so i've just started noticing today that i'm getting a large amount of spam emails sent from domains on my machine, all of them. the users they're supposedly sending mail from do not exist. need some help with this, getting blacklisted everywhere.. i've followed all the best practices for setting up courier/exim.
"from" address can be spoofed. Likely it's a PHP script running on the domain and your web app is hacked.
Code:
grep 'SUBJECT LINE' /var/log/exim_mainlog | head -n 20
You can also grep message_id if you have it. That's usually better. Get a message ID from exim -bp or the mail queue manager in WHM.
If that grep returns lines that have P=esmtpa courier_auth:[email protected], then the spammer is indeed using an SMTP login, and the [email protected] is the actual username/password being used.
If you see P=local U=nobody (or U=some_cp_username) then it's a PHP script sending the spam, or some local running process. You'll need to take one of the exim message IDs and run this
Code:
grep -B3 "$MESSAGE_ID" /var/log/exim_mainlog | grep cwd
This will tell you what folder the PHP script is in that is sending the spam. Good luck.
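The triage steps in the reply above (check the P= field of the message's arrival line, then either read the authenticated login or pull the cwd= line that precedes a local injection) as one small shell helper. This is an added example, not code from either poster: the log lines it works on are constructed samples modelled on exim mainlog "<=" arrival lines and cPanel's cwd= wrapper lines, and the message IDs, usernames, paths and the courier_auth authenticator name are made up for illustration.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Given an exim message ID, report
# how the message entered the queue using the same P= / U= / A= / cwd= fields
# the reply above greps for.
#
# CONSTRUCTED sample log: IDs, addresses, hosts and paths are invented.
LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
cat > "$LOG" <<'EOF'
2024-01-10 09:15:01 cwd=/home/webuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:15:01 1rNaaa-0001Ab-Cd <= bogus-user@example.com U=nobody P=local S=2310 T="You won" from <bogus-user@example.com> for victim@example.net
2024-01-10 09:15:02 1rNaaa-0001Ab-Cd => victim@example.net R=dkim_lookuphost T=dkim_remote_smtp
2024-01-10 09:16:40 1rNbbb-0002Cd-Ef <= fake@example.com H=(client) [192.0.2.10] P=esmtpa A=courier_auth:info@example.com S=1980 T="Invoice"
EOF

# classify_message LOGFILE MESSAGE_ID
# Prints one of:
#   smtp-auth:<login>    injected over authenticated SMTP (a mailbox password is in use)
#   local:<U>:<cwd>      handed to exim by a local process (U= user, cwd= of the caller)
#   unknown              no arrival line found for that ID (exit status 1)
classify_message() {
    log="$1"; id="$2"
    # The "<=" record is the arrival line for this message ID.
    arrival=$(grep -F " $id <= " "$log" | head -n 1)
    [ -n "$arrival" ] || { echo "unknown"; return 1; }
    proto=$(printf '%s\n' "$arrival" | sed -n 's/.* P=\([^ ]*\).*/\1/p')
    case "$proto" in
        esmtpa|esmtpsa)
            # A=<authenticator>:<login> names the account whose credentials were used.
            login=$(printf '%s\n' "$arrival" | sed -n 's/.* A=[^:]*:\([^ ]*\).*/\1/p')
            echo "smtp-auth:${login:-?}"
            ;;
        local)
            user=$(printf '%s\n' "$arrival" | sed -n 's/.* U=\([^ ]*\).*/\1/p')
            # The cwd= line written by the sendmail wrapper sits just before the
            # arrival line, which is why the reply greps with -B3.
            cwd=$(grep -F -B3 " $id <= " "$log" | sed -n 's/.* cwd=\([^ ]*\).*/\1/p' | tail -n 1)
            echo "local:${user:-?}:${cwd:-?}"
            ;;
        *) echo "unknown" ;;
    esac
}

# Usage: classify_message /var/log/exim_mainlog <message-id>
classify_message "$LOG" 1rNaaa-0001Ab-Cd   # local:nobody:/home/webuser/public_html/wp-content/uploads
classify_message "$LOG" 1rNbbb-0002Cd-Ef   # smtp-auth:info@example.com
```

On a busy server the three lines before an arrival record can belong to a neighbouring message, so check that the cwd= line carries the same timestamp before acting on the path; the script takes the last cwd= line in that window for the same reason. A "local" result points at a directory to inspect for the script doing the sending, a "smtp-auth" result means the named mailbox's password should be reset, and either way the queue still needs clearing afterwards.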