Find the Potential Spammer Account in cPanel/Exim

Posted on November 8th, 2018

In this tutorial we can check how to find the potential spammer account in cPanel Exim mail server.

What is Spam?

            In technical spam is an Unsolicited Commercial Email (UCE), means email messages sent to a personal machine without the prior request.


Types of Spam

1) Phishing spam

2) Foreign bank spam

3) Get rich easily and quickly spam

4) Illicitly pirated software

5) Newsgroup and forum spam


What are its Effects?

Some effects of spam

1) Fills your Inbox with a number of bounce back emails.

2) Reduces your Internet speed.

3) Steals useful information like your credit card details and contact list information.

4) Alters your search results on search engine.


What happens after the compromise?

The attacker puts a PHP file on the server that acts as part of a DDoS or a script that used to send a ton of spam. Whatever application you are using to connect to email (Outlook, Thunderbird, etc.) and use that to start spamming.

We know that someone on our server is spamming. We don’t know if it’s due to a script or if it’s because someone’s machine got attacked.


Let’s look at a command which is used to searches for all external logins

exigrep @ /var/log/exim_mainlog | grep _login | sed -n ‘s/.*_login:\(.*\)S=.*/\1/p’ | sort | uniq -c | sort -nr -k1

The above script is used to exigrep through our email log and return any line containing an @ and then sort, gives how many instances are there.


Let’s check which user/account has been hacked:

exigrep @ /var/log/exim_mainlog | grep U= | sed -n ‘s/.*U=\(.*\)S=.*/\1/p’ | sort | uniq -c | sort -nr -k1

Using this script, we got the user who is sending the most email on the system. We can analyze that this user is producing spam.


Let’s track down the script

grep “cwd=” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}’ | sort |uniq -c| grep cwd | sort -n | grep /home/

Executing this command will check the lines in the Exim log that contains the string “cwd”. It helps to find the folder where the spam is happening.


Let’s check the X-PHP-Script field

grep X-PHP-Script /var/spool/exim/input/*/*-H | awk ‘{print $3}’ | sort | uniq -c | sort -nr

This will search the active mail queue. It checks for the X-PHP-Script field in the header of the emails. This must be enabled in cPanel by default or it can be enabled in Whm. This above line gives which script sent the email.


Code Breakdown

The below line is used to find most used mailing script’s location from the Exim mail log.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’ | sort | uniq -c | sort -n


grep cwd /var/log/exim_mainlog

Use the grep command to locate string “cwd” from the Exim mail log. This stands for current working directory

grep -v /var/spool

Grep with -v is used to Invert the sense of matching, To select non-matching lines.That doesn’t show any lines that start with /var/spool. Because /var/spool is the normal Exim deliveries.

awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’

Use the awk command with the -F separator set to “cwd=”, then print out the $2nd set of data, then pipe that to the awk command again. It only prints out the $1st column, thereby we can get back the script path.

sort | uniq -c | sort -n

Filter the script paths by their name, and count them, sort them again in ascending order.


If you need any further help please do reach our support department.



Leave a Reply