GoDaddy Help

Find SPAM senders using Exim with SSH

Exim is the message transfer agent (MTA) installed with our WHM/cPanel servers to relay email. You can investigate SPAM issues within Exim using SSH.

Follow the suggestions below to find the cause of your SPAM issue and learn to how fix it. To get started, you'll need to enable administrator access on your Gen 3 or Gen 4 server (if you haven't already done so), connect with SSH and switch to the root user.

If your server has stopped sending mail, it's likely there are email messages stuck in the email queue. You can view a summary of the Exim mail queue using:

[root@server ~]# exim -bp | exiqsumm

Count Volume Oldest Newest Domain
----- ------ ------ ------ ------

1621 960KB 4h 5m cooldomain.com
---------------------------------------------------------------
1621 960KB 4h 5m TOTAL

In our example, there are currently 1,621 messages stuck in the outgoing mail queue, all being sent to email recipients at cooldomain.com.

To examine the mail queue and generate a list of scripts that are sending mail, you can use:

Note: This command will only work if there are messages in the mail queue.

[root@server ~]# for message in $(exiqgrep -i); do exim -Mvh $message | grep "X-PHP-Script" | awk '{print $3}' >> /tmp/scriptslist.txt; done && cat /tmp/scriptslist.txt | uniq -c | sort -nr && rm -f /tmp/scriptslist.txt

1621 coolexample.com/wp-content/uploads/2021/01/mailscript.php

The output shows that a single PHP script is responsible for the email messages in the queue.

If the mail queue is currently empty, you'll need to search the Exim mail log to determine the source of the messages. Run this command to find any PHP scripts sending mail:

[root@server ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -rn

1646 /home/coolex/public_html/wp-content/uploads/2021/01
 112 /usr/local/cpanel/whostmgr/docroot

If emails aren't coming from a cPanel account or script, they may be coming from an email account set up on the server. High usage can show that an email account's password was compromised. Run this command to generate a list of email accounts that have been logged into and have sent mail.

[root@server ~]# grep '_login' /var/log/exim_mainlog | cut -d '_' -f2 | cut -d ":" -f2 | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{ if ($1 > 1) print $0}'

   1152 info@coolexample.com
      6 frontdesk@coolexample.com

In this case, one of the accounts is clearly responsible for a large number of messages. If you find a similar problem, reset the password of the account, advise the user that they can't send bulk email from their account, or both.

In extreme cases, after correcting any issues, you may find that the mail queue has a large amount of SPAM still waiting to be sent along with legitimate email. In these cases you may choose to empty the email queue to allow new mail to process normally.

Warning: Emptying the mail queue will delete all messages and is not reversible.
To empty the email queue:

for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done

Related steps

More info

  • Our server experts can perform these steps for a fee. For more information about our Expert Services, please visit our Expert Service menu.