Catching Spammers on cPanel Servers:

Follow the steps given below to catch Spammers sending mails from scripts (
nobody emails

1. Edit /etc/exim.conf

2. On the second line add (After hostlist auth_relay_hosts = * ) :

log_selector = +address_rewrite +all_parents +arguments +connection_reject
+delay_delivery +delivery_size +dnslist_defer +incoming_interface
+incoming_port +lost_incoming_connection +queue_run +received_sender
+received_recipients +retry_defer +sender_on_delivery +size_reject
+skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error
+smtp_syntax_error +subject +tls_cipher +tls_peerdn
Make sure all that comes on a single line.

3. Save and exit.

4. Restart Exim.
A keep a watch on /var/log/exim_mainlog as you should be able to trace path
to directory from which the spammer(s) is / are spamming.

if the spammer is not spamming using formmail scripts then go through
following steps :-

1 > Get the message ID from the header of the spam. It should be in format
like 1DWJj4-00042i-74 ( this is the most important step else all thats given
below is crap )

2 > grep exim_mainlog with the message ID ( Ex : grep 1DWJj4-00042i-74
/var/log/exim_mainlog )

3 > Check the time on which the spam was sent and also check all that is
shown after grep.

4 > If you find out the domain name or path of the scripts from exim_mainlog
then go ahead and suspend the spammer, else proceed to step 5.

5 > Use this message ID to check the original message or bounced message in
/var/spool/exim/input/. You should see 2 files there, one with -D at end and
one with -H at the end. ( Ex : /var/spool/exim/input/4/1DWJj4-00042i-74-D &
/var/spool/exim/input/4/1DWJj4-00042i-74-H ) This 2 files will have all the
information that was sent in the spam message and if it was sent using
mailing list then you will catch the username of spammer in auth_sender part
of this files. If it shows nobody then its your bad luck Proceed to step 6.

6 > If exim_mainlog shows the spams originating from /tmp of the server and
check the file in /tmp of the server. wner of the file will be seen as
nobody:nobody. Take down the time of creation of file. This time is what we
need to find out who uploaded the script. You will need to convert this time
into the time format of /usr/local/apache/logs/error_log & then in the
format of the domlogs located at /usr/local/apache/domlogs/*

7 > for file in /usr/local/apache/domlogs/*; do cat $file |grep “example”;
done; ( you cannot do direct grep for the query here as it will give error
that the arguement list is too long )

8 > If the results in step 2 have shown some domain name or some username in
common as sender of the spam but now you dont see that domain name on the
server then check /var/cpanel/accounting.log to see if that account has been
terminated from the server ( Ex : grep
ebayspammer.com/var/cpanel/accounting.log )
All that we need to know is importance of /var/log/exim_mainlog,
/var/log/formmail.log, /usr/local/apache/logs/error_log,
/usr/local/apache/domlogs/*,
/var/spool/exim/input/*/* and the files uploaded in /tmp of the server.
Major spamming issues are caught using the time of sending the spam. You
will need to work on your own when you get across such issue and use your
logic to convert the time of sending the spams to the time format of
respective log files I mentioned above.
-> Files in /var/spool/exim/msglog contain logging information for each message and are named the same as the message-id.
-> Files in /var/spool/exim/input are named after the message-id, plus a suffix denoting whether it is the envelope header (-H) or message data (-D).
These directories may contain further hashed subdirectories to deal with larger mail queues, so don’t expect everything to always appear directly in the top /var/spool/exim/input or /var/spool/exim/msglog directories; any searches or greps will need to be recursive. See if there is a proper way to do what you’re doing before working directly on the spool files.

Leave a Reply