Email Spam Problem

Email spam is one of the most common problems today. If you own or administer a cPanel dedicated server, you will run into it sooner or later. On my servers I have lazy WordPress admins/users who don't care much about keeping WordPress or the plugins they use up to date. Of course, old versions of WordPress and plugins are ideal for people who want to take over hosting accounts and do something illegal with them. Some of them simply upload PHP mailer scripts, or scripts that send spam, into the compromised account. As a server admin you can always check your Exim mail reports/logs to find out who is sending those mails.

One way to find the PHP script responsible is this:

Simply add the following two lines to your php.ini and you can track down pretty much any outgoing spam sent through PHP's mail() function:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

This logs every PHP script that sends mail (the add_x_header setting also adds an X-PHP-Originating-Script header to each message, naming the script that generated it).

Another method you can use to find users sending spam is this one:

Log in to your server via SSH as the root user.
Run the following command to pull the most used mailing script's location from the Exim mail log:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Code breakdown:

grep cwd /var/log/exim_mainlog: Use the grep command to locate mentions of cwd in the Exim mail log. This stands for current working directory.
grep -v /var/spool: Use grep with the -v flag, which is an invert match, so we don't show any lines containing /var/spool, as these are normal Exim deliveries, not mail sent in from a script.
awk -F"cwd=" '{print $2}' | awk '{print $1}': Use the awk command with the field separator (-F) set to cwd=, then print only the second field ($2); finally pipe that to awk again, printing only the first column ($1), so that we get back just the script path.
sort | uniq -c | sort -n: Sort the script paths by name, count the unique ones, then sort them again numerically from lowest to highest.
You should get back something like this:

15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data

We can see /home/userna5/public_html/data by far has more deliveries coming in than any others.

Now we can run the following command to see what scripts are located in that directory:
ls -lahtr /home/userna5/public_html/data

In this case we got back:

drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

So we can see there is a script called mailer.php in this directory.

Knowing that the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see which IP addresses are accessing this script, using the following command:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123

We can see that the IP address 123.123.123.123 was abusing our mailer script.
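The two pipelines above (ranking script directories from the Exim mainlog, then ranking client IPs that hit the script in the access log) as one POSIX shell script, added here as an example and not part of the original article; it assumes the article's log line formats and the userna5 account, and runs against constructed sample log lines so it can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original article: the two log pipelines
# wrapped as functions and run against constructed sample log lines.
# The cwd= line format and the "userna5" account are assumed from the article.

# Write constructed Exim mainlog and Apache access-log samples into the
# directory given as $1 (files: exim_mainlog and access_log).
write_samples() {
    cat > "$1/exim_mainlog" <<'EOF'
2024-01-20 11:27:01 1rABCD-000123-4X <= userna5@example.com U=userna5 P=local S=1234
2024-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rABCD-000123-4X
2024-01-20 11:27:05 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:06 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
EOF
    cat > "$1/access_log" <<'EOF'
123.123.123.123 - - [20/Jan/2024:11:27:02 +0000] "POST /data/mailer.php HTTP/1.1" 200 512
123.123.123.124 - - [20/Jan/2024:11:27:03 +0000] "GET /about-us/ HTTP/1.1" 200 8192
123.123.123.123 - - [20/Jan/2024:11:27:04 +0000] "POST /data/mailer.php HTTP/1.1" 200 512
123.123.123.125 - - [20/Jan/2024:11:27:05 +0000] "GET /data/mailer.php HTTP/1.1" 200 512
123.123.123.123 - - [20/Jan/2024:11:27:06 +0000] "POST /data/mailer.php HTTP/1.1" 200 512
123.123.123.123 - - [20/Jan/2024:11:27:07 +0000] "POST /data/mailer.php HTTP/1.1" 200 512
EOF
}

# Deliveries per script directory, ascending: one "count dir" per line.
# Lines without cwd= and /var/spool lines (Exim's own deliveries) are skipped.
top_script_dirs() {
    grep 'cwd=' "$1" | grep -v 'cwd=/var/spool' \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# The single directory with the most deliveries (last line of the ranking).
busiest_dir() {
    top_script_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# Client IPs that requested the given script, ascending: one "count ip" per line.
top_ips_for_script() {
    grep -F "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Demo run against the constructed samples.
SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "Deliveries per directory:"; top_script_dirs "$SAMPLE_DIR/exim_mainlog"
echo "Requests to mailer.php:";   top_ips_for_script "$SAMPLE_DIR/access_log" mailer.php
rm -rf "$SAMPLE_DIR"
```

On a live server, point top_script_dirs at /var/log/exim_mainlog and top_ips_for_script at the account's access log under /home/<user>/access-logs/.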

If you find a malicious IP address sending a large volume of mail through a script, you'll probably want to block it at your server's firewall so that it can't connect again.

This can be accomplished with the following command:

apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"

Hopefully you've learned how to use your Exim mail log to see which scripts on your server are causing the most email activity, how to investigate whether malicious activity is going on, and how to block it.

How to remove unwanted spam mails – Check this Article

Source: From Here