joekushner
04-05-2004, 01:38 PM
Running Cpanel/WHM with exim. How/what logs would be checked to see if a user is sending spam? Well, not for content, but for volume. I have WHM set up with a max of 200 emails per domain per hour, but I don't know how solid that restriction is, and if it's surpassable.
EasyOne
04-08-2004, 10:38 PM
I have tried, but
"-bash: /var/log/exim_mainlog: Permission denied"
Why?
Admin_user
04-08-2004, 11:45 PM
Are you logged in as root?
when you are in SSH type su -
EasyOne
04-09-2004, 12:01 AM
Yes, I am root...
just type # /var/log/exim_mainlog ?
or...
Steven
04-09-2004, 01:30 AM
tail -f /var/log/exim_mainlog
will show you a running list
MattF
04-09-2004, 05:51 AM
root@xn [/usr/sbin]# more /usr/sbin/sendmail
#!/usr/local/bin/perl
use strict;
use warnings;
# Import only the environment variables we log: the web server exports
# REMOTE_ADDR, SCRIPT_NAME and SERVER_NAME for CGI, and PHP exports PWD
# (the calling script's directory) when it runs an external program.
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);
my $date = `date`;
chomp $date;
# The log must be writable by the uid this wrapper runs as (e.g. nobody
# for web scripts), otherwise the die below will block mail entirely.
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
print INFO "$date - $PWD - @info\n";
}
close (INFO);
my $mailprog = '/usr/sbin/sendmail.real';
# List-form open hands the original arguments to sendmail.real unchanged
# and without a shell, so the original "$arg" string building is not needed.
open (MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
print MAIL;
}
close (MAIL);
Someone posted some code similar to the above; I made a few modifications after trying to detect PHP "nobody" users. After dumping a few printenv outputs I found PHP exports PWD when calling an external program such as sendmail. Basically the PWD will show the user directory it is coming from, which is enough to detect who is sending SPAM even as nobody!
loopforever
04-09-2004, 08:36 AM
Originally posted by MattF
That's a pretty nifty script there - I think I might consider implementing that.
In addition to formmail, you can run some kind of parser on your outbound mail logs, this is what we do. We have a script that runs every 6 hours and tallies ALL outgoing mail per domain on the machines, it saves it all to a database and we can easily see who's doing what. It keeps track daily, weekly, monthly and total. If someone's pushing a lot of outbound messages, we know which domain/user to investigate.
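As an added example (not loopforever's script or anything from the thread), here is a minimal version of the per-sender tally the post describes, run over constructed exim mainlog lines. It counts only "<=" (message accepted) entries, keys them by SMTP AUTH user where present and by local Unix user plus envelope sender otherwise (so "nobody" submissions from web scripts stay visible), and flags any sender over the 200-per-hour limit mentioned in the first post. The log format and sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in exim mainlog format (not real log data).
SAMPLE_LOG = """\
2004-04-09 08:00:12 1BBaaa-000001-AA <= nobody@host.example P=local U=nobody S=812
2004-04-09 08:00:13 1BBaaa-000002-AA <= nobody@host.example P=local U=nobody S=790
2004-04-09 08:05:40 1BBaaa-000003-AA <= alice@shop.example H=(pc) [192.0.2.10] P=esmtpa A=login:alice@shop.example S=2310
2004-04-09 08:05:41 1BBaaa-000004-AA => alice@shop.example R=lookuphost T=remote_smtp
2004-04-09 08:30:00 1BBaaa-000005-AA <= bob@news.example H=(pc) [192.0.2.11] P=esmtpa A=login:bob@news.example S=1200
2004-04-09 09:01:02 1BBaaa-000006-AA <= nobody@host.example P=local U=nobody S=811
"""

# Date + hour, message id, "<=", envelope sender, then the remaining fields.
MSG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d):\d\d:\d\d \S+ <= (\S+)(.*)$")
# U=<local user> and A=<auth mechanism>:<auth user> fields.
FIELD_RE = re.compile(r"\b([UA])=(\S+)")

def sender_key(envelope_from, rest):
    """Attribute a message to an accountable identity: the SMTP AUTH user
    if present, otherwise the local Unix user plus the envelope sender."""
    fields = dict(FIELD_RE.findall(rest))
    if "A" in fields:
        return "auth:" + fields["A"].split(":", 1)[-1]
    return "local:" + fields.get("U", "?") + "/" + envelope_from

def tally_outbound(log_text):
    """Count accepted messages per (hour, sender) across the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # deliveries (=>), defers and errors are not new submissions
        hour, envelope_from, rest = m.groups()
        counts[(hour, sender_key(envelope_from, rest))] += 1
    return counts

def over_limit(counts, per_hour=200):
    """Return the (hour, sender) pairs that exceeded the hourly limit."""
    return sorted(k for k, n in counts.items() if n > per_hour)

if __name__ == "__main__":
    tally = tally_outbound(SAMPLE_LOG)
    for (hour, sender), n in sorted(tally.items()):
        print(f"{hour}:00  {n:4d}  {sender}")
    print("over limit:", over_limit(tally))
```

Run it against /var/log/exim_mainlog from cron (e.g. every 6 hours as the post does) and store the Counter in a database to get the daily/weekly/monthly views.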
Shazan
04-09-2004, 01:45 PM
Originally posted by MattF
I find this script very nice. :)
To use it I should:
1) rename "sendmail" as "sendmail.real";
2) save this script as "sendmail";
3) give it execute permissions.
Are these steps correct?