Find and fix spam abuse on your server

This article will show you how to resolve spam abuse on your Virtual Private Server.

If you believe that your server is being used to send large volumes of unsolicited emails, there are steps you can take to pinpoint which email address(es) are being used and how many messages they’ve been sending.

Depending on which tool you use, you’ll need to follow a different set of instructions. Simply click the relevant title below and follow the provided instructions to get started:

Please note: the following article was originally created for our current generation of Virtual Private Servers. As such, these instructions may not be relevant to our previous generation of Virtual Private Servers.

Via cPanel

Step 2 of 7

Connect to your server via SSH.

Step 3 of 7

Next, you will need to switch to the root user.

Step 4 of 7

Check the mail queue within your server by entering the following command:

[root@server ~]# exim -bp | exiqsumm

Step 5 of 7

You will then see the total number of messages stuck in the mail queue. To get a list of scripts that are sending mail, enter the following command:

[root@server ~]# for message in $(exiqgrep -i); do exim -Mvh "$message" | grep "X-PHP-Script" | awk '{print $3}'; done | sort | uniq -c | sort -nr

If, however, the queue is empty, you will need to enter the following command instead:

[root@server ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -rn

Step 6 of 7

If your results don’t show any emails from a cPanel account or script, then enter the following command to see all the email accounts that have been logged in to and used to send mail:

[root@server ~]# grep '_login' /var/log/exim_mainlog | cut -d '_' -f2 | cut -d ":" -f2 | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{ if ($1 > 1) print $0}'

From there, you may wish to reset the account’s password and inform that user they shouldn’t be sending large volumes of emails from their account.

Step 7 of 7

If, after resolving this issue, there is still a large number of emails within your queue, you can clear your email queue by entering the following command:

for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done

Please note: this is an irreversible action and will delete all messages.
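
Because the command above deletes every queued message, it is often safer to remove only the messages from the account you identified. The following is an added example, not part of the original article: it parses `exim -bp` output and selects the message IDs for one envelope sender. The function names, the sample queue and the address info@compromised.example are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick out one sender's messages from `exim -bp` output so that
# only those are removed, instead of clearing the whole queue.

# Reads `exim -bp` text on stdin; prints IDs whose envelope sender is $1.
# The match is case-insensitive; recipient lines have no third field and are skipped.
queue_ids_for_sender() {
    awk -v want="<$1>" '
        # Entry header line: age, size, message ID, <sender> [*** frozen ***]
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            if (tolower($4) == tolower(want)) print $3
        }'
}

# Constructed sample of `exim -bp` output (addresses and IDs are made up).
sample_queue() {
    cat <<'EOF'
 4h  2.1K 1tXa0B-0001Ab-2C <info@compromised.example>
          someone@example.net

 3h  2.0K 1tXa0C-0001Ad-7Q <info@compromised.example> *** frozen ***
          other@example.org

25m   812 1tXa9Z-0004Qe-1K <alice@customer.example>
        D bob@example.net
          carol@example.net

 2m  1.4K 1tXb11-0005Zz-0P <>
          alice@customer.example
EOF
}

# Hypothetical wrapper for a live server: lists matching IDs by default and
# removes them only when the second argument is "delete".
purge_sender() {
    ids=$(exim -bp | queue_ids_for_sender "$1")
    if [ -z "$ids" ]; then echo "no queued messages from $1"; return 0; fi
    if [ "${2:-dry-run}" = "delete" ]; then
        echo "$ids" | xargs exim -Mrm
    else
        echo "$ids"
    fi
}

# Offline demonstration on the constructed sample.
sample_queue | queue_ids_for_sender "info@compromised.example"
```

Run purge_sender with only the address first and review the listed IDs before repeating it with "delete" as the second argument.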

Via Plesk Linux

Step 1 of 5

Start by logging in to Plesk.

Step 2 of 5

From there, select Tools and Settings within the left-hand menu.

Step 3 of 5

On the next page, click Mail Server Settings below Mail.

Step 4 of 5

Select Mail Queue.

Step 5 of 5

You can now find any spam by sorting your messages by subject or sender. You can then delete any suspicious emails by selecting the checkbox next to each message.

Via Plesk Windows

Step 2 of 8

Connect to your server via Remote Desktop.

Step 3 of 8

Access your C:/ drive and create a new directory called temp.

Step 4 of 8

Select the Windows icon and open the built-in Notepad app.

Step 5 of 8

Depending on which version of Windows you have on your server, you’ll need to enter the following into your Notepad doc.

Windows 2016 and newer
#Specify the path of the SMTP logs
$Path = "C:\Program Files (x86)\Mail Enable\Logging\SMTP"

#Specify the files you wish to scan
$FileType = "SMTP-Activity-*.log"

#Specify where you want the output to be logged
$OutputFile = "C:\temp\spamcheck.log"

#Get all lines from the log file(s) which contain "SMTP-OU" and "FROM:<"
$i = Get-ChildItem $Path -Filter $FileType |
        Get-Content |
        Where-Object { $_ -Match "SMTP-OU" } |
        Select-String -Pattern 'FROM:<' -CaseSensitive

#Extract the email addresses from the prior results, get a count for each unique address, and print those results to a file
[Regex]::Matches($i, '(?<=FROM\:\<).+?(?=\>)') |
    %{$_.value} |
    Group-Object -NoElement |
    Sort-Object -Descending Count |
    FT -Auto |
    Out-File -FilePath $OutputFile

Windows 2012
#Specify the path of the SMTP logs
$Path = "C:\Program Files (x86)\Parallels\Plesk\Mail Servers\Mail Enable\Logging\SMTP"

Step 6 of 8

Save your Notepad file in the C:/temp directory with the name spamcheck.ps1.

Step 7 of 8

Find your file within Windows Explorer, right-click it and select Run with PowerShell.

Step 8 of 8

A file called spamcheck.log will now appear in the same folder. Open this file and you will see a list of email accounts that have sent messages from the server.

This may take a few hours to complete, depending on how much data there is. If, however, the script doesn’t work, you will receive a specific error instead.