Hey everybody I want to let you know that I have undertaken the grueling task of getting the heck away from WordPress. I was so sick of the problems and updates I had to do all the time. I am now using my ezbloo system and I am integrating all my old posts into the new system. It sucks, but in the end, I will save bundles of time. I needed to keep things simple and that is why I created ezbloo. I'll have more on this later for you guys after I am done with the total integration of my old posts here. So if you are looking for a post and need it faster, shoot me an email and I will make it a priority. [email protected]

What You Will Learn Here

  1. How to get a list of the directories (and the scripts in them) that are sending email from your server.
  2. How to get the IP address of the spammer.
  3. How to block that IP address.


Log Into Your Server

Log into your server via SSH. These are terminal commands and cannot be run from cPanel or WHM. If you want to track and kill a spammer you have to be better at the game than he is. Step one: enter this command into your terminal. It pulls the cwd= field (the directory a script was running in when it called sendmail) out of every line of the Exim log, drops Exim's own /var/spool queue runs, and counts how many messages came from each directory.
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
You will get back something like this
15 /home/username1/public_html/about-us
25 /home/username2/public_html
12324 /home/username3/public_html/data
We see that username3 has sent far more email than all the others; in fact, it's ridiculous! Enter this command to see what scripts are in that directory (the path is the one printed by the previous command, under /home):
ls -lahtr /home/username3/public_html/data
We get back something like this.
drwxr-xr-x 17 username3 username3 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 username3 username3 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 username3 username3 4.0K Jan 20 11:27 ./
Look at the dirty little script called mailer.php in the directory! To verify that it really is a mailer script, open it in nano (or less, if you only want to read it):
nano /home/username3/public_html/data/mailer.php
This just lets you look inside the file and see what is going on. If you see a mailer script in there, you have found the problem. Rather than deleting it outright, keep a copy for reference and strip its permissions (chmod 000) so the web server can no longer run it. Also ask how it got there: a dropped mailer almost always means a stolen FTP/cPanel password or a vulnerable web application, and until that is fixed the spammer will simply upload another one. Now that we know mailer.php was the culprit, we can check the Apache logs for that domain and see which IP address was hitting it.
grep "mailer.php" /home/username3/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
You will get back a list like this.
2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
12324 123.123.123.123
You can plainly see that IP address 123.123.123.123 was the one hitting that script to send spam. Block it by entering this into your terminal (APF's -d adds a deny rule for the host, and the quoted text is a comment stored with the rule so you remember why it is there):
apf -d 123.123.123.123 "Spamming from script in /home/username3/public_html/data"
Keep in mind that this only stops that one address; spammers rotate IPs, so neutralizing the script and closing the hole it came through is what actually ends the spam.
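The whole hunt as one script, added here as a worked example (it is not code from the original post or from the InMotion article). It runs the same three pipelines over a handful of constructed exim_mainlog and Apache access-log lines so you can see exactly what each stage returns before pointing it at /var/log/exim_mainlog and /home/<user>/access-logs/<domain> on a real server. The log lines, user names, paths and 123.123.123.x addresses are all made up, and the apf command is printed rather than executed.

```shell
# Added example: the three-stage hunt from this post run against constructed
# sample logs. Nothing here is real server data; the user names, paths and
# 123.123.123.x addresses are made up, and the apf command is only printed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXIM_LOG="$WORK/exim_mainlog"     # stands in for /var/log/exim_mainlog
ACCESS_LOG="$WORK/example.com"    # stands in for /home/username3/access-logs/example.com

# Constructed Exim log. cwd= records the directory a local process was in when
# it called /usr/sbin/sendmail. The /var/spool/exim line is Exim's own queue run.
cat > "$EXIM_LOG" <<'EOF'
2024-01-20 10:25:01 cwd=/home/username1/public_html/about-us 3 args: /usr/sbin/sendmail -t -i
2024-01-20 10:25:02 cwd=/home/username2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 10:25:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rRxyz-0001aB-Cd
2024-01-20 11:27:01 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:01 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 cwd=/home/username3/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 1rRxyz-0001aB-Cd => victim@example.net R=dnslookup T=remote_smtp
EOF

# Constructed Apache combined log for username3's domain. The client IP is the
# first field; the last line is an ordinary page view and must not be counted.
cat > "$ACCESS_LOG" <<'EOF'
123.123.123.123 - - [20/Jan/2024:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.124 - - [20/Jan/2024:11:30:10 -0500] "GET /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.125 - - [20/Jan/2024:11:31:45 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Stage 1: messages per sending directory (the post's first pipeline).
# grep -v /var/spool drops Exim's own queue runs so only user scripts remain.
count_sending_dirs() {
    grep cwd "$1" | grep -v /var/spool | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Directory with the highest count: the last line after sort -n.
top_sending_dir() {
    count_sending_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# Stage 2: client IPs that requested the suspect script, busiest last.
# $1 = access log, $2 = script name to look for.
count_script_clients() {
    grep -F "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -n
}

top_script_client() {
    count_script_clients "$1" "$2" | tail -n 1 | awk '{print $2}'
}

# Stage 3: the deny rule you would hand to APF. Printed, not executed.
apf_deny_command() {
    printf 'apf -d %s "Spamming from script in %s"\n' "$1" "$2"
}

echo "== messages per working directory =="
count_sending_dirs "$EXIM_LOG"
SUSPECT_DIR=$(top_sending_dir "$EXIM_LOG")
echo "== clients hitting mailer.php =="
count_script_clients "$ACCESS_LOG" mailer.php
SPAMMER_IP=$(top_script_client "$ACCESS_LOG" mailer.php)
echo "== block command =="
apf_deny_command "$SPAMMER_IP" "$SUSPECT_DIR"
```

On a live server, point the two functions at /var/log/exim_mainlog and the domain's log under /home/<user>/access-logs/ instead of the sample files, and run the printed apf line yourself only after you have looked at the script and at the counts; the top directory is a lead, not proof, and a busy but legitimate newsletter script will show up in exactly the same way.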
For more info see http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim