To find out who is sending spam on a CloudLinux server running the Exim mail server, you can use the following SSH commands (run as root, since the Exim logs and queue are not readable by ordinary users):
Check the exim_mainlog:
grep "<=.*spam" /var/log/exim_mainlog
This command searches the Exim main log for message arrival lines (marked with “<=”) that also contain the word “spam”, for example in the logged subject (“T=…”). Each matching line shows the date and time, the message ID and the envelope sender; the recipients of a message appear on the later “=>” delivery lines for the same message ID. A literal match on “spam” only catches messages that happen to carry that word, so treat this as a first, quick check and rely on the counts from the next two commands for the real picture.
Check the exim_rejectlog:
grep -h -o 'cwd=/home/[^ ]*' /var/log/exim_rejectlog /var/log/exim_mainlog | sort | uniq -c | sort -n
This command pulls every “cwd=/home/…” entry out of the Exim reject log and main log. Exim records that field when a local process (typically a PHP or CGI script calling /usr/sbin/sendmail) hands it a message, and it is the working directory of that process. The command then counts how often each directory appears and sorts the counts, smallest first, so the heaviest senders are at the bottom. A directory under an account’s public_html with a large count points at a web script on that account that is sending the mail, which is the usual sign of a compromised site.
Check the mail queue:
exim -bp | grep "<" | awk '{print $4}' | sort | uniq -c | sort -n
This command lists the messages currently waiting in the mail queue, grouped by envelope sender (the fourth field of each “exim -bp” header line, shown in angle brackets, with “<>” for bounces), and sorts the groups by message count, smallest first. A sender with far more queued messages than the rest is the account most likely to be spamming; “exim -bpc” gives the total queue size if you only need a quick figure.
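The two log checks above can be wrapped in small shell functions so they can be run against any log file and compared. The script below is an added example and is not part of the original page; the log lines in it are constructed to look like cPanel/CloudLinux exim_mainlog entries and are not real data. The cwd_counts function is the same tally as the “cwd=/home” command above; auth_counts is an extra check that counts the “A=authenticator:user” field, which catches the other common source of spam on shared hosting, a mailbox password that has been stolen and is being used over authenticated SMTP.

```shell
#!/bin/sh
# Added example (not from the original page): tally the script working
# directories (cwd=) and the authenticated SMTP logins (A=) recorded in an
# Exim main log, so that a compromised script directory or a stolen mailbox
# password stands out by volume.
# The log lines below are CONSTRUCTED to resemble cPanel/CloudLinux
# exim_mainlog entries; they are not real data.

LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
cat > "$LOG" <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:01 1s2Kq1-0001aa-AB <= alice@example.com U=alice P=local S=812 T="Hello"
2024-05-01 10:00:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 1s2Kq2-0001ab-AC <= alice@example.com U=alice P=local S=812 T="Hello"
2024-05-01 10:00:03 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 1s2Kq3-0001ac-AD <= bob@example.org U=bob P=local S=1010 T="Invoice"
2024-05-01 10:00:04 1s2Kq4-0001ad-AE <= carol@example.net H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:carol@example.net S=2048 T="Buy now"
2024-05-01 10:00:05 1s2Kq5-0001ae-AF <= carol@example.net H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:carol@example.net S=2048 T="Buy now"
2024-05-01 10:00:06 1s2Kq6-0001af-AG <= carol@example.net H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:carol@example.net S=2048 T="Buy now"
EOF

# Messages per script working directory (local /usr/sbin/sendmail calls),
# most frequent first. Argument: path to an exim_mainlog file.
cwd_counts() {
    grep -o 'cwd=/home/[^ ]*' "$1" | sort | uniq -c | sort -rn
}

# Messages per authenticated SMTP login (A=<authenticator>:<user>),
# most frequent first. Argument: path to an exim_mainlog file.
auth_counts() {
    grep -o 'A=[^ ]*' "$1" | sort | uniq -c | sort -rn
}

# Top line of one of the tallies above, as "count value".
# Arguments: tally function name, path to the log file.
top_entry() {
    "$1" "$2" | head -n 1 | awk '{print $1, $2}'
}

echo "Messages per script directory:"
cwd_counts "$LOG"
echo "Messages per authenticated login:"
auth_counts "$LOG"
```

Run it as-is to see the tallies for the constructed log, or point cwd_counts and auth_counts at /var/log/exim_mainlog on a real server. On the sample data the uploads directory of the alice account and the carol@example.net login come out on top, which is exactly the pattern (a writable web directory, or one mailbox sending in bulk) that the checks on this page are meant to surface.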
Once you have identified the user account that is sending spam, you can take steps to address the issue. This may involve disabling the user’s email account, removing any malicious scripts or software on their account, or working with them to ensure that their account is not being used to send spam.