谁或什么从我的服务器 ( CentOS / Apache / suPHP ) 发送垃圾邮件

我的服务器发送了大量垃圾邮件，我花了几个小时寻找问题所在。在谷歌搜索后，我找到了一个论坛，他们讨论了这个问题，并提到要深入研究 exim 日志，所以我照做了，发现电子邮件是从 [用户名]@vps1.[主机名].[tld] 发送的。他们在论坛上说这些电子邮件可能是从我的服务器发送的，因为这不是使用过的电子邮件地址。他们还提到要深入研究 php 日志。

我试过这个，但什么也没找到，所以我现在通过电子邮件标题尝试检测发送所有这些电子邮件的脚本。这就是我现在陷入困境的地方。

我通过添加以下规则更改了 php.ini：

mail.add_x_header = On
mail.log = /var/log/phpmail.log

我还添加了exim.conf这一行：

+arguments \

重新启动了 exim 和 apache，但我在 exim 日志中没有看到任何 X-PHP-Script 标头，并且没有创建 php 邮件日志。

我唯一看到的是 exim 日志中的 X 标头：

X=TLSv1:RC4-SHA:128

谁能告诉我下一步该怎么做？

编辑

以下是来自 exim 日志的一些内容：

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qq-S2
2014-01-31 16:19:16 1W9FsC-0003qq-S2 <= [email protected] U=instijl P=local S=816 T="Re:  It's good to see you," from <[email protected]> for [email protected]
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsC-0003qq-S2 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after initial connection: host extmail.bigpond.com [61.9.168.122]: 554 nskntcmgw02p BigPond Inbound IB103. Connection refused. 141.138.199.65 has a poor reputation on the Cloudmark Sender Intelligence (CSI) list. Please visit http://csi.cloudmark.com/reset-request/?ip=141.138.199.65 to request a delisting.
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsD-0003r9-H9 <= <> R=1W9FsC-0003qq-S2 U=mail P=local S=2006 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2014-01-31 16:19:17 1W9FsC-0003qq-S2 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qc-M7
2014-01-31 16:19:16 1W9FsC-0003qc-M7 <= [email protected] U=instijl P=local S=822 T="Re:  It's good to see you," from <[email protected]> for [email protected]
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsC-0003qc-M7 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.65.26]: 550-5.7.1 [141.138.199.65      12] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. y48si18631040eew.58 - gsmtp
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsD-0003r1-BS <= <> R=1W9FsC-0003qc-M7 U=mail P=local S=2146 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2014-01-31 16:19:17 1W9FsC-0003qc-M7 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frw-0003oS-Gd
2014-01-31 16:19:00 1W9Frw-0003oS-Gd <= [email protected] U=instijl P=local S=823 T="FW:  Yo" from <[email protected]> for [email protected]
2014-01-31 16:19:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frw-0003oS-Gd
2014-01-31 16:19:02 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.136.217.203]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:03 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.136.216.26]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:04 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.36]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:06 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.138.112.33]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frg-0003mP-S6
2014-01-31 16:18:44 1W9Frg-0003mP-S6 <= [email protected] U=instijl P=local S=814 T="call me" from <[email protected]> for [email protected]
2014-01-31 16:18:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frg-0003mP-S6
2014-01-31 16:18:45 1W9Frg-0003mP-S6 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=837 H=mx-ha03.web.de [213.165.67.104] X=TLSv1:AES256-SHA:256 C="250 Requested mail action okay, completed: id=0Le6s0-1VUM4v1jno-00pvEX"
2014-01-31 16:18:45 1W9Frg-0003mP-S6 Completed