Identifying spam sources under cPanel/exim

Expertise level: Medium

Identifying the PHP scripts that are sending mail is the first step in protecting yourself against would-be spammers, so the first task is to trace a PHP script back to its location. To do this, you will need root SSH access to the server, and the exim log selector will need to be enabled (this makes exim write extra, well-defined log entries such as the working directory of the process that submitted each message). Next, follow these steps:

  1. Log into WHM as root.
  2. Go to Service Configuration >> Exim Configuration Editor.
  3. Click on Advanced Editor.
  4. Locate #!!# cPanel Exim 4 Config under the exim.conf section.
  5. Add the following line in the text box:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Check the exim logs: 

tail -f /var/log/exim_mainlog | grep cwd

The above command follows the exim log and shows only the lines containing cwd=, which record the current working directory of the process that invoked exim, i.e. the directory path from which emails are being sent.

**Generally, if emails are sent from a script, you will see the email sent from cpaneluser_at_serverhostname.tld in the exim logs.

If you see multiple emails in the mail queue with the sender cpaneluser_at_serverhostname.tld, then you can check the headers of one of those messages.

To check email headers use command:

exim -Mvh <message-id>

To find the script that is responsible for sending the email, look for the X-PHP-Script header in that output; it names the script path that called PHP's mail function.
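The two checks above (summarising cwd= entries from exim_mainlog, and pulling X-PHP-Script out of a queued message's headers) can be scripted so that a busy server can be triaged in one pass. The following is an added example, not part of the original article or of cPanel's tooling. It runs over constructed sample data in the same shape as exim_mainlog with +arguments enabled and as the spool-format output of exim -Mvh; the file paths, account names, message IDs, hostnames and IP address in the samples are all made up, and in real use you would point the functions at /var/log/exim_mainlog and at the saved output of exim -Mvh <message-id>.

```shell
#!/bin/sh
# Added example (not from the original article): triage helpers for the
# procedure above, run over constructed sample data so it works offline.

# --- Constructed sample of exim_mainlog lines (log_selector with +arguments) ---
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:01 1rABCD-0001aa-2b <= alice@server.example.com U=alice P=local S=1523 T="Cheap meds" from <alice@server.example.com> for a1@example.net
2024-03-01 10:00:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:02 1rABCE-0001ab-3c <= alice@server.example.com U=alice P=local S=1523 T="Cheap meds" from <alice@server.example.com> for a2@example.net
2024-03-01 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:00:03 1rABCF-0001ac-4d <= alice@server.example.com U=alice P=local S=1523 T="Cheap meds" from <alice@server.example.com> for a3@example.net
2024-03-01 10:05:00 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:05:00 1rABCG-0001ad-5e <= bob@server.example.com U=bob P=local S=802 T="Order confirmation" from <bob@server.example.com> for customer@example.org
2024-03-01 10:10:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF

# --- Constructed, approximate sample of "exim -Mvh" output for one queued message ---
# Exim's spool header format prefixes each header line with a length and a flag
# character, so match on the header name rather than on the start of the line.
SAMPLE_HDR="$(mktemp)"
cat > "$SAMPLE_HDR" <<'EOF'
1rABCD-0001aa-2b-H
alice 1001 1001
<alice@server.example.com>
1709287201 0
-ident alice
-received_protocol local
-body_linecount 12
XX
1
a1@example.net

157P Received: from alice by server.example.com with local (Exim 4.96)
    (envelope-from <alice@server.example.com>)
    id 1rABCD-0001aa-2b
    for a1@example.net; Fri, 01 Mar 2024 10:00:01 +0000
018T To: a1@example.net
020  Subject: Cheap meds
079  X-PHP-Script: server.example.com/wp-content/uploads/wp-cache.php for 203.0.113.45
EOF

# top_cwd LOGFILE [N]: the N (default 5) directories that invoked exim most often.
# Exim's own queue runner appears as cwd=/var/spool/exim and is filtered out,
# since it is not a sending script.
top_cwd() {
    grep -o 'cwd=[^ ]*' "$1" | grep -v '^cwd=/var/spool/exim$' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# count_cwd LOGFILE DIR: how many times exim was invoked from exactly DIR.
count_cwd() {
    grep -Fc "cwd=$2 " "$1"
}

# cpanel_user_for_cwd DIR: cPanel account name from a /home/<user>/... path,
# which is the user you would expect to see as cpaneluser_at_serverhostname.tld.
cpanel_user_for_cwd() {
    printf '%s\n' "$1" | sed -n 's#^/home/\([^/]*\).*#\1#p'
}

# php_script_from_headers HDRFILE: value of the X-PHP-Script header, if present.
php_script_from_headers() {
    grep -o 'X-PHP-Script: .*' "$1" | sed 's/^X-PHP-Script: //'
}

echo "Top sending directories:"
top_cwd "$SAMPLE_LOG"
echo
echo "Script behind the queued message:"
php_script_from_headers "$SAMPLE_HDR"
```

On a live server the interesting output is a directory that is invoking exim far more often than the rest, especially a writable location such as an uploads or cache directory under public_html; the X-PHP-Script value from the matching queued message then points at the exact file to inspect.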
