Skip to main content

How to find the source of spam emails

Sean Malen
  • Updated

Introduction

This article will discuss methods for finding the origin of spam emails sent via your server. This information is for a systems administrator, security professional, or service provider to stop spam and prevent it from ever being sent.

 

Procedure

You will want to find the message in your server's email logs. The easiest way to find the message in your server's email logs is to obtain the message's ID, which you can do at "WHM / Mail Queue Manager" if the email is still in your server's mail queue. You can also obtain the message ID from the email's full headers if you have those available.

Once you have obtained the message ID, you can search for it with the following command:

exigrep MESSAGEID /var/log/exim_mainlog*

Then look for one of the following lines in the message logs:

A=dovecot_login:
A=dovecot_plain:

The email address that follows one of those lines is the actual sender of the email. To prevent that sender from sending more emails, you will want to reset that email address' password right away. For extra caution, you can also reset the cPanel user's password.

If you do not find "A=dovecot_login" or "A=dovecot_plain", this could indicate a script sent this message. In this case, you should check the current working directory (CWD) that Exim logged for the email submission. Check this directory for any malicious-looking scripts.

grep -B1 MESSAGEID /var/log/exim_mainlog|head -1

If you do not find "A=dovecot_login:" in the "<=" line of the message, and do not find a malicious-looking script in the current working directory, or you do not have an example message to investigate; the best way to determine where spam is being sent from on your server is to increase Exim's Log Verbosity setting. You will want to modify the "log_selector" box of the advanced Exim configuration area of WHM with this:

log_selector = +all

Then save the change. Once you have allowed some time to pass (usually between 6 to 24 hours), you will then want to run the following command:

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

This command will list directories that the email was sent from, in which you'd be looking for user home directories with a large number. Check these directories for any mailer/spam scripts that could be abused in those directories.

 

Additional Resources

How to Prevent Email Abuse

Where can I view the mail queue in WHM?

How to find email headers

Mail Status Probe

Related articles

Comments

0 comments

Article is closed for comments.