Identifying Spam and Malware Sources on Your Server
Learn how to find spam and malware sources on a server by checking mail logs, queues, compromised mailboxes, PHP scripts, WordPress malware and cron jobs.
Introduction
When a server appears on a blacklist, the listing is usually a symptom. The real problem is often a compromised mailbox, hacked website, vulnerable script, abused contact form, malware, bad mailing list or misconfigured mail service sending unwanted messages.
Before requesting delisting, you need to identify the source and stop it. If the spam source remains active, the server or IP can be listed again quickly, even after a successful removal request.
Quick answer
To find spam or malware sources on a server, check outbound mail logs, mail queue, authentication failures, compromised mailboxes, PHP scripts, WordPress files, contact forms, cron jobs, unusual sending volume and recent file changes. Stop the source before requesting delisting.
Why servers send spam
Servers usually send spam because something on the account or system is abused.
- Compromised email account
- Weak mailbox password
- Hacked WordPress website
- Infected plugin or theme
- Abused contact form
- PHP mail script
- Malicious cron job
- Uploaded malware
- Open relay or SMTP misconfiguration
- Bad bulk mailing campaign
- Stolen SMTP credentials
The goal is to find which account, script, website, user or process generated the unwanted mail.
First signs
Blacklist listing
The sending IP appears on one or more DNSBLs.
Bounce flood
The server receives many returned messages for mail it should not have sent.
Mail queue spike
Thousands of messages appear in the queue.
High outbound volume
A single account or script sends much more than usual.
Suspicious PHP mail
Messages are sent from website files instead of authenticated mailboxes.
Login abuse
Many failed or unusual mailbox logins appear in logs.
Unknown files
New PHP files, hidden files or suspicious scripts appear in web directories.
Recipient complaints
Users report spam, phishing or strange outgoing messages.
Check mail logs
Mail logs are usually the best starting point. For each suspicious message, note the following:
- Sender address
- Authenticated username
- Source IP address
- Script path
- Message ID
- Recipient count
- Repeated failed logins
- Unusual sending time
- Remote SMTP connections
- Bounce or rejection messages
On cPanel/WHM servers, Exim logs usually show whether mail was sent by an authenticated mailbox (an A=... field in the acceptance line), a local script (a cwd= line naming the directory that called sendmail) or a system user. cPanel also adds an X-PHP-Script header to messages sent through PHP's mail() function, naming the script path and the client IP that triggered it.
Compromised mailboxes
A stolen mailbox password is one of the most common spam sources.
Warning signs:
- Unusual login IPs
- Many SMTP authentications in a short window
- Sent mail volume far above the account's normal pattern
- Failed login attempts
- Password age
- Weak passwords
- Forwarding rules
- Filters created by the attacker
- Webmail access logs
- Mailbox used from many countries
Response:
- Reset the password
- Revoke active sessions
- Remove suspicious forwards and filters
- Enable stronger authentication if available
- Review all devices using the mailbox
- Limit outbound sending temporarily
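A worked triage of the signals in this section and in the mail-log section above, added here as an example rather than taken from the guide. It feeds a constructed cPanel-style Exim mainlog excerpt (the A=dovecot_login:, cwd= and "authenticator failed" line shapes are Exim's; the hosts, mailboxes, message IDs and addresses are invented) through small shell functions that answer the questions an investigator asks first: which mailbox sent the most, from how many addresses, which website directory submitted mail locally, and which IP was guessing passwords. On a real server, point LOG at /var/log/exim_mainlog instead of the sample.

```shell
#!/bin/sh
# Added example, not from the guide: triage a cPanel-style Exim mainlog.
# The excerpt below is constructed for this example; real logs live at
# /var/log/exim_mainlog on cPanel/WHM and use the same line shapes.
LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2024-05-01 09:58:10 1s0AAa-0001Aa-00 <= alice@example.com H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@example.com S=2100 T="Invoice" for bob@example.net
2024-05-01 10:00:01 1s0AAb-0001Ab-01 <= sales@example.com H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:sales@example.com S=1440 T="Cheap pills" for v1@example.net
2024-05-01 10:00:02 1s0AAc-0001Ac-02 <= sales@example.com H=(host) [203.0.113.5] P=esmtpsa A=dovecot_login:sales@example.com S=1440 T="Cheap pills" for v2@example.net
2024-05-01 10:00:03 1s0AAd-0001Ad-03 <= sales@example.com H=(other) [192.0.2.44] P=esmtpsa A=dovecot_login:sales@example.com S=1440 T="Cheap pills" for v3@example.net
2024-05-01 10:00:04 1s0AAe-0001Ae-04 <= sales@example.com H=(other) [192.0.2.99] P=esmtpsa A=dovecot_login:sales@example.com S=1440 T="Cheap pills" for v4@example.net
2024-05-01 10:01:00 cwd=/home/shop/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:01:00 1s0AAf-0001Af-05 <= shop@srv.example.com U=shop P=local S=980 T="You won" for v5@example.net
2024-05-01 10:01:01 cwd=/home/shop/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:01:01 1s0AAg-0001Ag-06 <= shop@srv.example.com U=shop P=local S=980 T="You won" for v6@example.net
2024-05-01 10:05:00 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -FCronDaemon -i root
2024-05-01 10:05:00 1s0AAh-0001Ah-07 <= root@srv.example.com U=root P=local S=400 T="Cron <root> run-parts" for root@srv.example.com
2024-05-01 10:06:00 dovecot_login authenticator failed for (x) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin@example.com)
EOF

# Accepted messages per authenticated mailbox. A mailbox far above its usual
# volume, or one that normally never sends, is the first suspect.
auth_senders() {
  grep -o 'A=[a-z_]*login:[^ ]*' "$1" | cut -d: -f2 | sort | uniq -c | sort -rn
}

# Distinct remote IPv4 addresses per mailbox (the [a.b.c.d] field of the
# acceptance line). One account authenticating from several unrelated
# networks within seconds usually means stolen or guessed credentials.
ips_per_mailbox() {
  awk '/A=[a-z_]*login:/ {
         ip = ""; user = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^\[[0-9.]+\]$/) ip = $i
           if ($i ~ /^A=/) { split($i, a, ":"); user = a[2] }
         }
         if (user != "" && ip != "") seen[user " " ip] = 1
       }
       END {
         for (k in seen) { split(k, p, " "); n[p[1]]++ }
         for (u in n) print n[u], u
       }' "$1" | sort -rn
}

# Mail submitted by local processes: cPanel's Exim logs the working directory
# (cwd=) of whatever called sendmail, so a website path points straight at the
# directory of the sending script. System paths such as /var/spool/cron are
# normal and are filtered out here.
script_dirs() {
  grep -o 'cwd=[^ ]*' "$1" | cut -d= -f2 | grep '^/home/' | sort | uniq -c | sort -rn
}

# Failed SMTP logins per source IP: the password guessing that precedes a
# mailbox takeover, and a list to compare against the IPs that later succeeded.
failed_logins() {
  grep 'authenticator failed' "$1" | grep -o '\[[0-9.]*\]' | tr -d '[]' | sort | uniq -c | sort -rn
}

echo "== accepted messages per authenticated mailbox"; auth_senders "$LOG"
echo "== distinct IPs per mailbox";                    ips_per_mailbox "$LOG"
echo "== local submissions from website directories";  script_dirs "$LOG"
echo "== failed logins per IP";                        failed_logins "$LOG"
```

In the constructed log, 203.0.113.5 fails a login for admin@example.com and succeeds for sales@example.com, and sales@example.com authenticates from three networks within four seconds: the pattern of a mailbox driven by stolen credentials. The cwd= lines name the uploads directory of one site, which is where the website-scripts section says to look next. Exim's authenticator name and log selector vary by installation, so check the field layout against one real line before trusting the counts.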
Website scripts
Hacked websites often send spam through PHP scripts or vulnerable forms.
- Recently modified PHP files
- Unknown files in uploads directories
- Suspicious filenames
- Base64, eval or obfuscated code
- mail() function usage
- Contact form abuse
- Abandoned test scripts
- Old CMS installations
- Writable directories
- Suspicious cron jobs
If mail logs show a script path, investigate that file and the surrounding directory immediately.
WordPress malware
WordPress spam sources often come from outdated plugins, nulled themes, weak admin passwords or uploaded backdoors.
- wp-content/uploads for PHP files
- Unknown admin users
- Recently modified plugin files
- Nulled themes or plugins
- Suspicious wp-config.php changes
- Hidden files
- Cron events
- Form plugins
- SMTP plugins
- Abandoned staging copies
- Old backup archives exposed publicly
Cleaning one file is not enough if the entry point remains open.
Why this matters
Finding the source matters because blacklist delisting only helps after abuse stops. If a compromised mailbox or malware script continues sending, the IP can be re-listed and reputation damage can become worse.
Root-cause cleanup protects email delivery, server reputation, customer trust and hosting account stability.
How to investigate
Use Blacklist Checker to confirm the reputation issue, then investigate the server source.
- Sending IP — confirm which IP is listed or rejected.
- Mail queue — look for large numbers of queued messages.
- Mail logs — identify sender, username, script path or source process.
- Authenticated users — check whether a mailbox is sending abnormally.
- Local scripts — check whether PHP or website files generated messages.
- Website files — look for malware, backdoors or suspicious file changes.
- Cron jobs — check scheduled tasks that send mail or run unknown scripts.
- DNS and authentication — review SPF, DKIM, DMARC and rDNS after abuse is stopped.
Common problems
Compromised mailbox
Severity: High. A stolen mailbox password is used to send spam through authenticated SMTP.
Next step: Reset the password, remove suspicious rules and review login activity.
PHP spam script
Severity: High. A website file sends spam through the local mail function.
Next step: Identify the script path in the mail logs and clean the infected website.
Abused contact form
Severity: Medium. Bots use a form to generate unwanted messages.
Next step: Add CAPTCHA, rate limits and input validation, and send through authenticated SMTP.
WordPress malware
Severity: High. A plugin, theme or uploaded backdoor sends mail or injects spam links.
Next step: Scan WordPress, remove malware, patch plugins and reset admin passwords.
Mail queue full of spam
Severity: High. Spam remains queued and may continue sending.
Next step: Stop the source first, then inspect and clear the queue carefully.
Suspicious cron job
Severity: High. A scheduled task repeatedly runs a spam or malware script.
Next step: Disable unknown cron jobs and inspect the files they reference.
Open relay or SMTP misconfiguration
Severity: High. The server may allow unauthorized mail relay.
Next step: Review SMTP relay settings and block unauthenticated sending.
Bad bulk campaign
Severity: Medium. A legitimate user sent poor-quality bulk mail that triggered complaints.
Next step: Pause the campaign, clean the lists and use proper marketing infrastructure.
Shared hosting neighbor abuse
Severity: Medium. Another account on the same server or IP may be responsible.
Next step: The provider must identify the account and isolate the source.
How to stop spam
Step 1: Pause outbound abuse
Temporarily limit or stop suspicious sending while investigating.
Step 2: Identify the sending path
Use mail logs to determine whether mail came from SMTP auth, local script, cron or system process.
Step 3: Secure compromised accounts
Reset passwords, remove suspicious forwards and review login activity.
Step 4: Clean infected websites
Remove malware, patch CMS, plugins and themes and delete backdoors.
Step 5: Check cron jobs
Remove unknown or suspicious scheduled tasks.
Step 6: Review mail queue
Inspect queued messages and clear spam only after the source is stopped.
Step 7: Fix authentication and identity
Review SPF, DKIM, DMARC, rDNS and HELO/EHLO.
Step 8: Request delisting after cleanup
Only request removal after abuse has stopped and logs look normal.
Step 9: Monitor for recurrence
Watch outbound volume, queue size, login attempts and blacklist status.
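Step 6 and the "Mail queue full of spam" entry, worked as an added shell example that is not part of the guide. It parses a constructed exim -bp listing (the two-line layout of age, size, message ID and envelope sender followed by indented recipients is Exim's; the IDs and addresses are invented) to count queued mail per sender, count frozen messages, pull the IDs belonging to one sender, and print, rather than run, the exim -Mrm command that would remove them.

```shell
#!/bin/sh
# Added example, not from the guide: triage an Exim queue listing.
# The listing below is constructed to match the layout of `exim -bp`;
# on a live server pipe the real output into the same functions.
Q="${TMPDIR:-/tmp}/exim_queue.sample.$$"
trap 'rm -f "$Q"' EXIT
cat > "$Q" <<'EOF'
 2m  1.2K 1s0AAb-0001Ab-01 <sales@example.com>
          v1@example.net

 2m  1.2K 1s0AAc-0001Ac-02 <sales@example.com>
          v2@example.net

 1m   980 1s0AAf-0001Af-05 <shop@srv.example.com>
          v5@example.net

 3h  2.0K 1s0AAa-0001Aa-00 <alice@example.com>
          bob@example.net

 5h   900 1s0AAz-0001Az-09 <> *** frozen ***
          v9@example.net

EOF

# Queued messages per envelope sender. Envelope lines start with the age and
# carry the sender in angle brackets as the fourth field; recipient lines and
# blank lines never have one. An empty sender (<>) is a bounce.
queue_senders() {
  awk '$4 ~ /^<.*>$/ {
         s = $4; gsub(/[<>]/, "", s)
         if (s == "") s = "<> (bounce)"
         n[s]++
       }
       END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Frozen messages: typically undeliverable bounces left behind by a spam run.
frozen_count() {
  grep -c '\*\*\* frozen \*\*\*' "$1"
}

# Message IDs queued for one envelope sender.
queue_ids_for_sender() {
  awk -v s="<$2>" '$4 == s { print $3 }' "$1"
}

# Print the removal command instead of running it: the IDs are meant to be
# reviewed (exim -Mvh <id> shows the headers) once the sending source is
# stopped, not deleted while the queue is still refilling.
removal_command() {
  ids=$(queue_ids_for_sender "$1" "$2" | xargs)
  [ -n "$ids" ] && echo "exim -Mrm $ids"
}

echo "== queued messages per sender"; queue_senders "$Q"
echo "== frozen messages: $(frozen_count "$Q")"
echo "== removal command for sales@example.com"
removal_command "$Q" sales@example.com
```

On a live server the same selection is `exiqgrep -i -f '<sales@example.com>'`, and `exim -Mvh <id>` or `exim -Mvb <id>` lets you read a queued message before deciding it is spam. Removing the frozen bounces is safe only after the mailbox or script that generated the original messages has been stopped; otherwise the queue fills again.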
Investigation commands
Check Exim queue:
exim -bp
Count queue:
exim -bpc
Search Exim logs for a sender:
grep "user@example.com" /var/log/exim_mainlog
Find mail submitted by local scripts (cPanel's Exim logs the working directory of the process that called sendmail; paths under /home identify the script's directory, while /var/spool/cron and other system paths are usually legitimate):
grep "cwd=" /var/log/exim_mainlog | tail -50
Check recent PHP files:
find /home/USERNAME/public_html -type f -name "*.php" -mtime -7
Find PHP files that call mail() (legitimate plugins and forms match too, so focus on unexpected locations, recently changed files and obfuscated code nearby):
grep -R "mail(" /home/USERNAME/public_html --include="*.php"
Check user cron jobs:
crontab -u USERNAME -l
Check suspicious files in uploads:
find /home/USERNAME/public_html/wp-content/uploads -type f -name "*.php"
Commands are illustrative. Paths and commands vary by server, control panel and mail system. Review output carefully before deleting files or queue messages.
Cleanup checklist
Mail accounts
Secure mailboxes that may have sent abuse.
Reset compromised passwords
Change passwords for affected accounts.
Remove suspicious forwards
Delete attacker-created forwarding rules.
Remove suspicious filters
Check for hidden mail rules.
Review login IPs
Look for unusual access locations.
Check sent volume
Compare normal vs abnormal sending.
Websites
Clean web applications that may generate spam.
Scan files
Look for malware and backdoors.
Patch CMS/plugins/themes
Update vulnerable software.
Remove unknown admin users
Delete unauthorized accounts.
Delete backdoors
Remove malicious uploaded files.
Secure uploads directory
Block PHP execution where possible.
Review contact forms
Add CAPTCHA and rate limits.
Server
Review server-level mail and abuse signals.
Check mail queue
Inspect queued messages.
Check cron jobs
Review scheduled tasks.
Check outbound volume
Watch for unusual spikes.
Check SMTP relay settings
Block unauthorized relay.
Check logs
Preserve evidence during investigation.
Check firewall rules
Review security controls.
DNS and mail identity
Confirm authentication after abuse is stopped.
SPF checked
Verify authorized senders only.
DKIM checked
Confirm signing is enabled.
DMARC checked
Review policy and reports.
rDNS checked
Confirm PTR matches mail identity.
HELO/EHLO checked
Verify the server greets with a real, resolvable hostname that matches its rDNS.
Blacklist status checked
Monitor IP and domain listings.
Prevention
After cleanup, reduce the chance of repeat abuse.
- Enforce strong mailbox passwords
- Update CMS, plugins and themes
- Remove abandoned websites
- Limit PHP mail where possible
- Use authenticated SMTP for forms
- Add CAPTCHA and rate limiting
- Monitor outbound volume
- Enable malware scanning
- Restrict cron jobs
- Review new admin users
- Keep backups
- Monitor blacklist status
Prevention is easier than repeated delisting.
Frequently asked questions
How do I know if spam came from a mailbox or website?
Mail logs usually show whether the message was sent by authenticated SMTP or a local script path.
Should I clear the mail queue immediately?
Identify and stop the source first. Otherwise the queue may refill.
Can WordPress cause blacklist problems?
Yes. Hacked WordPress sites, vulnerable plugins or abused forms can send spam or host spam links.
What if the spam came from a shared server?
The hosting provider must identify which account or process caused the abuse.
Can SPF/DKIM/DMARC stop server malware?
No. They help authentication, but malware and compromised accounts must be cleaned separately.
When should I request delisting?
After the spam source is stopped, cleanup is complete and logs show normal sending.
How do I prevent this from happening again?
Secure accounts, patch websites, monitor outbound mail, limit abuse-prone scripts and check reputation regularly.