cPanel Spammers

If you deliver shared hosting services on cPanel, you likely deal with spam. As part of our cPanel server management services., we find spam typically comes from one of 3 sources:

  • Compromised application
  • Compromised end-user password
  • Insecure form to email scripts

If you do not have the right log information, finding spammers on cPanel can take a lot of time.  Fortunately by modifying the default logging parameters, we can get the data we need to quickly find the scripts sending the spam.

Video: 2 Minute on Catching a Spammer


PHP Nobody Spammers

If you have a web application sending spam, the originating sender my be listed as “nobody” in cPanel logs.  This is commonly referred to as PHP nobody spammers in forums and other blogs.

The reason you see this is if you use PHP under mod_php without SuPHP or mod_ruid2, the Apache web server runs as the nobody user.  As a result, the script sends the email as the “nobody” user — making it difficult to identify which site is sending the spam.

If you use suPHP or mod_ruid2, the username will be that of the account owner.  This makes finding the source of the spam easier, but I still recommend updating your logs.

Modify Exim Logs

To find cPanel spammers, we need more information.   By adding more detail to the exim logs, we can get this information by using the Exim Configuration Manager in cPanel.

By changing the log_selector variable in exim, the logs will now show us the directory from where emails originate — invaluable information when  finding cPanel spammers.    (See Exim documentation for more details on log_selectors).

To modify the exim logs:

1. Login to WHM

2. Search for Exim in the search box and select the Exim Configuration Manager

exim configuration editor

3. In the Exim Configuration Manager, select the advanced configuration tab and find the log_selector line. (Tip: just search for log_selector in your browser).

exim log selector helps catch spammers

4. In the log_selector space, replace the lines that are there with this (be careful of line breaks):

+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface
 +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery
+size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher

If you are having issues, try this Pastbin version.

5. Scroll to the bottom of the window and click save.  If you have an error, check for line breaks.

This will add the advanced logging to exim.

Review Exim Maillog

After a while, check your exim logs.  I usually grep for

grep cwd=/home /var/log/exim_mainlog

You will get a list of directories that have sent email:

2014-02-02 06:44:29 cwd=/home/joe/public_html 4 args: /usr/sbin/sendmail -t -i
2014-02-02 06:45:18 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 06:56:28 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:09:26 cwd=/home/jane/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-02 07:13:31 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i

If you see 100’s of entries for one specific path, then check the apache  logs for that site.  You will likely find the script being exploited.


Privacy Concerns

Note that the above logs will also add the subject line into the exam main_log.   You may consider this to be a privacy issue.  If so, remove the subject line just remove the +subject selector.

Catch a Spammer Tips?

Do you have some clever tips on how to find spammers on cPanel?  Let us know.