
Introduction


The most effective way to protect a server from sending spam is to prevent it in the first place. This article covers several techniques that keep a server from sending unwanted or junk mail, and then the steps to locate and stop the source when it happens anyway. Spam is unsolicited bulk email sent to an indiscriminate list of recipients. It is often commercial, but it is also sent in massive volume by botnets (networks of compromised machines), and a web server with a compromised mailbox or a planted mailing script is simply one more node in such a network.

  1. Publish the DNS records that let receiving servers verify mail from each domain on the server. Treat them as mandatory:
    • SPF: a TXT record on the domain listing the hosts allowed to send mail for it
    • DKIM: a TXT record at <selector>._domainkey.<domain> holding the public key that matches the server's signing key
    • DMARC: a TXT record at _dmarc.<domain> telling receivers what to do with mail that fails SPF and DKIM
  2. Use a strong password on every cPanel and email account on the server. If you use the Default Required Password Strength setting in WHM, set it to 60 or higher.
  3. Keep plugins, themes, and other software on every website up to date. Outdated components are a common way for a mailing script to end up on the server.
  4. Protect contact forms with reCAPTCHA. reCAPTCHA is a CAPTCHA, an automated challenge that tells a human submitter from a bot, and it stops automated tools from submitting the form and flooding the server with unwanted mail.
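As an added example that is not part of the original article, the shell functions below check whether SPF, DKIM and DMARC records have the properties that actually matter for item 1: SPF must end in -all or ~all rather than +all or ?all, the DKIM selector record must carry a non-empty public key, and DMARC must have a p=quarantine or p=reject policy rather than p=none. The record strings, the domain and the "default" selector are constructed for this example; the dig commands in the comment are how you would fetch the real records.

```shell
# Added example (not code from the original article): offline sanity checks for
# the three TXT records required above. In production, fetch the live records, e.g.
#   dig +short TXT mydomain.com
#   dig +short TXT default._domainkey.mydomain.com   # selector "default" is an assumption
#   dig +short TXT _dmarc.mydomain.com

# check_spf RECORD -> prints "ok" (status 0) or the problem (status 1)
check_spf() {
    case "$1" in
        v=spf1|"v=spf1 "*) ;;
        *) echo "no SPF record (must start with v=spf1)"; return 1 ;;
    esac
    case "$1" in
        *" +all"*|*" ?all"*) echo "SPF ends in +all/?all: any host may send as this domain"; return 1 ;;
        *" -all"|*" ~all")   echo ok; return 0 ;;
        *) echo "SPF has no -all or ~all terminator"; return 1 ;;
    esac
}

# check_dkim RECORD -> the selector record must contain a non-empty public key (p=)
check_dkim() {
    case "$1" in
        *v=DKIM1*) ;;
        *) echo "no DKIM record (must contain v=DKIM1)"; return 1 ;;
    esac
    case "$1" in
        *"p="|*"p=;"*) echo "DKIM key revoked (empty p=)"; return 1 ;;
        *"p="*)        echo ok; return 0 ;;
        *) echo "DKIM record has no public key (p=)"; return 1 ;;
    esac
}

# check_dmarc RECORD -> the policy must actually do something with failures
check_dmarc() {
    case "$1" in
        v=DMARC1*) ;;
        *) echo "no DMARC record (must start with v=DMARC1)"; return 1 ;;
    esac
    # "[; ]p=" deliberately skips sp= (subdomain policy) and pct=
    dmarc_policy=$(printf '%s\n' "$1" | sed -n 's/.*[; ]p=\([a-z]*\).*/\1/p')
    case "$dmarc_policy" in
        reject|quarantine) echo ok; return 0 ;;
        none) echo "DMARC p=none: failures are only reported, never blocked"; return 1 ;;
        *) echo "DMARC record has no p= policy"; return 1 ;;
    esac
}

# audit_records SPF DKIM DMARC -> one line per record; returns the number that failed
audit_records() {
    failed=0
    for name in SPF DKIM DMARC; do
        case "$name" in
            SPF)   result=$(check_spf "$1") ;;
            DKIM)  result=$(check_dkim "$2") ;;
            DMARC) result=$(check_dmarc "$3") ;;
        esac
        echo "$name: $result"
        [ "$result" = ok ] || failed=$((failed + 1))
    done
    return $failed
}

# Demo: a weak set of records next to a sound one (both constructed; the p= value is a placeholder key)
echo "weak:"
audit_records 'v=spf1 a mx ?all' 'v=DKIM1; k=rsa; p=' 'v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com' \
    || echo "$? record(s) need attention"
echo "sound:"
audit_records 'v=spf1 a mx ip4:203.0.113.10 -all' 'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCexample' \
    'v=DMARC1; p=reject; rua=mailto:dmarc@mydomain.com' || echo "$? record(s) need attention"
```

The checks are deliberately conservative: a ~all SPF and a quarantine DMARC policy both pass, because moving from none to quarantine is the step that makes forged mail from the domain start being filtered.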

Actions to Take

Even with these measures in place, your server may still send out spam. Signs include clients who cannot send or receive email, their messages landing in recipients' spam folders, a mail queue that keeps growing, or the server's IP address appearing on a blocklist. If this occurs, follow the steps below to eliminate the problem.

First, track down the source of the spam. In most cases it is either an existing email account whose password has been guessed or stolen, or a PHP mailing script planted on the server, usually through an outdated or vulnerable website. When the spamming account is found, change its password immediately; when a script is the cause, disable it once you find its exact location. The detection procedures are detailed below. You will need WHM (cPanel) or NodeWorx (InterWorx) access, or root SSH, to complete the investigation.

cPanel Server

Method 1: Detection using the ‘Mail Queue Manager’ in WHM

Navigate to Mail Queue Manager in WHM (Home » Email » Mail Queue Manager) and set the search criteria. Restricting the search to messages sent in the last 24 hours or so is a good start; in most cases that reveals the spammer.


Once the results appear, look for senders or subjects that keep repeating. Examine such a message more closely by clicking the magnifier icon (View message).

(These are simulated messages created for this article)

Focus on the following header fields:

  • From
  • Subject
  • To
  • X-PHP-Script and X-PHP-Originating-Script, if present

A header block from one of these messages looks like this:

Received: from username by mydomain.com with local (Exim 4.93)
 (envelope-from <anne@mydomain.com>)
 id 1l0Oht-000623-I8
 for a1tasks@host2.ebizindia.com; Fri, 15 Jan 2021 18:30:01 +0530
From: "anne@mydomain.com>
To: test@liquidweb.com
Subject: Additional and easy income to earn today
X-PHP-Script: mydomain.com/index.php for xxx.xxx.xxx.xxx
X-PHP-Originating-Script: 1153:class-phpmailer.php
Content-Type: text/plain; charset=UTF-8

Step 1: Disable the Spamming Email Account

If From names a mailbox on this server and the Subject reads like spam, change that mailbox's password as soon as possible. Once the password is changed the spammer can no longer authenticate, and the outgoing spam should stop within a few minutes, if not immediately. Bear in mind that From is written by whoever sends the message: if the headers also carry X-PHP-Originating-Script, the message came from a PHP script that simply chose a local address as its sender, and a password change alone will not stop it (see Step 2).

Step 2: Disable the Mailing Script

If From is blank, shows an address that is not hosted on the server, or the message carries the X-PHP headers, look at X-PHP-Script and X-PHP-Originating-Script. X-PHP-Script names the site and page through which the mail was sent and, after "for", the IP address of the HTTP client that requested that page, which is typically the spammer's own address and a good candidate for a firewall block:

X-PHP-Script: mydomain.com/index.php for xxx.xxx.xxx.xxx

X-PHP-Originating-Script is added by PHP itself when mail.add_x_header is enabled. The number before the colon is the uid of the account that owns the script (so it tells you which /home/username to search), and the file name is the script that called mail():

X-PHP-Originating-Script: xxx:class-phpmailer.php

Note that the file named here is often a legitimate mail library that the malicious page includes; in the sample above it is PHPMailer's class-phpmailer.php, which shipped inside WordPress for years, called from the index.php named in X-PHP-Script. The page named in X-PHP-Script is then the one to inspect.

The next step is to find the exact location of that script on the server. Open Terminal from the WHM menu, enter the following command (adjusted to the information you found), and press Enter.

find /home/username/public_html -type f -name 'class-phpmailer.php'

Make sure to:

  • Adjust /home/username/public_html to the document root of the affected account; the uid in X-PHP-Originating-Script identifies that account.
  • Adjust class-phpmailer.php to the script name you found earlier.

Once the command returns the path, disable the script by removing all permissions from it:

chmod 000 /path/to/script

Adjust /path/to/script to the exact location returned by the previous command. This stops the script from running, which may break the website; at this point the priority is stopping the spam. Treat it as a stopgap: the site was compromised somehow, so afterwards update its software, look for other recently modified or unexpected PHP files, and restore the library only once the malicious code that was calling it has been removed.

Step 3: Clear the Mail Queue

After the spam has stopped, clear that sender's messages from the queue: return to Mail Queue Manager, tick the checkbox for each message you want to remove, and delete the selection.
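As an added example that is not part of the original article, the shell functions below perform the header triage of Steps 1 and 2 automatically. They read a message's headers on standard input and print either "script <uid>:<file>" (a PHP script sent it: find and disable the script) or "account <address>" (a mailbox sent it: change its password). Three inputs are handled: the Exim spool header printed by exim -Mvh (the function strips the length-and-flag prefix Exim stores in front of each header line and honours -auth_id, the SMTP-authenticated user), the plain message printed by exim -Mvc, and a qmail message file read with cat. The precedence is the security-relevant part: X-PHP-Originating-Script outranks everything because a script can forge From freely, and -auth_id outranks From because it records which credentials were actually used. The header block in the demo is constructed from the fields shown above, with a documentation IP in place of xxx.xxx.xxx.xxx; `getent passwd <uid>` in the comment is the standard way to map the uid to an account.

```shell
# Added example, not code from the original article: decide whether a queued
# message came from a PHP script or from a mailbox, using its headers.
#   exim -Mvh <id> | triage_headers         # Exim spool header (has -auth_id)
#   exim -Mvc <id> | triage_headers         # complete message, RFC 822 form
#   triage_headers < /var/qmail/queue/mess/NN/<id>
# For "script 1153:class-phpmailer.php", `getent passwd 1153` names the account.

# header_field NAME -- value of the first header line called NAME (case-insensitive).
# Tolerates Exim's spool prefix ("041F From: ...") and stops at the blank line that
# ends the header block, once at least one header line has been seen.
header_field() {
    awk -v name="$1" '
        BEGIN { n = tolower(name) ":" }
        { line = $0; sub(/^[0-9][0-9][0-9]+[ *A-Z] /, "", line) }
        line == "" && seen { exit }
        line ~ /^[A-Za-z][A-Za-z0-9-]*:/ { seen = 1 }
        tolower(substr(line, 1, length(n))) == n {
            v = substr(line, length(n) + 1)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# triage_headers -- read headers on stdin, print "script ..." or "account ...".
triage_headers() {
    hdr=$(cat)
    script=$(printf '%s\n' "$hdr" | header_field X-PHP-Originating-Script)
    auth=$(printf '%s\n' "$hdr" | sed -n 's/^-auth_id //p' | head -n 1)
    from=$(printf '%s\n' "$hdr" | header_field From)

    # 1. PHP's mail.add_x_header stamp: <uid of script owner>:<script file>.
    #    It outranks From: because a script can put any address in From:.
    if [ -n "$script" ]; then echo "script $script"; return 0; fi
    # 2. Exim's spool records the SMTP-authenticated user as -auth_id; that is
    #    the mailbox whose password was used, whatever From: claims.
    if [ -n "$auth" ]; then echo "account $auth"; return 0; fi
    # 3. Fall back to From:, reducing "Name <addr>" or a misquoted value to addr.
    addr=$(printf '%s\n' "$from" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    [ -n "$addr" ] || addr=$(printf '%s\n' "$from" | tr -d '"<>' | awk '{print $1}')
    if [ -n "$addr" ]; then echo "account $addr"; return 0; fi
    echo "unknown: no X-PHP-Originating-Script, -auth_id or From header"
    return 1
}

# Demo on a constructed header block like the one shown above.
printf '%s\n' \
    'Received: from username by mydomain.com with local (Exim 4.93)' \
    'From: "anne@mydomain.com>' \
    'To: test@liquidweb.com' \
    'Subject: Additional and easy income to earn today' \
    'X-PHP-Script: mydomain.com/index.php for 198.51.100.7' \
    'X-PHP-Originating-Script: 1153:class-phpmailer.php' \
    '' \
    'body text' | triage_headers
```

The demo prints "script 1153:class-phpmailer.php" even though From shows anne's mailbox, which is exactly the case where resetting anne's password would not stop the spam.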

Method 2: Detection Using the Exim Command in the Terminal 

Step 1: Determine the Number of Frozen Emails

We first need to find out how many messages are in the queue, frozen or waiting for delivery. If the server is actively spamming, there can be thousands. SSH into the server or open Terminal in WHM, type the command below and press Enter. The output is the number of messages in the queue; note it for later comparison.

exim -bpc

Step 2: Determine the Spammer

Now, we want to find who the sender of those messages is. Use the command below in that same Terminal and press Enter

exim -bpr | grep '<' | awk '{print $4}' | cut -d '<' -f 2 | cut -d '>' -f 1 | sort | uniq -c | sort -rn

The output will look similar to the example below and shows how many queued messages belong to each envelope sender.

430 anne@mydomain.com
225
25 mary@mydomain.com
4 mark@domain.com
4 john@domain.com
1 diane@newdomain.org
1 edf.efs23@gmail.com

Disregard the line without a sender address: it counts bounces and other system messages, which have an empty envelope sender (shown as <> in exim -bp) and often sit frozen in the queue. From the output above, anne@mydomain.com has 430 queued messages and needs further investigation.

Step 3: Investigate the Spammer

Use the following command to list the first ten queue entries that mention anne@mydomain.com.

exim -bp | grep 'anne@mydomain.com' | head -n 10

You will notice several similar lines. Each entry in an exim -bp listing has the same shape: the first line shows the message age, its size, the message ID (here 1l06xA-00014u-J8) and the envelope sender in angle brackets, with "*** frozen ***" appended when the message is frozen; the indented lines below it are the recipients. An empty sender, <>, means the message is a bounce.

13h  2.5K 1l06xA-00014u-J8 <> *** frozen ***
          anne@mydomain.com

Next, check the header of the message by using the command below.

exim -Mvh <message-id>

The output is Exim's spool header for the message: Exim's own bookkeeping lines first, then a blank line, then the message headers, each prefixed with its length and a flag character. Focus on the following parts.

-auth_id (and -auth_sender)
From
Subject
To

If the Subject reads like spam, this is most likely a spam message. The From header shows the apparent sender, but a spammer or a script can put any address there. -auth_id records the mailbox that actually authenticated over SMTP to submit the message, so when it is present it identifies the compromised account with certainty, and that is the account whose activity you need to stop.

To stop the spammer, change the password for anne@mydomain.com as soon as possible. The outgoing spam should stop within a few minutes of the change, if not immediately. If From, -auth_sender and -auth_id are all blank, the message was most likely injected locally by a script; refer back to "Method 1, Step 2: Disable the Mailing Script" above.

Now check whether the number of messages in the queue has changed from the count you noted earlier by running the exim command again.

exim -bpc

Run it several times: if the number stops climbing, no new spam is arriving in the queue. Once you are sure the spam has stopped, delete the spam messages; Mail Queue Manager in WHM is the most convenient place to do that. If you prefer the command line, either of the following removes every message in the queue, not just the spammer's, so use them only when the whole queue is junk.

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

or, using exiqgrep, which lists the queue itself (it does not read standard input) and with -i prints only the message IDs:

exiqgrep -i | xargs exim -Mrm
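As an added example that is not part of the original article, the shell functions below do the sender tally and the queue clean-up of this method without deleting anything blindly. queue_by_sender reads exim -bp output and reports, per envelope sender, the total and frozen message counts (bounces appear as <> rather than as an unlabelled line); rm_commands prints the exim -Mrm line for every message from one sender so you can read them before piping them to sh. SAMPLE_QUEUE is a constructed listing in the format shown above; its message IDs and addresses are invented. The exiqgrep one-liner in the comment is the equivalent server-side command: -f selects by sender, -i prints IDs, -z restricts to frozen messages.

```shell
# Added example, not code from the original article: summarise an Exim queue
# listing per sender and generate targeted removal commands.
# Usage on the server:  exim -bp | queue_by_sender
#                       exim -bp | rm_commands anne@mydomain.com | sh   (after reading them)

# Constructed `exim -bp` output: "age size id <sender> [*** frozen ***]" then
# one indented line per recipient. The <> entry is a bounce addressed to anne.
SAMPLE_QUEUE='13h  2.5K 1l06xA-00014u-J8 <anne@mydomain.com> *** frozen ***
          target1@example.net
13h  2.4K 1l06xB-00014v-K9 <anne@mydomain.com> *** frozen ***
          target2@example.net
12h  2.5K 1l06xC-00014w-L0 <anne@mydomain.com>
          target3@example.net
 2h  1.1K 1l07yD-00021a-M1 <> *** frozen ***
          anne@mydomain.com
 5m  3.0K 1l08zE-00033b-N2 <mary@mydomain.com>
          friend@example.org'

# queue_by_sender [FILE] -- "total frozen sender" per envelope sender, busiest first.
queue_by_sender() {
    awk '
        /^ *[0-9]+[smhd] / {                 # message line; recipient lines do not match
            s = $4; gsub(/[<>]/, "", s)
            if (s == "") s = "<>"            # keep bounces visible instead of a blank line
            total[s]++
            if ($0 ~ /\*\*\* frozen \*\*\*/) frozen[s]++
        }
        END { for (s in total) printf "%d %d %s\n", total[s], frozen[s] + 0, s }
    ' "${1:--}" | sort -rn
}

# rm_commands SENDER [FILE] -- one "exim -Mrm <id>" per queued message from SENDER.
# Server-side equivalent:  exiqgrep -i -f 'anne@mydomain\.com' | xargs exim -Mrm
# (add -z to exiqgrep to touch only frozen messages)
rm_commands() {
    awk -v want="$1" '
        /^ *[0-9]+[smhd] / && $4 == ("<" want ">") { print "exim -Mrm " $3 }
    ' "${2:--}"
}

# Demo
printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
printf '%s\n' "$SAMPLE_QUEUE" | rm_commands anne@mydomain.com
```

Matching the sender field exactly, angle brackets included, is deliberate: a substring match on "anne@mydomain.com" would also select the bounce that is addressed to anne, which belongs to the account owner and should be left alone.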

InterWorx Server 

Method 1: Detecting Spam by Using the Terminal

Step 1: Determine the Number of Frozen Emails

The first step in eliminating spam on an InterWorx server is to find out how many frozen messages exist in the queue. To find that out, run the following command as a root user.

/var/qmail/bin/qmail-qstat

The qmail-qstat command prints a human-readable count of the messages at the various stages of the queue. It must be run as root or with the qmail group ID.

You will notice an output similar to what is seen below.

messages in queue: 76
messages in queue but not yet preprocessed: 0

If the command reports 0 messages in the queue (or, in some cases, prints nothing below it), the queue is empty. A number means that many messages are waiting for delivery, and in that case the queue deserves a closer look.

Step 2: Investigate the Messages

If the queue is not empty, the next step is to find out more about each message with the qmail-qread command. It walks every message in the queue and shows the envelope sender, the creation time, the queue ID, and the delivery status for each recipient. Run this command:

/var/qmail/bin/qmail-qread

This will provide output with lines that look similar to this.

30 Jan 2021 03:34:30 GMT  #3676617  525  <anne@mydomain.com>

The two attributes to note are the sender's address in angle brackets at the end of the line and the message ID after the pound sign (#).

The queue lists all pending messages; the sender with the most messages is the first account to review. The commands below show how to read the header of each message in detail. First, locate the message file on the server: run this command with the message ID (the number after #, without the # itself) in place of <message-id>, and press Enter.

find /var/qmail/queue/mess/ -iname <message-id>

Example: 

find /var/qmail/queue/mess/ -iname 3676617

This command provides the location on the server,  similar to what is seen below.

/var/qmail/queue/mess/22/3676617

The final step is to examine the file using the cat command.

cat /var/qmail/queue/mess/22/3676617

Example output:

Received: (qmail 24703 invoked by uid 1153); 30 Jan 2021 10:06:42 -0500
To: test@liquidweb.com
Subject: Thank You for Signing Up
X-PHP-Originating-Script: 1153:class-phpmailer.php
X-PHP-Script: mydomain.com/index.php for xxx.xxx.xxx.xxx
Date: Sat, 30 Jan 2021 15:06:42 +0000
From: mary <mary@mydomain.com>
Reply-To: mary@mydomain.com
Message-ID: <33f50b7b0591eaa61a81aacafbfc9155@mydomain.com>
X-Mailer: PHPMailer 5.2.22 
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Check the Subject and From headers. If the subject resembles a typical spam message, look at the From account; if a significant number of similar messages come from the same account, change that account's password, which stops any active spam that relies on its credentials. Look for the X-PHP headers as well. The sample above carries X-PHP-Originating-Script, and the uid in it (1153) matches the uid in the Received line, so this message was handed to qmail by a PHP script running under that account rather than through mary's mailbox; resetting her password will not stop it, and the script must be located and disabled as described in the cPanel section above.
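As an added example that is not part of the original article, the shell functions below carry out the InterWorx terminal procedure above end to end: qmail_queue_by_sender tallies qmail-qread output per envelope sender and lists the queue IDs behind each count, qmail_msg_path locates a message file under the queue directory the way the find command above does, and qmail_msg_uid pulls the injecting uid from the first Received line so it can be compared with X-PHP-Originating-Script and mapped to an account with getent passwd. SAMPLE_QREAD and the file written by make_sample_queue are constructed for this example (spaces stand in for the tabs qmail-qread prints, and the IP address is a documentation address).

```shell
# Added example, not code from the original article: the InterWorx queue
# investigation as reusable functions.
#   /var/qmail/bin/qmail-qread | qmail_queue_by_sender
#   qmail_msg_path /var/qmail/queue 3676617
#   qmail_msg_uid /var/qmail/queue/mess/22/3676617     # then: getent passwd <uid>

# Constructed qmail-qread output: message lines start with the date and carry
# "#<id>  <size>  <sender>"; indented lines are per-recipient delivery status.
SAMPLE_QREAD='30 Jan 2021 03:34:30 GMT  #3676617  525  <anne@mydomain.com>
        remote  target1@example.net
30 Jan 2021 03:35:02 GMT  #3676618  531  <anne@mydomain.com>
        remote  target2@example.net
30 Jan 2021 10:06:42 GMT  #3676700  611  <mary@mydomain.com>
        remote  test@liquidweb.com'

# qmail_queue_by_sender [FILE] -- "count sender id id ..." per envelope sender, busiest first.
qmail_queue_by_sender() {
    awk '
        /^[0-9]/ && match($0, /#[0-9]+/) {
            id = substr($0, RSTART + 1, RLENGTH - 1)
            s = ""
            if (match($0, /<[^>]*>/)) s = substr($0, RSTART + 1, RLENGTH - 2)
            if (s == "") s = "<>"                  # bounces have an empty sender
            count[s]++
            ids[s] = ids[s] " " id
        }
        END { for (s in count) printf "%d %s%s\n", count[s], s, ids[s] }
    ' "${1:--}" | sort -rn
}

# qmail_msg_path QUEUE_ROOT ID -- path of the message file. qmail spreads message
# files over numbered subdirectories of mess/ (ID modulo a compile-time split
# value), so search for the file instead of guessing the subdirectory.
qmail_msg_path() {
    find "$1/mess" -type f -name "$2"
}

# qmail_msg_uid FILE -- uid that handed the message to qmail-inject, taken from the
# first "Received: (qmail NNN invoked by uid NNN)" line. On a hosting server that is
# the account's uid; when a PHP script sent the mail it matches the number in
# X-PHP-Originating-Script.
qmail_msg_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# make_sample_queue -- build a throwaway queue tree holding one constructed message
# file, print its root; remove it with rm -rf when done.
make_sample_queue() {
    root=$(mktemp -d)
    mkdir -p "$root/mess/22"
    printf '%s\n' \
        'Received: (qmail 24703 invoked by uid 1153); 30 Jan 2021 10:06:42 -0500' \
        'To: target1@example.net' \
        'Subject: Additional and easy income to earn today' \
        'X-PHP-Originating-Script: 1153:class-phpmailer.php' \
        'X-PHP-Script: mydomain.com/index.php for 198.51.100.7' \
        'From: anne <anne@mydomain.com>' \
        '' \
        'body text' > "$root/mess/22/3676617"
    echo "$root"
}

# Demo
printf '%s\n' "$SAMPLE_QREAD" | qmail_queue_by_sender
root=$(make_sample_queue)
path=$(qmail_msg_path "$root" 3676617)
echo "message 3676617 is at $path, injected by uid $(qmail_msg_uid "$path")"
rm -rf "$root"
```

Because the tally carries the queue IDs along with each count, the top line of its output hands you directly the IDs to pass to qmail_msg_path, so the "find, then cat" step no longer has to be repeated by hand for each message.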

Method 2: Using the Mail Queue Manager

Using the terminal to detect a spammer can be complicated, so here are instructions for the InterWorx Mail Queue Manager instead. Once you are logged in to the server's NodeWorx dashboard, follow the steps below:

  1. Click on System Services, then Mail Server, then Mail Queue.
  2. Locate the Queue section.


  3. Select remote, local, todo, or remote+local from the drop-down list.

  4. If there are no messages in a given queue, you will see No Messages In Queue.

  5. If there are messages in a given queue, they will be displayed in the Queue section table.

  6. Next, we need to review the messages’ contents. This is how we determine if a message is spam, based on the sender/recipient. In the Message ID column, click on the number of the message you wish to view. The message will be displayed in a new window. If you notice multiple messages from the same user, you will want to examine those messages more closely. Click on ‘View message’ and focus on the subject of each message, as well as the sender. 

  7. If the ‘Subject’ sounds like spam, then this message’s sender is most likely the spamming account. To stop the spam, change the email account password as soon as possible. 

  8. The final step is removing the queue’s unwanted messages by checking them and ‘Delete’ what you have selected. 

Whichever method you choose to follow, the server should finally be free from ongoing spam if everything went well. We also recommend monitoring the server briefly afterward to verify you have successfully eliminated the spam issue.

Conclusion

Without the proper tools, controlling spam can be difficult and time consuming. We hope this information will provide the administrator a better methodology to begin addressing the issue of outgoing spam email.

We pride ourselves on being The Most Helpful Humans In Hosting™! Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article. Should you have any questions regarding this information, we will always answer any inquiries with issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

If you are a Fully Managed VPS, Cloud Dedicated, VMware Private Cloud, Private Parent, Managed Cloud Servers, or Dedicated server owner and are uncomfortable performing any of the steps outlined, we can be reached by phone at 800.580.4985, or by chat or support ticket, to assist you with this process.


About the Author: Danielle Vult
