Issue
You received a report, or noticed yourself, that your server is sending a large volume of outgoing email. You need to identify the account responsible for the spam and clean up the malicious script.
Environment
Any environment supported by Imunify360/ImunifyAV+ and with Exim installed.
Solution
1. Use the following command to find spamming accounts. It lists the top 10 email senders according to exim_mainlog:
# grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -10
- Alternatively, this one below can be used:
# grep Sender /var/log/exim_mainlog | awk '{print $8}' | cut -d'=' -f2 | sort | uniq -c |sort -rn
- For cPanel users, the following script can be used to identify the user sending out emails as well as the path(s) to the mail script: https://github.com/CpanelInc/tech-MSP (refer to the Useful links for more)
2. Scan the accounts that send the most email using the Imunify360 scanner:
- Go to Imunify360 > Malware Scanner > Users;
- Select the users identified from exim_mainlog in the previous step;
- Click on the "Scan for malware" option.
3. After the scan finishes, clean up the detected malicious files manually if "Default action detect" is set to "Just display in dashboard" in Malware Settings. Otherwise, they are cleaned up automatically.
To clean up the detected files, go to the Malware Scanner > Files tab and click the "Clean up all" button.
4. Monitor outgoing email delivery to confirm the resolution.
If the issue is still occurring, please contact our Support team at https://cloudlinux.zendesk.com/hc/en-us/requests/new with the cleanup request and share your troubleshooting results.
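For step 1, the following added example (not part of the original article or of Imunify360) counts locally submitted messages per system user by locating the `U=` field by name rather than by column, and can restrict the count to one day. The function names `top_local_senders` and `sample_log`, and the sample log lines, are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original article.
# top_local_senders LOGFILE [N] [YYYY-MM-DD]
#   Prints "COUNT USER" for messages submitted locally (P=local),
#   highest count first, at most N lines (default 10).
#   Pass "-" as LOGFILE to read the log from standard input.
top_local_senders() {
    awk -v day="${3:-}" '
        # Arrival lines contain " <= "; the log date is the first field.
        / <= / && /P=local/ && (day == "" || $1 == day) {
            # Find U=<user> wherever it sits, so extra fields enabled by
            # log_selector options do not shift the result.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^U=/) { count[substr($i, 3)]++; break }
        }
        END { for (u in count) print count[u], u }
    ' "$1" | sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Constructed sample log lines (not real data) in exim_mainlog format.
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 1aaaaa-000001-AA <= alice@host.example U=alice P=local S=1200
2024-05-01 10:00:02 1aaaaa-000002-AA <= bob@host.example U=bob P=local S=900
2024-05-01 10:00:03 1aaaaa-000003-AA <= alice@host.example U=alice P=local S=1180
2024-05-01 10:00:04 1aaaaa-000004-AA <= carol@remote.example H=mx.remote.example [192.0.2.10] P=esmtps S=2048
2024-05-01 10:00:05 1aaaaa-000003-AA => dave@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [192.0.2.10]
2024-05-02 09:00:00 1aaaaa-000005-AA <= alice@host.example U=alice P=local S=1100
2024-05-02 09:00:01 1aaaaa-000006-AA <= <> R=1aaaaa-000005-AA U=mailnull P=local S=3000
EOF
}

# Demonstration on the constructed sample; on a server, pass
# /var/log/exim_mainlog as LOGFILE instead.
sample_log | top_local_senders - 5
```

Messages received over SMTP (no `P=local`) and delivery lines (`=>`) are ignored, so the counts reflect only mail handed to Exim by local users and scripts.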
Useful links
- https://docs.imunify360.com/dashboard/#users
- https://docs.imunify360.com/dashboard/#files
- https://serverfault.com/questions/938359/exim-find-total-number-of-emails-sent-within-last-24-hours-on-per-user-basis/938365
- https://support.cpanel.net/hc/en-us/articles/360052749573-How-to-Find-the-Source-of-a-Large-Amount-of-Email
- https://serverfault.com/questions/999422/find-exim-account-sending-lots-of-emails-spamming