Identfy spamming accounts in cPanel servers
Introduction
Identifying spamming accounts is an important part of maintaining the security and reputation of a cPanel mail server. Accounts that send an unusually high number of emails may indicate compromised credentials, vulnerable scripts, or unauthorized email activity. This guide explains how to identify accounts that have sent a large volume of emails in a day using an Exim log analysis script.
Prerequisites
- Root or sudo access to the cPanel server
- Exim is installed and running
- Access to the server via SSH
- Exim mail logs available for analysis
Implementation
Step 1
Log in to the cPanel server via SSH as the root user.
Step 2
Execute the following command to analyze the Exim mail logs and identify accounts that have sent a large number of emails during the previous day:
awk -v dt=$(date +”%Y-%m-%d” –date “$(date +”%F %T”) 1 days ago”) ‘$1~dt && $0~/ [UA]=/ && $0!~/U=(mailnull)/ {printf(“%s %s”,$1,$2); for (i=1;i<=NF;i++) if ($i~/U=/) printf(” %s”,$i); printf(“\n”)}’ /var/log/exim_mainlog | sort | uniq -c | sort -rn | awk ‘$1>50 {print}’
Step 3
Review the output.
The command displays the email accounts that have sent more than 50 emails during the previous day, along with the total number of emails sent.
Step 4
Investigate any accounts that appear to be sending an unusually high volume of emails to determine whether the activity is legitimate or the result of a compromised account or vulnerable application.
Conclusion
Regularly monitoring Exim mail logs helps identify accounts that may be generating excessive email traffic. By reviewing accounts with unusually high email activity, administrators can quickly detect potential spam sources, secure compromised accounts, and maintain the health and reputation of the mail server.
