How to findout where spam is coming from with EXIM?

[JakWillis]

I've tracked down the user which was sending out spam but I am wondering how can I determine where the script is that is doing it?

I ran a scan looking for the mail() function but found nothing. maldet also found nothing.

Can I add something to PHP and/or EXIM to better track down where the script location is?

 

[cPanelMichael]

Hello

You may find this thread helpful:

Mail Sent From Script

Thank you.

 

[JakWillis]

Do I need to recompile apache or php or anything? I am running php 5 with suphp

 

[cPanelMichael]

No, unless you are enabling an additional PHP module or changing Apache/PHP modules or versions.

Thank you.

 

[John]

Try using below method,

Edit /usr/local/lib/php.ini and add below lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

And create a file called /var/log/phpmail.log , give full permission or exim user permission then restart Apache
touch /var/log/phpmail.log
chmod 777 /var/log/phpmail.log
service httpd restart

You can find the exact php script from "/var/log/phpmail.log", creating spam mails (it will also log all mails send using php mail function)

ref: /http://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/