---
title: "How to Find a spam script location with Exim"
description: "In this guide I’ll teach you how to use the Exim mail log on your VPS or dedicated server to find possible attempts from spammers to use your scripts, or their own in order to relay spam from your..."
url: https://www.inmotionhosting.com/support/email/find-spam-script-location-with-exim/
date: 2013-01-22
modified: 2021-11-23
author: "InMotion Hosting Contributor"
categories: ["Email"]
type: post
lang: en
---

# How to Find a spam script location with Exim

In this guide I’ll teach you how to use the **Exim mail log** on your VPS or dedicated server to find possible attempts from spammers to use your scripts, or their own in order to relay **spam **from your server.

- [How does spam get sent from my server?](#how-spam)
- [How do I stop spam coming from my server?](#how-stop)
- [Locate top scripts sending into Exim](#top-scripts)
  - [Code Breakdown](#breakdown)

## How does spam get sent from my server?

You might have a “tell a friend” feature on your website, or another email alerting system on your site. If you’re not careful these can sometimes be exploited by bots for spamming purposes. This can damage the sending reputation of your mail IP address, and lead to issues such as making you end up on a [blacklist](https://www.inmotionhosting.com/support/email/why-do-mail-servers-get-blacklisted/).

## How do I stop spam coming from my server?

Exim, or the MTA (Mail Transfer Agent) on your server handles email deliveries. All email activity is logged including mail sent from scripts. It does this by logging the current working directory from where the script was executed.

Using this knowledge you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed onto your server.

## Locate top scripts sending into Exim

In the steps below I’ll show how to locate the top scripts on your server sending mail. If any scripts look suspicious, you can check the Apache access logs to find how a spammer might be using your scripts send spam.

To follow the steps below you’ll need root access to your server, so you have access to the Exim mail log.

1. [Login to your server via SSH](https://www.inmotionhosting.com/support/server/ssh/how-to-login-ssh/) as the root user.
2. Run the following command to pull the most used mailing script’s location from the Exim mail log: `grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n`(See [the table below](#breakdown) for a detailed breakdown of this code.)You should get back something like this:`15 /home/userna5/public_html/about-us``25 /home/userna5/public_html``7866 /home/userna5/public_html/data`We can see `/home/userna5/public_html/data` by far has more deliveries coming in than any others.
3. Now we can run the following command to see what scripts are located in that directory:`ls -lahtr /userna5/public_html/data`In this case we got back:`drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../``-rw-r–r– 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php``drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./`So we can see there is a script called **mailer.php** in this directory.Knowing the **mailer.php** script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:`grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n`
4. You should get back something similar to this:`2 123.123.123.126``2 123.123.123.125``2 123.123.123.124``7860 123.123.123.123`We can see the IP address **123.123.123.123** was using our mailer script in a malicious nature.
5. If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.This can be accomplished with the following command:`apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"`

### Code Breakdown

| **Code** | **Meaning** |
| --- | --- |
| `grep cwd /var/log/exim_mainlog` | Use the `grep` command to locate mentions of `cwd` from the Exim mail log. This stands for **current working directory**. |
| `grep -v /var/spool` | Use the `grep` with the `-v` flag which is an invert match, so we don’t show any lines that start with `/var/spool` as these are normal Exim deliveries not sent in from a script. |
| `awk -F"cwd=" '{print $2}' \| awk '{print $1}'` | Use the `awk` command with the `-F` Field separator set to `cwd=`, then just print out the `$2` second set of data, finally pipe that to the `awk` command again only printing out the `$1` first column so that we only get back the script path. |
| `sort \| uniq -c \| sort -n` | Sort the script paths by their name, uniquely count them, then sort them again numerically from lowest to highest. |

Hopefully you’ve learned how to use your Exim mail log to see what scripts on your server are causing the most email activity. Also how to investigate if malicious activity is going on, and how to block it.

**Dedicated Servers with Premier Care Support**

Serious infrastructure needs comprehensive support. Premier Care provides the security tools, backup protection, and expert assistance your business requires.

![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Professional Setup     ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Fully-Managed     ![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)24/7 Expert Human Support

[Dedicated Server Hosting](https://www.inmotionhosting.com/dedicated-servers?mktgp=t&irgwc=1&affiliates=5001860&utm_campaign=Jumbotron&utm_source=supportcenter&utm_medium=cta&utm_term=managed-dedi-cta1)
