HELP : My server emails sending too many spam

Operating System & Version
CentOS 7
cPanel & WHM Version
v100.0.9

muwicaksono

Hello, I've got spam mails from my server and it keeps so many emails held in the mail queue. When I checked the IP reputation, it turned out to be blacklisted by SORBS and the Outlook filter too.
 

andrew.n

You should look into the headers of the mails and see which account is sending those.
 

cPRex

Jurassic Moderator
Staff member
If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam:

Code:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications.
 

quietFinn

In my experience, the first thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server.
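
An added example, not part of any post in this thread: one way to separate the two cases from the same log the `cwd` command reads. It assumes Exim arrival lines (`<=`) carrying `U=`/`P=local` for locally generated mail and `A=authenticator:id` for authenticated SMTP; the function names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: split Exim arrival lines ("<=") into mail sent FROM the
# server (P=local, U=<user>) and mail sent THROUGH it (A=<authenticator>:<id>).

classify_exim_senders() {   # hypothetical helper; reads log files or stdin
  awk '
    {
      pos = 0               # find the "<=" marker; skip all other lines
      for (i = 3; i <= 6 && i <= NF; i++) if ($i == "<=") { pos = i; break }
      if (!pos) next
      auth = ""; user = ""; proto = ""
      for (i = pos + 2; i <= NF; i++) {
        # T= is the sender-controlled subject: stop there so text inside
        # a subject cannot pose as an A= or U= field.
        if ($i ~ /^T=/) break
        if ($i ~ /^A=/) auth  = substr($i, 3)
        if ($i ~ /^U=/) user  = substr($i, 3)
        if ($i ~ /^P=/) proto = substr($i, 3)
      }
      if (auth != "") {
        sub(/^[^:]*:/, "", auth)          # drop the authenticator name
        count["AUTH_RELAY " auth]++       # SMTP login: check that mailbox
      } else if (proto == "local" && user != "") {
        count["LOCAL_RELAY " user]++      # local script/cron: check cwd=
      }
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

sample_log() {              # constructed log lines, not from a real server
  cat <<'EOF'
2023-01-07 10:00:01 cwd=/home/account1/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-07 10:00:01 1pE0aa-0001Ab-01 <= account1@server.example.com U=account1 P=local S=812 T="Invoice" for a@example.net
2023-01-07 10:00:02 1pE0aa-0001Ab-02 <= account1@server.example.com U=account1 P=local S=815 T="Invoice" for b@example.net
2023-01-07 10:00:03 1pE0aa-0001Ab-03 <= info@example.org H=(pc) [203.0.113.9]:50112 P=esmtpsa CV=no A=dovecot_login:info@example.org S=900 T="Hi" for c@example.net
2023-01-07 10:00:04 1pE0aa-0001Ab-04 <= info@example.org H=(pc) [203.0.113.9]:50113 P=esmtpsa CV=no A=dovecot_login:info@example.org S=901 T="Hi" for d@example.net
2023-01-07 10:00:05 1pE0aa-0001Ab-05 <= info@example.org H=(pc) [203.0.113.9]:50114 P=esmtpsa CV=no A=dovecot_login:info@example.org S=902 T="Hi" for e@example.net
2023-01-07 10:00:06 1pE0aa-0001Ab-06 <= someone@example.net H=mail.example.net [198.51.100.7]:25 P=esmtps S=1200 T="A=dovecot_login:fake U=root" for account1@server.example.com
2023-01-07 10:00:07 1pE0aa-0001Ab-03 => c@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [198.51.100.20] C="250 OK"
EOF
}

sample_log | classify_exim_senders
```

On a live server the function would be pointed at the log instead, e.g. `classify_exim_senders /var/log/exim_mainlog`. A high AUTH_RELAY count points at a mailbox login to review, while a high LOCAL_RELAY count points back to the `cwd=` directories for that user.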
 

jana-its

quietFinn said: "In my experience, the first thing to do is to find out if the emails are LOCAL RELAY or AUTH RELAY, i.e. if the emails are sent FROM the server or THROUGH the server."

Hello, I have spam through the server, and my firewall and Exim stopped the sender. How can I catch the spammer or the exploit? I use ImunifyAV and no malware was found.
 

martin MHC

cPRex said:
"If you're familiar with SSH, you can run this command to scan the mail logs and see if any directories are sending spam:

That will give you a list, sorted by the number of emails sent from that location. Just make sure to ignore common areas, like CSF or system notifications."

@cPRex I have done this for our own issue of suspecting that spam is being sent from the server to accounts on the server. The results are as follows:

1 /home/account1
1 /home/account2
1 /root
388 /etc/csf
392 /

My query is this:

Should "/" be sending any sort of emails?
Should "/root" be sending any sort of emails?

Does the location indicate the file that is sending the emails rests in that directory? For instance, how would I go about sourcing the cause code of the 392 emails from "/" if it's not an expected sender?

Thank you.
 

cPRex

Jurassic Moderator
Staff member
Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent.

Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that.
 

martin MHC

cPRex said:
"Sure, / is just giving you the total number. /root is a bit odd as I don't see that one come up often. And yes, the location listed indicates something in that directory triggered the message to be sent.

Remember, we're trying to track down spam that's getting your server IP flagged at a provider or otherwise hurting your reputation. One email isn't going to do that."

Oh, of course. Because it didn't add up, I didn't think it was a sum value! Awesome, thanks.