cPanel is one of the most popular tools for managing websites. However, spamming is a common problem on servers using cPanel. Spamming happens when the same message is sent to many people who didn’t ask for it. This can cause your server’s IP address to get blacklisted, making it hard for your emails to reach inboxes.
Spammers often exploit weak points in websites, like outdated WordPress or Joomla plugins and themes. Let’s learn how to identify and stop spammers on a cPanel server. Spam leaving a cPanel server usually comes from one of two sources:
Compromised Accounts: Hackers guess or steal email account passwords and send spam through the account over authenticated SMTP.
Malicious Scripts: Spamming scripts uploaded through vulnerabilities in content management systems (CMS) like WordPress and Joomla send mail from the web server itself.
Sometimes, spammers gain access to email accounts. To fix this:
Change the account password to a strong one.
Advise users to avoid weak passwords.
Remove the spam from the mail queue (ideally only the compromised account’s messages, so legitimate queued mail is not lost) and restart the Exim service to drop any active spam connections.
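The account-compromise steps above, as an added example that is not part of the original article: the script finds which authenticated mailbox submitted the most messages (cPanel’s Exim logs SMTP-AUTH logins as A=dovecot_login:user@domain) and then removes only that mailbox’s messages from the Exim queue with exiqgrep and exim -Mrm, rather than clearing the whole queue. The log excerpt, mailbox names and IPs are constructed for illustration; the purge step only runs for real where the Exim tools exist.

```shell
#!/bin/sh
# Added example, not code from the original article. Finds the busiest
# authenticated sender in an exim_mainlog-style file and purges only that
# sender's queued mail. Sample data below is constructed, not real.

# Count messages per authenticated sender. cPanel's Exim writes
# "A=dovecot_login:user@domain" on each authenticated submission ("<=") line.
top_auth_senders() {
    log="$1"
    grep -o 'A=[a-z_]*:[^ ]*' "$log" | cut -d: -f2 | sort | uniq -c | sort -rn
}

# The single authenticated sender with the most submissions.
busiest_auth_sender() {
    top_auth_senders "$1" | head -n 1 | awk '{print $2}'
}

# Remove only one sender's messages from the queue: exiqgrep -i prints
# message IDs, -f matches the envelope sender, exim -Mrm deletes them.
# Runs for real only when the Exim tools exist on this host; otherwise it
# shows the command it would run.
purge_queue_for_sender() {
    sender="$1"
    if command -v exiqgrep >/dev/null 2>&1; then
        exiqgrep -i -f "$sender" | xargs -r exim -Mrm
    else
        echo "would run: exiqgrep -i -f '$sender' | xargs -r exim -Mrm"
    fi
}

# Constructed sample log mirroring the exim_mainlog format (not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-20 11:27:01 1rR9Xa-0001Aa-2b <= bob@example.com H=(mail.example.com) [203.0.113.10] P=esmtpsa A=dovecot_login:bob@example.com S=2048 id=1@example.com
2024-01-20 11:27:02 1rR9Xb-0001Ab-2c <= bob@example.com H=(mail.example.com) [203.0.113.10] P=esmtpsa A=dovecot_login:bob@example.com S=2048 id=2@example.com
2024-01-20 11:27:03 1rR9Xc-0001Ac-2d <= bob@example.com H=(mail.example.com) [203.0.113.10] P=esmtpsa A=dovecot_login:bob@example.com S=2048 id=3@example.com
2024-01-20 11:27:04 1rR9Xd-0001Ad-2e <= alice@example.com H=(mail.example.com) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=1024 id=4@example.com
2024-01-20 11:27:05 1rR9Xe-0001Ae-2f => alice@example.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.5]
EOF

top_auth_senders "$SAMPLE_LOG"
purge_queue_for_sender "$(busiest_auth_sender "$SAMPLE_LOG")"
```

On a live server point top_auth_senders at /var/log/exim_mainlog; a single mailbox with a count far above every other sender is the compromised one. Change its password first, then purge its queued mail, then restart Exim so the spammer’s open SMTP sessions are cut.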
Spamming scripts often target CMS-based accounts. Follow these steps to find and stop these scripts:
Use SSH to log in as the root user.
Use the Exim main log (/var/log/exim_mainlog) to identify the source of the spam. For every message submitted locally through the sendmail binary, cPanel’s Exim records the working directory of the submitting process (cwd=), which points at the script that sent it.
Run this command to find the script paths:
awk -F"cwd=" '{print $2}' /var/log/exim_mainlog | awk '{print $1}' | sort | uniq -c | sort -n
This counts the log entries (one per submitted message) for each working directory. Entries for / and /var/spool/exim are Exim’s own deliveries and can be ignored. For example:
18 /home/userna/public_html/about-us
28 /home/userna/public_html
1006 /home/userna/public_html/data
The directory /home/userna/public_html/data is sending the most emails.
List the files in the directory:
ls -lah /home/userna/public_html/data
You might see a suspicious file like mailer.php:
-rw-r--r-- 1 userna userna 5.6K Jan 20 11:27 mailer.php
This file is likely the spam script. Inspect its contents before removing it, and keep a copy for the investigation.
To see which IP addresses are calling the script, check the account’s Apache access log (cPanel keeps one per domain under /home/username/access-logs/):
grep "mailer.php" /home/userna/access-logs/example.com | awk '{print $1}' | sort | uniq -c | sort -n
You may see results like this:
2 123.123.123.126
2 123.123.123.125
7860 123.123.123.123
The IP 123.123.123.123 accessed the script thousands of times, indicating malicious activity.
Block the suspicious IP using one of these commands. A blackhole route is not kept across a reboot, while CSF and APF deny rules are, so prefer the firewall if one is installed:
Without a firewall:
ip route add blackhole 123.123.123.123
With CSF:
csf -d 123.123.123.123
With APF:
apf -d 123.123.123.123
By checking the Exim logs, disabling or removing the malicious script, and blocking the IPs that drive it, you can stop spamming on your cPanel server. Blocking an IP alone is not enough: the script (and the vulnerable plugin or theme it came in through) is still there for the next attacker. Always keep your CMS, plugins, and themes up to date to reduce vulnerabilities.