Spam emails are unsolicited or junk emails sent in bulk without the recipient's consent. On a cPanel server running Exim, spamming usually occurs because of compromised accounts, vulnerable scripts, or improperly configured applications.
Common Causes of Server Spamming
Spamming generally happens in the following ways:
- Compromised Email Accounts: Weak or easily guessable passwords allow attackers to access email accounts and send spam.
- Malicious or Vulnerable Scripts: Attackers upload scripts that automatically send emails at regular intervals.
- Forum or Newsletter Applications: Poorly configured forums, contact forms, or newsletter scripts may send large volumes of emails without proper validation.
General Fix for Spamming Issues
- Block suspicious IP addresses responsible for incoming spam using the CSF, iptables, or APF firewall.
- Reset compromised account passwords.
- Disable vulnerable mailing lists or scripts.
- Suspend affected accounts if required.
Case 1: Spam Sent via PHP Script
Step 1: Check Mail Queue Count
exim -bpc
A high number indicates possible spam activity.
Step 2: View Recent Emails in Queue
exim -bp | tail -10
Step 3: Inspect Email Header
exim -Mvh <message-id>
Check the auth_id field to identify the account sending spam.
Step 4: Locate the Spam Script
cd /var/spool/exim/input
grep -R "X-PHP-Script" .
Identify heavily used mail directories:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Step 5: Disable the Script
chown root: script.php
chmod 000 script.php
Step 6: Find Malicious IP Accessing Script
grep "script.php" /home/domain/access-logs/domain.com | awk '{print $1}' | sort | uniq -c | sort -n
Block the IP (replace IP with the offending address):
- CSF:
csf -d IP
- iptables:
iptables -I INPUT -s IP -j DROP
- APF:
apf -d IP
Step 7: Clear Spam Emails
exim -bp | grep "user" | awk '{print $3}' | xargs exim -Mrm
Case 2: Spam Sent from Compromised Email Account
Step 1: Check Mail Queue
exim -bpc
Step 2: Identify the Email Address Sending the Most Messages
exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
Step 3: Inspect Message Headers
exim -Mvh <message-id>
Check the auth_id field to find the compromised email account.
Step 4: Reset Email Password Immediately
Step 5: Identify Login IP Address
grep user@domain.com /var/log/maillog | awk '{print $10}' | sort | uniq -c | sort -n
Block malicious IP addresses using firewall rules.
Step 6: Remove Spam Emails
exim -bpu | grep -e "frozen" -e "user@domain.com" | awk '{print $3}' | xargs exim -Mrm
Case 3: Spam via Forms or Newsletters
If spam originates from contact forms or newsletter applications:
- Enable CAPTCHA verification
- Add form validation and authentication controls
- Limit bulk email sending
- Consult a developer to secure web forms properly
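The queue and header checks from Case 1 (Steps 3 and 4) and Case 2 (Steps 2 and 3), as an added sh example that is not part of this article: it turns the one-off pipelines into functions that take the command output as a string, so they can be tried offline against the constructed `exim -bpr` and `exim -Mvh` samples embedded below (those samples are made up, not captured from a real server).

```shell
# Added example, not the article's own tooling: each helper takes command output
# as a string, so on a live server run e.g. top_sender "$(exim -bpr)".

# Constructed `exim -bpr` sample: "age size message-id <sender>", then recipients.
SAMPLE_QUEUE='
 3m   2.1K 1tAbCd-000123-Ef <bob@example.com>
          alice@example.net

 2m   9.8K 1tAbCe-000124-Gh <promo@example.com>
          victim1@example.org

 1m   1.0K 1tAbCf-000125-Ij <>
          bob@example.com

 0m   9.8K 1tAbCg-000126-Kl <promo@example.com>
          victim2@example.org
'

# Constructed, abridged `exim -Mvh <message-id>` sample (spool header dump).
SAMPLE_HEADER='1tAbCe-000124-Gh-H
<promo@example.com>
-received_protocol local
-auth_id promo

072  X-PHP-Script: example.com/wp-content/uploads/mailer.php for 192.0.2.10
036  From: "Offers" <promo@example.com>
'

# Queued messages per envelope sender, ascending (Case 2, Step 2). The regex
# requires an @, so bounce messages with the empty sender "<>" are skipped.
sender_counts() {
    printf '%s\n' "$1" | grep '<.*@.*>' | awk '{print $4}' | sort | uniq -c | sort -n
}
# Sender with the most queued messages, angle brackets removed.
top_sender() {
    sender_counts "$1" | tail -n 1 | awk '{print $2}' | tr -d '<>'
}
# Message IDs queued for one sender; pipe into `xargs exim -Mrm` to remove them.
ids_for_sender() {
    printf '%s\n' "$2" | grep -F "<$1>" | awk '{print $3}'
}
# Authenticated id recorded in the spool header (the "-auth_id" line, Step 3).
auth_id() {
    printf '%s\n' "$1" | awk '$1 == "-auth_id" {print $2; exit}'
}
# Script path from an X-PHP-Script: header (Case 1, Step 4), or nothing if absent.
php_script() {
    printf '%s\n' "$1" | awk -F'X-PHP-Script: ' 'NF > 1 {split($2, a, " "); print a[1]; exit}'
}
```

Run `top_sender "$SAMPLE_QUEUE"` to see the sender with the largest queue, then `php_script "$SAMPLE_HEADER"` to pull the script path from the header dump.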
If you suspect your server is sending spam, contact our Server Admin team and they can fix it today.
Partner with SupportPRO for 24/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.
