Introduction
In this article, we will look at ways to determine how spam emails were sent from your server. This is meant to point you in the right direction; a further, more in-depth review of the server should then be performed by the systems administrator, security administrator, or the server provider.
Procedure
You will want to find the message in your server's email logs. Details on how to read and understand the exim_mainlog are available here:
Reading and Understanding the exim_mainlog
The easiest way to find the message in your server's email logs is to obtain the message's ID, which you can do at WHM » Mail Queue Manager if the email is still in your server's mail queue. You can also obtain the message ID from the email's full headers if you have those available.
Once you have obtained the message ID, you can search for it with the following command:
exigrep MESSAGEID /var/log/exim_mainlog*
You will then want to look for one of the following fields in the message's <= line:
A=dovecot_login:
A=dovecot_plain:
The email address that follows one of those fields is the actual (authenticated) sender of the email, meaning the mailbox whose credentials were used to send it. To prevent that sender from sending more emails, reset that email address's password right away, and reset the cPanel account's password as well just to be safe.
If you do not find A=dovecot_login: (or A=dovecot_plain:) in the <= line of the message, or you do not have an example message to investigate, the best way to determine where spam is being sent from on your server is to increase exim's logging verbosity. In WHM, modify the "log_selector" box of the advanced exim configuration area with this:
log_selector = +all
and then save it. Once some time has passed (usually between 6 and 24 hours), run the following command:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the directories that email was sent from, sorted by message count. Look for user home directories with a large number of messages, then check those directories for mailer or spam scripts that are being abused.
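As an added example (not part of the original article), the following Python script applies both checks above to a few constructed exim_mainlog lines: it counts messages per authenticated mailbox from the A=dovecot_login:/A=dovecot_plain: fields on <= lines, and tallies the cwd= entries that appear once log_selector = +all is in effect, the same data the awk pipeline summarizes. The log lines, addresses and paths are made up; the /home/ threshold is an assumption you would tune for your server.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (not taken from a real server).
# The "cwd=" lines only appear once log_selector = +all is in effect.
SAMPLE_LOG = """\
2024-01-10 03:12:01 1rNabc-000123-Ab <= bob@example.com H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.com S=812 T="Cheap watches"
2024-01-10 03:12:02 1rNabc-000123-Ab => spam-target@example.net R=lookuphost T=remote_smtp
2024-01-10 03:12:05 1rNabd-000124-Cd <= bob@example.com H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_plain:bob@example.com S=790 T="Cheap watches"
2024-01-10 03:13:00 1rNabe-000125-Ef <= alice@example.com H=(client) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=2048 T="Invoice"
2024-01-10 03:14:00 cwd=/home/siteuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-10 03:14:00 1rNabf-000126-Gh <= siteuser@host.example.com U=siteuser P=local S=640 T="You won"
2024-01-10 03:14:03 cwd=/home/siteuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-10 03:15:00 cwd=/root 3 args: /usr/sbin/sendmail -t -i
"""

AUTH_RE = re.compile(r"\bA=dovecot_(?:login|plain):(\S+)")
CWD_RE = re.compile(r"\bcwd=(\S+)")

def authenticated_senders(log_text):
    """Count messages per authenticated mailbox, using only '<=' (arrival) lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if " <= " not in line:
            continue
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def sending_directories(log_text):
    """Count 'cwd=' entries (the directory sendmail was invoked from), like the awk pipeline."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def suspicious_home_dirs(counts, threshold=2):
    """Home directories at or above the threshold are the ones to inspect for mailer scripts."""
    return [(d, n) for d, n in counts.most_common()
            if d.startswith("/home/") and n >= threshold]

if __name__ == "__main__":
    print(authenticated_senders(SAMPLE_LOG).most_common())
    print(suspicious_home_dirs(sending_directories(SAMPLE_LOG)))
```

On a real server you would read /var/log/exim_mainlog (and its rotated copies) instead of SAMPLE_LOG; the locally submitted message from siteuser carries no A= field, which is exactly the case where the cwd= count points you at the abused directory.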
The following link should also be helpful with preventing email abuse on your server: