1 Answer
The most straightforward method to locate the message in your server's email logs is to retrieve the message's ID. This can be done through WHM (Web Host Manager) at Mail Queue Manager, provided the email is still in your server's mail queue. Alternatively, if you can access the email's full headers, you can also extract the message ID from there.
After obtaining the message ID, you can execute the following command to search for it:
exigrep MESSAGEID /var/log/exim_mainlog*
You should then search for one of the following lines:
A=dovecot_login:
A=dovecot_plain:
where the email address following one of those lines represents the email's actual sender. To stop the sender from sending additional emails, it's essential to reset the password for that email address promptly. As an additional precaution, consider resetting the password for the corresponding cPanel user.
If "A=dovecot_login" or "A=dovecot_plain" is not found, it may suggest that a script sent the message. In such instances, inspecting the current working directory (CWD) logged by Exim for the email submission is advisable. Examine this directory for any scripts that appear to be malicious.
grep -B1 MESSAGEID /var/log/exim_mainlog | head -1
If "A=dovecot_login:" is not present in the "<=" line of the message, and if no malicious-looking script is found in the current working directory, or if you don't have a sample message to investigate, the most effective way to identify the source of spam on your server is to elevate Exim's Log Verbosity setting. You should adjust the "log_selector" field in the advanced Exim configuration section of WHM as follows:
log_selector = +all
and then save it. After giving it some time, typically between 6 to 24 hours, proceed to execute the following command:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This command will generate a list of directories from which emails were sent. Your focus should be on identifying user home directories with a significant volume. Examine these directories for any mailer or spam scripts that might be misused.
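As an added example (not part of the answer above), the following Python script performs the same triage on a constructed sample of exim_mainlog lines: for a given message ID it reports either the authenticated mailbox (A=dovecot_login/A=dovecot_plain) or, when there is none, the cwd= line logged just before the "<=" line; it also tallies submission directories the way the awk pipeline does. The sample log lines and the simplified line format are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines (not real log data).
# "cwd=" lines only appear once log_selector = +all is enabled.
SAMPLE_LOG = """\
2024-05-01 10:15:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:15:02 1sAAAA-0001Ab-Cd <= bounce@example.com U=alice P=local S=2048 id=1@example.com
2024-05-01 10:15:09 1sBBBB-0001Ac-Ef <= staff@example.com H=(host) [203.0.113.5] P=esmtpa A=dovecot_login:staff@example.com S=1337 id=2@example.com
2024-05-01 10:15:11 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:15:11 1sCCCC-0001Ad-Gh <= promo@example.com U=alice P=local S=3000 id=3@example.com
2024-05-01 10:16:00 cwd=/home/bob/mail 3 args: /usr/sbin/sendmail -t
2024-05-01 10:16:00 1sDDDD-0001Ae-Ij <= bob@example.com U=bob P=local S=400 id=4@example.com
"""

# date time MESSAGEID <= envelope-sender rest-of-line
MSGID_RE = re.compile(r"^\S+ \S+ (\S+) <= (\S+) (.*)$")
AUTH_RE = re.compile(r"\bA=(dovecot_login|dovecot_plain):(\S+)")
CWD_RE = re.compile(r"^\S+ \S+ (cwd=\S+)")

def triage_message(log_text, message_id):
    """Return how one message entered Exim: an authenticated mailbox, or the
    working directory of the local process that submitted it (script case)."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = MSGID_RE.match(line)
        if not m or m.group(1) != message_id:
            continue
        auth = AUTH_RE.search(m.group(3))
        if auth:
            # Authenticated submission: this mailbox's password is the one to reset.
            return {"method": auth.group(1), "sender": auth.group(2), "cwd": None}
        # No A=dovecot_* tag: the preceding cwd= line (what grep -B1 shows)
        # names the directory of the submitting script.
        prev = CWD_RE.match(lines[i - 1]) if i > 0 else None
        return {"method": "script", "sender": m.group(2),
                "cwd": prev.group(1)[len("cwd="):] if prev else None}
    return None

def cwd_counts(log_text):
    """Equivalent of the awk | sort | uniq -c | sort -nr pipeline:
    submission directories ordered by volume, highest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            counts[m.group(1)[len("cwd="):]] += 1
    return counts.most_common()
```

Run it against a real log with `triage_message(open("/var/log/exim_mainlog").read(), "MESSAGEID")`; a high count for a directory under a user's home (here the WordPress uploads folder) is the place to look for a dropped mailer script.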