Tracking Down a Spammer on cPanel

Identify the spammer, if your server is getting spammed. Learn how to track down a spammer on cPanel step by step.

If your server has been SPAMming you need to identify how the SPAM is getting sent.

The first thing to do is login to WHM and go to the Mail Queue section.

Look through the queue for SPAM messages going to somewhere externally (e.g. hotmail.com).

Click on the magnifying glass next to one of them and it opens in a new window. Click on 'Extended headers'. Scroll down on the headers to see if you can determine how it arrived.

SMTP Authentication SPAM

For example I did one and it says:

from ns209446.ovh.net ([94.23.202.153]:59626 helo=block.se)
by yourdomain.com with esmtpa (Exim 4.82)
(envelope-from <survey@block.se>)
id 1XlE6P-000EbS-Kr
for svintus99@hotmail.com; Mon, 03 Nov 2014 20:39:10 +1100

This says the message arrived via 'esmtpa', which means it arrived via SMTP authentication. Which means someones mail account has been compromised and they are sending via SMTP authentication.

You would then need to login via SSH and search the mail log at:

/var/log/exim_mainlog

To do this login via SSH and type:

pico /var/log/exim_mainlog

Script SPAM

If the message lists a user not esmtpa then there is a script on that users website which is sending the SPAM. This is much harder to deal with as you need to look at their site files and find the offending script and remove it. Then you must secure their website (otherwise the SPAMmer will simply reupload his script). This involves making sure the CMS version is the absolute latest version, that all commercial plugins are the latest version, and that you have absolutely NO custom plugins on your site. Obviously changing the passwords associated with this site is also a requirement.

The first step is to login to your server via SSH and type:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

This will output the list of directories where emails are sent. Ignore the entry for /usr/local/cpanel/whostmgr/docroot as that is for root system emails. If your server has been SPAMming you will most likely see an entry with thousands of messages in /home/username/public_html/somewhere

That is where the script that has been sending the emails is located. You can then find and remove those scripts, and we recommend CHMODding the folder they were located in to 444. This stops any scripts in that directory from executing. To do that type:

chmod 444 /home/username/public_html/spammingfolder

The most important thing once you have got rid of the SPAMming files is:

1. To ensure that your site CMS is the latest version

2. Any suspect or unused components or plugins are removed completely

3. Any remaining plugins or components are updated to the latest version

It is paramount that you do this, otherwise the SPAMmer will simply use the vulnerability to put his files back or elsewhere on your site.

Once you think you have fixed the issue you need to clear the mail queue and watch for any new SPAM coming in over 24 hours.

You can clear the mail queue in WHM -> Mail Queue Manager

Or in WHM -> Terminal (or SSH) you can do either of the following:

Delete all mail in the queue: exim -bp | exiqgrep -i | xargs exim -Mrm

Delete all mail from one sender: exiqgrep -i -f user@example.com.au | xargs exim -Mf