SOLVED My server is sending spam

Hi,

My VPS server send spams what causes emails to stuck in Mail Queued, and recently I exceeded the SMTP Relays set to 5000 by godaddy, and they refused to temporary increase it.

Anyway, how can I find the source of spam, it seems from my server (server.my-server.com).
From Mail Queue Manager the message info:

Code:

Date: Mon, 29 Apr 2019 14:17:15 +0300
From: Mail Delivery System <Mailer-Daemon@server.my-server.com>
To: nbocoze@example.com
Subject: Mail delivery failed: returning message to sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary=1556536635-eximdsn-1383029932
Message-Id: <E1hL4Hb-0006Zi-I1@server.my-server.com>
MIME-Version: 1.0
Received: from mailnull by server.my-server.com with local (Exim 4.91)
id 1hL4Hb-0006Zi-I1
for nbocoze@example.com; Mon, 29 Apr 2019 14:17:15 +0300
X-Failed-Recipients:purchase@example.net

In this header info, we can found 2 emails: nbocoze@example.com and purchase@example.net, both do not belong to any user on my server.

How can I stop it ?

 

I have 65 accounts, the header indicate the message is sent from my server
Mailer-Daemon@server.my-server.com

 

Alright, may I know some more information please ? I have to learn how to spot the spam source and the solution.

For e.g. this account is on my server k**a.com.lb, have sent 12000 email today, from Mail Delivery Report, I can find those details:

[removed due to use of real domains]

What should I look for and what to do with those information ? is the source of spam my server or user computer or stolen password ? or some other possibilities ?

Regards,

 

Hello,

The most used subjects

[removed due to use of real SPAM terms]

The most logged in user

Code:

126 __cpanel__service__auth__icontact__
1542 info@the****removed.com
12986 ism@k**removed.lb

The most used mailing script

Code:

9167 /usr/local/cpanel/whostmgr/docroot

The user ism@k**a.com.lb have sent 12986 email with the subject "removed" and "removed"

But what does it mean if the most used mail script is "/usr/local/cpanel/whostmgr/docroot" ? the spam is sent from my server ? or from the user computer or from Jupiter ?

 

What if there is a malware on my server sending spams from inside. How can I know the source ?

In 10 days, I found 3 different domains sending spams and I got blocked by Godaddy relays 3 times, 24h each.

 

When I run the command

The out put is

Why all regular emails are sent from the home account, but the 9174 spams are sent from /usr/local/cpanel/whostmgr/docroot , what is it ?

 

Emails by user:

Email accounts sending out mail:

Directories mail is originating from:

Top 20 Email Titles:

Thank you

 

Thank you for the explanation, the missing point is clear now.

What is more important is how to make sure I receive a notification email before my server get blocked by Godaddy or blacklisted. This discussion is opened in another topic in this forums.

Thanks again