Find and fix spam abuse on your server

This article will show you how to resolve spam abuse on your Virtual Private Server.

If you believe that your server is being used to send large volumes of unsolicited emails, there are steps you can take to pinpoint which email address(es) are being used and how many messages they’ve been sending.

Depending on which tool you use, you’ll need to follow a different set of instructions. Simply click the relevant title below and follow the provided instructions to get started:

Please note: the following article was originally created for our current generation of Virtual Private Servers. As such, these instructions may not be relevant to our previous generation of Virtual Private Servers.

Via cPanel

Step 2 of 7

Connect to your server via SSH.

Step 3 of 7

Next, you will need to switch to the root user.

Step 4 of 7

Check the mail queue within your server by entering the following command:

[root@server ~]# exim -bp | exiqsumm

Step 5 of 7

You will then see the total number of messages stuck in the mail queue. To get a list of scripts that are sending mail, enter the following command:

[root@server ~]# for message in $(exiqgrep -i); do exim -Mvh $message | grep "X-PHP-Script" | awk '{print $3}' >> /tmp/scriptslist.txt; done && cat /tmp/scriptslist.txt | uniq -c | sort -nr && rm -f /tmp/scriptslist.txt

If, however, the queue is empty, you will need to enter the following command instead:

[root@server ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -rn

Step 6 of 7

If your results don’t show any emails from a cPanel account or script, then enter the following command to see all the email account that have been accessed and sending mail:

[root@server ~]# grep '_login' /var/log/exim_mainlog | cut -d '_' -f2 | cut -d ":" -f2 | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{ if ($1 > 1) print $0}'

From there, you may wish to reset the account’s password and inform that user they shouldn’t be sending large volumes of emails from their account.

Step 7 of 7

If, after resolving this issue, there is still a large amount of emails within your queue, you can clear your email queue by entering the following command:

for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done

Please note: this is an irreversible action and will delete all messages.

Via Plesk Linux

Step 1 of 5

Start by logging in to Plesk.

Step 2 of 5

From there, select Tools and Settings within the left-hand menu.

Step 3 of 5

On the next page, click Mail Server Settings below Mail.

Step 4 of 5

Select Mail Queue.

Step 5 of 5

You can now find any spam by sorting your messages by subject or sender. You can then delete any suspicious emails by selecting the checkbox next to each message.

Via Plesk Windows

Step 2 of 8

Connect to your server via Remote Desktop.

Step 3 of 8

Access your C:/ drive and create a new directory called temp.

Step 4 of 8

Select the Windows icon and open the built-in Notepad app.

Step 5 of 8

Depending on which version of Windows you have on your server, you’ll need to enter the following into your Notepad doc.

Windows 2016 and newer
#Specify the path of the SMTP logs

$Path = “C:\Program Files (x86)\Mail Enable\Logging\SMTP”


#Specify the files you wish to scan

$FileType = “SMTP-Activity-*.log”


#Specify where you want the output to be logged

$OutputFile = “C:\temp\spamcheck.log”


#Get all lines from the log file(s) which contain “SMTP-OU” and “FROM:<“

$i = Get-ChildItem $Path -Filter $FileType|

        Get-Content |

        Where-Object { $_ -Match “SMTP-OU”} |

                Select-String -Pattern ‘FROM:<‘ -CaseSensitive


#Extract the email addresses from the prior results, get a count for each unique address, and print those results to a file

[Regex]::Matches($i, ‘(?<=FROM\:\<).+?(?=\>)’) |

    %{$_.value} |

       Group-Object -NoElement |

            Sort-Object -Descending Count|

                FT -Auto |

            Out-File -FilePath $OutputFile

Windows 2012
#Specify the path of the SMTP logs

$Path = “C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Logging\SMTP”

Step 6 of 8

Save your Notepad file in the C:/temp directory with the name spamcheck.ps1

Step 7 of 8

Find your file within Windows Explorer, right-click it and select Run with Powershell

Step 8 of 8

A file called spamcheck.log will now appear in the same folder. Open this file and you will see a list of email accounts that have sent messages from the server.

This may take a few hours to complete, depending on how much data there is. If, however, the script doesn’t work, you will receive a specific error instead.