Find the Potential Spammer Account in cPanel/Exim

In this tutorial, we will demonstrate how you can identify potential spammer accounts in cPanel’s Exim mail server.

What Constitutes Spam?

Technically, spam refers to Unsolicited Commercial Email (UCE): bulk electronic mail sent to recipients who never asked for it. On a shared hosting server the sender is often not the account owner at all, but someone using a stolen mailbox password or a script planted on a compromised website.

Types of Spam

1) Phishing spam

2) Global banking spam

3) Get rich quick spam

4) Illegally pirated software

5) Newsgroup and forum spam


What are the Consequences?

Some consequences of spam include:

1) A cluttered inbox full of bounce messages for mail the account never sent.

2) Wasted bandwidth and server resources, which slows the server for every account on it.

3) Theft of valuable information such as credit card details and contact lists.

4) Manipulation of search engine results (SEO spam).

5) The server's IP address being listed on mail blacklists, so legitimate mail from every account on the server starts bouncing.

What happens after a compromise?

There are two common patterns. In the first, the attacker uploads a PHP file to a compromised website; that script either takes part in a Distributed Denial of Service (DDoS) attack or sends spam in bulk through the server's sendmail binary. In the second, a mailbox password has been stolen (for example by malware on the owner's personal computer), and the attacker sends through Exim's authenticated SMTP from any ordinary mail client, such as Outlook or Thunderbird, or from a bot posing as one.

We become aware of the spamming activity on our server, but we do not yet know which case we are in: a script on the server, or a mailbox whose credentials were taken from someone's compromised computer. The commands below tell the two apart using the Exim log.

Let's start with a command that counts authenticated (external) SMTP logins per account:

exigrep @ /var/log/exim_mainlog | grep _login | sed -n 's/.*_login:\(.*\)S=.*/\1/p' | sort | uniq -c | sort -nr -k1

exigrep pulls every message from the mail log whose lines contain an "@". The grep keeps only the lines that carry an authenticator tag such as A=dovecot_login:user@example.com, the sed extracts the account name between "_login:" and "S=", and sort | uniq -c | sort -nr ranks the accounts by number of logins, highest first. An account at the top of this list with a count far above its neighbours, especially one whose log lines show many different client IP addresses in the [ ] field, is the classic sign of stolen mailbox credentials.

Next, let's find out which user or account is submitting the mail locally:

exigrep @ /var/log/exim_mainlog | grep U= | sed -n 's/.*U=\(.*\)S=.*/\1/p' | sort | uniq -c | sort -nr -k1

The U= field on a "<=" line records the Unix user that handed the message to Exim, so this counts messages per cPanel account for mail injected on the server itself (a PHP mail() call, for instance) rather than through an SMTP login. The user at the top of the list is sending the most mail from the system and is the likeliest source of the spam; confirm with the next two checks before suspending anything.

Let's trace down the script:

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++)print $i}' | sort | uniq -c | grep cwd | sort -n | grep /home/

Exim logs the current working directory (cwd=) of every process that invokes the sendmail binary. This command splits those log lines into fields, counts how often each value occurs, keeps only the cwd fields, sorts them by count, and finally keeps paths under /home/. The most frequent directory is where the spamming script lives; a writable location such as an uploads or tmp directory is a strong hint that the file was planted rather than part of the site.

Let's check the X-PHP-Script header:

grep X-PHP-Script /var/spool/exim/input/*/*-H | awk '{print $3}' | sort | uniq -c | sort -nr

This command searches the header files (*-H) of messages still sitting in the active mail queue and tallies the X-PHP-Script header, which PHP adds to every message sent through mail() when its mail.add_x_header directive is on; cPanel enables it by default, and it can also be turned on in WHM. The header value (the third whitespace-separated field on the grep output line) is the host and path of the script that sent the message. Note that the queue only shows mail that has not been delivered yet; the cwd check above covers mail that has already gone out.

Code Breakdown

The line below identifies the directory of the most frequently used mailing script from the Exim mail log.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

grep cwd /var/log/exim_mainlog

grep selects the lines of the Exim mail log containing "cwd", the current working directory of the process that invoked sendmail.

grep -v /var/spool

-v inverts the match, so lines containing /var/spool are dropped. Those belong to Exim's own delivery processes (cwd=/var/spool/exim), which is normal activity rather than a web script.

awk -F"cwd=" '{print $2}' | awk '{print $1}'

The first awk uses "cwd=" as the field separator and prints everything after it ($2); the second awk, with the default whitespace separator, prints only the first word of that, which is the directory path without the trailing "3 args: /usr/sbin/sendmail ..." text.

sort | uniq -c | sort -n

Sort the paths so identical ones are adjacent, count each distinct path with uniq -c, and sort the counts numerically in ascending order, so the busiest directory appears last.
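The four checks above (authenticated logins, U= users, cwd directories, X-PHP-Script in the queue) and the Code Breakdown, run end to end as one script. This is an added example, not the page's own commands and not anything shipped by cPanel or Exim: it generates a constructed exim_mainlog and constructed spool -H files in a temporary directory (hostnames, accounts, message IDs and IP addresses are all hypothetical), uses grep in place of exigrep so that it runs on a machine without Exim, and tightens the sed patterns to stop at the next space instead of at "S=". Function names such as count_auth_logins and top_cwd are this example's own.

```bash
#!/bin/sh
# Added example (not from the page): the page's four Exim triage pipelines,
# with shell quoting and awk braces restored, run against a constructed
# exim_mainlog and constructed spool header (-H) files.  grep stands in for
# exigrep; the A= and U= fields all sit on the "<=" line, so the tallies are
# the same as exigrep's per-message output would give.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/exim_mainlog"     # stands in for /var/log/exim_mainlog
SPOOL="$WORK/input"          # stands in for /var/spool/exim/input

# Constructed log (hypothetical hosts, accounts, IDs, IPs): one authenticated
# login for sales@, three for victim@ (a leaked mailbox password), two sendmail
# calls from a WordPress uploads directory, one from another site, and Exim's
# own delivery process whose cwd is under /var/spool.
cat > "$LOG" <<'EOF'
2024-05-01 10:00:01 1s0Abc-000001-AA <= sales@example.com H=(mail.example.com) [203.0.113.10] P=esmtpsa A=dovecot_login:sales@example.com S=2048 id=a1@example.com
2024-05-01 10:00:01 1s0Abc-000001-AA => bob@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.25]
2024-05-01 10:00:01 1s0Abc-000001-AA Completed
2024-05-01 10:00:05 1s0Abc-000002-AB <= victim@example.com H=(WIN-PC) [198.51.100.7] P=esmtpsa A=dovecot_login:victim@example.com S=1500 id=b1@WIN-PC
2024-05-01 10:00:06 1s0Abc-000003-AC <= victim@example.com H=(WIN-PC) [198.51.100.7] P=esmtpsa A=dovecot_login:victim@example.com S=1500 id=b2@WIN-PC
2024-05-01 10:00:07 1s0Abc-000004-AD <= victim@example.com H=(WIN-PC) [198.51.100.8] P=esmtpsa A=dovecot_login:victim@example.com S=1500 id=b3@WIN-PC
2024-05-01 10:01:00 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:01:00 1s0Abc-000005-AE <= site1@server.example.com U=site1 P=local S=900 id=c1@server.example.com
2024-05-01 10:01:01 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:01:01 1s0Abc-000006-AF <= site1@server.example.com U=site1 P=local S=900 id=c2@server.example.com
2024-05-01 10:01:30 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:01:30 1s0Abc-000007-AG <= site2@server.example.com U=site2 P=local S=700 id=d1@server.example.com
2024-05-01 10:02:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1s0Abc-000005-AE
EOF

# Constructed, abbreviated spool -H files: only the lines the X-PHP-Script
# check needs.  Real -H files carry many more fields.
write_spool_header() {  # $1 msgid  $2 split subdir  $3 script  $4 client IP
  mkdir -p "$SPOOL/$2"
  printf '%s-H\nsite1 1001 1001\n<site1@server.example.com>\nXX\n1\ntarget@example.org\n\n079  X-PHP-Script: %s for %s\n' \
    "$1" "$3" "$4" > "$SPOOL/$2/$1-H"
}
write_spool_header 1s0Abc-000005-AE c site1.example.com/wp-content/uploads/mailer.php 198.51.100.9
write_spool_header 1s0Abc-000006-AF c site1.example.com/wp-content/uploads/mailer.php 198.51.100.9
write_spool_header 1s0Abc-000007-AG c site2.example.com/contact.php 203.0.113.20

# Step 1: authenticated SMTP logins per account (A=<authenticator>_login:<user>).
count_auth_logins() {
  grep '@' "$1" | grep '_login:' | sed -n 's/.*_login:\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -nr -k1
}
# Step 2: locally submitted messages per Unix user (U=<cPanel account>).
count_local_users() {
  grep '@' "$1" | grep ' U=' | sed -n 's/.* U=\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -nr -k1
}
# Step 3 and the Code Breakdown: directory each sendmail call was made from,
# ignoring Exim's own /var/spool processes; busiest directory comes last.
count_cwd() {
  grep 'cwd=' "$1" | grep -v /var/spool | awk -F'cwd=' '{print $2}' \
    | awk '{print $1}' | sort | uniq -c | sort -n
}
# Step 4: X-PHP-Script header in queued -H files; field 3 is the script path.
count_php_scripts() {
  grep X-PHP-Script "$1"/*/*-H | awk '{print $3}' | sort | uniq -c | sort -nr
}

# Single top hit from each report, for scripting or assertions.
top_auth_login() { count_auth_logins "$1" | awk 'NR==1{print $2}'; }
top_local_user() { count_local_users "$1" | awk 'NR==1{print $2}'; }
top_cwd()        { count_cwd "$1" | tail -n 1 | awk '{print $2}'; }
top_php_script() { count_php_scripts "$1" | awk 'NR==1{print $2}'; }

echo "== authenticated logins per account =="; count_auth_logins "$LOG"
echo "== locally submitting users =="; count_local_users "$LOG"
echo "== script directories (cwd) =="; count_cwd "$LOG"
echo "== X-PHP-Script in the queue =="; count_php_scripts "$SPOOL"
```

On a real cPanel server, set LOG to /var/log/exim_mainlog and SPOOL to /var/spool/exim/input and drop the sample-generation part. In this constructed data, step 1 points at victim@example.com (stolen credentials), while steps 2 to 4 agree on the site1 account and its wp-content/uploads directory (a planted script); a real incident normally shows one pattern or the other, which is what tells you whether to reset a mailbox password or to clean a website.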

If you need any further assistance, please contact our support department.
