bijojerome

Hello,

Please see the log below:
-----------
2013-09-18 23:11:29 [338260] cwd=/home/user21 3 args: /usr/sbin/sendmail [email protected] -t
2013-09-18 23:11:30 [338260] 1VMUeP-001Pzo-Mj <= [email protected] U=user21 P=local S=768 T="Re:See why you need a web designer's help - My Email address has changed" from <[email protected]> for [email protected]
-----------

The above account 'user21' is sending spam.

I could see there are no mail scripts in /home/user21. Also, the user does not have shell access.

How could the mails possibly be sent?

Please advise.

Thanks in advance.
 

quietFinn

I could see there is no mail scripts in /home/user21 . Also, the user does not have shell access.
Check directory /home/user21/public_html including all subdirectories.
 

cPanelMichael

Administrator
Staff member
Hello :)

Are you positive there are no files in the account's home directory or within any subdirectories beneath it with the ability to send emails? Try using the "grep" command to search for "mail" within these files to help figure out which script is responsible.

Thank you.
 

Aaron.Edwards

Yes, check for the word "mail" under the directory: /home/user21/public_html

# grep -irl 'mail' /home/user21/public_html/

There should be some spam script hidden under this directory or so.

Try the below and see whether you got a company with the "user21" on your server?

tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2}'|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5
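
The two log lines in the first post share the process id [338260]: the "cwd=" line records the working directory of the process that called sendmail, and the "<=" line records the local user it ran as. The script below is an added example, not part of any post in this thread; it joins the two on that pid and counts local submissions per user and directory. The sample log lines, addresses and the function name local_senders are constructed for illustration.

```shell
#!/bin/sh
# Added example: join Exim "cwd=" lines to the local submission ("<= ... P=local")
# logged by the same process id, then count messages per user and directory.

# Constructed sample log in the format shown in the thread (addresses are placeholders).
sample_log() {
cat <<'EOF'
2013-09-18 23:11:29 [338260] cwd=/home/user21 3 args: /usr/sbin/sendmail a@example.com -t
2013-09-18 23:11:30 [338260] 1VMUeP-001Pzo-Mj <= user21@host.example.com U=user21 P=local S=768 T="Re: sample" from <user21@host.example.com> for a@example.com
2013-09-18 23:12:01 [338301] cwd=/home/user21/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-09-18 23:12:01 [338301] 1VMUeQ-001Pzx-Aa <= user21@host.example.com U=user21 P=local S=802 T="sample two" for b@example.com
2013-09-18 23:12:05 [338344] cwd=/home/user21/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-09-18 23:12:05 [338344] 1VMUeR-001Q0b-Bc <= user21@host.example.com U=user21 P=local S=799 T="sample three" for c@example.com
2013-09-18 23:12:09 [338390] 1VMUeS-001Q1c-Cd <= sender@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2048 for user7@host.example.com
2013-09-18 23:12:30 [338402] cwd=/home/user7/public_html 3 args: /usr/sbin/sendmail -t -i
2013-09-18 23:12:30 [338402] 1VMUeT-001Q2d-De <= user7@host.example.com U=user7 P=local S=611 T="contact form" for d@example.com
EOF
}

# local_senders [FILE...]: read an Exim main log (files or stdin) and print
# "COUNT USER CWD", highest count first.
local_senders() {
    awk '
    # $3 is "[pid]"; this assumes pid logging is enabled, as in the thread.
    $4 ~ /^cwd=/ { cwd[$3] = substr($4, 5); next }
    # Locally submitted message: take the first U= field as the sending user.
    $5 == "<=" && / P=local / {
        user = "?"
        for (i = 6; i <= NF; i++)
            if ($i ~ /^U=/) { user = substr($i, 3); break }
        dir = ($3 in cwd) ? cwd[$3] : "unknown"
        count[user " " dir]++
        delete cwd[$3]
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Usage: local_senders /var/log/exim_mainlog   (or: sample_log | local_senders)
```

A directory that appears with a high count is where to look for the sending script first; a cwd equal to the home directory itself, as in the original log, means the process was not started from inside public_html.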