Hundreds of emails being sent from fake email accounts

I had a very similar situation recently. Just a hunch but look for a menu87.php ( find / -name menu87.php) deep in that domains public_html directory. delete it and restart services.
or do below

If you suspect there is a PHP script sending out email (and it is still doing so) try adding these two lines:
mail.add_x_header = On
mail.log = /var/log/php_mail.log
to the [mail] section of:
/usr/local/lib/php.ini


D-

 

Just chiming in,

In my experience with this kind of situation it's either been a compromised email account (if it's one account in particular sending the spam) or an infected computer sending a ton of spam. Though it could be something like dmacomber said above, a malicious script.

For me I started to see a ton of failed delivery messages being returned to one user in particular. Hundreds of them. So I immediately remotely connected to the infected computer and ran TCPview to see if something was abusing port 25 on their machine. Sure enough, something was. This has happened twice for us at different locations and each time blocking port 25 on the router or firewall stopped the emails from going out. We just made sure to use port 587 for our email afterwards.

If you can view your mail activity you can look for scripts that have sent a lot of mail.
I don't know who your host is, but check out this link here from InmotionHosting. It should give you an idea of how to go about it:
Find spam script location with Exim | InMotion Hosting

If you can see that it's only one account sending the spam, change that accounts password and make sure it's nice and secure.

If you think it's an infected computer, get on that computer then download and run TCPview. This will show you TCP and UDP activity. If there are a ton of SMTP or Port 25 connections being made (green) and then dying (red) you know you've found the problem.
Here is a link to TCPview TCPView for Windows

If it is an infected machine, you can track down which service is sending the emails through TCPview. You're going to have to clean it out thoroughly. I typically run a combination of programs like MalwareBytes, CCleaner, and TDSSKiller.

Getting yourself removed from the blacklists isn't hard but it requires a little time. Also, make sure the problem is resolved before requesting de-listing, otherwise, if you are de-listed and re-listed multiple times they'll just permanently list you.