How to find a spammer using nobody on a cpanel server

There are two ways I know of to accomplish this; the first seems to be better, but I am still testing it out.

The first way is another great script from Script Mantra called Sendmail Logger. Once it is installed and PHP has been compiled with the Mail Headers option, you can easily see what is being sent through nobody, or through any PHP script for that matter.

First, you will need two dependencies:

1. Install Dialog:

yum -y install dialog

2. Compile mail headers into PHP. If you have cPanel, check EasyApache for help with this.

Open WHM on your server, click EasyApache, click Previously Saved Config, then go to the Exhaustive Options List and add the headers and mailheaders options. Then download and run the installer as root:

cd /usr/src
wget http://scriptmantra.info/scripts/A-AST_sendmail_installer
chmod +x A-AST_sendmail_installer
./A-AST_sendmail_installer

Option two is easier, but not always effective.

First, go to the "Exim Configuration Editor" in cPanel/WHM, click Advanced, then add this code in the first box:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher

Next, run this as root to see the top sending users by working directory (the +arguments selector above is what makes Exim record the cwd= field this command counts):

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
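To show what that pipeline is doing, here is an added example (not part of the original post) that runs the same count over a constructed exim_mainlog sample and also filters for directories above a threshold, which is the generalisation you want when a single compromised upload directory is doing most of the sending. The log lines, the paths and the function names are all made up for the demonstration; the log format itself is what Exim writes when +arguments is enabled.

```shell
#!/bin/sh
# Added example: count Exim "cwd=" entries per directory and flag busy ones.
# The sample log lines below are constructed; they mimic the lines Exim writes
# to exim_mainlog when the +arguments log selector is set.

make_sample_log() {
  # Write a small constructed log to the file named in $1.
  cat > "$1" <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 1s3xyz-0001aB-Cd <= bob@example.com U=bob P=local S=512 T="Hello"
2024-05-01 10:00:05 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF
}

top_sending_dirs() {
  # Same pipeline as the post, parameterised on the log file in $1.
  # Output: "<count> cwd=<dir>", busiest first.
  awk '$3 ~ /^cwd/{print $3}' "$1" | sort | uniq -c | sed 's|^ *||' | sort -nr
}

flag_busy_dirs() {
  # Print "<count> <dir>" only for directories that sent at least $2 messages.
  # The cwd= prefix is stripped so the path can be fed straight to ls/find.
  awk -v min="$2" '
    $3 ~ /^cwd=/ { c[substr($3, 5)]++ }
    END { for (d in c) if (c[d] >= min) print c[d], d }
  ' "$1" | sort -nr
}

# Stand-alone usage: build the sample, show the full count, then flag >= 2.
if [ -z "${EXIM_EXAMPLE_NO_MAIN:-}" ]; then
  log=$(mktemp)
  make_sample_log "$log"
  top_sending_dirs "$log"
  echo "--- directories with at least 2 sends ---"
  flag_busy_dirs "$log" 2
  rm -f "$log"
fi
```

On a real server replace the sample file with /var/log/exim_mainlog; the threshold in flag_busy_dirs is what you tune to separate a site that sends a few notifications from one whose upload directory is pumping out hundreds of messages.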

Also see SuPHP for tightening security. It makes the server run PHP scripts as the account's username rather than nobody, so sent mail is attributed to the right user.