Introduction
This article will discuss methods for finding the origin of spam emails sent via your server. This information is for a systems administrator, security professional, or service provider to stop spam and prevent it from ever being sent.
Procedure
You will want to find the message in your server's email logs, which you can view details on how to read and understand the exim_mainlog here:
Reading and Understanding the exim_mainlog
The easiest way to find the message in your server's email logs is to obtain the message's ID, which you can do at WHM » Mail Queue Manager if the email is still in your server's mail queue. You can also obtain the message ID from the email's full headers if you have those available.
Once you have obtained the message ID, you can search for it with the following command:
exigrep MESSAGEID /var/log/exim_mainlog*
You will then want to look for one of the following lines:
A=dovecot_login:
A=dovecot_plain:
in which the email address that follows one of those lines is the actual sender of the email. To prevent that sender from sending more emails, you will want to reset that email address' password right away. For extra caution, you should also reset the cPanel user's password.
If you do not find "A=dovecot_login" or "A=dovecot_plain", this could indicate a script sent this message. In this case, you should check the current working directory (CWD) that Exim logged for the email submission. Check this directory for any malicious-looking scripts.
grep -B1 MESSAGEID /var/log/exim_mainlog|head -1
If you do not find "A=dovecot_login:" in the "<=" line of the message, and do not find a malicious-looking script in the current working directory, or you do not have an example message to investigate; the best way to determine where spam is being sent from on your server is to increase Exim's Log Verbosity setting. You will want to modify the "log_selector" box of the advanced Exim configuration area of WHM with this:
log_selector = +all
and then save it. Once you have allowed some time to pass (usually between 6 to 24 hours), you will then want to run the following command:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This command will list directories that email was sent from, in which you'd be looking for user home directories with a large number. Check these directories for any mailer/spam scripts that could be abused in those directories.
Resources
We have another guide on preventing spam:
Where can I view the mail queue in WHM?
Also, our Mail Status Probe provides helpful output, such as:
/usr/local/cpanel/3rdparty/bin/perl <(curl -s "https://raw.githubusercontent.com/CpanelInc/tech-SSE/master/msp.pl") --auth