Understanding "-remote- sender"

driansmith

I seem to have a massive number of failed and deferred emails in my "Email »View Sent Summary".
Is there somewhere I can understand exactly what account/process is producing these spam emails? Currently running at 1000 emails per day.

Apologies if the question is a little basic.

cPanelLauren

Product Owner
Staff member
Hi @driansmith

In most cases behavior like this results from a script on the server being compromised. Can you run the following over SSH on your server:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
It should print the directories which the mail is originating from.
 

webmasteryoda

I have exactly this kind of problem.

Here is my output:

8023 cwd=/var/spool/exim
2544 cwd=/home/user1/public_html
1030 cwd=/etc/csf
392 cwd=/
19 cwd=/home/user2/public_html
16 cwd=/home/user3/public_html
15 cwd=/home/user4/public_html

Why so many Exim failures, and is it possible that user1 is generating these problems?

EDIT: I have disabled user1 and spam stopped.
So, the problem is solved, thanks to this command.
Thank you
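A follow-up to the `cwd=` count used in this thread, as an added example that is not code from any of the posters: it rolls the same log lines up per account and then shows an hourly timeline for one account, so you can see who is submitting mail and when the burst began. It assumes the log layout the thread's command relies on (`cwd=` as the third field) and accounts living under `/home`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the exim_mainlog "cwd=" line layout (not from a real server).
sample_log() {
cat <<'EOF'
2024-05-01 02:10:11 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 02:14:09 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 02:14:10 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 02:47:30 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 03:05:00 cwd=/etc/csf 2 args: /usr/sbin/sendmail -t
2024-05-01 03:20:41 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 09:00:02 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 09:30:00 cwd=/ 2 args: /usr/sbin/sendmail -t
EOF
}

# Submissions per account, counted from cwd=/home/<account>/... lines only.
# Lines from other directories (/var/spool/exim, /etc/csf, /) are skipped.
# Reads the files given as arguments, or stdin when none are given.
cwd_by_account() {
  awk '$3 ~ /^cwd=\/home\// { split($3, p, "/"); n[p[3]]++ }
       END { for (u in n) print n[u], u }' "$@" | sort -k1,1nr -k2,2
}

# Hourly submission counts for one account (first argument).
# The trailing "/" in the prefix keeps "user1" from also matching "user10".
cwd_timeline() {
  acct=$1; shift
  awk -v pre="cwd=/home/$acct/" '
       index($3 "/", pre) == 1 { n[$1 " " substr($2, 1, 2) ":00"]++ }
       END { for (h in n) print h, n[h] }' "$@" | sort
}

# Demo on the constructed sample; on a server pass /var/log/exim_mainlog instead.
sample_log | cwd_by_account
sample_log | cwd_timeline user1
```

On a live server, run `cwd_by_account /var/log/exim_mainlog` first, then `cwd_timeline <account> /var/log/exim_mainlog` for the account at the top of the list.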