Identifying Spam Sources Under cPanel/WHM/Exim
Gary Oosterhuis | November 8, 2014
Spammers can be sneaky. They compromise a website, upload a few PHP files and use those files to send spam through your web server. It is important to find the source quickly and stop the spam before your mail server's IP address ends up on a blacklist.
Step 1
Enable extended logging within exim:
- Log in to WHM as root
- Go to Service Configuration > Exim Configuration Editor
- Choose Advanced Editor
- Change the value for log_selector to
+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
The selector that matters for this hunt is +arguments: it makes Exim log the working directory (cwd=) and the command line of every local process that invokes sendmail. The others add context such as sender, recipients, subject, connecting interface and port, and TLS details. Save the change (WHM restarts Exim); only mail submitted after the restart carries the new fields.
Step 2
Run the following command via SSH as root
tail -f /var/log/exim_mainlog | grep cwd=/home/
Add a username after /home/ if you know which account is sending spam.
Generally, if a PHP script is sending spam, you will see one line per message with the working directory (cwd=) of the process that called sendmail, which identifies the account and directory (and, as in the example below, the script) responsible.
Example result:
2014-11-08 09:56:58 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:59:56 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
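To turn the tail-and-grep above into a ranked report, here is an added example in POSIX shell (not code from the original post) that aggregates the cwd= lines per working directory and per cPanel account, so the busiest sender stands out even on a server with many accounts. The log lines embedded in it are constructed for the demo; the script name and the recent_php_files helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the cwd= lines that
# Exim writes when log_selector includes +arguments, ranking the working
# directories and cPanel accounts that invoke sendmail most often.
# Usage on a live server:  sh exim_cwd_report.sh < /var/log/exim_mainlog
# Usage for a demo:        sh exim_cwd_report.sh --demo
# (the script name is hypothetical)

# Constructed sample of exim_mainlog output; not real server data.
sample_log() {
  cat <<'EOF'
2014-11-08 09:56:58 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:57:03 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2014-11-08 09:58:10 cwd=/ 3 args: /usr/sbin/exim -bd -q60m
2014-11-08 09:59:56 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 10:01:12 cwd=/home/username/public_html/scripts/sk432.php 3 args: /usr/sbin/sendmail -t -i
2014-11-08 10:02:00 1XnD0g-0001Kp-7E <= user@example.com H=localhost [127.0.0.1] P=esmtpa S=1234
EOF
}

# Sendmail invocations per working directory under /home, busiest first.
# Reads log lines on stdin; lines without cwd=/home/ (daemon starts, SMTP
# submissions) are ignored.
count_by_cwd() {
  awk 'match($0, /cwd=\/home\/[^ ]*/) { print substr($0, RSTART + 4, RLENGTH - 4) }' \
    | sort | uniq -c | sort -rn
}

# Same, aggregated per cPanel account (first path component after /home/).
count_by_account() {
  awk 'match($0, /cwd=\/home\/[^ \/]*/) { print substr($0, RSTART + 10, RLENGTH - 10) }' \
    | sort | uniq -c | sort -rn
}

# Busiest working directory: the place to look first for the offending script.
top_cwd() {
  count_by_cwd | head -n 1 | awk '{ print $2 }'
}

# PHP files under a directory modified in the last N days (default 7): a quick
# way to spot a freshly uploaded mailer once top_cwd has named the directory.
recent_php_files() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

if [ "${1:-}" = "--demo" ]; then
  echo "== sendmail invocations by cwd =="
  sample_log | count_by_cwd
  echo "== sendmail invocations by account =="
  sample_log | count_by_account
  echo "== top cwd: $(sample_log | top_cwd)"
fi
```

On a live server the cwd= lines only appear for mail submitted after Exim was restarted with the new log_selector, so let the log accumulate for a few minutes before judging the ranking; a legitimate contact form will show a handful of invocations, while a spam mailer produces hundreds from a single directory.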