How to Find Spammers on a cPanel Server

cPanel is one of the most popular tools for managing websites. However, spamming is a common problem on servers using cPanel. Spamming happens when the same message is sent to many people who didn’t ask for it. This can cause your server’s IP address to get blacklisted, making it hard for your emails to reach inboxes.

Spammers often exploit weak points in websites, like outdated WordPress or Joomla plugins and themes. Let’s learn how to identify and stop spammers on a cPanel server.

Types of Spamming

  1. Compromised Accounts: Hackers guess or steal account passwords to send spam emails.

  2. Malicious Scripts: Spamming scripts exploit vulnerabilities in content management systems (CMS) like WordPress and Joomla.

Compromised Accounts

Sometimes, spammers gain access to email accounts. To fix this:

  • Change the account password to a strong one.

  • Advise users to avoid weak passwords.

  • Clear the email queue and restart the Exim service to disconnect any active spam connections.

Spamming Through Scripts

Spamming scripts often target CMS-based accounts. Follow these steps to find and stop these scripts:

  • Step 1: Log in to the Server

    Use SSH to log in as the root user.

  • Step 2: Check Exim Logs

    Use Exim logs to identify the source of the spam.

    Run this command to find the script paths:

    awk -F"cwd=" '{print $2}' /var/log/exim_mainlog | awk '{print $1}' | sort | uniq -c | sort -n

    This will show how many emails each script has sent. For example:

    18 /home/userna/public_html/about-us
    28 /home/userna/public_html
    1006 /home/userna/public_html/data

    The directory /home/userna/public_html/data is sending the most emails.

  • Step 3: Find the Problematic Script

    List the files in the directory:

    ls -lah /home/userna/public_html/data

    You might see a suspicious file like mailer.php:

    -rw-r--r-- 1 userna userna 5.6K Jan 20 11:27 mailer.php

    This file is likely sending spam.

  • Step 4: Check Access Logs

    To see which IP addresses are using the script, run:

    grep "mailer.php" /home/userna/access-logs/example.com | awk '{print $1}' | sort | uniq -c | sort -n

    You may see results like this:

    2 123.123.123.126
    2 123.123.123.125
    7860 123.123.123.123

    The IP 123.123.123.123 accessed the script thousands of times, indicating malicious activity.

  • Step 5: Block Malicious IPs

    Block the suspicious IP using one of these commands:

    Without a firewall:

    ip route add blackhole 123.123.123.123

    With CSF:

    csf -d 123.123.123.123

    With APF:

    apf -d 123.123.123.123
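The two counting steps above (ranking sending directories from exim_mainlog and ranking client IPs from the domain access log) wrapped as reusable shell functions. This is an added example, not a command set from the original article; it assumes the standard cwd= lines Exim writes for locally submitted mail and Apache-style access logs, and the sample log lines are constructed for demonstration.

```bash
# Added triage helper, not from the original article. Assumes standard
# exim_mainlog "cwd=" lines and Apache-style cPanel domain access logs.
# All sample log lines below are constructed, not real data.

# rank_exim_cwd <exim_mainlog>
# Prints "<count> <directory>", ascending, for each cwd= value. Lines without
# cwd= (mail submitted over SMTP) are skipped so they do not produce a
# misleading blank entry in the ranking.
rank_exim_cwd() {
    awk -F'cwd=' 'NF > 1 { split($2, f, " "); print f[1] }' "$1" \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# rank_script_hits <access_log> <script_name>
# Prints "<count> <client_ip>", ascending, for requests naming the script.
rank_script_hits() {
    grep -F "$2" "$1" | awk '{ print $1 }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# --- constructed sample data mirroring the formats shown in the article ---
EXIM_SAMPLE=$(mktemp)
cat > "$EXIM_SAMPLE" <<'EOF'
2024-01-20 11:27:01 cwd=/home/userna/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 cwd=/home/userna/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 1rR2Ab-0001xy-Zz <= user@example.com H=(localhost) [127.0.0.1] P=esmtpa
2024-01-20 11:27:04 cwd=/home/userna/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:05 cwd=/home/userna/public_html/data 3 args: /usr/sbin/sendmail -t -i
EOF

ACCESS_SAMPLE=$(mktemp)
cat > "$ACCESS_SAMPLE" <<'EOF'
123.123.123.123 - - [20/Jan/2024:11:27:01 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "-"
123.123.123.125 - - [20/Jan/2024:11:27:02 +0000] "GET /about-us/ HTTP/1.1" 200 8192 "-" "-"
123.123.123.123 - - [20/Jan/2024:11:27:03 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "-"
123.123.123.126 - - [20/Jan/2024:11:27:04 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "-"
123.123.123.123 - - [20/Jan/2024:11:27:05 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "-"
EOF

# Highest-volume sending directory and the client hitting the script hardest:
# the last line of each ranking, since sort -n orders ascending.
busiest_dir() { rank_exim_cwd "$EXIM_SAMPLE" | tail -n 1 | awk '{ print $2 }'; }
busiest_ip()  { rank_script_hits "$ACCESS_SAMPLE" mailer.php | tail -n 1 | awk '{ print $2 }'; }

echo "Busiest sending directory: $(busiest_dir)"
echo "Top client for mailer.php: $(busiest_ip)"
```

On a live server, point rank_exim_cwd at /var/log/exim_mainlog and rank_script_hits at the domain's file under /home/<user>/access-logs/.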

Summary

By checking Exim logs and blocking malicious scripts or IPs, you can stop spamming on your cPanel server. Always keep your CMS, plugins, and themes up to date to reduce vulnerabilities.