dtandukar

Member
Apr 28, 2014
6
0
1
cPanel Access Level
Root Administrator
Dear all,

My server has been generating spam emails for the last 3 days and I could not trace the source. I found a similar case here: http://forums.cpanel.net/f43/open-relay-server-284991.html as well.

The following are the things I have already done without any success:

1. checked for culprit php script by making new phpmail.log (seems like it is not php script)
2. malware cleaned
3. shutdown joomla site
4. shutdown moodle site
5. shutdown old lime survey site

Any advice, suggestion - how can the culprit be tracked?

Best regards, Deependra
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
Hello :)

Could you provide more details about how you became aware your server is sending out SPAM? Are you able to view the headers of these emails? Have you checked /var/log/exim_mainlog for more information?

Thank you.
 

dtandukar

spam emails

My dedicated server is generating spam emails continuously. It does not seem to be from a PHP script. Is there any way to track the culprit? I have been trying to find out for the last week. It generates more than 20 emails a second - please help.

Best regards, Deependra
 

dtandukar

Because of the vast amount of email, the server blocked the outgoing email - that is when I came to know about it. I am copying here one of the mails in the queue:

Code:
Mail Control Data:
icimod 510 500
<[email protected]>
1398777168 0
-ident icimod
-received_protocol local
-body_linecount 3
-max_received_linelength 28
-auth_id icimod
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

Date:
Tue, 29 Apr 2014 18:57:48 +0545
From:
[email protected]
To:
[email protected]
Subject:
Test mail 405209145
Message-Id:
<[email protected]>
Received:
from domain by server.domain.org with local (Exim 4.82)
(envelope-from <[email protected]>)
id 1Wf7q4-0004qQ-0n
for [email protected]; Tue, 29 Apr 2014 18:57:48 +0545
Sender:
<[email protected]>


Bla-bla-bla
----------------
best regards
 

cPanelMichael

The message header you provided indicates the "icimod" user is sending out those emails. Is that a user on your system? If so, first try changing the password of that account. You can also search for the term "spam source" on our forums and you will see several threads where methods of spam investigation are discussed.

Thank you.
 

dtandukar

Yes, icimod is the main account. The password has been changed several times. Okay, let me search for spam source in the forum - if there are any suggestions, I am glad to take them on.

Best regards,
 

cPanelPeter

Technical Analyst III
Staff member
Sep 23, 2013
574
17
143
cPanel Access Level
Root Administrator
Hello,

Try running the following command:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
This will list the source and the number of messages from each source.
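
Added example (not part of any post in this thread): a shell sketch that extends the one-liner above by filtering out Exim's own queue-runner entries and tallying locally submitted messages per system user, which is what the `-received_protocol local` / `-ident icimod` queue entry earlier in the thread points at. The log lines are constructed, the function names are hypothetical, and `/var/spool/exim` is assumed to be the spool directory.

```shell
#!/bin/sh
# Constructed sample in exim_mainlog layout (not from the thread's server).
sample_log() {
cat <<'EOF'
2014-04-29 18:57:46 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-04-29 18:57:47 cwd=/home/icimod/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2014-04-29 18:57:47 1Xa001-0000aa-01 <= icimod@server.example.org U=icimod P=local S=512
2014-04-29 18:57:48 cwd=/home/icimod/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2014-04-29 18:57:48 1Xa002-0000ab-02 <= icimod@server.example.org U=icimod P=local S=509
2014-04-29 18:57:49 cwd=/home/icimod 3 args: /usr/sbin/sendmail -t -i
2014-04-29 18:57:49 1Xa003-0000ac-03 <= icimod@server.example.org U=icimod P=local S=498
2014-04-29 18:58:02 1Xa004-0000ad-04 <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2048
EOF
}

# Count submissions per working directory, skipping Exim's own spool
# directory (assumed /var/spool/exim), which is queue-runner noise.
cwd_counts() {
  awk '$3 ~ /^cwd=/ {
         d = substr($3, 5)
         if (d != "/var/spool/exim") n[d]++
       }
       END { for (d in n) print n[d], d }' "${1:-/var/log/exim_mainlog}" |
    sort -k1,1nr -k2,2
}

# Count accepted messages ("<=") that arrived via local submission
# (P=local), grouped by the submitting system user (U=...).
local_senders() {
  awk '$4 == "<=" {
         u = ""; loc = 0
         for (i = 5; i <= NF; i++) {
           if ($i ~ /^U=/) u = substr($i, 3)
           if ($i == "P=local") loc = 1
         }
         if (loc && u != "") n[u]++
       }
       END { for (u in n) print n[u], u }' "${1:-/var/log/exim_mainlog}" |
    sort -k1,1nr -k2,2
}

# Run with "demo" to try both functions on the constructed sample.
if [ "${1:-}" = "demo" ]; then
  t=$(mktemp); sample_log > "$t"; cwd_counts "$t"; local_senders "$t"; rm -f "$t"
fi
```

A directory under a web root at the top of `cwd_counts` points to a script in that path; a user at the top of `local_senders` with no matching web directory suggests a cron job or shell process instead.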