how to identify account or PHP/Perl script used for spamming?

[ShirazDindar]

Hi,

We're using the standard Exim setup on Cpanel. I'm experiencing a lot of outgoing SPAM from the nobody user, as I can see by the "view relayer" option, and in the mail queue.

Is there any way to identify which account or, better yet, which PHP/Perl CGI script is being used to send this spam? It's funny how hard it is to find this info out online. Maybe I'm just looking in the wrong places.

Our server is pretty heavily loaded and I don't want to suffer the performance hit of suexec, phpsusec or suphp.

Previously, I installed a sendmail replacement script which intercepts all sendmail access, logs the script that accesses it, and then sends it along to the actual sendmail binary, but the script was buggy and it broke my outgoing mail from all scripts, including legitimate ones.


Also, can anyone tell me if turning on the SMTP Tweak may break any legitimate script mailers?


Thank you kindly,

Shiraz

[tanfwc]

No, turning on SMTP tweak does not break anything.

You may apply this patch to check your php scripts.
http://choon.net/php-mail-header.php

[cPanelTodd]

The quickest and easiest way is to add 'log_selector = +arguments +subject' to the exim configuration. You can do this by using the Advanded exim config editor in WHM and adding that line to the first text box.

Once this is added, you can monitor /var/log/exim_mainlog. You will see where all emails are originated from. If there is a php/perl script sending spam, you will be able to find exactly what folder the script resides in.

[ShirazDindar]

Wow, both very very practical suggestions! I wish I'd asked sooner. Thanks guys.

[jayh38]

Also some very handy tools to add THanks to Chirpy...

www.configserver.com

ConfigServer Mail Queues
ConfigServer Mail Manage

cheers