How to find out where spam is coming from with EXIM?

JakWillis

Registered
I've tracked down the user which was sending out spam but I am wondering how can I determine where the script is that is doing it?

I ran a scan looking for the mail() function but found nothing. maldet also found nothing.

Can I add something to PHP and/or EXIM to better track down where the script location is?
 

cPanelMichael

Administrator
Staff member
No, unless you are enabling an additional PHP module or changing Apache/PHP modules or versions.

Thank you.
 

John

Active Member
Try using the method below.

Edit /usr/local/lib/php.ini and add the lines below:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

Then create a file called /var/log/phpmail.log, give it full permission or exim user permission, and restart Apache:
touch /var/log/phpmail.log
chmod 777 /var/log/phpmail.log
service httpd restart

You can find the exact PHP script that is creating the spam mails in "/var/log/phpmail.log" (it will also log all mails sent using the PHP mail function).

ref: http://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/
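Added example, not part of the posts above: once the log from the previous reply is filling up, a tally per calling script shows which file to inspect first. It assumes PHP's usual mail.log line shape, `[timestamp] mail() on [/path/script.php:LINE]: To: addr -- Headers: ...`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a PHP mail.log by calling script.
# Output columns (tab separated): mail() calls, distinct recipients, script.

# Constructed sample log lines (not taken from a real server).
sample_mail_log() {
cat <<'EOF'
[01-Oct-2014 10:00:01 UTC] mail() on [/home/user1/public_html/contact.php:42]: To: owner@example.com -- Headers: From: site@example.com
[01-Oct-2014 10:00:05 UTC] mail() on [/home/user1/public_html/images/cache.php(3) : eval()'d code:1]: To: a@example.net -- Headers: X-Mailer: x
[01-Oct-2014 10:00:06 UTC] mail() on [/home/user1/public_html/images/cache.php(3) : eval()'d code:1]: To: b@example.net -- Headers: X-Mailer: x
[01-Oct-2014 10:00:07 UTC] mail() on [/home/user1/public_html/images/cache.php(3) : eval()'d code:1]: To: b@example.net -- Headers: X-Mailer: x
EOF
}

# Reads the log files given as arguments, or stdin when none are given.
mail_log_top_scripts() {
    awk '
    {
        s = index($0, "mail() on [")
        if (s == 0) next                      # not a mail() log line
        rest = substr($0, s + 11)
        e = index(rest, "]: To: ")
        if (e == 0) next
        loc = substr(rest, 1, e - 1)          # e.g. /path/script.php:42
        sub(/:[0-9]+$/, "", loc)              # drop the line number
        to = substr(rest, e + 7)
        h = index(to, " -- Headers: ")
        if (h > 0) to = substr(to, 1, h - 1)  # keep only the recipient
        calls[loc]++
        if (!((loc, to) in seen)) { seen[loc, to] = 1; rcpts[loc]++ }
    }
    END { for (l in calls) printf "%d\t%d\t%s\n", calls[l], rcpts[l], l }
    ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Demo on the constructed sample; on a server: mail_log_top_scripts /var/log/phpmail.log
sample_mail_log | mail_log_top_scripts
```

A script path ending in `eval()'d code`, or one sitting in an upload or image directory, deserves the first look. Since a log with mode 777 can be edited by any local account, confirm the result against the Exim log before acting on it.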