How To Find a spam script on cPanel

In this guide on the Orcacore website, we want to teach you How To Find a spam script on cPanel.

Spam emails are those unwanted messages sent in bulk, primarily from a commercial advertiser. Spam email traffic constitutes more than 50% of email traffic these days.

Spamming– sending a heap of unnecessary commercial messages or advertisements to a group of addressees, usually by email (but can also be posted to online chat rooms, message boards, and cells (mobile phone spam or also known as m-spam)). Spamming people is considered a gross violation of internet etiquette and punishable. Sending spam can result even in hosting account cancellation without any compensation.

As a server administrator, you have a variety of tools at your disposal. Such tools may be helpful to locate and deal with spamming activity within the server directly.

One of these tools is Exim Mail Transfer Agents.

Exim Mail Transfer Agent (MTA) is pre-installed and configured out-of-the-box on all cPanel-based server instances. Its default configuration is sufficient to ensure the email deliverability from the server. All emails originating from the server (it does not matter whether those are legit or spam messages) are handled by the Exim module. If you suspect your server to be a part of the ongoing spamming activity, a setup like this is convenient for detecting and troubleshooting unwanted spamming actions on the server.

How To Find a spam script on cPanel

In the following steps, we will show how to locate the top scripts on your server sending mail. If any scripts look suspicious, you can check the Apache access logs to find how a spammer might be using your scripts to send spam.

You must log in to your server as a root user to have access to the Exim mail log.

How To Locate top scripts sent into Exim

At this point, run the following command as a root user to pull the most used mailing script’s location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You will get the output similar to the following output:

20 /home/user1/public_html/about-us 25 /home/user1/public_html 7567 /home/user1/public_html/data

As you can see, the /home/user1/public_html/data has more deliveries coming in than any others.

Now use the command below to see what scripts are located in that directory:

ls -lahtr /user1/public_html/data

You should see something similar to the following output:

spam script

In the above output, you see that there is a script named mailer.php in this directory.

PHPMailer is the classic email sending library for PHP. It supports several ways of sending email messages such as mail(), Sendmail, qmail, and direct dispatch to SMTP servers.

Next, you must take a look at your Apache access log to see what IP addresses are accessing this script using the following command:

grep "mailer.php" /home/user1/access-logs/ | awk '{print $1}' | sort -n | uniq -c | sort -n

You should see something similar to the following output:

2 2 2 7560

You can see the IP address was using your mailer script of a malicious nature.

Note: If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to block them at your server’s firewall so that they can’t try to connect again. To do this, you can use the following command:

apf -d "Spamming from script in /home/user1/public_html/data"

That’s it! you are done.


At this point, you learn to use Exim to find a spam script on your cPanel. Also, you learn how to investigate if malicious activity is going on, and how to block it.

Hope you enjoy it.

Please subscribe to us on Facebook and Twitter.

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Stay informed and not overwhelmed, subscribe now!