Spamming is the sending of unsolicited bulk messages through a messaging system. Email spam is the best-known form, but the same abuse occurs on other platforms: instant-message spam, web search-engine spam, wiki spam, Internet forum spam, social spam and more.
Common varieties of email spam include comment spam, trackback spam, phishing, "foreign bank" (advance-fee) scams and similar. On a cPanel server the Mail Transfer Agent (MTA) is Exim, and it handles every mail delivery. Exim logs all mail activity, including messages injected by scripts running on the server, so its queue and logs are where the origin of spam can be established.
The commands below use Exim's queue and its main log to find the sending addresses, the script or directory the mail is injected from, and the client IPs driving it on a cPanel server.
Find Spammers IP
To find the IP addresses hitting a known mailer script (here a file called massmailer.php in the account's web root), count the requests per client IP in the domain's Apache access log. Replace <username> and <domainname> with the cPanel account and the domain:
# grep "massmailer.php" /home/<username>/access-logs/<domainname> | awk '{print $1}' | sort | uniq -c | sort -n
The busiest IPs appear at the bottom of the list.
Sorted List of Email Senders
Exim's queue holds the messages that have not yet been delivered, and exim -bpr prints it (-bp lists the queue; the trailing r skips the chronological sort, which is faster on a large queue). The first line of each queued message ends with the envelope sender in angle brackets, so extracting that field and counting it gives the number of queued messages per sender:
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort | uniq -c | sort -n
The output is one line per sender address, prefixed by its message count and sorted so that the heaviest sender comes last. An address with far more queued messages than the rest is the one to investigate. Treat the envelope sender as a lead rather than proof: a spam script can set any sender address, so confirm it against the cwd= entries in exim_mainlog described in the next section.
Check the Spam Originating Script
To see which script (more precisely, which directory) the spam is injected from, use the cwd= entries that Exim writes whenever a local process calls sendmail. Any of the following commands works:
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
The first two count sendmail invocations per full working directory. The third is a narrower form of the same idea: it collapses each path to the cPanel account name (the third path component of /home/<user>/...) and counts per account, which is useful when one account has scattered its mailer across several directories. The first two should produce output similar to the following:
8 cwd=/home/test1/public_html
11 cwd=/home/test2/public_html/a1/www
16 cwd=/home/test3/public_html
81 cwd=/home/test4/public_html
170 cwd=/home/test5/public_html/web
760 cwd=/home/test6/public_html/foro
802 cwd=/home/test7/public_html/web
124340 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
Find the Exact Spamming Script
The following command shows a spamming script while it is running. The e flag makes ps print each process's environment, which includes PWD, so grepping for the directory found in the previous step matches the live process:
# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head
For example,
# ps auxwwwe | grep test | grep --color=always "/home/test/public_html/wp/wp-content/themes/twentyeleven" | head
Once the script is identified, count how many times each client IP has requested it in the domain's access log. Use the script's name as it appears in the request line of the log. The IP with by far the highest count is probably the one driving the spam; block it in CSF or APF. Blocking the IP only stops the current operator, so also remove or quarantine the script and look for other recently modified PHP files in the same directory:
# grep "<script_name>" /home/<username>/access-logs/<domainname> | awk '{print $1}' | sort | uniq -c | sort -n
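The cwd= counting from the previous section and the per-IP access-log count above use the same grep / sort / uniq -c pattern. The script below, an added example that is not part of the original article, wraps both in shell functions and runs them over a constructed exim_mainlog excerpt and a constructed Apache access log, so the logic can be checked offline. Every account name, path, script name and IP address in it is made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article: the cwd= and access-log
# counting pipelines wrapped in functions and run over constructed sample
# data. Every path, account name, script name and IP address is made up.
set -eu

# Constructed exim_mainlog excerpt. cPanel's Exim configuration logs the
# working directory (cwd=) of each local sendmail invocation, which is how
# the location of a PHP mailer script ends up in the mail log.
SAMPLE_MAINLOG=$(cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/home/bob/public_html/wp/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/bob/public_html/wp/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/home/bob/public_html/wp/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 1sABCD-0001Ab-Cd <= alice@example.com U=alice P=local S=1024
2024-05-01 10:00:07 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
EOF
)

# Constructed Apache access log for one account's domain (cPanel keeps these
# under /home/<user>/access-logs/<domain>). Field 1 is the client IP.
SAMPLE_ACCESSLOG=$(cat <<'EOF'
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [01/May/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2024:10:00:04 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [01/May/2024:10:00:05 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
)

# Sendmail invocations per working directory under /home, least frequent
# first, so the busiest directory (the likely mailer script) is printed last.
# Output lines are "<count> cwd=<dir>".
cwd_counts() {          # $1 = path to exim_mainlog
    grep -o 'cwd=/home[^ ]*' "$1" | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Same data collapsed to the cPanel account (third path component of
# /home/<user>/...), most active account last. Output: "<count> <user>".
user_counts() {         # $1 = path to exim_mainlog
    grep -o 'cwd=/home/[^ ]*' "$1" | cut -d/ -f3 | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Hits on one script per client IP, busiest last. grep -F matches the name
# literally, so the '.' in mailer.php cannot match an arbitrary character.
# Output: "<count> <ip>".
script_hits_by_ip() {   # $1 = script name, $2 = path to the access log
    grep -F -- "$1" "$2" | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

main() {
    mainlog=$(mktemp); accesslog=$(mktemp)
    printf '%s\n' "$SAMPLE_MAINLOG" > "$mainlog"
    printf '%s\n' "$SAMPLE_ACCESSLOG" > "$accesslog"
    echo "== sendmail calls per directory =="; cwd_counts "$mainlog"
    echo "== sendmail calls per account =="; user_counts "$mainlog"
    echo "== mailer.php hits per client IP =="; script_hits_by_ip mailer.php "$accesslog"
    rm -f "$mainlog" "$accesslog"
}
main
```

On a real server, point the functions at /var/log/exim_mainlog and /home/<user>/access-logs/<domain> instead of the temporary files. The grep -o in cwd_counts keeps only the cwd=... token, so the line is not split into ten fields first; the result is the same count as the article's pipeline, just with fewer stages.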
Other Scripts:
If the mail is being sent from PHP, the message headers carry the path of the sending script. On cPanel servers this is the X-PHP-Script header, which typically names the script and the client IP that requested it. Search the queued messages in the Exim spool for it (recursing into the directory rather than expanding /* avoids hitting the argument-length limit on a very large queue):
# grep -R "X-PHP-Script" /var/spool/exim/input/
To list the domains making the heaviest use of the mail server, run eximstats over the main log. It reports the top 50 sources and destinations by default; -ne and -nr suppress the error and relaying sections:
# eximstats -ne -nr /var/log/exim_mainlog
To see from which user's home directory mail is currently being sent, list the running Exim processes with their environment and keep the lines that mention a home directory. This makes it easy to trace the sending account and block it if necessary:
# ps -C exim -fH ewww | grep home
List IPs Connected to the Server Through Port 25
The following command counts, per remote IP, the connections to the server that involve port 25. The "limit of 10" is a rule of thumb for a small shared server, not an Exim setting: a legitimate mail relay or a large mail provider can open more than ten connections at once, so identify the owner of the IP before blocking it in the server firewall.
# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
Two caveats: grep :25 also matches other ports beginning with 25 (such as 2525) and outbound deliveries to a remote port 25, and cut -d: truncates IPv6 addresses to their first group. On systems without netstat, ss -tn provides the same information.
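The one-liner above is quick but counts more than inbound SMTP clients. The script below is an added example, not from the original article: it reads a constructed netstat -plan excerpt (all addresses are documentation ranges, made up for the example), counts only connections whose local side is port 25, strips the port from the end of the peer address so IPv6 peers survive, and flags peers at or above a threshold you choose. The threshold value is a parameter; the article's 10 would be the production setting.

```shell
#!/bin/sh
# Added example, not from the original article: a stricter version of the
# port-25 connection count, run over a constructed netstat -plan excerpt.
# All addresses, PIDs and program names below are made up.
set -eu

SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 203.0.113.10:25         198.51.100.5:51234      ESTABLISHED 1234/exim
tcp        0      0 203.0.113.10:25         198.51.100.5:51235      ESTABLISHED 1234/exim
tcp        0      0 203.0.113.10:25         198.51.100.5:51236      ESTABLISHED 1234/exim
tcp        0      0 203.0.113.10:25         192.0.2.44:60001        ESTABLISHED 1234/exim
tcp        0      0 203.0.113.10:2525       192.0.2.44:60002        ESTABLISHED 4321/exim
tcp        0      0 203.0.113.10:48000      192.0.2.25:25           ESTABLISHED 1234/exim
tcp6       0      0 2001:db8::1:25          2001:db8::beef:40001    ESTABLISHED 1234/exim
tcp6       0      0 2001:db8::1:25          2001:db8::beef:40002    ESTABLISHED 1234/exim
EOF
)

# Inbound connections to local port 25 per remote address, busiest last.
# Compared with `grep :25 | awk '{print $5}' | cut -d: -f1`:
#  - only rows whose *local* address (field 4) ends in :25 count, so :2525,
#    outbound deliveries to a remote :25 and the LISTEN socket are excluded;
#  - the port is removed from the end of the peer address, so an IPv6 peer
#    such as 2001:db8::beef keeps its full address.
# Output lines are "<count> <peer>".
inbound_smtp_by_ip() {  # $1 = file holding netstat -plan output
    awk '$4 ~ /:25$/ && $6 != "LISTEN" { peer = $5; sub(/:[0-9*]+$/, "", peer); print peer }' "$1" \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Peers whose inbound SMTP connection count is at or above the threshold.
over_limit() {          # $1 = netstat file, $2 = threshold (connections)
    inbound_smtp_by_ip "$1" | awk -v lim="$2" '$1 >= lim {print $2}'
}

main() {
    ns=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$ns"
    echo "== inbound SMTP connections per peer =="; inbound_smtp_by_ip "$ns"
    echo "== peers at or above 3 connections (use 10 on a real server) =="; over_limit "$ns" 3
    rm -f "$ns"
}
main
```

On a live server replace the sample file with the output of netstat -plan (or ss -tnp, adjusting the field numbers to its column layout). A peer that shows up in over_limit is a candidate for a firewall block once you have confirmed it is not a legitimate relay.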
Find “nobody” Spamming Issue
If spamming is in progress and the mail is sent by the "nobody" user (PHP running under Apache's user rather than the cPanel account, so the user name alone does not identify the account), the account can still be found from the working directory of the Exim processes. Run:
# ps -C exim -fH ewww | awk '{for(i=1;i<40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
The above script should have an output similar to the one shown below if the spamming is currently running.
6 PWD=/
348 PWD=/home/sample/public_html/abc
Compare the counts next to each PWD value. A directory with a large count is the one to inspect for the mailer script. PWD=/ and the mail spool directories (/var/spool/mail, /var/spool/exim) belong to Exim's own processes and can be ignored.
If the spamming happened earlier and the processes are gone, run the same count over the mail log instead. This variant matches every cwd= entry, not only those under /home:
# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
Display the Summary of Spam Mails
To display a per-domain summary of the messages currently in the queue, run the following command (exiqsumm -c sorts the summary by message count rather than by domain name):
# exim -bpr | exiqsumm -c | head
The output looks similar to the following; volumes are in bytes unless a unit is shown:
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  -----------------
  114   171KB     24h     28m  test123domain.com
   15    28KB     36h      7m  gmail.com
    5    10KB     34h     10h  test3domain.com
    4    8192     27h      4h  yourdomain.com
    4    75KB      7m      7m  server.domain.com
    3    6041     22h     42m  test_abc.com
That is how you find the origin of spam emails in cPanel using Exim. If you need further help, please contact our support department.