Expertise level: Medium
Related information: http://iweb.com/dedicated-server
Identifying the PHP scripts that are sending mail is the first step in protecting yourself against would-be spammers. To trace a PHP script you will need root SSH access to the server, and Exim's log_selector will need to be extended (this makes Exim write additional, better-defined log entries). Next, follow these steps:
- Log into WHM as root
- Go to Service Configuration >> Exim Configuration Editor.
- Click on Advanced Editor
- Locate #!!# cPanel Exim 4 Config under the exim.conf section
- Add the following line in the text box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Then check the Exim logs:
tail -f /var/log/exim_mainlog | grep cwd
The above command filters Exim's main log for entries containing cwd=, the current working directory of the process that invoked Exim, so it shows the directory path from which emails are being sent.
Generally, if emails are sent from a script, you will see mail sent from cpaneluser_at_serverhostname.tld in the Exim logs.
If there are multiple emails in the mail queue from cpaneluser_at_serverhostname.tld, check the headers of one of those messages.
To check the headers of a queued message, use the command:
exim -Mvh Message-id
The script responsible for sending the email is named in the X-PHP-Script header, so look for that header in the output.
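The two checks above (the cwd= entries in the main log and the X-PHP-Script header from exim -Mvh) can be automated with the small helpers below. This is an added example, not part of the original article; the log lines and header dump are constructed samples, and the hostnames, paths and message ID in them are made up.

```shell
#!/bin/sh
# Added example (not from the original article): summarise which directories are
# invoking Exim, using the cwd= field that the +arguments log selector adds to
# /var/log/exim_mainlog, and pull the X-PHP-Script header out of an exim -Mvh dump.

# Reads Exim main-log lines on stdin; prints "count directory", busiest first.
top_cwd() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) print substr($i, 5) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Reads the output of "exim -Mvh <id>" on stdin; prints the X-PHP-Script value
# (the script path cPanel's PHP mail wrapper records), or nothing if absent.
php_script_from_headers() {
  awk 'match($0, /X-PHP-Script: /) { print substr($0, RSTART + RLENGTH); exit }'
}

# Constructed sample log lines in the shape Exim writes with +arguments enabled.
# Note the last line: Exim's own delivery processes run from /var/spool/exim,
# so that directory is expected noise, not a sending script.
SAMPLE_LOG='2013-05-10 12:00:01 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-05-10 12:00:01 1UaXYZ-0001Ab-Cd <= example@server.example.com U=example P=local S=1234 T="Hello" from <example@server.example.com> for victim@example.org
2013-05-10 12:00:02 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-05-10 12:00:03 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-05-10 12:00:04 cwd=/home/example/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2013-05-10 12:00:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UaXYZ-0001Ab-Cd'

# Constructed excerpt of "exim -Mvh" output (the spool file's per-header
# length/flag prefixes are approximated here).
SAMPLE_HEADERS='1UaXYZ-0001Ab-Cd-H
example 1001 1001
<example@server.example.com>
057  X-PHP-Script: server.example.com/wp-content/uploads/x.php for 203.0.113.5
035F From: "Store" <noreply@server.example.com>
019T To: victim@example.org'

# Run stand-alone against the samples.
printf '%s\n' "$SAMPLE_LOG" | top_cwd
printf '%s\n' "$SAMPLE_HEADERS" | php_script_from_headers
```

On a live server, feed top_cwd from tail -f /var/log/exim_mainlog and php_script_from_headers from exim -Mvh with a message ID taken from exim -bp, which lists the queue.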