Exim Sending spam as root user

Discussion in 'E-mail Discussion' started by waddy, Jun 8, 2013.

  1. waddy

    waddy Member

    Aug 26, 2008

    Our mail queue is filling up at a rate of 4000 emails an hour. The server is struggling, and users are not able to send email as the IP of this server is blacklisted.

    Huge volumes of spam are coming out from our WHM server. I have followed some articles on this issue with Exim/cPanel and found the scripts sending the emails in user accounts and fixed them.

    But we are getting a huge volume of outgoing spam from sender: [email protected] and I cannot work out how or why?

    Any help appreciated.

    I have installed and enabled CSF and followed the CSF recommendations, but the outgoing spam problem is still happening.

    I have enabled +all logging in Exim and enabled SMTP auth before POP. I have rate limited outgoing mails.


    # eximstats -ne -nr /var/log/exim_mainlog

    Top 50 local senders by message count
    Messages Bytes Average Local sender
    55424 16GB 0 root
    52732 3840MB 15KB mailnull
    48 57KB 1216 supportu
    13 47KB 3702 kikoffco

    Top 50 local senders by volume
    Messages Bytes Average Local sender
    55424 16GB 0 root
    52732 3840MB 15KB mailnull
    48 57KB 1216 supportu
    13 47KB 3702 kikoffco

    Exim statistics from 2013-06-09 03:06:06 to 2013-06-09 09:36:47

    Grand total summary
    At least one address
    TOTAL Volume Messages Addresses Hosts Delayed Failed
    Received 20GB 108276 55 53749 49.6% 104946 96.9%
    Delivered 511MB 1882 1882 545
    Rejects 495 29
    Temp Rejects 13 1

    Top 50 sending hosts by message count
    Messages Bytes Average Sending host
    108217 20GB 0 local
    3 13KB 4437
    2 8916 4458
    2 7935 3967
    2 7868 3934

    Message header:

    Return-path: <[email protected]>
    Received: from root by with local (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1UlTTK-0004B4-8U
    for [email protected]; Sun, 09 Jun 2013 10:27:02 +1000
    From: Casino Dealer <[email protected]>
    To: [email protected]

    exim -bp |tail -40

    0m 101K 1UlTlR-0004Na-Bd <[email protected]>
    [email protected]

    0m 102K 1UlTlR-0004No-G9 <>
    [email protected]

    0m 102K 1UlTlR-0004O1-J6 <>
    [email protected]

    0m 101K 1UlTlR-0004O4-KD <[email protected]>
    [email protected]

    0m 102K 1UlTlR-0004OP-MF <>
    [email protected]

    awk '$4 ~ /^cwd/{print $4}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr


    151014 cwd=/var/spool/exim
    51859 cwd=/tmp
    48 cwd=/
    24 cwd=/home/supportu/public_html/cronjobs
    8 cwd=/usr/local/cpanel/whostmgr/docroot
    2 cwd=/root

    - - - Updated - - -

    Also disabled the nobody account from sending email...

    Some more info

    /usr/sbin/exim -Mvh 1UlTpP-0000wy-Og |more
    mailnull 47 12
    1370738991 0
    -ident mailnull
    -received_protocol local
    -body_linecount 1390
    -max_received_linelength 427
    [email protected]

    170P Received: from mailnull by with local (Exim 4.80)
    id 1UlTpP-0000wy-Og
    for [email protected]; Sun, 09 Jun 2013 10:49:51 +1000
    041 X-Failed-Recipients: [email protected]
    029 Auto-Submitted: auto-replied
    071F From: Mail Delivery System <[email protected]>
    037T To: [email protected]
    059 Subject: Mail delivery failed: returning message to sender
    060I Message-Id: <[email protected]>
    038 Date: Sun, 09 Jun 2013 10:49:51 +1000
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    Hello :)

    The following document includes some useful information on preventing email abuse:

    Preventing Email Abuse

    It appears you may have implemented most of these features already. There is a possibility that your server has been hacked. Have you scanned your server for exploits or investigated to see if your server has been rooted?

    Thank you.
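
The awk one-liner in the first post only matches `cwd=` when it is the fourth column, which holds when the pid is logged, and it does not show which command submitted the mail. The function below is an added example (not from either poster and not cPanel code) that goes a little further: it finds the field wherever it sits, copes with directories containing spaces, and groups by working directory plus submitting command, so Exim's own `-Mc` re-executions from `/var/spool/exim` separate from `sendmail` calls made in `/tmp` or a user's web root. It assumes Exim's `cwd=<dir> <n> args: ...` line layout; the sample log lines, pids, message id and account name are constructed.

```shell
#!/bin/sh
# Added example: summarise Exim "cwd=" log lines by directory and command.

# Constructed sample lines in exim_mainlog layout, with and without [pid].
sample_log() {
cat <<'EOF'
2013-06-09 10:27:01 [4021] cwd=/tmp 4 args: /usr/sbin/sendmail -t -i -froot
2013-06-09 10:27:02 [4022] cwd=/tmp 4 args: /usr/sbin/sendmail -t -i -froot
2013-06-09 10:27:02 [4023] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAA-000001-AA
2013-06-09 10:27:03 cwd=/home/exampleu/public_html/my site 3 args: /usr/sbin/sendmail -t -i
2013-06-09 10:27:04 [4025] 1AAAAA-000001-AA <= root@host.example U=root P=local S=1024
EOF
}

# cwd_summary [FILE...]: prints "count<TAB>cwd<TAB>program first-option",
# highest count first. Reads stdin when no file is given.
cwd_summary() {
  awk '
    {
      c = 0; a = 0
      for (i = 3; i <= NF; i++) {
        if (!c && $i ~ /^cwd=/) c = i             # works with or without [pid]
        if (c && $i == "args:") { a = i; break }
      }
      if (!c || !a) next                          # not a cwd/args line
      dir = substr($c, 5)                         # strip the "cwd=" prefix
      for (i = c + 1; i < a - 1; i++) dir = dir " " $i   # directory with spaces
      cmd = $(a + 1)                              # program that was executed
      if (a + 2 <= NF) cmd = cmd " " $(a + 2)     # plus its first option
      n[dir "\t" cmd]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_log | cwd_summary
```

On a live server the call would be `cwd_summary /var/log/exim_mainlog`, using the log path from the first post.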