{"id":1299,"date":"2014-10-15T00:55:39","date_gmt":"2014-10-15T06:55:39","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=1299"},"modified":"2026-03-26T04:17:17","modified_gmt":"2026-03-26T10:17:17","slug":"fix-spamming-in-cpanel-exim-server","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/fix-spamming-in-cpanel-exim-server\/","title":{"rendered":"Fix spamming in cPanel Exim server"},"content":{"rendered":"\n<p>Spam emails are commonly referred to as unsolicited or junk emails sent in bulk without user consent. In a cPanel server running Exim, spamming usually occurs due to compromised accounts, vulnerable scripts, or improperly configured applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Common Causes of Server Spamming<\/h2>\n\n\n\n<p>Spamming generally happens in the following ways:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Compromised Email Accounts<\/strong><br>Weak or easily guessable passwords allow attackers to access email accounts and send spam.<\/li>\n\n\n\n<li><strong>Malicious or Vulnerable Scripts<\/strong><br>Attackers upload scripts that automatically send emails at regular intervals.<\/li>\n\n\n\n<li><strong>Forum or Newsletter Applications<\/strong><br>Poorly configured forums, contact forms, or newsletter scripts may send large volumes of emails without proper validation.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">General Fix for Spamming Issues<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block suspicious IP addresses responsible for incoming spam using <strong>CSF<\/strong>, <strong>iptables<\/strong>, or <strong>APF<\/strong> firewall.<\/li>\n\n\n\n<li>Reset compromised account passwords.<\/li>\n\n\n\n<li>Disable vulnerable mailing lists or scripts.<\/li>\n\n\n\n<li>Suspend affected accounts if required.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Case 1: Spam Sent via PHP Script<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Check Mail Queue Count<\/h3>\n\n\n\n<pre
class=\"wp-block-code\"><code>exim -bpc<\/code><\/pre>\n\n\n\n<p>A high number indicates possible spam activity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: View Recent Emails in Queue<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -bp | tail -10<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Inspect Email Header<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -Mvh &lt;message-id&gt;<\/code><\/pre>\n\n\n\n<p>Check the <strong>auth_id<\/strong> field to identify the account sending spam.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Locate the Spam Script<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/var\/spool\/exim\/input<br>egrep \"X-PHP-Script\" * -R<\/code><\/pre>\n\n\n\n<p>Identify heavily used mail directories:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep cwd \/var\/log\/exim_mainlog | grep -v \/var\/spool | awk -F\"cwd=\" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Disable the Script<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>chown root: script.php<br>chmod 000 script.php<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Find Malicious IP Accessing Script<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>grep \"script.php\" \/home\/domain\/access-logs\/domain.com | awk '{print $1}' | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<p>Block the IP:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CSF: <code>csf -d IP<\/code><\/li>\n\n\n\n<li>iptables: <code>iptables -I INPUT -s IP -j DROP<\/code><\/li>\n\n\n\n<li>APF: <code>apf -d IP<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Clear Spam Emails<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -bp | grep \"user\" | awk '{print $3}' | xargs exim -Mrm<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Case 2: Spam Sent from Compromised Email Account<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Check Mail Queue<\/h3>\n\n\n\n<pre 
class=\"wp-block-code\"><code>exim -bpc<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Identify Email Sending Maximum Messages<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -bpr | grep \"&lt;.*@.*&gt;\" | awk '{print $4}' | grep -v \"&lt;&gt;\" | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Inspect Message Headers<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -Mvh &lt;message-id&gt;<\/code><\/pre>\n\n\n\n<p>Check the <strong>auth_id<\/strong> field to find the compromised email account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Reset Email Password Immediately<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Identify Login IP Address<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>grep user@domain.com \/var\/log\/maillog | awk '{print $10}' | sort | uniq -c | sort -n<\/code><\/pre>\n\n\n\n<p>Block malicious IP addresses using firewall rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Remove Spam Emails<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>exim -bpu | grep -e \"frozen\" -e \"user@domain.com\" | awk '{print $3}' | xargs exim -Mrm<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Case 3: Spam via Forms or Newsletters<\/h2>\n\n\n\n<p>If spam originates from contact forms or newsletter applications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>CAPTCHA verification<\/strong><\/li>\n\n\n\n<li>Add form validation and authentication controls<\/li>\n\n\n\n<li>Limit bulk email sending<\/li>\n\n\n\n<li>Consult a developer to secure web forms properly<\/li>\n<\/ul>\n\n\n\n<p>If you suspect your server is sending spam, contact our <a href=\"https:\/\/www.supportpro.com\/requestquote.php\">Server Admin team<\/a> and they can fix it today.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Spam emails are commonly referred
to as unsolicited or junk emails sent in bulk without user consent. In a cPanel server running Exim, spamming usually occurs due to compromised accounts,&hellip;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,6,1,4,3],"tags":[],"class_list":["post-1299","post","type-post","status-publish","format-standard","hentry","category-general-topics","category-linux-basics","category-miscellaneous","category-server-security","category-technical-articles"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=1299"}],"version-history":[{"count":7,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1299\/revisions"}],"predecessor-version":[{"id":16649,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/1299\/revisions\/16649"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media?parent=1299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=1299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=1299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}