
Wednesday, August 8, 2018

How to Find a spam script location with Exim - VPS / Dedicated Server

In this tutorial I'll show you how to check the Exim mail log on your VPS or dedicated server from the command line. This will help you find the location of scripts on the server that spammers are abusing, whether your own scripts or ones they have placed there themselves, to relay spam from your server.

What happens when spam is sent from your server?

When spam is sent from your server, it can damage the sending reputation of your mail IP address and lead to issues such as ending up on a blacklist.

How do I stop spam coming from my server?

Exim, the MTA (Mail Transfer Agent) on your server, handles email deliveries. All email activity is logged, including mail sent from scripts. For mail sent from a script, the log records the current working directory from which the script was executed. Using this knowledge you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed on your server.

Locate top scripts sending into Exim

01. Login to your server via SSH as the root user.

02. Run the following command to pull the most used mailing script's location from the Exim mail log:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

03. You will get back something like this:
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data

We can see that /home/userna5/public_html/data has by far more deliveries coming in than any other directory.
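
A stricter variant of the step 02 pipeline, added here as an example and not part of the original post: it counts only real `cwd=` entries, keeps directories that contain spaces whole, and can drop directories below a threshold. The log lines are constructed, the `cwd=<dir> <N> args:` layout is assumed, and the names `sample_log`, `top_cwd` and the MIN argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed log lines; the "cwd=<dir> <N> args: ..." layout is assumed.
sample_log() {
cat <<'EOF'
2018-08-08 10:15:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2018-08-08 10:15:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2018-08-08 10:15:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2018-08-08 10:15:04 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2018-08-08 10:15:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1fnXyz-0001Ab-Cd
2018-08-08 10:15:06 cwd=/home/userna5/my site/old 3 args: /usr/sbin/sendmail -t -i
2018-08-08 10:15:07 1fnXyz-0001Ab-Cd <= user@example.com U=userna5 P=local T="cwd report"
EOF
}

# top_cwd LOGFILE [MIN]
# Count log entries per working directory, lowest count first, like step 02, but:
#  - only lines with a real "cwd=" entry are read (a subject that merely
#    contains the word "cwd" is ignored instead of counted as an empty path)
#  - /var/spool is excluded by the directory itself, not by any mention on the line
#  - a directory containing spaces is kept whole
#  - directories with fewer than MIN entries are dropped (default 1)
top_cwd() {
    awk -v min="${2:-1}" '
        match($0, /cwd=.* [0-9]+ args:/) {
            dir = substr($0, RSTART + 4, RLENGTH - 4)
            sub(/ [0-9]+ args:$/, "", dir)        # strip the " <N> args:" tail
            if (index(dir, "/var/spool") != 1)    # same exclusion as grep -v /var/spool
                count[dir]++
        }
        END {
            for (d in count)
                if (count[d] >= min) printf "%d %s\n", count[d], d
        }
    ' "$1" | sort -n
}

# Demo on the constructed sample ("-" makes awk read standard input).
# On a server: top_cwd /var/log/exim_mainlog 100
sample_log | top_cwd -
```
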
