Incoming spam attack can be reduced by setting the “catch-all” parameter as fail.
WHM >>Main >> Server Configuration >> Tweak Settings:(Under “Mail” section)

Under WHM >> Main >> Exim Configuration, we can enable RBL and spamassasin to reduce the attack

Spams sent from the server (outgoing attack)

ps -C exim -fH ewww |grep home

is a command which is really helpful to trace the PHP scripts which is trying to send spam emails

The maximum number of emails that a domain can send each hour can be set in WHM by navigating to
WHM >>Main >> Server Configuration >> Tweak Settings

As the email is going out, you can do the following:    

grep cwd=/home /var/log/exim_mainlog

tail -5000 /var/log/exim_mainlog | grep cwd=/home

exim -bp
exim -bp | grep | wc -l
exim -Mvh 1OXDSz-0003bc-3p


cat /var/log/exim_mainlog | grep ‘spam’ | awk ‘{print $5}’  | cut -d@ -f2 | sort -n | uniq -c | sort -n


To check a spammer on the server use following command. This will count the number of mails send by user specified.
– exigrep -u /var/log/exim_mainlog | wc -l

Find the size and count the number of mails on server
– exim -bp | exiqsumm | more

Generates statistics from Exim mainlog or syslog files.
eximstats -nr -ne /var/log/exim_mainlog  


Script to know the mail count by various accounts

grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n


Below script will help to list the exact script that is generating spam emails from under and account

egrep “X-PHP” /var/spool/exim/* -iR


To Know the no: of mails send by a domain

exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v “<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n


To Know the no: of mails send by a perticular domain
cat /var/log/maillog  | grep ‘spam ‘ | awk ‘{print $11 }’ | cut -d: -f1 | grep | wc -l


To know the exim connection status:

netstat -an | grep :25 | awk ‘{print $5 }’ | cut -d: -f1 | sort | uniq -c | sort -n


To know the Apache connection status:

netstat -an | grep :80 | awk ‘{print $5 }’ | cut -d: -f1 | sort | uniq -c | sort -n


Determine the number of established and time_wait TCP connections on the server
netstat -an | grep tcp | egrep -i ‘established|time_wait’ | wc -l

How do you list the IP’s and the number of connections they have with the server?
netstat -anp | grep ‘tcp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

Check what ports are listening on server
netstat –listen

lsof -i
Of the two, lsof is by far the most detailed.


Load issue due to exim mail server ( incoming spam )


Posted on October 7, 2009 by admin

The following steps show how to tackle incoming spam coming to a domain that raised the server load :
Logged into the server here :

root@alpha [~]# w
10:19:45 up 12 min,  3 users,  load average: 15.80, 123.55, 84.57
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0   10:14    1:03   0.09s  0.03s watch w
root     pts/1   10:15   46.00s  0.12s  0.08s top -c
root     pts/2    10:19    0.00s  0.03s  0.00s w
root@alpha [~]# top -c

top . 10:19:48 up 12 min,  3 users,  load average: 14.54, 121.50, 84.11
Tasks: 115 total,   1 running, 113 sleeping,   1 stopped,   0 zombie
Cpu(s):  8.4%us,  6.7%sy,  0.1%ni, 14.6%id, 69.7%wa,  0.1%hi,  0.5%si,  0.0%st
Mem:    898232k total,   430932k used,   467300k free,    43656k buffers
Swap:  2096440k total,    57364k used,  2039076k free,    63556k cached

Using ps auwx, I found that exim was the issue. Hundreds of them running :

12228(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -bd -q60m 12229(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -bd -q60m 12230(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -bd -q60m 12231(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -Mc 1MvWjX-000360-ES 12232(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -Mc 1MvWjX-00035z-1K 12233(exim)/usr/sbin/exim/var/spool/exim/usr/sbin/exim -bd -q60m

Got the mail queue written to a temporary file.
root@alpha [~]# exim -bp >> /root/spammer &
[1] 11559

Viewed it and found that bulk of them were going to non-existent email addresses in
root@alpha [~]# tail -f /root/spammer

2m  5.1K 1MvXKe-0002l4-3x <>

2m  5.1K 1MvXKg-0002lA-LW <>

2m  7.2K 1MvXKg-0002lB-Fc <>

When I searched that domain inside mail logs I found that everything was sent to .tail. user which confirmed they were non existent.

