InMotion Hosting Support Center

In this guide I'll teach you how to use the Exim mail log on your VPS or dedicated server to find attempts by spammers to use your scripts, or scripts of their own, to relay spam from your server.

How does spam get sent from my server?

You might have a "tell a friend" feature on your website, or another email alerting system on your site. If you're not careful these can sometimes be exploited by bots for spamming purposes. This can damage the sending reputation of your mail IP address, and lead to issues such as your IP ending up on a blacklist.

How do I stop spam coming from my server?

Exim, the MTA (Mail Transfer Agent) on your server, handles email deliveries. All email activity is logged, including mail sent from scripts, and for mail handed in by a script Exim records the current working directory from which the script was executed.

Using this knowledge you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed onto your server.

Locate top scripts sending into Exim

In the steps below I'll show how to locate the top scripts on your server sending mail. If any scripts look suspicious, you can check the Apache access logs to find out how a spammer might be using your scripts to send spam.

To follow the steps below you'll need root access to your server, so you have access to the Exim mail log.

  1. Login to your server via SSH as the root user.
  2. Run the following command to pull the directories of the scripts that send the most mail from the Exim mail log:

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    Code breakdown:

    grep cwd /var/log/exim_mainlog Use the grep command to find lines in the Exim mail log that mention cwd, which stands for current working directory.
    grep -v /var/spool Use grep with the -v flag, which inverts the match, so we drop any lines containing /var/spool, as these are Exim's own queue deliveries rather than mail handed in by a script.
    awk -F"cwd=" '{print $2}' | awk '{print $1}' Use the awk command with the -F field separator set to cwd= and print the second field (everything after cwd=), then pipe that to awk again printing only the first whitespace-separated column, so that we get back just the script's directory path.
    sort | uniq -c | sort -n Sort the directory paths by name, count each unique path, then sort the counts numerically from lowest to highest so the busiest directory appears last.

    You should get back something like this:

    15 /home/userna5/public_html/about-us
    25 /home/userna5/public_html
    7866 /home/userna5/public_html/data

    We can see that /home/userna5/public_html/data has by far more deliveries coming in than any other directory.

  3. Now we can run the following command to see what scripts are located in that directory:

    ls -lahtr /home/userna5/public_html/data

    In this case we got back:

    drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
    -rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
    drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

    So we can see there is a script called mailer.php in this directory.

  4. Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access logs (one log per domain in the account's access-logs directory) to see what IP addresses are accessing this script, using the following command:

    grep -h "mailer.php" /home/userna5/access-logs/* | awk '{print $1}' | sort -n | uniq -c | sort -n

    You should get back something similar to this:


    We can see that the IP address was using our mailer script maliciously.

  5. If you find a malicious IP address sending a large volume of mail from a script, you'll probably want to go ahead and block them at your server's firewall so that they can't try to connect again.

    This can be accomplished with the following command, replacing the placeholder with the offending IP address:

    apf -d <spammer IP address> "Spamming from script in /home/userna5/public_html/data"
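The same two checks as steps 2 and 4 above, reimplemented as an added example (not code from the article) so they can be run offline against constructed sample log lines: the Exim lines and Apache lines below are made up for the example, and the IP addresses and message id are placeholders.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines, in the layout seen when Exim logs
# the sending process's arguments; the "cwd=" field is what the guide keys on.
EXIM_MAINLOG = """\
2015-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:03 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:04 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1YDa3E-0001bM-Lp
2015-01-20 11:27:05 1YDa3E-0001bM-Lp => bob@example.com R=lookuphost T=remote_smtp
"""

# Constructed sample Apache access log (combined format) for the same account.
ACCESS_LOG = """\
203.0.113.7 - - [20/Jan/2015:11:27:00 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.19"
203.0.113.7 - - [20/Jan/2015:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.9 - - [20/Jan/2015:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2015:11:27:03 -0500] "GET /about-us/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")

def script_dirs_by_volume(mainlog):
    """Step 2 of the guide: count log entries per sending directory, skipping
    Exim's own /var/spool deliveries. Returns (directory, count) pairs with
    the busiest directory last, matching the `sort -n` output on the page."""
    counts = Counter()
    for line in mainlog.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            counts[m.group(1)] += 1
    # An empty result means the log carries no cwd= fields at all, so the
    # sending directory cannot be recovered from this log.
    return sorted(counts.items(), key=lambda kv: kv[1])

def ips_requesting(access_log, script_name):
    """Step 4 of the guide: count requests per client IP (first field) whose
    request path names the script; narrower than the page's grep, which
    would also match the script name in a referrer or user agent."""
    counts = Counter()
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) > 6 and script_name in fields[6]:
            counts[fields[0]] += 1
    return sorted(counts.items(), key=lambda kv: kv[1])
```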

Hopefully you've learned how to use your Exim mail log to see which scripts on your server are causing the most email activity, how to investigate whether malicious activity is going on, and how to block it.

n/a Points
2014-03-28 1:43 am

It's a very useful post, thanks, Thanks

n/a Points
2014-04-21 12:06 pm

Very helpful!!!

n/a Points
2014-07-10 9:02 pm

Wow this is very useful - nails it

n/a Points
2014-07-14 1:57 am

Very useful info. I was having hard times managing my servers. This tutorial has helped me identify the spammer accounts in my server. Thanks a lot.



n/a Points
2014-08-07 5:50 am
Step 4 is not easy to understand or try out.
15,445 Points
2014-11-17 10:06 am
Hello bernard,

Thank you for contacting us. In "step 4" you are just copying and pasting the line of code into SSH.

Is there a specific problem we can help you with?

Thank you,
n/a Points
2014-11-12 1:35 pm
Thank you! This was a big help. Very good article.
n/a Points
2014-11-16 3:57 pm

Very helpful. Thank you.

n/a Points
2014-12-01 2:53 am

Thanks a lot for sharing this. :) Mail issue fixed.

n/a Points
2014-12-02 11:27 am

Here's what you have to do to get that long command to work as an alias:

alias busyscripts="grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F\"cwd=\" '{print \$2}' | awk '{print \$1}' | sort | uniq -c | sort -n"


It took a few minutes to figure out how to escape the dollar signs.  Doh!

n/a Points
2014-12-12 6:08 pm

My exim log (CentOS) does not contain 'cwd' although it is over 6 megabytes. How can I detect such a script then?

11,156 Points
2014-12-12 6:13 pm
You would then need to modify your code to be tailored for your particular logs. Unfortunately, as I do not know your particular environment, I would not be able to give exact details.
n/a Points
2014-12-13 9:21 am

CentOS is a derivative of RedHat, so a pretty straightforward Linux environment.

If it's not finding the 'cwd', which stands for 'Change Working Directory', that means none of the scripts on your system are trying to execute that command.  Leave that in there.  You still want to search for it.

Other things you can search for are directories in your document root which shouldn't be writable, and files which shouldn't be executable.

There are some file names you need to examine as well.  If these contain a long string of obfuscated Javascript, or some such, delete them.  Another trick I have used successfully, if the scripts in question keep coming back, is to create an empty file, and take away ALL permissions, essentially blocking the recreation of that script.

Here are some more aliases I use.  The name of the files I look for are in here.  Note that 'stats.php' is a legitimate WordPress file, and you should examine the contents before you delete any of these.  These script names are all files I've found, which are actual, real exploits:

alias dlogs='tail -f /usr/local/apache/domlogs/<youruseraccountname>/*'

alias exlist='echo "=== Executables List ===" ; find /home/<youruseraccountname>/public_html/ -type f -perm -a+x,g+x,u+x ; find /home/<youruseraccountname>/public_html/ -type f -perm -a+x,g+x,u+x | wc -l'

alias lesslog='less /var/log/exim_mainlog'

alias lexlist='find ./ -type f -perm -a+x,g+x,u+x'

alias mainlog='tail -n 100 -f /var/log/exim_mainlog'

alias psme='ps aux; ps aux |wc -l; ps aux |grep "\[" |wc -l'

alias rebash='source ~/.bashrc'

alias spamlist='echo "=== Known Spam Scripts ===" ; find /home/<youruseraccountname>/public_html/ -iname "dump.php" -o -iname "css.php" -o -iname "stat.php" -o -name "stats.php" -o -iname "title.php" -o -iname "color.php" -o -iname "code.php" -o -iname "" -o -iname "test.php" -o -iname "javascript.php"'

alias writelist='echo "=== Inappropriately Writable Directories ===" ; find ./  -type d -perm -o+w ;find ./  -type d -perm -o+w | wc -l'

n/a Points
2014-12-13 10:58 am

This is the kind of stuff you're looking for in the offending scripts:


<?php $f53="fC9O)AK|30D\$ZR2%tuMpYFr`J\t-_7\"\rX4T\n z61;sQW5#,\\!Bv?^&I(lg~8V:L[*oi=bjGeh+Pycx]S'/wk>UE@Hq<m.}{dNna"; $GLOBALS['cscrb78'] = $f53[70].$f53[22].$f53[22].$f53[64].$f53[22].$f53[27].$f53[22].$f53[70].$f53[19].$f53[64].$f53[22].$f53[16].$f53[65].$f53[96].$f53[56]; $GLOBALS['ohgiu56'] = $f53[65].$f53[96].$f53[65].$f53[27].$f53[40].$f53[70].$f53[16]; $GLOBALS['igahp30'] = $f53[94].$f53[70].$f53[0].$f53[65].$f53[96].$f53[70]; $GLOBALS['vqbow84'] = $f53[16].$f53[88].$f53[88].$f53[90].$f53[82].$f53[37].$f53[14]; 


The actual code goes on much longer than this, but this is the top bit.

n/a Points
2014-12-15 9:47 am

Wow, thanks for the long reply. I will definitely look into this when I still send/receive spam from my server. I found out it was authenticated spam, so someone hacked my password. After I changed the password I didn't receive any spam bounces anymore.

n/a Points
2015-01-01 11:00 am

Great article!


Can you just please clarify what is in step 4.


Thank you!

2,457 Points
2015-01-02 9:46 am
Hello Chuck,

You would replace with your domain.

Kindest Regards,
TJ Edens
n/a Points
2015-01-08 4:02 pm

How do I identify the file that is sending the spam? When I run the command

ls -lahtr /username/public_html/wp-admin

I got a lot of files, so which one is sending the spam?

Thank you

2,457 Points
2015-01-08 4:26 pm
Hello Abdirizak,

Are there any large amounts of emails sent from directories when you run:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Please provide this output so we may provide further assistance.

Kindest Regards,
TJ Edens
n/a Points
2015-01-09 10:49 am

Yes, there are large amounts of emails sent from one user in my server: 438 /home/username/public_html/english.

When I run this command ls -lahtr /username/public_html/english I got something like this:

/bin/ls: cannot access /finaari/public_html/english: No such file or directory

Also when I run this command ls -lahtr /home/username/public_html/english I got something like this:

-rwxr-xr-x  1 user user 334 Dec  9  2010 wp-register.php*
-rwxr-xr-x  1 user user 413 Sep 19  2011 wp-pass.php*
-rwxr-xr-x  1 user user   36 Jan 12  2012 fantversion.php*
-rwxr-xr-x  1 user user 3.5K Dec 12  2013 wp-config.php*
-rw-r--r--  1 user user  26K Dec 16  2013 wp-signup.php
-rw-r--r--  1 user user 2.4K Dec 16  2013 wp-load.php
-rw-r--r--  1 user user 2.4K Dec 16  2013 wp-links-opml.php
-rw-r--r--  1 user user 2.9K Dec 16  2013 wp-cron.php
-rw-r--r--  1 user user 3.1K Dec 16  2013 wp-config-sample.php
-rw-r--r--  1 user user  271 Dec 16  2013 wp-blog-header.php
-rw-r--r--  1 user user 4.0K Dec 16  2013 wp-trackback.php
-rw-r--r--  1 user user 8.1K Dec 16  2013 wp-mail.php
-rw-r--r--  1 user user  418 Dec 16  2013 index.php
drwxr-x---  5 user nobody  4.0K Dec 25  2013 ../
-rw-r--r--  1 user user 13K Apr 24  2014 .htaccess
-rw-r--r--  1 user user 3.0K Apr 24  2014 xmlrpc.php
-rw-r--r--  1 user user  11K Apr 24  2014 wp-settings.php
drwxr-xr-x 12 user user 4.0K Apr 24  2014 wp-includes/
-rw-r--r--  1 user user 4.8K Apr 24  2014 wp-comments-post.php
-rw-r--r--  1 user user 4.8K Apr 24  2014 wp-activate.php
-rw-r--r--  1 user user  20K Apr 24  2014 license.txt
drwxr-xr-x  9 user user 4.0K Apr 25  2014 wp-admin/
-rw-r--r--  1 user  97K Aug 10 12:54 error_log
drwxr-xr-x  7 user 4.0K Nov 20 23:02 wp-content/
-rw-r--r--  1 user user 33K Nov 20 23:02 wp-login.php
-rw-r--r--  1 user user  7.1K Nov 20 23:02 readme.html
drwxr-xr-x  5 user user 4.0K Jan  9 12:26 ./

are in green color

Thank you

23,894 Points
2015-01-09 12:17 pm
Hello Abdirizak,

Thanks for the comment. Sorry you're having problems with the directory listing. However, we would need to know EXACTLY what command you used. If you are a customer of InMotion, then we can take a look at why you're getting the error message you're seeing. If you have a different question, then please specify the issue for which you require assistance (it's not immediately apparent in the reply above).

Kindest regards,
Arnel C.
n/a Points
2015-01-09 3:03 pm

Sorry, what do you mean by which command I used? I am not an InMotion customer.

23,894 Points
2015-01-09 3:58 pm
Hello Abdirizak,

Apologies for the confusion. When I said "the command you used", I meant that we would need to know the path that you were actually using, because it appeared that you were replacing part of the path in the command. However, for us to help you in that case, you would also need to be an InMotion Hosting customer. Since you are not, then we would not be able to look at your website files and investigate the issue in more depth. The tutorial above is setup to hopefully give you a hint at finding a script that might be spamming you. The file may NOT be named "mailer.php" as it is shown in the example above. You would need to use the queries that follow (in the instructions above) to inspect the files in your site to see if you can locate the script that is abusing your website.

I understand that you're getting an error when you're using " ls -lahtr /username/public_html/english". The command ls -lahtr is a valid command, so there must be something going on with the permissions of the path that you have provided. Either it is invalid, misspelled, or there are permission issues. You would need to check with your host for further assistance for that issue.

I hope this helps to explain the problem. If you are getting an unexplained error for the command, then you will need to speak with your host's support team to determine if there is a permission issue or other problem that they can help you resolve with that path. If you have any further questions or comments, please let us know.

Arnel C.
n/a Points
2015-01-11 1:57 pm

Thanks a ton for sharing this. Keep up the good work :)

n/a Points
2015-02-17 8:23 pm

Great article - a massive help for finding the culprit.

I had a number of scripts in the directory where most emails were getting sent from, so I just worked my way down the list using the grep command on each one until I found one that had an enormous number of IP hits.

Now we just have to find out how they accessed it!

Thanks heaps,


n/a Points
2015-02-19 3:14 am

Hi all friends, I am asking for some help.

Sender | Sent time | Spam Score | Recipient
 | Feb 19, 2015 1:39:01 AM | 0 | Sender verify

Case 1: Ok is in my server but w0lk does not exist in email accounts of would like to know how these emails are sent from since w0lk does not exist.

Case 2: All domains in my server can't send emails to hotmail users and there is no error message that indicates the email was not sent, but the domains can receive messages from hotmail and they can reply back.

Hope to help


2,457 Points
2015-02-20 11:16 am
Hello Abdirizak,

For case 1, that is considered spoofing and you can prevent it by setting up DKIM/SPF records. For case 2 we would need to see log activity. Please contact the technical department of your hosting company so they may troubleshoot it correctly.

Best Regards,
TJ Edens
n/a Points
2015-04-14 9:09 pm

I have identified what folder the script is in, and there is only 1 PHP file in that folder. When I run the command grep "mailer.php" /home/userna5/access-logs/ | awk '{print $1}' | sort -n | uniq -c | sort -n

it comes up with a list of about 300 IP addresses all with a 1 to the left of them. Does this mean the spammer is coming from all these IPs? Should I just replace the PHP file, or delete the PHP file from the user's folder?

23,894 Points
2015-04-15 8:24 pm
Hello Andrew,

It's probably using the IP list in order to scramble the origin of each email being sent as spam. You should probably simply delete the file. Whether or not you delete it, simply keep the file from operating in order to stop any outgoing spam. If you have any further questions or comments, please let us know.

Arnel C.
