Spam messages sent from a server damage the reputation of the domain name and of the corresponding IP address. In most cases, mass spam traffic ends with the server's IP being listed on a blacklist.
The scripts responsible can be identified from the Exim log files. Exim (the MTA) is responsible for sending messages, and all of its activity is recorded in the log file /var/log/exim_mainlog.
- Log in to your server using SSH.
- Execute the following command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

- The output could look like the following:

1 /home/demoacc/public_html/test
45189 /home/demoacc3/public_html/fraud

- We can see that a script in /home/demoacc3/public_html/fraud has sent over forty-five thousand messages.
Now you know the path to the script that is sending mass spam messages. Note that cwd is the working directory of the process that invoked Exim, so the sending script is either in that directory or was started from it.
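The aggregation above, packaged as reusable shell functions so it can be run against a saved log copy or wired into a monitoring job. This is an added example and not part of the original page; the sample log lines are constructed in the style of exim_mainlog "cwd=... args:" entries, and the account paths and message IDs in them are made up.

```shell
#!/bin/sh
# Added example: aggregate exim_mainlog "cwd=" entries per directory so that a
# single script directory sending mass mail stands out.

# Constructed sample log (not real data); the paths and message IDs are invented.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-15 10:23:45 cwd=/home/demoacc/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:23:46 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1rPqXz-0001aB-Cd
2024-01-15 10:23:47 cwd=/home/demoacc3/public_html/fraud 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:23:47 cwd=/home/demoacc3/public_html/fraud 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:23:48 cwd=/home/demoacc3/public_html/fraud 3 args: /usr/sbin/sendmail -t -i
2024-01-15 10:23:49 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1rPqXz-0001aC-Ef
EOF

# count_cwd LOGFILE: print "COUNT DIRECTORY" for every sending directory,
# ascending by count. Exim's own /var/spool working directory is skipped
# because those entries are queue deliveries, not user scripts.
count_cwd() {
    grep 'cwd=' "$1" \
      | grep -v '/var/spool' \
      | sed -n 's/.*cwd=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -n
}

# top_cwd LOGFILE: the single busiest sending directory.
top_cwd() {
    count_cwd "$1" | tail -n 1 | awk '{print $2}'
}

# top_cwd_count LOGFILE: number of log entries produced from that directory.
top_cwd_count() {
    count_cwd "$1" | tail -n 1 | awk '{print $1}'
}

# over_threshold LOGFILE N: directories with more than N entries, one per line;
# useful as an alert condition in a cron job.
over_threshold() {
    count_cwd "$1" | awk -v n="$2" '$1 > n {print $2}'
}

# Stand-alone run: show the per-directory counts for the sample log.
count_cwd "$SAMPLE_LOG"
```

Point count_cwd at a copy of /var/log/exim_mainlog to reproduce the one-liner from the steps above; over_threshold with a threshold suited to the server's normal mail volume gives a list that can be checked automatically instead of by eye.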