How to Identify Outbound Spam on a cPanel Shared Hosting Server

When a cPanel shared hosting server starts sending spam, it can damage your IP reputation, delay legitimate emails, and even lead to blacklisting. This guide explains how to quickly identify the source of spam using Exim logs.


📊 Step 1: Check Overall Mail Activity

Run a quick review of Exim stats to spot unusual patterns:

eximstats -ne -nr /var/log/exim_mainlog | less

Look for:

  • High outbound volume through the remote_smtp / dkim_remote_smtp transports (deliveries leaving the server), especially from a single sender or domain.

  • Large counts of failed or deferred messages.

  • Sudden spikes in deliveries per hour.


🔍 Step 2: Identify PHP Script Senders (Most Common on Shared Hosting)

Run the following command to see which cPanel accounts are generating emails via PHP:

exigrep ' cwd=/home/' /var/log/exim_mainlog \
| sed -n 's/.*cwd=\(\/home\/[^ ]*\).*/\1/p' \
| sort | uniq -c | sort -nr | head

Interpretation:

  • Output will list directories under /home/USER/.

  • The highest counts usually indicate the source account.

  • Check for suspicious public_html subpaths like wp-content/plugins/.

Pro Tip: To pinpoint the exact PHP file, look for the X-PHP-Script: header, which cPanel's PHP mail wrapper adds to every message sent through PHP's mail():

exigrep 'X-PHP-Script' /var/log/exim_mainlog | tail -n 100

If your exim_mainlog does not record that header, it is still present in the message itself: read it from a queued message with exim -Mvh MESSAGE_ID (see Step 4).

📬 Step 3: Check for SMTP Auth Abuse (Stolen Email Passwords)

If the spam is sent via authenticated SMTP sessions, cPanel's Exim records the mailbox on the arrival line as A=dovecot_login:USER (or A=dovecot_plain:USER) and the client address as [IP]:PORT on the same line. Count the mailboxes that authenticate most often:

exigrep 'A=dovecot_' /var/log/exim_mainlog \
| grep -oP 'A=dovecot_(login|plain):\K\S+' | sort | uniq -c | sort -nr | head

If found:

  • Force password resets for affected accounts.

  • Block malicious IPs using CSF or another firewall; the client IP is the [IP]:PORT field on the same A=dovecot_ log line, and one mailbox submitting from many unrelated IPs is a strong sign of a stolen password.

  • Review /var/log/maillog (Dovecot) for failed and unusual login attempts against the same accounts.


🕵️ Step 4: Trace a Specific Message ID

Once you have a suspicious message ID:

exigrep MESSAGE_ID /var/log/exim_mainlog
exim -Mvh MESSAGE_ID   # View headers
exim -Mvl MESSAGE_ID   # View logs

Look for:

  • A=dovecot_login: → Authenticated email account.

  • cwd=/home/USER/... + X-PHP-Script: → Website sending mail.

  • An empty envelope sender (logged as <= <>, shown as from=<> in queue listings) → Bounce messages (possible backscatter spam).
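Steps 2 to 4 are one triage procedure, so here is a single added example that runs them end-to-end over a constructed exim_mainlog excerpt. This is the editor's illustration, not the article's or cPanel's own tooling. The sample lines imitate the shape of cPanel's Exim log as assumed above: a cwd= argument line followed by the <= arrival line for script-sent mail, an A=dovecot_login: or A=dovecot_plain: arrival with [IP]:PORT for authenticated SMTP, and <= <> for a bounce. The account names, IP addresses, message IDs and the cwd path are invented. It uses sed and awk instead of grep -P so it runs with any POSIX toolset; pass a real log path as the first argument to run it on a live server.

```shell
#!/bin/sh
# Added illustration, not the article's or cPanel's own tooling: one triage pass over
# exim_mainlog that answers Steps 2, 3 and 4. Usage: sh exim_triage.sh [/var/log/exim_mainlog]

# Constructed sample in the shape cPanel's Exim writes (invented accounts, IPs, IDs):
# a "cwd=" argument line precedes each script-sent "<=" arrival; authenticated SMTP
# carries "[client-ip]:port ... A=dovecot_login:USER"; a bounce arrives as "<= <>".
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/plugins/x 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:01 1s1abc-0001Aa-Bc <= alice@example.com U=alice P=local S=1234 T="You won" for v1@example.net
2024-05-01 10:00:02 cwd=/home/alice/public_html/wp-content/plugins/x 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 1s1abc-0001Ab-Cd <= alice@example.com U=alice P=local S=1234 T="You won" for v2@example.net
2024-05-01 10:00:03 cwd=/home/alice/public_html/wp-content/plugins/x 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 1s1abc-0001Ac-Ef <= alice@example.com U=alice P=local S=1234 T="You won" for v3@example.net
2024-05-01 10:00:04 cwd=/home/carol/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 1s1abc-0001Ad-Gh <= carol@example.com U=carol P=local S=800 T="Order receipt" for buyer@example.net
2024-05-01 10:00:05 1s1abc-0001Ae-Ij <= bob@example.org H=(localhost) [203.0.113.5]:51234 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.org S=2345 T="Invoice" for v4@example.net
2024-05-01 10:00:06 1s1abc-0001Af-Kl <= bob@example.org H=(localhost) [198.51.100.7]:51235 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:bob@example.org S=2345 T="Invoice" for v5@example.net
2024-05-01 10:00:07 1s1abc-0001Ag-Mn <= dave@example.org H=(mail.example.org) [192.0.2.9]:25 P=esmtpa A=dovecot_plain:dave@example.org S=500 T="hello" for friend@example.net
2024-05-01 10:00:08 1s1abc-0001Ah-Op <= <> R=1s1abc-0001Aa-Bc U=mailnull P=local S=3456 T="Mail delivery failed: returning message to sender" for alice@example.com
EOF

# Step 2: which /home/... working directory invoked sendmail most often.
top_php_senders() {
    sed -n 's/.*cwd=\(\/home\/[^ ]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Step 3: which mailbox authenticated most often (the user follows the colon in
# A=dovecot_login:USER / A=dovecot_plain:USER).
top_auth_users() {
    sed -n 's/.*A=dovecot_[a-z]*:\([^ ]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Step 3: "USER CLIENT_IP" pairs, so one mailbox submitting from many IPs stands out
# and the IPs can be handed to the firewall.
auth_source_ips() {
    sed -n 's/^.*\[\([0-9a-fA-F.:]*\)\]:[0-9]* .*A=dovecot_[a-z]*:\([^ ]*\).*/\2 \1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Step 4: null-sender arrivals (backscatter candidates). grep -c exits 1 on zero
# matches but still prints 0, hence the "|| true".
bounce_count() {
    grep -c ' <= <> ' "$1" || true
}

# Step 4: classify one message ID from its "<=" line: bounce, auth, local (script or
# cron; the most recent cwd= line names the directory), or other.
classify_message() {
    awk -v id="$2" '
        $3 ~ /^cwd=\/home\// { cwd = substr($3, 5) }
        $3 == id && $4 == "<=" {
            if ($5 == "<>")        { print "bounce"; exit }
            if ($0 ~ /A=dovecot_/) { print "auth"; exit }
            if ($0 ~ / P=local /)  { print "local " cwd; exit }
            print "other"; exit
        }' "$1"
}

report() {
    echo "== Top script (cwd) senders ==";             top_php_senders "$1"
    echo "== Top authenticated users ==";              top_auth_users "$1"
    echo "== Authenticated user / client IP pairs ==";  auth_source_ips "$1"
    echo "== Null-sender (<= <>) arrivals: $(bounce_count "$1")"
}

LOG="${1:-$SAMPLE_FILE}"
report "$LOG"
```

On the constructed sample the report ranks alice's plugin directory first (three sendmail invocations), shows bob@example.org authenticating from two different client IPs, and counts one null-sender arrival; classify_message then resolves any single message ID to bounce, auth, or local plus the directory that invoked sendmail, which is the same decision Step 4 asks you to make by eye.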


🛡 Step 5: Contain the Spam Immediately

  • Limit Email Sending:

whmapi1 modifyacct user=USERNAME MAX_EMAIL_PER_HOUR=0
  • Suspend Outgoing Mail for specific accounts via WHM (Manage Outgoing Email Suspension) or the whmapi1 suspend_outgoing_email function. This is the unambiguous control: an hourly limit only throttles, and it is enforced per domain rather than per script, so confirm the value you set in /var/cpanel/users/USERNAME before relying on it.

  • Remove Spam from Queue (the example below drops every queued message with an empty envelope sender, i.e. the bounces; pass a sender address to -f instead to drop one account's queued mail):

exiqgrep -i -f '<>' | xargs -r exim -Mrm

🔧 Step 6: Clean and Secure the Server

If PHP/Website Compromise:

  • Scan with ImunifyAV/Maldet.

  • Remove malicious mailer scripts.

  • Update CMS core, plugins, and themes.

If SMTP Account Compromise:

  • Enforce password resets.

  • Require TLS before authentication (in WHM's Exim Configuration Manager, require clients to connect with SSL or issue STARTTLS before they are allowed to authenticate) so credentials are never sent in the clear.

  • Implement rate limits per account.


🛑 Step 7: Harden cPanel/WHM to Prevent Recurrence

  • Enable Prevent “nobody” from sending mail.

  • Set Max hourly emails per domain to a safe default.

  • Use SPF, DKIM, DMARC.

  • Consider outbound filtering via MailChannels or similar.


✅ Quick Reference Commands

Action                Command
Top PHP senders       exigrep ' cwd=/home/' /var/log/exim_mainlog | sed -n 's/.*cwd=\(\/home\/[^ ]*\).*/\1/p' | sort | uniq -c | sort -nr | head
Top SMTP auth users   exigrep 'A=dovecot_' /var/log/exim_mainlog | grep -oP 'A=dovecot_(login|plain):\K\S+' | sort | uniq -c | sort -nr | head
Remove bounces        exiqgrep -i -f '<>' | xargs -r exim -Mrm

💡 Pro Tip: Monitor /var/log/exim_mainlog in real-time during cleanup to verify no new spam is being injected:

tail -f /var/log/exim_mainlog
