Question
How am I able to find the source of spam emails being sent from my server?
Answer
First, find an example spam message in the server's mail logs and note its Exim message ID. If you already have the full headers of a spam message, the ID appears in the Received: header that your server added (the value following "id").
If messages are still in the server's mail queue, you can also get a message ID from the Mail Queue Manager in WHM at Home / Email / Mail Queue Manager. Alternatively, the Mail Delivery Reports tool in WHM at Home / Email / Mail Delivery Reports lets you review messages the server has already sent.
Once you have obtained a message ID, you can search for it in the Exim logs with the following command:
# exigrep MESSAGEID /var/log/exim_mainlog*
In the output, look at the message's "<=" (arrival) line for one of the following tags:
A=dovecot_login:
A=dovecot_plain:
The email address that follows the tag is the account that authenticated to send the message, so that mailbox's credentials are the ones being abused. To stop further sending, reset that email account's password right away.
For extra caution, you can also reset the password of the cPanel account that owns the mailbox.
If neither tag appears in the "<=" line, the message was most likely injected locally by a script (typically through /usr/sbin/sendmail, which Exim logs as P=local). In that case, check the current working directory (cwd) that Exim recorded for the submission; when cwd logging is enabled, it appears on a "cwd=" line immediately before the message's "<=" line:
# grep -B1 MESSAGEID /var/log/exim_mainlog|head -1
This prints the line preceding the first occurrence of the ID, which should be the directory the message was sent from. Confirm that the line really begins with cwd= (if the ID's first appearance is not its "<=" line, you will get an unrelated line), then inspect that directory for mailer or spam scripts and for recently modified or unfamiliar PHP files.
If the "<=" line carries no A=dovecot_login: tag, the working directory contains nothing suspicious, or you have no example message to work from, the most reliable way to find where spam originates is to increase Exim's logging verbosity so that every submission records its working directory. In WHM, open the Exim Configuration Manager, switch to the Advanced Editor, and set the log_selector box to:
log_selector = +all
Bear in mind that +all logs considerably more per message, so plan to restore the previous value once the investigation is finished.
After some mail has flowed under the new setting (usually 6 to 24 hours), run:
# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This lists every directory from which a message was submitted, most frequent first. Look for user home directories (for example, paths under /home/<user>/public_html) with an unusually large count, and check those directories for mailer or spam scripts that could be abused.
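The following script, added here as an example and not part of the original article, wraps the three checks above (authenticated sender on the "<=" line, the cwd= line preceding a local submission, and the per-directory submission tally) into shell functions that take a log file path, so they can be pointed at /var/log/exim_mainlog on a real host. The log lines it embeds are constructed samples that imitate the cPanel Exim log format; the message IDs, accounts, hosts and paths are invented. The cwd lookup is anchored on the message's own "<=" line rather than on its first occurrence in the log, which avoids the unrelated-line problem noted above.

```bash
#!/bin/bash
# Added example (not from the original article): triage an Exim main log for
# the spam-source indicators described in the article. All sample data below
# is CONSTRUCTED and uses reserved example domains and documentation IPs.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:00:01 1s2Abc-0001A1-2x <= sales@example.test H=(localhost) [203.0.113.5] P=esmtpa A=dovecot_login:sales@example.test S=1450 T="Cheap watches"
2024-05-01 10:00:02 1s2Abc-0001A1-2x => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.3]
2024-05-01 10:00:02 1s2Abc-0001A1-2x Completed
2024-05-01 10:00:05 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 1s2Abd-0001A2-3y <= bob@server.example.test U=bob P=local S=980 T="You won"
2024-05-01 10:00:06 1s2Abd-0001A2-3y => victim2@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.4]
2024-05-01 10:00:06 1s2Abd-0001A2-3y Completed
2024-05-01 10:00:10 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:10 1s2Abe-0001A3-4z <= bob@server.example.test U=bob P=local S=990 T="You won again"
2024-05-01 10:00:12 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:12 1s2Abf-0001A4-5a <= alice@server.example.test U=alice P=local S=700 T="Contact form"
EOF

# Print the mailbox that authenticated (A=dovecot_login: or A=dovecot_plain:)
# on the message's "<=" line; prints nothing if the message was not
# submitted over authenticated SMTP.
auth_sender() {   # usage: auth_sender MESSAGEID LOGFILE
  grep -F " $1 <= " "$2" \
    | sed -nE 's/.*A=dovecot_(login|plain):([^ ]*).*/\2/p' \
    | head -n 1
}

# Print the working directory from the cwd= line that Exim writes directly
# before the message's "<=" line. Only the preceding line is parsed, so an
# unrelated preceding line (or cwd logging being off) yields no output.
submit_cwd() {   # usage: submit_cwd MESSAGEID LOGFILE
  grep -B1 -F " $1 <= " "$2" \
    | sed -n 's/^[^ ]* [^ ]* cwd=\([^ ]*\).*/\1/p'
}

# The article's tally: submissions per working directory, busiest first,
# printed as "COUNT DIR" (the cwd= prefix is stripped for readability).
cwd_counts() {   # usage: cwd_counts LOGFILE
  awk '$3 ~ /^cwd=/ {print substr($3, 5)}' "$1" \
    | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Walk every accepted message (lines whose 4th field is "<=") and report
# which indicator explains it and what the article recommends doing.
triage_log() {   # usage: triage_log LOGFILE
  awk '$4 == "<=" {print $3}' "$1" | while read -r id; do
    sender="$(auth_sender "$id" "$1")"
    if [ -n "$sender" ]; then
      echo "$id authenticated as $sender -> reset that mailbox password"
    else
      dir="$(submit_cwd "$id" "$1")"
      echo "$id local submission from cwd ${dir:-<not logged; raise log_selector>} -> inspect for mailer scripts"
    fi
  done
}

# Demonstration run against the constructed sample log.
triage_log "$SAMPLE_LOG"
echo "--- submissions per directory ---"
cwd_counts "$SAMPLE_LOG"
```

On a live host, replace "$SAMPLE_LOG" with /var/log/exim_mainlog (or a rotated copy) and run triage_log as root; the per-directory tally only becomes meaningful once log_selector includes cwd logging, which is why the article raises verbosity before collecting it.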