root@alpha [~]# grep /var/log/exim_mainlog
2009-10-04 04:32:51 1MuMWR-0005z1-Dd => tail <> R=localuser T=local_delivery
2009-10-04 04:35:38 1MuMZ7-00060v-Jo => tail <> R=localuser T=local_delivery
2009-10-04 04:35:50 1MuMZK-000612-Hj => tail <> R=localuser T=local_delivery
2009-10-04 04:42:21 1MuMfc-0006KX-O1 => tail <> R=localuser T=local_delivery
2009-10-04 04:55:38 1MuMsT-0006hF-UZ => tail <> R=localuser T=local_delivery
2009-10-04 04:58:16 1MuMv2-0006j0-5n => tail <> R=localuser T=local_delivery
2009-10-04 05:25:46 1MuNLd-000812-S1 => tail <> R=localuser T=local_delivery
2009-10-04 06:03:12 1MuNvr-0000aw-8y => justin <> R=virtual_user T=virtual_userdelivery
2009-10-04 06:04:42 1MuNxJ-0000bP-TG => tail <> R=localuser T=local_delivery
2009-10-04 06:26:58 1MuOIr-0001NR-SL => tail <> R=localuser T=local_delivery
2009-10-04 06:30:57 1MuOMi-0001iK-W3 => tail <> R=localuser T=local_delivery
2009-10-04 06:36:35 1MuOSB-0001pJ-En => tail <> R=localuser T=local_delivery
2009-10-04 06:47:22 1MuOcb-00028b-GR => tail <> R=localuser T=local_delivery
2009-10-04 07:00:07 1MuOow-0002ff-Lz => tail <> R=localuser T=local_delivery

I searched the valiases file and confirmed that the default user was set to .tail. ( which should ideally be set to .fail. for a heavily spammed user). Fail will make sure the email to be fully dropped when the mail server finds out that such a mailbox did not exist under that domain.

root@alpha [~]# cat /etc/valiases/
*: tail
I edited it and changed it to
*: :fail:

root@alpha [~]# vi /etc/valiases/

Then I used the following script to completely remove all emails sent to any email adress under the domain stuck in the mail queue.

for i in `grep -rl To: [.]\* /var/spool/exim/input/ | awk -F\/ {.print $7.} | awk -F\-H$ {.print $1.}`;do exim -Mrm $i;done

Checked if exim mail server was running and also if the load is normal.

root@alpha [~]# du -sch /var/spool/exim/input/

root@alpha [~]# ps ax | grep exim

13378 ?        Ss     0:00 /usr/sbin/exim -bd -oX 26

13383 ?        Ss     0:01 /usr/sbin/exim -bd -q60m

13389 ?        Ss     0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465

17936 ?        S      0:00 /usr/sbin/exim -bd -q60m

17938 ?        S      0:00 /usr/sbin/exim -bd -q60m

17956 pts/2    R+     0:00 grep exim

root@alpha [~]# w

13:11:45 up  3:04,  3 users,  load average: 0.08, 0.10, 0.08

USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT

root     pts/0   10:14    2:53m 13.39s 13.33s watch w

root     pts/1   10:15   23:32   5.22s  0.06s -bash

root     pts/2    10:19    0.00s  4.74s  0.00s w
After confirming the above, I logged out of the server.


Searching for Spammers


There are two aspects to dealing with spam for a server administrator:

Inbound spam to users
Outbound spam from compromised scripts

Both need very different approaches to help detect, remove and resolve.

Inbound spam to users

Inbound spam is the scourge of the modern internet and, the inconvenience to users aside, can cause serious performance and resource issues on the server. These can affect both the server overall and the timely deliver of clean email in particular.

The best way to tackle inbound spam is at the entry point into the server . the MTA, i.e. exim the SMTP server of choice for cPanel. By blocking spam before it has even entered the server you save both on server resources used when delivering the email in addition to 3rd party tools to help detect spam further along the email relay process.

To do this you need to do work at the RCPT stage of the SMTP protocol. This occurs during the transaction between the sender and recipient SMTP servers and comes before the actual body of an email arrives on a server. The primary form of spam attack is the Dictionary Attack:

A common technique for spammers to use is what is known as a dictionary attack on a domain. A dictionary attack, in our context, is a single SMTP connection that attempts to send email from a spam source to a random set of names on our domain, e.g., in the hope that one of the many hundreds that we try will get a hit and deliver our spam.

This technique is used by spammers mainly because most people don.t advertise their email addresses (due to spam!) and they want to access this untapped market.

To prevent this type of spam getting through, it is essential that you do not use the Default Address (catchall) feature within cPanel to receive emails wherever possible. You should always setup specific Forwarders (aliases) for any email addresses you use and set the Default Address to :fail: for each domain.

