if it has a large value, you need to investigate the file. If the file is “/” or “/var/spool/mail/var/spool/exim”, you can ignore it.

If the spamming occurred sometime before, then you need to run the following command to identify the “nobody” spamming issue.

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
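The cwd= counting used here and in "Check the Spam Originating Script", written as reusable functions. This is an added example, not part of the original article: the function names and log lines are constructed, the lines assume Exim logs the working directory as `cwd=<dir> N args: ...`, and only directories under /home are counted, so queue-runner entries such as `cwd=/var/spool/exim` drop out.

```shell
#!/bin/sh
# Constructed exim_mainlog sample; on a server, read /var/log/exim_mainlog instead.
sample_log() {
cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 cwd=/home/test6/public_html/foro 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 cwd=/home/test6/public_html/foro 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 cwd=/home/test8/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:08 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 10:00:09 cwd=/ 2 args: /usr/sbin/exim -bd
2024-05-01 10:00:10 1abcde-000001-AA <= user@example.com U=test8 P=local S=512
EOF
}

# Print "count directory" for each cwd under /home, busiest last.
# The cwd= field is located by name rather than by position.
cwd_counts() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^cwd=\/home\//) { n[substr($i, 5)]++; break }
  }
  END { for (d in n) print n[d], d }' | sort -n
}

# Roll the per-directory counts up to the account (path component after /home/).
account_counts() {
  cwd_counts | awk '{ split($2, p, "/"); a[p[3]] += $1 }
    END { for (u in a) print a[u], u }' | sort -n
}

# Directory that invoked the mailer most often.
top_cwd() { cwd_counts | tail -n 1 | awk '{ print $2 }'; }

sample_log | cwd_counts
sample_log | account_counts
```
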

Show the Summary of Spam Emails

To display the summary of emails in the mail queue, you can run the following command.

# exim -bpr | exiqsumm -c | head

The above command should display output similar to the one shown below.

Count  Size   Oldest  Newest  Domain
-----  ----   ------  ------  ------
114    171KB  24h     28m     check123area.com
15     28KB   36h     7m      gmail.com
5      10KB   34h     10h     test3domain.com
4      8192   27h     4h      yourdomain.com
4      75KB   7m      7m      server.area.com
3      6041   22h     42m     test_abc.com

This is how you can find the origin of Spam Emails in cPanel using Exim. If you need further assistance, please reach out to our support department.
