Exim – Scripts to find the Origin of Spam mails in cPanel Server


To get a sorted list of email senders in the Exim mail queue, with the number of mails sent by each one:

# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

The following commands find the script that is originating spam mails:

# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

To find the exact spamming script, use the following command. It shows the spamming script that is running right now, so it is useful on any mail server for identifying exactly which script is sending the mails. Replace USERNAME and the quoted path with the account and directory you are checking.

# ps auxwwwe | grep USERNAME | grep --color=always "/home/USERNAME/path/to/directory" | head

The usage of the above command is shown below.

# ps auxwwwe | grep test8 | grep --color=always "/home/test8/public_html/wp/wp-content/themes/twentyeleven" | head

Once you find the exact script, the following command will help you find the IP address responsible for the spamming. It gives a list of IPs; the IP address with the highest number of accesses is most probably the one causing the spam. You can block that IP address in the csf or apf firewall. Replace SCRIPT_NAME with the name of the script you found.

# grep "SCRIPT_NAME" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n


The following command shows which script is being used to send the email. If the mail comes from PHP, use:

# egrep -R "X-PHP-Script" /var/spool/exim/input/*


It shows the top 50 domains using the mail server, with options.

# eximstats -ne -nr /var/log/exim_mainlog


It shows from which user's home directory the mail is going out, so that you can easily trace it and block it if needed. It shows the mails going from the server.

# ps -C exim -fH ewww | grep home

It shows the IPs that are connected to the server on port 25. If one particular IP is using more than 10 connections, you can block it in the server firewall.

# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

In order to find “nobody” spamming, issue the following command

# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give a result like this:
6 PWD=/
347 PWD=/home/sample/public_html/test
Look at the count for each PWD; if it is a large value, check the files in the directory listed in PWD.
(Ignore it if it is /, /var/spool/mail or /var/spool/exim.)

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
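
The log check above and the ignore list given for the PWD output can be combined into one function. This is an added example, not part of the original article: the function names and the sample log lines are constructed, and it matches the cwd= field by name so that a line with an extra field (such as a logged PID) is still counted.

```shell
#!/bin/sh
# Added example (not from the original article): count Exim "cwd=" entries
# per directory, skipping the directories the article says to ignore.

# Constructed sample lines in exim_mainlog format (not real log data).
sample_log() {
cat <<'EOF'
2024-01-10 09:15:01 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:15:02 [4321] cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:15:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rXyZa-0001Ab-2C
2024-01-10 09:15:04 cwd=/ 2 args: /usr/sbin/exim -q
2024-01-10 09:15:05 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 09:15:06 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Reads mainlog lines on stdin; prints "COUNT DIRECTORY", busiest first.
# Real use: top_cwd < /var/log/exim_mainlog
# Limitation: a directory name containing a space is cut at the space.
top_cwd() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=/) {          # find the field wherever it sits
                    dir = substr($i, 5)      # drop the "cwd=" prefix
                    if (dir != "/" && dir != "/var/spool/exim" && dir != "/var/spool/mail")
                        count[dir]++
                    break
                }
            }
        }
        END { for (d in count) print count[d], d }
    ' | sort -k1,1nr -k2
}

# Same counts rolled up to the account name under /home.
top_users() {
    top_cwd | awk '$2 ~ /^\/home\// { split($2, p, "/"); n[p[3]] += $1 }
                   END { for (u in n) print n[u], u }' | sort -k1,1nr -k2
}

sample_log | top_cwd
```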


The following script will give the summary of mails in the mail queue.

# exim -bpr | exiqsumm -c | head