Find the Origin of Spam Emails in cPanel Using Exim

Posted on January 20th, 2020


Spamming is the sending of unsolicited messages (spam) through a messaging system. Email spam is the most recognised form, but spamming also occurs on other platforms: instant message spam, web search-engine spam, wiki spam, Internet forum spam, social spam, and more.

Types of spam include email spam, comment spam, trackback spam, phishing spam, foreign bank spam, and more. Exim, the Mail Transfer Agent (MTA), manages email delivery on your server and logs all email activity, including mail sent by scripts.

Because Exim records all of this activity, you can use its logs and queue to trace the origin of spam emails on a cPanel server. Run the following commands to identify spammers and spam emails.


Find Spammers IP

To find the spammers or attackers IP, you can run the following command.

# grep "massmailer.php" /home/<username>/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n


Sorted List of Email Senders

The Exim mail queue stores all the emails sent by each person. To check the number of emails sent by all the users, you can run the following script.

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n


This script sorts the list of email senders and displays the output similar to the one shown below.

  1  <email address>
  3  <email address>
  5  <email address>
 29  <email address>
178  <email address>

In the above result, the address on the last line, with 178 queued messages, is sending many emails.
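The same per-sender count, written as a small reusable script that also handles an edge case the one-liner above does not: bounce messages with an empty sender (<>), which would otherwise appear as a blank line. This is an added example, not code from the original article; SAMPLE_QUEUE is constructed in the format of `exim -bpr` output.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the Exim mail
# queue per sender. SAMPLE_QUEUE below is constructed, in the layout that
# "exim -bpr" prints: header line with age, size, message id and <sender>,
# followed by one indented recipient per line and a blank line.
SAMPLE_QUEUE="$(cat <<'EOF'
 25m  1.2K 1itBxy-0004Dz-1F <spammer@test8.example.com>
          victim1@example.net
          victim2@example.org

 40m  1.1K 1itBxz-0004E0-2G <spammer@test8.example.com>
          victim3@example.net

  1h   620 1itBy0-0004E1-3H <user@test1.example.com>
          someone@example.com

 30m  3.1K 1itBy1-0004E2-4H <> *** frozen ***
          bounce@example.com
EOF
)"

# Queued messages per sender, lowest count first (same shape as the
# article's output). The sender is the <...> token on the header line;
# bounces carry an empty sender <> and are dropped by "grep .".
senders_by_count() {
    printf '%s\n' "$SAMPLE_QUEUE" | grep -o '<[^>]*>' | tr -d '<>' \
        | grep . | sort | uniq -c | sort -n
}

# Senders with at least N queued messages (N defaults to 2): these are
# the accounts to inspect first.
senders_over() {
    senders_by_count | awk -v n="${1:-2}" '$1 >= n {print $2}'
}

senders_by_count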

Check the Spam Originating Script

To check which script is originating the spam email, you can run the following scripts.

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg


Of the three commands above, the third is a narrower form of the first two: it keeps only the account name (the third component of the cwd path), so it counts per cPanel account rather than per directory. The first two commands produce output similar to the one shown below.

     8 cwd=/home/test1/public_html
    11 cwd=/home/test2/public_html/a1/www
    16 cwd=/home/test3/public_html
    81 cwd=/home/test4/public_html
   170 cwd=/home/test5/public_html/web
   760 cwd=/home/test6/public_html/foro
   802 cwd=/home/test7/public_html/web
124340 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven
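The per-directory and per-account counts above, as an added example that is not part of the original article. It extracts the cwd= token wherever it sits on the line instead of assuming it is the third field, rolls the counts up to the cPanel account, and returns the busiest directory so a threshold check can be scripted. SAMPLE_LOG is constructed in the format of /var/log/exim_mainlog.

```shell
#!/bin/sh
# Added example (not from the original article): count local mail
# submissions per working directory in an Exim main log. SAMPLE_LOG is
# constructed; in the real log a "cwd=" line precedes each message
# handed to the local sendmail interface by a script.
SAMPLE_LOG="$(cat <<'EOF'
2020-01-20 10:15:01 cwd=/home/test1/public_html 3 args: /usr/sbin/sendmail -t -i
2020-01-20 10:15:01 1itBxy-0004Dz-1F <= nobody@srv.example.com U=nobody P=local S=2048
2020-01-20 10:15:02 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2020-01-20 10:15:02 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2020-01-20 10:15:03 cwd=/home/test8/public_html/wp/wp-content/themes/twentyeleven 3 args: /usr/sbin/sendmail -t -i
2020-01-20 10:15:03 cwd=/ 2 args: /usr/sbin/exim -Mc
2020-01-20 10:15:04 cwd=/home/test2/public_html/a1/www 3 args: /usr/sbin/sendmail -t -i
EOF
)"

# Submissions per directory, highest count last (same shape as the
# article's output). grep -o finds the cwd= token at any field position
# and ignores cwd=/ entries, which come from Exim's own delivery runs.
count_by_cwd() {
    printf '%s\n' "$SAMPLE_LOG" | grep -o 'cwd=/home[^ ]*' | sort | uniq -c | sort -n
}

# The same counts rolled up to the cPanel account (third path component),
# which is what the article's third command reports.
count_by_account() {
    printf '%s\n' "$SAMPLE_LOG" | grep -o 'cwd=/home/[^/ ]*' | cut -d/ -f3 \
        | sort | uniq -c | sort -n
}

# Directory with the most submissions: the first place to inspect.
top_cwd() {
    count_by_cwd | tail -n 1 | awk '{print $2}' | sed 's/^cwd=//'
}

# Its submission count, for comparison against a local threshold.
top_cwd_count() {
    count_by_cwd | tail -n 1 | awk '{print $1}'
}

count_by_cwd
count_by_account
```

Point SAMPLE_LOG at the contents of /var/log/exim_mainlog to run it on a live server.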


Find the Exact Spamming Script

The following command shows the spamming script that is currently running, so you can identify the exact script on the mail server at any time.

# ps auxwwwe | grep <user> | grep --color=always "<location of script>" | head

For example,

# ps auxwwwe | grep test | grep --color=always "/home/test/public_html/wp/wp-content/themes/twentyeleven" | head

After you find the exact script, you can get the IP address responsible for the spamming with the following command. It lists the IP addresses along with the number of accesses to the script; the IP address with the highest number of accesses is probably the one causing the spamming. You can block that IP address in the CSF or APF firewall.

# grep "<script_name>" /home/user/access-logs/<domainname> | awk '{print $1}' | sort -n | uniq -c | sort -n


Other Scripts:

If a PHP script is being used to send mail, the following command finds that script by searching the queued messages for the X-PHP-Script header.

# egrep -R "X-PHP-Script" /var/spool/exim/input/*

To list the top 50 domains using the mail server, run the following command.

# eximstats -ne -nr /var/log/exim_mainlog

Use the command below to check from which user's home directory the mail is being sent. This makes the email easy to trace, and the account can be blocked if necessary.

# ps -C exim -fH ewww | grep home


List IPs Connected to the Server Through Port 25

Use the following command to list all the IPs connected to the server on port 25. If a particular IP exceeds the connection limit of 10, block that IP in the server firewall.

# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1


Find “nobody” Spamming Issue

If the spamming is currently in progress and you want to find the “nobody” spamming issue, then you can run the below script:

# ps -C exim -fH ewww | awk '{for(i=1;i<40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

The above command should produce output similar to the one shown below if the spamming is currently running.

  6 PWD=/
348 PWD=/home/sample/public_html/abc

Count the entries for each PWD; a directory with a large count is the one whose files you need to check. If the directory is "/" or "/var/spool/mail/var/spool/exim", you can ignore it.

If the spamming occurred some time ago, run the following command instead to find the "nobody" spamming issue.

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n


Display the Summary of Spam Mails

To display the summary of mails in the mail queue, you can run the following command.

# exim -bpr | exiqsumm -c | head

The command displays output similar to the one shown below.

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
  114   171KB     24h     28m  test123domain.com
   15    28KB     36h      7m  gmail.com
    5    10KB     34h     10h  test3domain.com
    4    8192     27h      4h  yourdomain.com
    4    75KB      7m      7m  server.domain.com
    3    6041     22h     42m  test_abc.com

So this is how you find the origin of Spam Emails in cPanel using Exim. If you need any further help, please do reach our support department.
