Find SPAM senders using Exim with SSH
Exim is the message transfer agent (MTA) installed with our WHM/cPanel servers to relay email. You can investigate SPAM issues within Exim using SSH.
Follow the suggestions below to find the cause of your SPAM issue and learn how to fix it. To get started, you'll need to enable administrator access on your Gen 3 or Gen 4 server (if you haven't already done so), connect with SSH and switch to the root user.
If your server has stopped sending mail, it's likely there are email messages stuck in the email queue. You can view a summary of the Exim mail queue using:
[root@server ~]# exim -bp | exiqsumm
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
 1621   960KB      4h      5m  cooldomain.com
---------------------------------------------------------------
 1621   960KB      4h      5m  TOTAL
In our example, there are currently 1,621 messages stuck in the outgoing mail queue, all being sent to email recipients at cooldomain.com.
To examine the mail queue and generate a list of scripts that are sending mail, you can use:
Note: This command will only work if there are messages in the mail queue.
[root@server ~]# for message in $(exiqgrep -i); do exim -Mvh $message | grep "X-PHP-Script" | awk '{print $3}' >> /tmp/scriptslist.txt; done && sort /tmp/scriptslist.txt | uniq -c | sort -nr && rm -f /tmp/scriptslist.txt
   1621 coolexample.com/wp-content/uploads/2021/01/mailscript.php
The output shows that a single PHP script is responsible for the email messages in the queue.
If the mail queue is currently empty, you'll need to search the Exim mail log to determine the source of the messages. Run this command to find any PHP scripts sending mail:
[root@server ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -rn
   1646 /home/coolex/public_html/wp-content/uploads/2021/01
    112 /usr/local/cpanel/whostmgr/docroot
If emails aren't coming from a cPanel account or script, they may be coming from an email account set up on the server. High usage can show that an email account's password was compromised. Run this command to generate a list of email accounts that have been logged into and have sent mail.
[root@server ~]# grep '_login' /var/log/exim_mainlog | cut -d '_' -f2 | cut -d ":" -f2 | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{ if ($1 > 1) print $0}'
   1152 info@coolexample.com
      6 frontdesk@coolexample.com
In this case, one of the accounts is clearly responsible for a large number of messages. If you find a similar problem, reset the password of the account, advise the user that they can't send bulk email from their account, or both.
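To see how the two log searches above behave before running them on a live server, here is an added example (not part of the original article) that runs the same pipelines against a small constructed exim_mainlog; the log lines, paths, addresses and the function names are made-up sample values.

```shell
#!/bin/sh
# Added example: the article's cwd= and _login searches, wrapped in functions
# and run against a constructed sample log so the parsing can be checked offline.

SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample"
cat > "$SAMPLE_LOG" <<'EOF'
2021-01-15 10:22:31 cwd=/home/coolex/public_html/wp-content/uploads/2021/01 5 args: /usr/sbin/sendmail -t -i
2021-01-15 10:22:31 1l0AbC-0001Ab-2C <= coolex@coolexample.com U=coolex P=local S=2048
2021-01-15 10:22:32 cwd=/home/coolex/public_html/wp-content/uploads/2021/01 5 args: /usr/sbin/sendmail -t -i
2021-01-15 10:22:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1l0AbC-0001Ab-2C
2021-01-15 10:22:40 cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/sendmail -t
2021-01-15 10:23:01 1l0AbD-0001Ac-3D <= info@coolexample.com H=(host) [198.51.100.7] P=esmtpa A=dovecot_login:info@coolexample.com S=1500
2021-01-15 10:23:05 1l0AbE-0001Ad-4E <= info@coolexample.com H=(host) [198.51.100.7] P=esmtpa A=dovecot_login:info@coolexample.com S=1500
2021-01-15 10:23:09 1l0AbF-0001Ae-5F <= frontdesk@coolexample.com H=(pc) [203.0.113.9] P=esmtpa A=dovecot_login:frontdesk@coolexample.com S=900
EOF

# Count the working directory recorded on each cwd= line, skipping Exim's own
# queue-runner entries under /var/spool (the article's first log search).
top_script_dirs() {
    grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Count messages per authenticated mailbox (the article's second log search,
# without the "> 1" filter so single-message accounts are visible too).
top_auth_senders() {
    grep '_login' "$1" | cut -d '_' -f2 | cut -d ":" -f2 | awk '{print $1}' \
        | sort | uniq -c | sort -rn
}

# Return only the busiest directory / account, which is what you act on.
busiest_script_dir()  { top_script_dirs "$1"  | head -n 1 | awk '{print $2}'; }
busiest_auth_sender() { top_auth_senders "$1" | head -n 1 | awk '{print $2}'; }

top_script_dirs "$SAMPLE_LOG"
top_auth_senders "$SAMPLE_LOG"
```

Replace `$SAMPLE_LOG` with /var/log/exim_mainlog to run the same functions on a real server.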
In extreme cases, after correcting any issues, you may find that the mail queue has a large amount of SPAM still waiting to be sent along with legitimate email. In these cases you may choose to empty the email queue to allow new mail to process normally.
for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done
Related steps
- Scripts can also be the cause of SPAM. See how you can enable PHPMail logging using WHM.
- Take steps to prevent SPAM issues on your server.
- Return to review email spam issues on your server.
More info
- Our server experts can perform these steps for a fee. For more information about our Expert Services, please visit our Expert Service menu.