How to Find Spammers on cPanel/WHM

cPanel Spammers

If you deliver shared hosting services on cPanel, you likely deal with spam. As part of our server management services, we find spam typically comes from one of 3 sources:

Compromised application
Compromised end-user password
Insecure form to email scripts

If you do not have the right log information, finding spammers on cPanel can take a lot of time. Fortunately by modifying the default logging parameters, we can get the data we need to quickly find the scripts sending the spam.

Video: 2 Minutes on Catching a Spammer

PHP Nobody Spammers

If you have a web application sending spam, the originating sender may be listed as “nobody” in cPanel logs. This is commonly referred to as "PHP nobody spammers" in forums and other blogs.

You see this because, when PHP runs under mod_php without suPHP or mod_ruid2, the Apache web server runs as the nobody user. As a result, the script sends the email as the “nobody” user — making it difficult to identify which site is sending the spam.

If you use suPHP or mod_ruid2, the username will be that of the account owner. This makes finding the source of the spam easier, but I still recommend updating your logs.

Modify Exim Logs

To find cPanel spammers, we need more information. We can get it by adding more detail to the Exim logs through the Exim Configuration Manager in cPanel.

By changing the log_selector variable in exim, the logs will now show us the directory from where emails originate — invaluable information when finding cPanel spammers. (See Exim documentation for more details on log_selectors).

To modify the exim logs:

1. Login to WHM

2. Search for Exim in the search box and select the Exim Configuration Manager

3. In the Exim Configuration Manager, select the advanced configuration tab and find the log_selector line. (Tip: just search for log_selector in your browser).

4. In the log_selector space, replace the lines that are there with this (be careful of line breaks):

+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface
+incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery
+size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher

If you are having issues, try this Pastebin version.

5. Scroll to the bottom of the window and click save. If you have an error, check for line breaks.

This will add the advanced logging to exim.

Review Exim Maillog

After a while, check your exim logs. I usually grep for

grep cwd=/home /var/log/exim_mainlog

You will get a list of directories that have sent email:

2014-02-02 06:44:29 cwd=/home/joe/public_html 4 args: /usr/sbin/sendmail -t -i
2014-02-02 06:45:18 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 06:56:28 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:09:26 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:13:31 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i

If you see hundreds of entries for one specific path, check the Apache logs for that site. You will likely find the script being exploited.
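The grep above lists every message-sending directory; on a busy server the useful step is counting messages per directory and pulling the timestamps for the busiest one so they can be matched against that site's Apache access log. The script below is an added example written for this article, not part of the original page. The log lines embedded in it are constructed sample data in the format shown above; the threshold of 3 messages is an arbitrary value for the sample, and on a real server you would point it at /var/log/exim_mainlog and use a much higher threshold.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the "cwd=" entries
# that the extended log_selector writes into exim_mainlog so the directory
# generating the most mail stands out. The sample lines below are constructed.

SAMPLE_LOG='2014-02-02 06:44:29 cwd=/home/joe/public_html 4 args: /usr/sbin/sendmail -t -i
2014-02-02 06:45:18 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 06:56:28 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:09:26 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:13:31 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:14:02 1WA1b2-0001Ab-Cd <= bob@example.com H=localhost [127.0.0.1] P=esmtpa S=512'

# write_sample_log FILE : write the constructed sample log to FILE
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# count_cwd LOGFILE : print "count directory", busiest directory first.
# Only cwd= fields under /home are counted, matching the article's grep;
# lines without a cwd= field (normal SMTP traffic) are ignored.
count_cwd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=\/home/) { d = $i; sub(/^cwd=/, "", d); n[d]++ }
    }
    END { for (d in n) print n[d], d }' "$1" | sort -rn -k1,1
}

# flag_busy LOGFILE THRESHOLD : directories with at least THRESHOLD messages
flag_busy() {
    count_cwd "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# times_for_cwd LOGFILE DIR : timestamp of every message sent from DIR.
# Compare these against the site's Apache access log to find the script.
times_for_cwd() {
    awk -v d="cwd=$2" '$3 == d { print $1, $2 }' "$1"
}

# Stand-alone run: pass a real log path as $1, otherwise report on the sample.
if [ -n "$1" ]; then
    LOG="$1"
else
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "Messages per directory:"
count_cwd "$LOG"
echo "Directories with 3 or more messages:"
flag_busy "$LOG" 3
for d in $(flag_busy "$LOG" 3); do
    echo "Send times for $d:"
    times_for_cwd "$LOG" "$d"
done
[ -n "$1" ] || rm -f "$LOG"
```

Run it as `sh count_cwd.sh /var/log/exim_mainlog` on the server; the timestamps printed for a flagged directory are what you search for in that account's Apache access log, where a burst of POST requests to one PHP file at the same times usually points at the exploited script.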

Privacy Concerns

Note that the above selectors will also add the subject line of every message to exim_mainlog. You may consider this a privacy issue. If so, just remove the +subject selector.

Catch a Spammer Tips?

Do you have some clever tips on how to find spammers on cPanel? Let us know.
