Mail delivery failed: returning message to sender


Aug 27, 2019
cPanel Access Level
Root Administrator
Hi Folks, currently one of my user-facing receiving spamming mail from " Mail Delivery Failed", and at the same time my other user can't sending mail due to it's had over limit the CPanel quota which in 200 mail Per hours. Furthermore, all the address(es) failed: are from different email and none of them are familiar.
I had scans the mail directory using the CPanel Virus scanner, and Anti-virus in the PC system to scan, end up non of the malware or virus are available.

Below are the attachments, Please advise anyone that experience this situation before.

Thank You


Last edited by a moderator:


Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
The images you post would indicate to me that these are the inbound bounce messages, ideally, you need to try and find what's sending the outgoing messages.

A few things to try.
Change the password on the email account.
If the password has been compromised, this should stop it.

Ensure DKIM and SPF are configured on the account, This should help with spoofing.

If you have a compromised PC, then taking this down and finding the culprit woud be the next thing to do.
Last edited:


Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
I understand that you may not have posted the contents of one of the messages because you would not want to reveal anything about your server, but great clues as to what is going on can be found in the bounce messages themselves that you see in webmail. Open them up and takea look at them. They are going to tell you why the messages were bounced by the remote system (or cpanel, if they were bounced from the server itself).

Not that you should trust me, Im nobody you know. But if you want to PM me what one of the messages shows in your webmail (including all of the message headers it reveals), I'd be glad to take a look. But I'm betting you can figure it out for yourself once you look at the one of the bounce messages.



Product Owner II
Staff member
Nov 14, 2017

Those look like inbound messages because they're all bouncebacks and in this instance, the account is suspended and not accepting anything due to the exceeding mail limits.


You need to identify the source of the email. If your users on this account haven't sent this mail then you need to determine how it's being sent. Internally we have a really helpful script we use for this:

perl <(curl -s -s
Which will break down the users sending mail and the directory mail is originating from. If it's a specific email account sending most of the mail then you'll most likely want to change the password if mail is originating from a specific directory you'll want to look in the directory to identify the script that is responsible for the mail.