What is sending spam on my server !

I was just creating some new content for the LJSHost knowledge base and thought this article would be a nice tutorial for all you WHM VPS owners with spam problems

Finding out what script is spamming on a WHM server

Spam or unsolicited email is a huge problem for anyone with a server, it is estimated that around 90% of all email worldwide is junk mail. Spammers can have a negative impact on your server in many ways included consuming all server resources resulting in poor performance and getting your IP address blacklisted preventing you from sending mail to some providers from your server.

Spammers send junk mail in a couple of different ways sometimes from an external mail client but more often from a script uploaded to your server. Compromised CMS platforms such as WordPress are often the cause of spam due to being hijacked by a hacker who is using your contact form to send thousands of messages.

So now you know the problem let's talk about what you can do about it and shut it down.

All mail servers have an MTA (Mail Transport Agent) that receives mail from mail clients, web applications and other servers which have mail for users on your server. WHM uses the Exim transport agent which this guide will be focusing on but these forensic techniques can be adjusted for other mail transport agents.

Locating the script that is spamming


This command will scan the exim_mainlog file which is where Exim logs all mail activity. It might look complex but it's just a few simple Linux command piped together.

How the command works

- Show all row with ‘cwd' (current working directory) in the log

- Use the grep with the -v to show an invert match, so to exlcude /var/spool which are normal Exim delivers not from a script.

- format the output so we only see the data we need.

- Sort the script paths by name, count them and format the output numerically from lowest to highest.


This is a typical output from the command. All user data is contained within the /home/ directory which are the results you want to focus on /etc/csf /root for example are system generated emails which are only internal sending firewall reports, cron job notifications etc.

As you can see from the output 1652 /home/account3/public_html/scripts is the most likely suspect and shows 1652 mails sent from a script in the scripts folder.

Lets take a look in the scripts directory to see what we find.


Here we find the script spam_script.php which is the php program sending the spam. In a real world situation the file will be called something innocent such as wp-plug-contact.php to make it look like a genuine file.

A quick view of this file will show mail() functions etc to send the spam.

All you need to do the stop the spam is delete the file.

That is awesome a lot of time files rebuild form types of malware and viruses
does this stop them from rebuilding
Have used other programs that have help us and our clients
This one will be very useful as well awesome job

It would be great if i can use these ways on a Linux server without WHM/cPanel, for instance, on a LEMP stack, Plesk, Directadmin or other hosting control panels?
I have several VPS using WHM/cPanel and I will check them with your codes and see how it works.

Thanks for sharing useful tips!

You have really provider a good information for many of the users who got unmanaged servers or VPS. Spamming is a major concern and to understand what exactly is causing the problem can only stop the issue from occurring again and again on the server.

I've been using the same methods for many years and they sure do help a lot! Very nice detailed guide you did on it, though. Good job!

PS I would also suggest monitoring all your server IPs on blacklists using HetrixTools, too.

Thanks for this info, I'm always trying to look back through forums/emails etc. to find these commands again, when there is a mail issue on one of my servers. Great info for anyone running their own server.

thanks I just bookmarked this

I am wondering how the OP determined an email is spam mail or not.

Which command do this job?

Or do I need to do as following step you guided above?

You need to view the email to decided if it is spam however most of the time the Subjects will all be the same.

Identifying out going SPAM needs to be done before the steps in this guide which is done by viewing the logs either with WHM or the eximstats tools. The guide I posted as aimed towards drilling down to the root cause and stopping it once you have identified a mailbox is spamming. Most spam is automated on the server with PHP these days, Spammers don't send remotely via SMTP as they used it but it still happens.

This is really very valuable information to take care of unmanaged servers.

Thanks LJSHost really appreciate.

Thanks LJSHOst for this detailed writing. I have searched over here & there to sort out a system to detect spamming script but couldn't find out. Thanks a lot. I used LMD & ClamAV to find them out previously.

Great post, this will surely help a lot of people out!

Thank you for this post. I am learning a lot by just reading these posts. I also have bookmarked this for future reference.
Thank you guys!

Cheers!

Aewsome sharing but I think its limited to WHM.
I had a dedicated server multiple times suspended due to some of the client abusing it. The only way I knew it was getting the server suspended and they telling me the ip of the client. Can anybody guide me for how to avoid spamming on my dedicated box with multiple clients using VPS.

It all depends on what MTA those servers are using. The method I detailed can be used with any MTA you just need to change the spool and log file location relevant to the MTA configuration.

I would like to add some more commands addition to your commands -

1. Once you will check the mail count of all accounts on server in ascending order using below command

exim -bpc; grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Click to expand...

After that you can check the logs of particular email address which has highest email count in email queue using below command -

grep email address /var/log/exim_mainlog

Click to expand...

2. When you will check the email logs for the email address that time you can find the email subject too which will specify whether the email account is sending spam emails from it or not.

3. Addition to above command, you can use below commands too -

Checking the header of the mail -

exim -Mvh message id

Click to expand...

Checking the body of mail - exim -

Mvb message id

Click to expand...

4. You can check the number of emails in exim mail queue using below command -

exim -bpr | grep "<" | wc -l

Click to expand...

When you are sure with the script or email account that it is sending the spam emails then you can take below recommended actions -

If the spamming using script is there then use below guidelines-
1. Disable the script from the server that is change it's permission to 000 with ownership as root.
2. Rename that script.

So spammer no longer use that script.

If the spamming using email account is there then then use below guidelines-
1. Reset the email account's password as soon as possible. The password should be combination of small and capital letters, numbers, special characters so it will become strong password and email account can't be hacked easily.
2. Reset the control panel's password from where you are accessing the emails.
3. If there is still spamming then it's recommended to remove the email account from server.

Thank you for this one! it sure is hard to always monitor all of your server Ips, but what else can you do? I've bookmarked this one also.

Improve your firewall settings i have problems with that it can fill up your mailbox fast and can affect your acct. That can be blacklisted many programmers used php to send spams.

Nice feed man, good way of pointing out the linking ways of spams, but I think improving security is the best defense.

Nobody likes receiving junks or spams in his/her server. Spam are just too annoying and they create some funny impressions on the receiver. Some spam messages are often found to be of help and some are sometimes useful. Some of these spam are also dangerous to the server and may affect the smooth running of the server. Some may even cause server breakdown thereby making it difficult for the administrator to have rightful and complete access on the server.
Truly, spam are unsolicited messages sent to the server. There are many ways by which spam can be sent to one's server. The most common reason among these is unprotected server which tends to attract malicious mails and are vulnerable to virus attack. Servers need to be strongly protected to filter unsolicited messages. I mentioned earlier that some of this junks are sometimes useful. The reason is that there are some mails that if one opens, they will be of good help to someone. Above all, server protection is the way out of receiving unsolicited messages which are otherwise known as junks or spam messages.