System account sending spam


Oct 4, 2011
cPanel Access Level
Root Administrator
I have searched this forum for many days about this, but couldn't find anything...

I have a cPanel account that is sending about 20k emails/day. This account has a limit of 100 emails/hour, but this really slows down my server all the time... The emails are being sent by the system account:

[email protected]
([email protected])

How can I block this from sending mail, or track where it is being sent from?

I can't block this account, because it's my main site, system and mails.

Thanks in advance.

Sorry for my poor English.

Greetings from Brazil.


Additional info

This account has been hacked 1 time, but I have scanned all files for the PHP mail() function and can't find anything suspicious;

My server is CentOS;

I have CSF and all the warnings in the check server security:

Check /dev/shm is mounted noexec,nosuid
Check /etc/cron.daily/logrotate for /tmp noexec workaround
Check /tmp is mounted as a filesystem
Check /var/tmp is mounted as a filesystem
Check Accounts that can access a cPanel user account
Check apache for FileETag
Check apache for FrontPage
Check apache for mod_security
Check apache for ServerSignature
Check apache for ServerTokens
Check apache for TraceEnable
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Check boxtrapper is disabled
Check cPanel login is SSL only
Check cPanel version
Check csf PT_SKIP_HTTP option
Check csf SAFECHAINUPDATE option
Check for cxs
Check incoming MySQL port
Check MySQL LOAD DATA disallows LOCAL
Check nameservers
Check php for ini_set disabled
Check php for Suhosin
Check Referrer Blank Security
Check Referrer Security
Check root forwarder
Check SMTP Tweak
Check SSH PasswordAuthentication

Is there anything I REALLY need to pay special attention to?

Thanks again


Well-Known Member
Sep 3, 2006
cPanel Access Level
Website Owner
Recompile Apache with the PHP mail patch; this will help you track the folder/file that is sending the emails.


Staff member
Apr 11, 2011
Hello :)

You should try to determine where the mail is being sent from. If it's coming from the account username, there is likely a PHP script uploaded to the account that is sending email. Try enabling the following option under the "Mail" tab in "WHM >> Server Configuration >> Tweak Settings":

Track email origin via X-Source email headers

Also, check the following thread for useful information on how to track messages sent from PHP scripts:

PHP Scripts Sending Mail

Thank you.
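
An added example, not part of the thread or cPanel's own tooling: with the X-Source option above enabled, script-generated mail carries `X-Source`, `X-Source-Args` and `X-Source-Dir` headers, and tallying them over a batch of message headers shows which directory and script produce the volume. The header sets, the user `exampleuser` and all paths below are constructed.

```python
from collections import Counter
from email.parser import HeaderParser


def _sample(src_dir, args):
    # Constructed header set; the address, user and paths are placeholders.
    return ("From: exampleuser@server.example.com\n"
            "Subject: sample\n"
            "X-Source: /usr/bin/php\n"
            f"X-Source-Args: {args}\n"
            f"X-Source-Dir: {src_dir}\n\n")


CACHE = "/usr/bin/php /home/exampleuser/public_html/images/cache.php"
SAMPLES = [
    _sample("example.com:/public_html/images", CACHE),
    _sample("example.com:/public_html/images", CACHE),
    # Long header values may be folded across lines; this must still match.
    _sample("example.com:/public_html/images", CACHE.replace(" ", "\n ")),
    _sample("example.com:/public_html",
            "/usr/bin/php /home/exampleuser/public_html/contact.php"),
    "From: exampleuser@server.example.com\nSubject: no origin info\n\n",
]


def _clean(value):
    # Unfold and collapse whitespace so folded and unfolded values compare equal.
    return " ".join(str(value or "").split())


def tally_sources(raw_headers):
    """Count messages per (X-Source-Dir, X-Source-Args) pair."""
    counts = Counter()
    for raw in raw_headers:
        msg = HeaderParser().parsestr(raw)
        key = (_clean(msg.get("X-Source-Dir")), _clean(msg.get("X-Source-Args")))
        # Mail without the headers (sent before tracking was enabled, or not
        # script-generated) is counted separately rather than dropped.
        counts[key if any(key) else ("(no X-Source headers)", "")] += 1
    return counts


if __name__ == "__main__":
    for (src_dir, args), n in tally_sources(SAMPLES).most_common():
        print(f"{n:6d}  {src_dir}  {args}")
```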


Oct 4, 2011
cPanel Access Level
Root Administrator
Thanks for all the replies. I'm trying all the alternatives; when I get the results I'll post feedback.

Again, thank you very much!


This is the config:

send all unrouted emails to "cirquito" (this is the cPanel account)



I can't find this option under "EasyApache"... but I have upgraded my PHP from 5.2.x to 5.3.8