I have a shared server, for which I'm the admin. One of the clients has a virus, and according to "Mail Relayers" is sending about 1,400 spam/virus emails a day.
I need to track down which email account is the one sending the viruses. In the "Mail Relayers" list, I see a Message ID field, but a search for this ID in /var/log/maillog doesn't find anything. What does this ID correspond to?
I used rkhunter and ClamAV to confirm that the virus isn't on the server. I'm using CSF to block most foreign IPs, but since these emails are actually originating from the local user, this doesn't seem to have any impact.
I also added this to the end of cpanel_exim_system_filter so that I could track all outgoing emails through the server, and while it has copied emails correctly, I haven't caught any of those being shown in Mail Relayers:
# where example.com represents the actual domain
if first_delivery
and ("$h_from:" contains "example.com")
then
unseen deliver "[email protected]"
endif
#
Any other suggestions on how I might find the offending email account?
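One approach to the attribution problem in the question is to work from Exim's main log rather than from the filter copies. This is an added example, not code from the question or from cPanel: it parses constructed lines in Exim main-log format, counts message arrivals per authenticated SMTP account (the `A=` tag, e.g. `dovecot_login:user@domain`) or per local Unix user (the `U=` tag, for mail injected by a script or the sendmail binary), and looks a message up by either Exim's queue ID (the `XXXXXX-YYYYYY-ZZ` token) or the RFC Message-ID carried in the `id=` field. It assumes the log lives at `/var/log/exim_mainlog` (the cPanel location, an assumption here) and that the ID shown in Mail Relayers is one of those two identifiers; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in Exim main-log format (cPanel's copy is assumed to be
# /var/log/exim_mainlog). These are NOT lines from the question's server.
SAMPLE_LOG = """\
2023-05-01 10:00:01 1pABCd-000123-Ab <= alice@example.com H=(home-pc) [192.0.2.10] P=esmtpsa X=TLS1.2 A=dovecot_login:alice@example.com S=1200 id=a1@home-pc
2023-05-01 10:00:02 1pABCd-000123-Ab => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2023-05-01 10:00:02 1pABCd-000123-Ab Completed
2023-05-01 10:00:05 1pABCe-000124-Cd <= mallory@example.com H=(win-pc) [198.51.100.7] P=esmtpa A=dovecot_login:mallory@example.com S=3400 id=x1@win-pc
2023-05-01 10:00:06 1pABCf-000125-Ef <= mallory@example.com H=(win-pc) [198.51.100.7] P=esmtpa A=dovecot_login:mallory@example.com S=3410 id=x2@win-pc
2023-05-01 10:00:09 1pABCg-000126-Gh <= nobody@srv.example.com U=mallory P=local S=800 id=s1@srv.example.com
"""

# Arrival ("<=") lines: timestamp, Exim queue ID, envelope sender, then key=value tags.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<exim_id>\w{6}-\w{6}-\w{2}) <= (?P<envelope>\S+)(?P<rest>.*)$"
)


def parse_arrivals(log_text):
    """Return one dict per message arrival line; delivery ('=>') and
    'Completed' lines are skipped because only arrivals name the submitter."""
    records = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        fields, client_ip = {}, None
        for tok in m.group("rest").split():
            if tok.startswith("[") and tok.endswith("]"):
                client_ip = tok[1:-1]          # connecting client address
            elif "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
        auth = fields.get("A")
        if auth and ":" in auth:
            account = auth.split(":", 1)[1]    # SMTP-authenticated mailbox
        elif "U" in fields:
            account = "local:" + fields["U"]   # injected locally by this Unix user
        else:
            account = "unauthenticated"
        records.append({
            "timestamp": m.group("ts"),
            "exim_id": m.group("exim_id"),
            "envelope_from": m.group("envelope"),
            "account": account,
            "client_ip": client_ip,
            "message_id": fields.get("id"),
        })
    return records


def count_by_account(records):
    """Messages submitted per account; the top entry is the one to inspect first."""
    return Counter(r["account"] for r in records)


def find_message(records, needle):
    """Look a message up by either its Exim queue ID or its RFC Message-ID."""
    for r in records:
        if needle in (r["exim_id"], r["message_id"]):
            return r
    return None


if __name__ == "__main__":
    recs = parse_arrivals(SAMPLE_LOG)
    for account, n in count_by_account(recs).most_common():
        print(f"{n:5d}  {account}")
    print(find_message(recs, "1pABCe-000124-Cd"))
```

To run it against a real server, replace `SAMPLE_LOG` with the contents of the Exim main log; the account with the highest arrival count, together with the `client_ip` on its lines, identifies the mailbox whose password (or whose local script) is being used to submit the mail, and the `find_message` lookup tells you whether the ID from Mail Relayers is a queue ID or a Message-ID.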