How/Command to find out the spam mailing script’s location – Exim mail server

The Exim mail server has a lot of options/commands to find out the details of spammers easily from the command line. Click this link “Spam Check” to get more ideas.
We can find out the mail queue details, spam mail sender details, spam mail counts etc from the link I mentioned above.
Here is a script/piped-command to find out the spam mailing script’s location/folder in the server. It would be more helpful for us to identify the spam mail sending script and we can nullify it easily to stop spamming activity.

Steps to find the spam mailing script location?

Step 1 : SSH to your server as root user.
Step 2 : Execute the command pasted below:

# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

The above command will displays the total count of emails sent and the corresponding directory/location which generate the spam mails actually.

# grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
    370 /home/$USER1/public_html
    386 /home/$USER2/public_html
    415 /home/$USER3/public_html
    470 /home/$USER4/public_html
    620 /root
   1409 /home/$USER5/public_html/link
   6340 /home/$USER6/public_html
  63898 /etc/csf

That’s it. 🙂


Related Links:
Check spamming – Exim.
Remove all frozen emails from mail queue.
Delete locked mails from mail queue.
Exim Log line flags.
Exim log file paths in WHM/cPanel & Directadmin.

Arunlal Ashok

Linux Server Administrator. I'm dealing with Linux servers since 2012. I started this blog to share and discuss my ideas with the world. Check My Profile!! in uPwork (oDesk) and let me know if you need any assistance. Thanks!!

You may also like...

9 Responses

  1. Abdi says:

    1 /home/user1/public_html/english/wp-admin
    1 /home/user2/public_html
    2 /home/user3/public_html/folder
    2 /home/user4/public_html
    2 /root
    5 /home/user5/public_html
    8 /home/user6/public_html
    485 /home/user6/public_html
    I have found i want to find the find that sending the spam and delete it what i have to do?

    • Arun Lal says:

      Hello Abdi,

      From the log that you’ve provided, the “user6″ sent about 485 emails and the emails have been sent from the public_html folder. There may be a PHP mailer or a script that send emails. Please check if there’s any vulnerable scripts in the public_html folder. You can use maldet to find any vulnerable scripts. If you’ve any contact forums, then please enable captcha for the forums to avoid spamming from this forums. Hope this info help you 🙂

  2. Abdi says:

    I have scanned with Linux Malware Detector but didn’t see any thing every thing is clean, how to find if there is PHP mailer i am not the owner of the website just i have hosted the website also the website is not forum it is news


  3. Alex Thorn says:

    OMG i just found the script and deleted it,so far no new mail wow if you saved my server i want to send you a big kiss hahaha thank you

  4. Alex Thorn says:

    mail que still clean, i think this worked, i pray to God they will not hackback in to put any scripts back on, great command this will make detection easy now

    please do contact me,



  5. Alex Thorn says:

    your command is makingit easy to find the mailing script

    but daily the hacker is still managing to put the script back on the server in different locations, i am not able to keep them out.

    how do i find out the way he is putting the files on the server??? and of course stop that from happening

    nothing i have tried is working

    thanks for the help


  6. reza says:

    Thank you for commands.
    They work good.


Leave a Reply

Your email address will not be published. Required fields are marked *