How to track spammers on a cPanel server

As you know, Exim is generally used as the mail server on cPanel.

1) Tracking the scripts that send mail:

The following command helps to find the path of the script that is
sending mail. It lists the working directory (PWD) of the running exim processes, with a count for each.

ps -C exim -fH ewww|awk '{for(i=1;i<=40;i++){print $i}}'|sort|uniq -c|grep PWD |sort -n

Ignore any lines in the output that contain the following:

PWD=/
PWD=/var/spool/exim/

If the mail was sent some time ago, you can search the Exim log instead with the following command.

grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n

The output format of the above command is the same.

That’s all about tracking a spamming script.
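
The log search above can be wrapped in a small function that also drops the two directories to ignore. This is an added example, not part of the original post; the function names and the sample log lines are constructed for illustration, and it assumes paths without spaces.

```shell
#!/bin/sh
# Added example: rank the directories recorded in Exim "cwd=" log lines.

# rank_cwd LOGFILE -> prints "COUNT DIR", busiest directory first.
rank_cwd() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=/) {
                    dir = substr($i, 5)
                    sub(/\/+$/, "", dir)   # "/" becomes "", spool loses its slash
                    # Skip the two entries the post says to ignore.
                    if (dir == "" || dir == "/var/spool/exim") next
                    count[dir]++
                    next
                }
            }
        }
        END { for (d in count) print count[d], d }
    ' "$1" | sort -k1,1nr -k2
}

# top_cwd LOGFILE -> prints only the busiest directory.
top_cwd() {
    rank_cwd "$1" | head -n 1 | cut -d' ' -f2-
}

# Constructed sample in the exim_mainlog "cwd=" line format.
make_sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1s1AbC-0001xy-2Z
2024-05-01 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/ 2 args: /usr/sbin/exim -q
2024-05-01 10:00:05 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 cwd=/var/spool/exim/ 4 args: /usr/sbin/exim -Mc 1s1AbD-0001xz-3A
2024-05-01 10:00:08 1s1AbC-0001xy-2Z <= alice@example.com U=alice P=local S=1024
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_log > "$sample"
rank_cwd "$sample"
rm -f "$sample"
```

On a real server, call rank_cwd /var/log/exim_mainlog instead of using the sample.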

On most servers, the SMTP port is 25. If we know the SMTP port, we can trace the spammer's IP address using the following command, which counts the connections on that port per remote address.

netstat -plan |grep :25 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

If you are using another port for SMTP (not 25), you should replace the port 25 with the correct one.

If you are not sure about the SMTP port, please use the following command to get the port number.

cat /etc/services | grep smtp

Hope it will work to catch spammers 😀