If you suspect your server is sending spam or want to identify spamming scripts, use these commands on your VPS or dedicated server via SSH.
1️⃣ Identify Suspicious Scripts Sending Mail
Run the following command to find the current working directories (cwd) from which emails are being sent via Exim. This can help you locate malicious or compromised scripts:
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
This command:
✅ Searches /var/log/exim_mainlog for cwd= entries (current working directories used by PHP scripts or others calling Exim).
✅ Sorts and counts unique occurrences.
✅ Helps you identify suspicious paths like /home/username/public_html/wp-content/themes/... etc.
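The same check as step 1, written as an added example (not part of the original page): a shell function that keeps only the cwd= path from each log line, drops Exim's own spool directory, and prints directories by count, busiest first. The names top_cwd and sample_log and the log lines are constructed for illustration, and treating /var/spool/exim as Exim's own queue activity is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page.
# top_cwd [logfile...]: count Exim "cwd=" entries per directory, busiest first.
# Reads standard input when no file is given.
top_cwd() {
    # 1. awk: print only the path of the first cwd=<path> token on each line.
    # 2. grep: drop /var/spool/exim (assumption: Exim's own queue runs, not a script).
    # 3. sort/uniq/sort: count identical paths, highest count first.
    # 4. awk: normalise uniq's padding to "count path".
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^cwd=/) { print substr($i, 5); break } }' "$@" |
        grep -v -x '/var/spool/exim' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Constructed sample log lines (usernames, paths and message ID are made up).
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 10:00:05 cwd=/home/exampleuser/public_html/wp-content/themes/oldtheme 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 1abcde-000001-AB <= exampleuser@host.example.test U=exampleuser P=local S=1024
2024-05-01 10:00:07 cwd=/home/exampleuser/public_html/wp-content/themes/oldtheme 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:09 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:11 cwd=/home/exampleuser/public_html/wp-content/themes/oldtheme 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:12 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:14 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 10:00:15 cwd=/home/exampleuser/public_html/wp-content/themes/oldtheme 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:17 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demo on the constructed sample; on a server use: top_cwd /var/log/exim_mainlog
sample_log | top_cwd
```

A theme or upload directory at the top of this list is the first place to look for a compromised script.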
2️⃣ Remove Emails From a Specific Sender
If you confirm spam is originating from a user (e.g., cpaneluser1), remove all queued emails from that user using:
exiqgrep -i -f cpaneluser1 | xargs exim -Mrm
This command:
✅ Uses exiqgrep to search the Exim mail queue for messages from cpaneluser1.
✅ Feeds the message IDs to exim -Mrm to delete them.
Replace cpaneluser1 with the actual username or email address you want to purge.
3️⃣ List Email Senders in Mail Queue
Get a sorted list of email addresses currently sending messages in the Exim mail queue. This helps you identify the most active (or abusive) senders:
exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
This command:
✅ Lists senders in the queue.
✅ Counts how many messages each sender has queued.
✅ Sorts output by the number of messages, making it easy to spot spamming accounts.
4️⃣ Check Total Email Count in Queue
Finally, check the total number of emails currently in the Exim mail queue with:
exim -bpc
This outputs a single number indicating how many messages are queued — a sudden spike often points to a spam outbreak.
✅ Next Steps:
- Investigate suspicious directories or scripts found in step 1.
- Remove queued spam as shown in step 2.
- Secure the compromised account or website (e.g., update CMS/plugins, change passwords, audit file uploads).