Viewing Exim X-Source information in mail queue

porcupine

Apr 18, 2002
Does anybody know where you'd locate the exim X-Source information that is normally appended to the message headers, before the email leaves the server?

I've dug around the eximstats MySQL db (hasn't been updated since Jan though?!), grep'd my way through all of /var/lib/spool, etc. without much luck. Purpose here should be pretty clear (someone's abusing a vulnerable script, I'm catching the load related issues days down the road (at which point Apache logfiles have long since cycled), yet we're not receiving any complaints (.... yet)). Short of using phpsuexec, this seems like the most obvious method to locate abuse that's gotten past the other filters, short of waiting for the complaints to stream in with the X-Source information in the forwarded headers.

Does anyone know how this can be retrieved before the email leaves the server?

networxhosting

Apr 22, 2003
I've had the same issue before in the past, and what I ended up doing (after substantial digging all over the place to no avail) was temporarily turning on phpsuexec, and then commenting it back out quickly after I found whose site/scripts were being abused.

But besides that I never really found a better way to do it, as any research would end with just user "nobody". I suppose if you saw a trend of addresses being spammed you could always try temporarily hijacking/forwarding one of those addresses being emailed to an account that you check in order to investigate the headers; otherwise it's a wait-until-a-complaint-comes-in kind of thing without phpsuexec enabled.

chirpy

Jun 15, 2002
I'd suggest enabling limited extra exim logging by adding this to the first textarea in the exim configuration editor:

log_selector = +arguments

This will add the context for the scripts that send out email into /var/log/exim_mainlog, i.e. you will usually get the directory within which the php that is sending out the email lives and you can then track it down from there.

I'd also suggest the BCC mod_security secfilters to help indicate problem scripts too.
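Added example (not from the thread): a small Python script that pulls the `cwd=` entries that `log_selector = +arguments` writes to /var/log/exim_mainlog and ranks script directories by how many times they called sendmail, which is the "track it down from there" step above. The log lines are constructed samples in the shape Exim uses for these entries, and the script assumes user sites live under /home/.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server) in the shape Exim writes
# to /var/log/exim_mainlog when log_selector = +arguments is set: the "cwd="
# entry records the working directory of the process that invoked sendmail.
SAMPLE_LOG = """\
2009-03-01 10:01:02 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-03-01 10:01:03 1LnXyz-0001Ab-C3 <= alice@example.com U=alice P=local S=812
2009-03-01 10:02:10 cwd=/home/bob/public_html/forms/old 3 args: /usr/sbin/sendmail -t -i
2009-03-01 10:02:11 cwd=/home/bob/public_html/forms/old 3 args: /usr/sbin/sendmail -t -i
2009-03-01 10:02:12 cwd=/home/bob/public_html/forms/old 3 args: /usr/sbin/sendmail -t -i
2009-03-01 10:03:00 cwd=/ 5 args: /usr/sbin/exim -bd -q60m
2009-03-01 10:05:30 cwd=/home/bob/public_html/forms/old 3 args: /usr/sbin/sendmail -t -i
"""

# timestamp, working directory, argument count, then the argv that was run
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<argv>.*)$")


def parse_cwd_lines(log_text):
    """Yield (timestamp, cwd, argv) for every +arguments line in the log."""
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            yield m.group("ts"), m.group("cwd"), m.group("argv")


def sendmail_counts_by_cwd(log_text, under="/home/"):
    """Count sendmail invocations per working directory, keeping only
    directories under `under` so the daemon's own cwd=/ lines are skipped."""
    counts = Counter()
    for _, cwd, argv in parse_cwd_lines(log_text):
        if cwd.startswith(under) and "sendmail" in argv:
            counts[cwd] += 1
    return counts


def top_script_dirs(log_text, limit=5):
    """Directories that sent the most mail, busiest first."""
    return sendmail_counts_by_cwd(log_text).most_common(limit)


if __name__ == "__main__":
    # On a live box: top_script_dirs(open("/var/log/exim_mainlog").read())
    for cwd, n in top_script_dirs(SAMPLE_LOG):
        print(f"{n:5d}  {cwd}")
```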