Finding scripts responsible for Email / Spam

Sometimes you will find that your server's IP address has been blacklisted because of spam coming from your server. This is normally caused by vulnerable PHP scripts on your server (such as WordPress installations that have not been upgraded). If you'd like to find out how to locate those scripts, keep reading!

The default MTA (Mail Transfer Agent) in cPanel/WHM is exim. With exim, there are specific log file(s) that we can use to help find out what scripts are responsible for emails coming from your server. For this article, we will be using the /var/log/exim_mainlog log file:

1. Login to your server via SSH
2. Type in the following command at the command prompt:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | grep home | awk '{print $1, $2, $3}'


The above command will show you the locations of the PHP scripts that are sending out email, along with the dates and times, and email ID. Please note that it won't give the exact name of the script, only the directory in which the script resides.

Once you have the location where the script is, you can use the “cd” command to change directory to that location and look for scripts which don't belong.

Scripts that are likely responsible for spam will appear in the output very frequently and with little time in between (sometimes not even a second). We have often found spam scripts in /theme or /gallery directories, especially in WordPress installations.
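
Added example (not part of the original article): the script below ranks the directories from the cwd lines by total sendmail invocations and by the peak count within a single second, which makes the high-frequency pattern described above easy to spot. It assumes exim's default log layout (date, time, cwd=...), directory names without spaces, and runs on a constructed sample log with hypothetical users and paths.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes exim's default log layout: DATE TIME cwd=/path N args: ...
# and directory names without spaces.

# rank_cwd LOGFILE
# Prints "TOTAL PEAK_PER_SECOND FIRST_SEEN LAST_SEEN DIRECTORY", busiest first.
rank_cwd() {
    awk '
        $3 ~ /^cwd=\/home\// {
            dir = substr($3, 5)              # drop the "cwd=" prefix
            stamp = $1 "T" $2
            if (!(dir in total)) first[dir] = stamp
            last[dir] = stamp
            total[dir]++
            n = ++persec[dir, stamp]         # invocations within this same second
            if (n > peak[dir]) peak[dir] = n
        }
        END {
            for (d in total)
                print total[d], peak[d], first[d], last[d], d
        }
    ' "$1" | sort -k1,1nr -k5,5
}

# Constructed sample log (hypothetical users and paths).
sample_log() {
    cat <<'EOF'
2024-03-01 10:15:01 cwd=/home/alice/public_html/wp-content/themes/old 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:01 cwd=/home/alice/public_html/wp-content/themes/old 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:01 cwd=/home/alice/public_html/wp-content/themes/old 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:02 cwd=/home/alice/public_html/wp-content/themes/old 3 args: /usr/sbin/sendmail -t -i
2024-03-01 10:15:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-03-01 10:15:03 1rfABC-0001xy-2Z <= alice@example.com U=alice P=local S=1024
2024-03-01 10:20:44 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2024-03-01 14:02:10 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp" && rank_cwd "$tmp"; rm -f "$tmp"
```

On a real server, call rank_cwd /var/log/exim_mainlog and start with the directories that have a high peak-per-second value.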