By using :fail: exim will automatically reject email at the SMTP RCPT stage and make dictionary attacks redundant. Additionally, you can use exim ACLs to block such spammers who repeatedly perform dictionary attacks to further relieve the server of the load from dealing with them. See:

From a server performance perspective, it is essential that you use :fail: and not :blackhole: with email addresses or the Default Address to block such spam. Mor information about the reasoning for this is presented here.

Another preventative measure is to enable the WHM options:

WHM > Exim Configuration Editor > Verify the existance of email senders.
WHM > Exim Configuration Editor > Use callouts to verify the existance of email senders.

These two options have exim check that any server that attempts to relay email to your server can actually receive email in reply. This is part of the RFC requirements of an SMTP server and the inability of a server to do so indicates a likely spammer.

There are numerous other checks that you can also perform at the SMTP RCPT stage in exim ACLs. Examples are using RBL checks to reject email from IP addresses that originate from IP addresses that are know to harbour spammers, e.g.:

deny message = Message rejected . $sender_fullhost is in an RBL, see $dnslist_text
!hosts = +relay_hosts
!authenticated = *
dnslists = :

You can also check the format of email headers to ensure that RFC compliant, which many spam servers are not. A typical example is checking the SMTP HELO/EHLO protocol command to ensure it.s correctly structured, e.g.:

deny message = HELO/EHLO set to my IP address
condition = ${if match {$sender_helo_name}{} {yes}{no}}

(where is your servers main IP address)

deny message = EHLO/HELO does not contain a dotted address
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}

Finally, once the email has passed through these hoops, you can implement a 3rd party application to scan emails and tag them as likely spam. cPanel has an inbuilt solution that uses SpamAssassin to score email likely to be spam. You can then have such emails filtered to a special account or the client can filter such emails based on the email header record modifications made by SpamAssassin.

An alternative is to use a more thorough tool such as MailScanner which can be very effective at scoring spam emails.

A free installation tool is available for cPanel servers from us here or as a paid service here.

However, a cPanel server using such a tool is not supported by cPanel and would have to be removed/disabled before cPanel would investigate any email related issues should you need support.

Outbound spam from compromised scripts

Outgoing spam is likely to come from two sources:

Indirectly from a compromised web script in a clients account
Directly from a client

The starting point for both will be the exim mainlog:

/var/log/exim_mainlog (Linux)
/var/log/exim/mainlog (FreeBSD)

For the purpose of this document I am going to assume a Linux OS.

The most laborious way to track messages down is to trawl the exim mainlog and to look for anomalous behaviour. This is actually very difficult to do and you really need to narrow down exactly what you are looking for.

Tracking down spammers is a difficult affair, but can be made easier with some preparation of your servers environment. I would strongly advise that you add the following to the exim configuration to enable some extended logging that greatly improves the ease in tracking down on-server spammers:

In WHM > Exim Configuration Editor > Switch to Advanced Mode > in the first textbox add the following line and then Save:

log_selector = +arguments +subject

This tells exim to log the path on disk from where the email was executed and the subject of the email. You can then interrogate the exim mainlog more easily.

The best way to do this is to obtain the original email header from the spam originating from your server. This you should receive either from the person reporting the spam, or from remnants of a spam attack in the exim mail queue.

The part required in the email is the exim message id in the Received: header line within the email header of the spam.

As an example, take the following email header:

Return-path: <>
Received: from [] (
by with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.52)
id 1FZ8z3-0006M4-Do
for; Thu, 27 Apr 2006 17:04:49 +0100
Received: from forums by with local (Exim 4.43)
id 1FZ8zt-0005lz-E7
for; Thu, 27 Apr 2006 12:05:41 -0400
Subject: Buy Me!

The Received: header lines are added to the email header, so the original Received: line that interested in is:

Received: from forums by with local (Exim 4.43)
id 1FZ8zt-0005lz-E7
for; Thu, 27 Apr 2006 12:05:41 -0400

And the id we want is 1FZ8zt-0005lz-E7

This is the unique identifier for this email that has originated from the server. With this, we can follow the exim transaction on the server to see how it was processed using:

grep 1FZ8zt-0005lz-E7 /var/log/exim_mainlog

(be aware that the exim_mainlog files may have been rotated so you may have to expand compressed archives and search them instead)

This transaction may look something like this:

2006-04-27 17:43:41 1FZ8zt-0005lz-E7 <= U=nobody P=local S=4001 T=.Buy Me!.
2006-04-27 17:43:50 cwd=/home/ClientX/public_html/phpBB/ 5 args: /usr/sbin/exim -Mc 1FZ8zt-0005lz-E7
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 => R=lookuphost T=remote_smtp [] X=TLSv1:AES256-SHA:256
2006-04-27 17:43:53 1FZ8zt-0005lz-E7 Completed

In this example, we can see that the email originated from the nobody user locally on the server. This means that the likely spam was sent from a script on the server. The nobody user is used to run the Apache web server and is the default username and group that Apache will execute web scripts as. Two things can affect this:

suexec, if enabled, will run CGI scripts as the owner of the script file, typically the cPanel account name
phpsuexec, if enabled, will run PHP scripts in the same manner as CGI scripts

suexec is typically always enabled on web servers and phpsuexec may or may not be. If phpsuexec is not enabled, then in all likelihood, the script run under the nobody account will be a PHP script.

