How to find the source of spam emails in cPanel?

I want to find the source of spam emails in cPanel.


1 Answer

Anonymous answered 5 months ago

The most straightforward method to locate the message in your server's email logs is to retrieve the message's ID. This can be done through WHM (Web Host Manager) at Mail Queue Manager, provided the email is still in your server's mail queue. Alternatively, if you can access the email's full headers, you can also extract the message ID from there.

After obtaining the message ID, you can execute the following command to search for it:

exigrep MESSAGEID /var/log/exim_mainlog*

You should then search for one of the following lines:

A=dovecot_login:
A=dovecot_plain:

where the email address following one of those lines represents the email's actual sender. To stop the sender from sending additional emails, it's essential to reset the password for that email address promptly. As an additional precaution, consider resetting the password for the corresponding cPanel user.

If "A=dovecot_login" or "A=dovecot_plain" is not found, it may suggest that a script sent the message. In such instances, inspecting the current working directory (CWD) logged by Exim for the email submission is advisable. Examine this directory for any scripts that appear to be malicious.

grep -B1 MESSAGEID /var/log/exim_mainlog|head -1

If "A=dovecot_login:" is not present in the "<=" line of the message, and if no malicious-looking script is found in the current working directory, or if you don't have a sample message to investigate, the most effective way to identify the source of spam on your server is to elevate Exim's Log Verbosity setting. You should adjust the "log_selector" field in the advanced Exim configuration section of WHM as follows:

log_selector = +all

and then save it. After giving it some time, typically between 6 and 24 hours, proceed to execute the following command:

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

This command will generate a list of directories from which emails were sent. Your focus should be on identifying user home directories with a significant volume. Examine these directories for any mailer or spam scripts that might be misused.
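
The two checks described in the answer (authenticated logins on "<=" lines, and cwd= directories for script-sent mail), combined into one summary script. This is an added example, not part of the original answer; the function names are hypothetical, the log lines are constructed samples, and skipping /var/spool/exim is an assumption of the example.

```sh
#!/bin/sh
# Added example (not from the answer). Log lines below are constructed samples.
sample_log() {
cat <<'EOF'
2024-01-15 10:00:01 1rPaaa-0001Ab-01 <= info@example.com H=(pc) [203.0.113.5]:50001 P=esmtpsa A=dovecot_login:info@example.com S=1200 T="Invoice" for a@example.net
2024-01-15 10:00:02 1rPaab-0001Ab-02 <= info@example.com H=(pc) [203.0.113.5]:50002 P=esmtpsa A=dovecot_login:info@example.com S=1201 T="Invoice" for b@example.net
2024-01-15 10:00:03 1rPaac-0001Ab-03 <= bob@example.org H=(lap) [198.51.100.7]:40000 P=esmtpsa A=dovecot_plain:bob@example.org S=900 T="hi" for c@example.net
2024-01-15 10:00:04 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:00:04 1rPaad-0001Ab-04 <= acme@host.example.com U=acme P=local S=700 T="x A=dovecot_login:ceo@example.com" for d@example.net
2024-01-15 10:00:05 cwd=/home/acme/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:00:06 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Tally arrival ("<=") lines per authenticated login. Fields are matched by
# name, not position, and scanning stops at T=" because the subject text is
# chosen by the sender and could contain a fake A=dovecot_login: token.
auth_sender_counts() {
    awk '{
        arrival = 0; login = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^T="/) break
            if ($i == "<=") arrival = 1
            else if ($i ~ /^A=dovecot_(login|plain):/) {
                login = $i; sub(/^A=dovecot_(login|plain):/, "", login)
            }
        }
        if (arrival && login != "") n[login]++
    } END { for (l in n) print n[l], l }' "$@" | sort -k1,1nr -k2,2
}

# Tally script submissions per working directory. Skipping /var/spool/exim
# (Exim's own queue runs) is an assumption of this example.
cwd_counts() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) {
            d = substr($i, 5)
            if (d !~ /^\/var\/spool\/exim/) n[d]++
            break
        }
    } END { for (d in n) print n[d], d }' "$@" | sort -k1,1nr -k2,2
}

echo "Authenticated senders:"; sample_log | auth_sender_counts
echo "Script directories:";    sample_log | cwd_counts
```

On a server, pass the log files as arguments instead of piping the sample, for example `auth_sender_counts /var/log/exim_mainlog`.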
