
How to find what script is sending emails from

Discussion in 'Site & Server Administration' started by John D, Sep 7, 2016.

  1. #1
    Just as the title says

    I am constantly being suspended because of a script sending spam, and I am getting GBs of return emails in the default email account in cPanel - it is disabled from sending out emails.

    Can anyone tell me where I can find what is sending these please?

    I have updated all my scripts so I don't know what is going on

    Thanks for any help :)
     
    John D, Sep 7, 2016 IP
  2. RHS-Chris

    RHS-Chris Well-Known Member

    #2
    Hello there,

    Not sure if you have root access to your server; if you do, though, check the exim_mainlog. If you do not have root access, I would ask your provider to check this log and provide direction on where the emails are being sent from.

    Regards,
    Chris
     
    RHS-Chris, Sep 7, 2016 IP
  3. sarahk

    sarahk iTamer Staff

    #3
    Are you sure your server is sending them? They could be spoofed.
     
    sarahk, Sep 7, 2016 IP
  4. robyries

    robyries Notable Member

    #4
    I've been through this: my hosting provider suspected me of sending spam email from one of my domains hosted with them. They gave me a screenshot and asked me to stop this, otherwise they will suspend their service. They asked me to check each folder or reinstall everything.

    My suggestion: you need to make your password stronger. Once these spam email scripts successfully break into your cPanel, it's hard to clean up other than by reinstalling.

    Good luck
     
    robyries, Sep 7, 2016 IP
  5. JeffMichaels

    JeffMichaels Well-Known Member

    #5
    Even if you've disabled the email accounts running on your hosting service, it is still possible to send out email using PHP scripts.

    Are you running a WordPress site or any other PHP scripts? Some hackers may have used your site to upload their own PHP scripts and use those PHP scripts to send out loads of emails. Look around in the upload directories of your PHP scripts and see if you can find anything out of place.

    We manage a large number of dedicated servers and virtual private servers -- we see this sort of thing all the time.
     
    JeffMichaels, Sep 14, 2016 IP
  6. jsmcm

    jsmcm Active Member

    #6
    exim usually includes a header like X-PHP-Originating-Script. Check if the bounce message contains the headers of the original message and see if that's in there.

    If you have access to ssh on the server then you could also try checking the time the original message was sent (by looking at that header in the bounce message) and then checking your http access logs at that time...

    Is this a WordPress site? I've seen outdated plugins get hacked with a script uploader. You could try grep'ing for eval, as these uploaded scripts often use eval'ed code.
     
    jsmcm, Sep 19, 2016 IP
  7. NekufBoum

    NekufBoum Peon

    #7
    If you are using a shared server you should ask your hosting provider to check this information for you. Every good hosting provider will provide you with more information on this.

    If you are on Cloud/VPS/DC you may post here or PM me with the logs from the exim_mainlog. You can check exim's queue with the following command:
    exim -bp

    After that you can use the following command to view the headers:
    exim -Mvh IDofTheMail
     
    NekufBoum, Sep 20, 2016 IP
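
The checks suggested in posts #2, #6 and #7, as an added example that is not part of any post in this thread: it tallies the working directories recorded in exim_mainlog "cwd=" lines and the scripts named in X-PHP-Originating-Script headers. The log lines, headers, paths and account name are constructed sample data, and /var/log/exim_mainlog is assumed as the usual cPanel location of the log.

```shell
#!/bin/sh
# Added example. All log lines, headers, paths and the account name are constructed.

sample_log() {      # constructed exim_mainlog excerpt
cat <<'EOF'
2016-09-07 10:15:01 cwd=/home/exampleuser/public_html/wp-content/uploads/2016 3 args: /usr/sbin/sendmail -t -i
2016-09-07 10:15:02 cwd=/home/exampleuser/public_html/wp-content/uploads/2016 3 args: /usr/sbin/sendmail -t -i
2016-09-07 10:15:03 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1bhXYZ-0001aB-2C
2016-09-07 10:15:09 cwd=/home/exampleuser/public_html/wp-content/uploads/2016 3 args: /usr/sbin/sendmail -t -i
2016-09-07 10:20:44 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
EOF
}

sample_headers() {  # constructed headers, as quoted in a bounce or shown by exim -Mvh
cat <<'EOF'
X-PHP-Originating-Script: 1001:cache.php
Subject: constructed sample
X-PHP-Originating-Script: 1001:cache.php
X-PHP-Originating-Script: 1001:contact-form.php
EOF
}

# Count mail submissions per working directory; skip exim's own queue runs.
tally_cwd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) {
               d = substr($i, 5)
               if (d !~ /^\/var\/spool\//) print d } }' |
        sort | uniq -c | sort -rn
}

# Count messages per PHP script named in X-PHP-Originating-Script (uid:file).
# Matching anywhere on the line tolerates prefixes in front of the header name.
tally_php_scripts() {
    awk 'match(tolower($0), /x-php-originating-script:[ \t]*/) {
             print substr($0, RSTART + RLENGTH) }' |
        sort | uniq -c | sort -rn
}

# Most frequent entry of each tally.
top_cwd()    { tally_cwd | awk 'NR == 1 { print $2 }'; }
top_script() { tally_php_scripts | awk 'NR == 1 { print $2 }'; }

# On a real server: tally_cwd < /var/log/exim_mainlog
sample_log | tally_cwd
sample_headers | tally_php_scripts
```

A directory under an uploads folder at the top of the first tally, or an unfamiliar file name at the top of the second, is the place to start looking for the uploaded script.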
  8. UnderHost_MSA

    UnderHost_MSA Notable Member

    #8
    It seems you are running on a shared server; your host is supposed to help you find the rogue script.

    If you are running WordPress, just PM me, I'll help you to fix your issue for free and scan your installation.
     
    UnderHost_MSA, Sep 23, 2016 IP
  9. MechanicWeb-shoss

    MechanicWeb-shoss Active Member

    #9
    You should always sign up with a provider that has a spam filter for outbound emails, such as SpamExperts. Life is way easier with that.
     
    MechanicWeb-shoss, Sep 25, 2016 IP
  10. MailerMoney

    MailerMoney Peon

    #10
    You need to make sure your host is mailer friendly. Otherwise you will be banned over and over...
     
    MailerMoney, Oct 21, 2016 IP