How to find which script on my server is sending spam emails?

user75380 asked:

My server is sending the spam email and I am not able to find out which script is sending them.

The emails were all from [email protected] so disabled from the cpanel that nobody should not be allowed to send emails

Now at least they are not going out, I keep receiving them. This is mail I get:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
        (envelope-from <[email protected]>)
        id 1UBBap-0007EM-9r
        for [email protected]; Fri, 01 Mar 2013 08:34:47 +1030
To: [email protected]
Subject: Order Detail
From: "Manager Ethan Finch" <[email protected]>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <[email protected]>
Date: Fri, 01 Mar 2013 08:34:47 +1030

------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

This is my logs for exim logs:

2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL [email protected]: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL [email protected]: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** [email protected] R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for [email protected]
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= [email protected] U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for [email protected]
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => [email protected] R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT

Is there any way to find which script, or which user, is generating those?

My answer:


Run a malware scanner, such as maldet, or AVG, or both, on your user’s data. Most malicious scripts are picked up by such tools.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.