How to find the source of spam emails in cPanel?

Harry P

Well-known member
Registered
Joined
Feb 3, 2015
Messages
439
Points
28
Is there a way to find the source of spam emails in cPanel? when I checked with mxtoolbox, my server IP is in email blacklist, it is UCEPROTECTL3 but I don't know why my server ip or my mail was marked as spam. Can anyone shoot me where to check or how to solve this problem?
 

Fusion Arc Hosting

Well-known member
Hosting Provider
Registered
Joined
Oct 25, 2017
Messages
136
Points
18
Hi Harry,

Finding the source of the email can be tricky However, one thing you can do is check your exim logs via WHM >> View Mail Statistics Summary and see the top 50 senders by volume. This may show you which account is sending way to much email compared to all others most likely it's spam by sending lots of mail to many different emails at once.

Once you find the top sender take a look at their mailbox and see if you find anything suspicious on it. As for being delisted from the blacklist of UCEPROTECTL3 they don't allow you to request a delist from my knowledge. However, they will auto remove your IP from the blacklist as soon as they dont detect any more spam email coming from your IP.

If you still are not able to find the source I would recommend you contact your hosting provider or the team at cPanel to help you. Thanks!
 

David Beroff

Well-known member
Registered
Joined
Jun 14, 2016
Messages
1,411
Points
63
David Beroff
View Mail Statistics Summary and see the top 50 senders by volume. This may show you which account is sending way to much email compared to all others most likely it's spam by sending lots of mail to many different emails at once.
Thanks for valuable information, I also check this and see how it works because I am facing mail spams on my server but I don't know where or which source of websites sent them.
 

harry_v

Well-known member
Registered
Hosting Provider
Joined
Dec 20, 2017
Messages
109
Points
18
If the email is still in your server's mail queue, the quickest approach to locate it in the email logs is to retrieve the message's ID, which you can accomplish at WHM > Mail Queue Manager. If you have the full headers for the email, you can also get the message ID from them.

After you've obtained the message ID, use the following command to look for it:

exigrep MESSAGEID /var/log/exim_mainlog*

You will then want to look for one of the following lines:

A=dovecot_login:
A=dovecot_plain:


The email's true sender is the email address following one of those lines. To keep that sender from sending more emails, you should change the password for that email address and the cPanel account's password straight soon.

If you don't see A=dovecot login: in the message's = line or don't have an example message to look into, increasing exim's verbosity is the best approach to figure out where spam is coming from your server. Modify the "log selector" box in WHM's advanced Exim settings area with the following:

log_selector = +all

and then save it. Once you have allowed some time to pass (usually between 6 to 24 hours), you will then want to run the following command:

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

It will identify the directories from which the email was sent. You should look for high numbers of user home directories to determine if any mailer/spam scripts are being used in those directories.
T will list directories that email was sent from in which you'd be looking for user home directories with a large number and see if any mailer/spam scripts are being abused in those directories.
 

Harry P

Well-known member
Registered
Joined
Feb 3, 2015
Messages
439
Points
28
Harry P
Blacklists by mail spams so why we should see mail logs? according to me, there is only errors that logged by mail server, it is not relevant to mail spam or blacklist, right?
 

nacyparker

New member
Registered
Joined
Oct 4, 2021
Messages
2
Points
1
The easiest way to find the message in your server's email logs is to obtain the message's ID, which you can do at WHM » Mail Queue Manager if the email is still in your server's mail queue. You can also obtain the message ID from the email's full headers if you have those available.
 
Older Threads
Replies
0
Views
387
Replies
4
Views
866
Latest Threads
Recommended Threads
Replies
4
Views
2,162
Replies
2
Views
2,613
Replies
11
Views
3,165

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top