Introduction

Email spam originating from compromised websites, vulnerable scripts, or unauthorized users can negatively impact your server’s reputation and lead to IP blacklisting. On cPanel servers, Exim MTA provides detailed logging that can help administrators identify the source of spam emails. This guide explains how to enable advanced Exim logging and trace spam emails back to the responsible script, user account, or website.


Prerequisites

Before proceeding, ensure the following:

  • Root SSH access to the cPanel/WHM server.
  • Exim Mail Transfer Agent (MTA) installed and running.
  • Basic knowledge of Linux command-line operations.
  • Access to Exim configuration files and log directories.
  • A recent backup of the Exim configuration before making changes.

Procedure

Step 1: Enable Advanced Exim Logging

  1. Edit the Exim configuration file:

     vi /etc/exim.conf

  2. Locate the line:

     hostlist auth_relay_hosts = *

  3. Add the following line immediately after it (ensure it remains on a single line):

     log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

  4. Save the file and exit.

  5. Restart Exim:

     service exim restart

  6. Monitor the Exim log file:

     tail -f /var/log/exim_mainlog

Step 2: Identify the Spam Message ID

Obtain the Exim message ID from the spam email's headers; it appears in the Received: line that your server added. Example:

1DWJj4-00042i-74

This Message-ID is critical for tracing the source of the spam email.


Step 3: Search Exim Logs

Search for the Message-ID in Exim logs:

grep "1DWJj4-00042i-74" /var/log/exim_mainlog

Review:

  • Sender address
  • Recipient address
  • Delivery path
  • Script location
  • Username
  • Timestamp

Step 4: Identify the Responsible User or Script

If the log output reveals:

  • Domain name
  • cPanel username
  • PHP script path

You can immediately investigate or suspend the offending account.

Example indicators:

cwd=/home/user/public_html/

or

A=dovecot_login:user@example.com
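The lookup described in Steps 3 and 4, as an added example that is not part of the original guide: given a message ID, it pulls the U=, P= and A= tokens from the arrival ("<=") line and links the message to the cwd= line that Exim writes just before it when +arguments logging is on. It assumes a cPanel-style exim_mainlog in which that cwd= line carries no message ID of its own (so a plain grep on the ID would miss it); the log lines below are constructed sample data.

```shell
#!/bin/bash
# Added example, not part of the original guide: pull the indicators named in
# Steps 3 and 4 (U=, P=, A=, cwd=) out of exim_mainlog for one message ID.
# Assumption: cPanel-style exim_mainlog with +arguments logging, where the
# "cwd=... args:" line written for a local sendmail call immediately precedes
# the "<=" arrival line and carries no message ID of its own.

# Constructed sample log (not real traffic): one message injected by a PHP
# script running as "nobody", one sent over authenticated SMTP.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-10 14:02:11 cwd=/home/user/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-03-10 14:02:11 1DWJj4-00042i-74 <= nobody@server.example.com U=nobody P=local S=1234 T="Cheap watches" for victim@example.org
2024-03-10 14:02:12 1DWJj4-00042i-74 => victim@example.org R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.10]
2024-03-10 14:02:12 1DWJj4-00042i-74 Completed
2024-03-10 14:05:40 1DWJk7-00043a-Qz <= user@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:user@example.com S=2048 T="Hello" for friend@example.net
2024-03-10 14:05:41 1DWJk7-00043a-Qz => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.20]
2024-03-10 14:05:41 1DWJk7-00043a-Qz Completed
EOF

# Arrival ("<=") line for a message ID, with the one line before it, because
# the cwd= line has no ID and a plain grep on the ID would miss it.
arrival_context() {
    grep -B1 -- " $2 <= " "$1"
}

# Value of one key=value token (U, P, A, ...) on the arrival line; empty if absent.
field() {
    grep -- " $2 <= " "$1" | sed -n "s/.* $3=\([^ ]*\).*/\1/p"
}

# Working directory of the script that injected the message, if logged.
origin_cwd() {
    arrival_context "$1" "$2" | sed -n '1s/.* cwd=\([^ ]*\).*/\1/p'
}

# Classify the entry path: local script (with its directory) or SMTP AUTH login.
classify() {
    local log="$1" id="$2" proto auth cwd
    proto=$(field "$log" "$id" P)
    auth=$(field "$log" "$id" A)
    cwd=$(origin_cwd "$log" "$id")
    if [ "$proto" = "local" ] && [ -n "$cwd" ]; then
        echo "local-script:$cwd"
    elif [ -n "$auth" ]; then
        echo "smtp-auth:${auth#*:}"
    else
        echo "unknown"
    fi
}

# Usage against the sample; on a real server pass /var/log/exim_mainlog.
for id in 1DWJj4-00042i-74 1DWJk7-00043a-Qz; do
    echo "$id -> $(classify "$SAMPLE_LOG" "$id")"
done
```

A "local-script" result points you at the directory (and therefore the cPanel account) to inspect; an "smtp-auth" result names the mailbox whose password has most likely been phished or brute-forced and should be reset.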

Step 5: Inspect Exim Spool Files

If the logs do not clearly identify the sender:

Locate the message files:

find /var/spool/exim/input -name "*1DWJj4-00042i-74*"

You should find:

1DWJj4-00042i-74-H
1DWJj4-00042i-74-D

Where:

  • -H = Envelope/Header information
  • -D = Message body/data

Inspect them:

cat 1DWJj4-00042i-74-H
cat 1DWJj4-00042i-74-D

Look for:

auth_sender
received_from
cwd

These fields often reveal the originating account.


Step 6: Investigate “Nobody” Emails

If emails are sent as:

nobody@nobody

the spam is likely being sent through a PHP script.

Check the Exim logs for script paths:

grep nobody /var/log/exim_mainlog

If the spam originates from /tmp, inspect the files:

ls -lah /tmp

Check:

stat suspicious_file.php

Record the file creation time and correlate it with:

/usr/local/apache/logs/error_log

and

/usr/local/apache/domlogs/*

to identify the account that uploaded the script.


Step 7: Search Apache Domain Logs

Search all domain logs for suspicious activity:

for file in /usr/local/apache/domlogs/*; do
    grep -H "example" "$file"    # -H prefixes each match with the log (domain) name
done

Replace "example" with:

  • Suspicious filename
  • Upload script name
  • Known exploit pattern
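The timestamp correlation of Step 6 and the domain-log search of Step 7, as an added example that is not part of the original guide: it converts Apache combined-log timestamps to epoch seconds and prints the requests that fall within a window around a reference time, such as the mtime of a file found in /tmp. It assumes GNU date (for -d), the default combined log format in /usr/local/apache/domlogs/*, and stat -c %Y as the source of the reference time; the domlog lines below are constructed sample data.

```shell
#!/bin/bash
# Added example, not part of the original guide: correlate a suspicious file's
# timestamp (Step 6) with the Apache domain logs (Step 7) to find the request
# that planted or triggered it. Assumptions: GNU date (for -d), Apache
# combined log format in /usr/local/apache/domlogs/*, and the file's mtime
# (stat -c %Y) as the reference time.

# Constructed sample domlog (not real traffic).
SAMPLE_DOMLOG=$(mktemp)
trap 'rm -f "$SAMPLE_DOMLOG"' EXIT
cat > "$SAMPLE_DOMLOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:14:01:50 +0000] "POST /wp-content/plugins/old-uploader/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:14:01:55 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:16:30:00 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
EOF

# "10/Mar/2024:14:01:50 +0000" -> epoch seconds.
apache_ts_to_epoch() {
    local ts="$1" d rest
    d=${ts%%:*}            # 10/Mar/2024
    rest=${ts#*:}          # 14:01:50 +0000
    date -d "$(printf '%s' "$d" | awk -F/ '{print $1" "$2" "$3}') $rest" +%s
}

# Lines of log $1 whose timestamp lies within +/- $3 seconds of epoch $2.
requests_near() {
    local log="$1" ref="$2" window="$3" line ts epoch
    while IFS= read -r line; do
        ts=${line#*\[}; ts=${ts%%\]*}
        epoch=$(apache_ts_to_epoch "$ts") || continue
        if [ $((epoch - ref)) -le "$window" ] && [ $((ref - epoch)) -le "$window" ]; then
            printf '%s\n' "$line"
        fi
    done < "$log"
}

# Count of POST requests in that window: uploads and web-shell calls are POSTs.
posts_near() {
    requests_near "$1" "$2" "$3" | grep -c '"POST ' || true
}

# Usage: on a real server, REF=$(stat -c %Y /tmp/suspicious_file.php) and loop
# over /usr/local/apache/domlogs/*. Here the reference is a constructed time.
REF=$(apache_ts_to_epoch "10/Mar/2024:14:02:00 +0000")
requests_near "$SAMPLE_DOMLOG" "$REF" 15
echo "POSTs within 60s: $(posts_near "$SAMPLE_DOMLOG" "$REF" 60)"
```

Because each domlog is named after the domain it serves, the file in which the matching POST appears identifies the account, and the request path identifies the upload or web-shell endpoint that needs patching or removal.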

Step 8: Check for Recently Terminated Accounts

Sometimes the spamming account has already been removed by the time you investigate.

Search the cPanel accounting log:

grep "ebayspammer.com" /var/cpanel/accounting.log

This helps determine whether the offending account was terminated previously.


Important Log Locations

Log/File                          Purpose
/var/log/exim_mainlog             Main Exim activity log
/var/log/formmail.log             FormMail activity
/usr/local/apache/logs/error_log  Apache errors
/usr/local/apache/domlogs/*       Domain access logs
/var/spool/exim/input/*/*         Message headers and bodies
/var/spool/exim/msglog/*/*        Per-message logs
/tmp                              Temporary uploaded scripts

Useful Commands

Search recursively for a Message-ID:

find /var/spool/exim -type f | xargs grep "1DWJj4-00042i-74"

Search recent Exim activity:

grep "$(date '+%Y-%m-%d')" /var/log/exim_mainlog

Monitor live mail activity:

tail -f /var/log/exim_mainlog

Check Exim queue:

exim -bp

Conclusion

Tracking spam on a cPanel server requires analyzing Exim logs, message spool files, Apache logs, and uploaded scripts. The most effective approach is to start with the Message-ID from the spam email header and trace it through exim_mainlog. By correlating timestamps across Exim, Apache, and system logs, administrators can identify compromised scripts, vulnerable websites, or abusive user accounts and take corrective action before the server’s reputation is affected.