From the example above we can see that a script was run from with the /home/ClientX/public_html/phpBB/ directory on the server, which would suggest a compromised PHP script within that directory.

Here.s another example of a spam originating from a client instead of a script. This can happen either with malicious intent, or if the clients PC has been compromised by a virus or worm:

2006-04-27 17:54:51 1FZ9lT-000707-O2 <= ([]) [] P=esmtpa S=715 id=ABCDEFG T=.Buy Me!.
2006-04-27 17:54:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1FZ9lT-000707-O2
2006-04-27 17:54:51 1FZ9lT-000707-O2 => R=boxtraper_autowhitelist T=boxtrapper_autowhitelist
2006-04-27 17:54:52 1FZ9lT-000707-O2 => R=lookuphost T=remote_smtp [] X=TLSv1:AES256-SHA:256
2006-04-27 17:54:52 1FZ9lT-000707-O2 Completed

In this example, the key part is:

This shows that the email was authenticated for relaying using SMTP AUTH (i.e. fixed_plain) and the username from that clients PC.

As you can see, there is a great depth to the amount of work needed to track down spammers on a server, plus there.s the additional work of closing holes in insecure scripts if they are the cause. Some instances can be much more complex and require trawling through the Apache logs for domains in /usr/local/apache/domlogs/* which is not a trivial matter.

The best security from such exploitation is to keep your server secure and to be aware of who and what you allow on your server.

Hope that you have enjoyed this.   I found its very useful and informative. Its from


Get details of scripts that are used to send out spam emails :

grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n


eximstats -t5 /var/log/exim_mainlog > teststats

Script to know the mail count by various accounts

grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n

The number of mails by a domain

exigrep /var/log/exim_mainlog|grep 2009-04-17|grep Completed|wc -l

1)Issue this command: ps -C exim -fH ewww |grep home, it shows the mails going from the server.
It shows from which user.s home the mail is going, so that you can easily trace it and block it if needed.

2)Issue this command: eximstats -ne -nr /var/log/exim_mainlog
It shows top 50 domains using mail server with options.

3)Issue this command: exim -bp | exiqsumm
It shows the main domains receiving and sending mails on the server.

4)Issue this command:    netstat -plan|grep :25|awk {‘print $5’}|cut -d: -f 1|sort|uniq -c|sort -nk 1

It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 10 connection you can block it in the server firewall.

5)In order to find “nobody” spamming, issue the following command

ps -C exim -fH ewww|awk ‘{for(i=1;i<=40;i++){print $i}}’|sort|uniq -c|grep PWD|sort -n

It will give some result like:

Example :

347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

Command :

grep “cwd=” /var/log/exim_mainlog|awk ‘{for(i=1;i<=10;i++){print $i}}’|sort|uniq -c|grep cwd|sort -n

This will result in something like :

47 cwd=/root

8393 cwd=/home/sample/public_html/test

Count the cwd and if it is a large value check the files in the directory listed in cwd
(Ignore if it is / or /var/spool/mail /var/spool/exim)

Pass the below mentioned command at your command prompt to find the domain which is being used by spammers.

exim -bpr | exiqsumm -c | head


exiqgrep -ir <domain> | xargs -n1 exim -Mrm

That should remove any e-mail that is in the queue that is waiting to be delivered to POP accounts at <domain>.

exiqgrep -i -f | xargs exim -Mrm

$BDTYPE = ‘mysql’;
$DBHOST = ‘localhost’;                                                                                          //Database Host
$DBNAME = ‘rack_fortunarack2k9’;                                                                                        //Database Name
$DBUSER = ‘rack_rooter’;                                                                                                        //Database Username
$DBPASS = ‘beck07’;

You can use the below scripts to find out the php script used for spamming

 find /home/xyz/ -name ‘*.php’|xargs grep -w “mail(“

This will search for any PHP files containing the mail() function. From there, you can get an idea of which scripts are sending emails out.

If there is on going spamming via a php script issue below command to find the running scripts at the moment

watch ‘ps -ef| grep php’



Find email forwarders or autoresponders Spamming


  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: