Exim Sending spam as root user


Aug 26, 2008

Our mail queue is filling up at a rate of 4000 emails an hour. Server is struggling, users are not able to send email as the ip of this server is blacklisted.

Huge volumes of spam coming out from our whm server. I have followed some articles on this issue with exim/cpanel and found the scripts sending the emails in user accounts and fixed them.

But we are getting a huge volume of outgoing spam from sender: [email protected] and I cannot work out how or why?

Any help appreciated.

I have installed and enabled csf and followed the csf recommendations, the outgoing spam problem is still happening.

I have enabled +all logging in exim, enabled smtp auth before pop. I have rate limited outgoing mails.


#eximstats -ne -nr /var/log/exim_mainlog

Top 50 local senders by message count
Messages Bytes Average Local sender
55424 16GB 0 root
52732 3840MB 15KB mailnull
48 57KB 1216 supportu
13 47KB 3702 kikoffco

Top 50 local senders by volume
Messages Bytes Average Local sender
55424 16GB 0 root
52732 3840MB 15KB mailnull
48 57KB 1216 supportu
13 47KB 3702 kikoffco

Exim statistics from 2013-06-09 03:06:06 to 2013-06-09 09:36:47

Grand total summary
At least one address
TOTAL Volume Messages Addresses Hosts Delayed Failed
Received 20GB 108276 55 53749 49.6% 104946 96.9%
Delivered 511MB 1882 1882 545
Rejects 495 29
Temp Rejects 13 1

Top 50 sending hosts by message count
Messages Bytes Average Sending host
108217 20GB 0 local
3 13KB 4437 mail33c50.megamailservers.eu
2 8916 4458 mail228c50.megamailservers.eu
2 7935 3967 mail56c50.megamailservers.eu
2 7868 3934 mail-oa0-f43.google.com

Message header:

Return-path: <[email protected]>
Received: from root by srv07.domain.com.au with local (Exim 4.80)
(envelope-from <[email protected]>)
id 1UlTTK-0004B4-8U
for [email protected]; Sun, 09 Jun 2013 10:27:02 +1000
From: Casino Dealer <[email protected]>
To: [email protected]

exim -bp |tail -40

0m 101K 1UlTlR-0004Na-Bd <[email protected]>
[email protected]

0m 102K 1UlTlR-0004No-G9 <>
[email protected]

0m 102K 1UlTlR-0004O1-J6 <>
[email protected]

0m 101K 1UlTlR-0004O4-KD <[email protected]>
[email protected]

0m 102K 1UlTlR-0004OP-MF <>
[email protected]

awk '$4 ~ /^cwd/{print $4}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr


151014 cwd=/var/spool/exim
51859 cwd=/tmp
48 cwd=/
24 cwd=/home/supportu/public_html/cronjobs
8 cwd=/usr/local/cpanel/whostmgr/docroot
2 cwd=/root

- - - Updated - - -

Also disabled the nobody account from sending email...

Some more info

/usr/sbin/exim -Mvh 1UlTpP-0000wy-Og |more
mailnull 47 12
1370738991 0
-ident mailnull
-received_protocol local
-body_linecount 1390
-max_received_linelength 427
[email protected]

170P Received: from mailnull by srv07.valuwebhosting.com.au with local (Exim 4.80)
id 1UlTpP-0000wy-Og
for [email protected]; Sun, 09 Jun 2013 10:49:51 +1000
041 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
071F From: Mail Delivery System <[email protected]>
037T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
060I Message-Id: <[email protected]>
038 Date: Sun, 09 Jun 2013 10:49:51 +1000


Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello :)

The following document includes some useful information on preventing email abuse:

Preventing Email Abuse

It appears you may have implemented most of these features already. There is a possibility that your server has been hacked. Have you scanned your server for exploits or investigated to see if your server has been rooted?

Thank you.