Emails from

[bijojerome]

Hello,

Please see the log below:
-----------
2013-09-18 23:11:29 [338260] cwd=/home/user21 3 args: /usr/sbin/sendmail [email protected] -t
2013-09-18 23:11:30 [338260] 1VMUeP-001Pzo-Mj <= [email protected] U=user21 P=local S=768 T="Re:See why you need a web designer's help - My Email address has changed" from <[email protected]> for [email protected]
-----------

The above account 'user21' is sending spams .

I could see there is no mail scripts in /home/user21 . Also, the user does not have shell access.

How could the mails possibly sent?

Please advice.

Thanks in advance.

 

[quietFinn]

I could see there is no mail scripts in /home/user21 . Also, the user does not have shell access.

Check directory /home/user21/public_html including all subdirectories.

 

[cPanelMichael]

Hello

Are you positive there are no files in the account's home directory or within any subdirectories beneath it with the ability to send emails? Try using the "grep" command to search for "mail" within these files to help figure out which script is responsible.

Thank you.

 

[Aaron.Edwards]

Yes, check for the word "mail" under the directory : /home/user21/public_html

# grep -irl 'mail' /home/user21/public_html/

There should be some spam script hidden under this directory or so.

Try the below and see whether you got a company with the "user21" on your server ?

tail -3000 /var/log/exim_mainlog |grep 'rejected RCPT' |awk '{print$4}'|awk -F\[ '{print $2}'|awk -F\] '{print $1} '|sort | uniq -c | sort -k 1 -nr | head -n 5