How can I stop my account from sending spam emails?

Operating System & Version
CENTOS 7.9 kvm
cPanel & WHM Version
v92.0.6

sourabh.garg

Registered
Jan 5, 2021
1
0
1
Bhopal, Madhya Pradesh. India
cPanel Access Level
Root Administrator
For the past two days, we have been receiving "undeliverable" and "failure" notices in our Webmail/MS Outlook inbox for emails sent entitled "SUP", "Good Morning", "Good Evening" etc. I immediately changed our password yesterday & have done multiple virus & Malware scans. We have Godaddy VPS Server running Cpanel/whm, and yet people are still receiving these SPAM messages from us. Strangely, there is no record in our "Sent" folder to show that these emails were sent from our email, as with another time we were hacked. I changed our password again this morning, and still, we are receiving notes from friends saying that they are getting these emails.

What else can we do to stop this????
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Hey there! I'd recommend reading through our support article here:


as that provides more details about tracking down the source of spam messages on the system. Can you work through that and see if that helps?
 

rscalover

Well-Known Member
Dec 16, 2010
99
11
58
cPanel Access Level
Root Administrator
Hello,

You mention friends are telling you that they receive spam ask them to "screenshot" the message headers that should give you an id after that on an ssh shell

Code:
grep the_message_id_here /var/log/exim_mainlog
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
631
207
343
cPanel Access Level
DataCenter Provider
If you find out it's a compromised mailbox after you change the password make sure your restart IMAP and Exim. If not, and they are already authenticated, they can continue to send.

Simply searching /var/log/exim_mainlog for the subjects you gave above should give you a lot of clues. You'll be able to see if it's coming from a compromised script or if they are logging in from a remote IP (compromised mailbox). If it's the later, you'll be able to see the mailbox that they are using to authenticate.