The system has detected an unusually large amount of outbound email.

Comments

11 comments

  • cPRex Jurassic Moderator
    Hey there! If you use the links in that message, do you see a large amount of messages being sent from the machine? If so, the first thing to check would be if these are coming from a legitimate account that has been compromised, or a script being used to send messages.
    0
  • Muneef
    I checked webmail. I don't see any emails, but I am guessing it's running with a script.
    0
  • cPRex Jurassic Moderator
    We have some details that may help this situation in the following article:
    0
  • Muneef
    We have some details that may help this situation in the following article:
    0
  • cPRex Jurassic Moderator
    We don't usually make videos for those topics. I would just try running this command to see if it shows you anything useful: grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    0
  • Muneef
    After running it, I got this message
    0
  • cPRex Jurassic Moderator
    Great - you'll want to investigate those WordPress plugin directories to see if they really should be sending that much mail.
    0
  • Muneef
    Great - you'll want to investigate those WordPress plugin directories to see if they really should be sending that much mail.

    Okay, I will check and let you know
    0
  • seobegood
    Hi, I got a similar problem on cPanel. I have made a lot of 'tests' but I am not able to fix it, so I would like to ask the community for help. I executed the code from cPRex: grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n See attached file. So my question is: 2682 /etc/csf is the 'bad boy'? Thank you!
    0
  • seobegood
    Update, I did another command: awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr Same results, but 1 more line: 4471 cwd=/var/spool/exim
    0
  • cPRex Jurassic Moderator
    @seobegood - Notifications from CSF are just that - the notifications from their product since the beginning of the mail log. I doubt that is related to your issue. The 4471 number is just a total of all emails that Exim has sent on your server since the log started. What you're looking for is a large number next to an individual cPanel account that would explain the behavior. Can you provide us with more details on exactly what is happening with your server?
    0
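
The per-account check described in the last reply, as an added example that is not part of the original thread: it repeats the `cwd` count posted above and then rolls `/home/<user>/...` paths up per account. The sample log lines, the account names and the `/home/<user>` layout are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise exim_mainlog "cwd=" entries.
# Assumption: account files live under /home/<user>/.

# Constructed sample lines in the exim_mainlog format; not real log data.
sample_log() {
cat <<'EOF'
2024-01-10 09:00:01 cwd=/home/alice/public_html/wp-content/plugins/formplugin 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:00:02 1rNaaa-000001-AB <= alice@example.com U=alice P=local S=812
2024-01-10 09:00:05 cwd=/home/alice/public_html/wp-content/plugins/formplugin 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:00:09 cwd=/home/alice/public_html/wp-content/plugins/formplugin 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:01:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:02:00 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:03:00 cwd=/etc/csf 2 args: /usr/sbin/sendmail -t
2024-01-10 09:04:00 cwd=/etc/csf 2 args: /usr/sbin/sendmail -t
2024-01-10 09:05:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rNaaa-000001-AB
2024-01-10 09:06:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rNbbb-000002-CD
EOF
}

# Submissions per working directory, busiest first. /var/spool is skipped,
# as in the command posted in the thread.
cwd_by_dir() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) {
           d = substr($i, 5); if (d !~ /^\/var\/spool/) n[d]++ } }
       END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2
}

# The same entries rolled up per account: /home/<user>/... counts toward <user>.
# Paths outside /home (for example /etc/csf) are left out of this view.
cwd_by_account() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=\/home\//) {
           split(substr($i, 5), p, "/"); n[p[3]]++ } }
       END { for (u in n) print n[u], u }' "$1" | sort -k1,1nr -k2
}

# Use the log given as $1 if it is readable, otherwise the constructed sample.
if [ -r "${1:-}" ]; then log=$1; else log=$(mktemp); sample_log > "$log"; tmp=$log; fi
echo "Per account:";   cwd_by_account "$log"
echo "Per directory:"; cwd_by_dir "$log"
[ -z "${tmp:-}" ] || rm -f "$tmp"
```

Run it with `/var/log/exim_mainlog` as the first argument to summarise the real log instead of the sample.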
