Help Interpreting Exim Queue

C4talyst

Well-Known Member
Jun 21, 2008
I have a cPanel server with around 300 sites on it. Recently, spammers were able to upload PHP files to an unpatched WordPress site and send emails. I caught it when we landed on a blacklist. I've patched/cleaned the site in question, and while working on this I noticed the following output from the command 'exim -bp | exiqsumm':

-- begin snip --

Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
- Spam Domains List Removed -

-- end snip --

I don't understand what this output represents. None of these domains are hosted on my server. Are these spam/bounces that are incoming to my users, or, does this indicate another possible vulnerability issue where our server is sending outbound spam? A huge thank you to anyone who can help.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I don't understand what this output represents.
Hello :)

The command you are running is providing you a summary of the existing messages in your mail queue. You can open your mail queue from Web Host Manager and review the individual messages if you want to get a better idea of the type of messages and where they come from.

Thank you.
 

C4talyst

Well-Known Member
Jun 21, 2008
Thank you for pointing me there. I can see that I have many emails queued up to go out from [System] to unusual addresses...would this likely indicate that I still have some "issues" to resolve?
 

C4talyst

Well-Known Member
Jun 21, 2008
Thank you for pointing me there. I can see that I have many emails queued up to go out from [System] to unusual addresses...would this likely indicate that I still have some "issues" to resolve?
Actually, I'm wondering now if this represents a bounce being sent out to someone that was sending spam to our users...after looking at the message headers.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Yes, it's likely a bounce sent to a non-existent user. You should be able to remove these messages from the queue to avoid the automatic retry attempts.

Thank you.
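The two questions in this thread (what `exim -bp | exiqsumm` is summarizing, and how to tell queued bounces apart from mail a compromised site or local user is sending) can be answered from the raw `exim -bp` listing itself. The following is an added example, not code from the thread, cPanel or the Exim project: it parses a constructed `exim -bp` sample, classifies each message by its envelope sender (an empty sender `<>` is the mark of a bounce Exim generated), rebuilds the per-domain count/volume table that `exiqsumm` prints, and lists the message IDs you would hand to `exim -Mrm`. The queue text and the `hosted.example` local domain are assumptions made for the example.

```python
"""Parse an `exim -bp` listing, separate queued bounces from mail sent by local
or system senders, and summarize per recipient domain the way exiqsumm does.

Added example for this thread; not code from cPanel or the Exim project.
The queue text below is constructed, not taken from the original post."""
import re
from collections import Counter

# Constructed sample of `exim -bp` output: age, size, message ID, envelope sender,
# optional "*** frozen ***", then one indented line per recipient ("D" = already delivered).
SAMPLE_QUEUE = """\
 25m  1.2K 1aBcDe-000123-Ab <>
          nosuchuser@spam-example.org

  2h  3.4K 1aBcDf-000124-Cd <> *** frozen ***
          postmaster@spam-example.net

 10m   812 1aBcDg-000125-Ef <bob@hosted.example>
          friend@example.com
        D colleague@example.com

  5m   45K 1aBcDh-000126-Gh <www-data@server.example>
          victim1@spam-example.org
          victim2@spam-example.net
"""

# Domains hosted on this server (assumed for the example).
LOCAL_DOMAINS = {"hosted.example"}

HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+-\S+-\S+)\s+<([^>]*)>(.*)$")
RCPT_RE = re.compile(r"^\s+(D\s+)?(\S+@\S+)\s*$")
SIZE_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Turn exim's human-readable size (812, 1.2K, 45K, 2M) into bytes."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    if not m:
        raise ValueError("unrecognised size field: %r" % text)
    return int(float(m.group(1)) * SIZE_UNITS.get(m.group(2), 1))


def parse_queue(text):
    """Return one dict per queued message: id, age, size, sender, frozen flag, recipients."""
    messages, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            age, size, msg_id, sender, rest = m.groups()
            current = {"id": msg_id, "age": age, "size": parse_size(size),
                       "sender": sender, "frozen": "frozen" in rest, "recipients": []}
            messages.append(current)
            continue
        r = RCPT_RE.match(line)
        if r and current is not None:
            # (address, already_delivered)
            current["recipients"].append((r.group(2), r.group(1) is not None))
    return messages


def classify(msg, local_domains=LOCAL_DOMAINS):
    """'bounce' : empty envelope sender <>, i.e. a delivery failure report this server generated
       'local'  : envelope sender in a domain hosted here (a mailbox, or a script using its address)
       'system' : anything else, e.g. the web-server user on the box itself"""
    if msg["sender"] == "":
        return "bounce"
    domain = msg["sender"].rpartition("@")[2].lower()
    return "local" if domain in local_domains else "system"


def summarize_by_domain(messages):
    """exiqsumm-style {recipient domain: (count, volume in bytes)} over undelivered recipients."""
    count, volume = Counter(), Counter()
    for msg in messages:
        domains = {addr.rpartition("@")[2].lower()
                   for addr, delivered in msg["recipients"] if not delivered}
        for d in domains:
            count[d] += 1
            volume[d] += msg["size"]
    return {d: (count[d], volume[d]) for d in count}


def ids_by_class(messages, local_domains=LOCAL_DOMAINS):
    """Group message IDs by class; the 'bounce' list is what you would pass to `exim -Mrm`."""
    groups = {"bounce": [], "local": [], "system": []}
    for msg in messages:
        groups[classify(msg, local_domains)].append(msg["id"])
    return groups


if __name__ == "__main__":
    queue = parse_queue(SAMPLE_QUEUE)
    for domain, (n, vol) in sorted(summarize_by_domain(queue).items()):
        print("%5d %8d  %s" % (n, vol, domain))
    for cls, ids in ids_by_class(queue).items():
        print(cls, ids)
```

On a live server, feed the real listing to `parse_queue` (for example `parse_queue(subprocess.run(["exim", "-bp"], capture_output=True, text=True).stdout)`). Messages in the `bounce` group are the ones the thread ends up discussing and can be removed with `exim -Mrm <id> ...`; Exim's own `exiqgrep -i -f '^<>$'` selects the same set without any parsing. Messages in the `system` group deserve a look before deleting anything: a queue full of mail from the web-server user to addresses nobody here knows is what a still-active PHP mailer looks like. And if most of the bounces are addressed to non-existent users, the server is accepting mail for those users at SMTP time and bouncing it afterwards, which is worth fixing in its own right, since those bounces land on other people's spam traps.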