|
Well, there's a few ways.
First - look at the obvious. If someone is abusing one of your customer's contact/feedback forms, look at the addresses on the outgoing mail. Do they all include a recipient like 'info@oneofyourdomains.com' ? Chances are, that's your culprit because the form is also hardcoded to include your customer as a recipient.
If they are abusing some other kind of form, you might be able to do some other investigating. Issue this command - grep 'cwd=' /var/log/exim_mainlog . If your logging allows it*, you should see a great deal of output. I'd be suspicious of a lot of anything that appears to point at /home (ie here's a legitimate one from one of my customer's forms - "2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i").
Hopefully one of these two should get you some results.
* You may need to increase the logging of exim. WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Mode. In the VERY TOP box, add "log_selector = +all" (without the quotes) and save.
|