Identifying Spam and Malware Sources on Your Server

Learn how to find spam and malware sources on a server by checking mail logs, queues, compromised mailboxes, PHP scripts, WordPress malware and cron jobs.

By CheckDomainHealth Editorial Team. Reviewed by Dionis Ceban. Updated Jun 28, 2026. 9 min read. Level: Beginner.

Introduction

When a server appears on a blacklist, the listing is usually a symptom. The real problem is often a compromised mailbox, hacked website, vulnerable script, abused contact form, malware, bad mailing list or misconfigured mail service sending unwanted messages.

Before requesting delisting, you need to identify the source and stop it. If the spam source remains active, the server or IP can be listed again quickly, even after a successful removal request.

Quick answer

To find spam or malware sources on a server, check outbound mail logs, mail queue, authentication failures, compromised mailboxes, PHP scripts, WordPress files, contact forms, cron jobs, unusual sending volume and recent file changes. Stop the source before requesting delisting.

Why servers send spam

Servers usually send spam because something on the account or system is abused.

  • Compromised email account
  • Weak mailbox password
  • Hacked WordPress website
  • Infected plugin or theme
  • Abused contact form
  • PHP mail script
  • Malicious cron job
  • Uploaded malware
  • Open relay or SMTP misconfiguration
  • Bad bulk mailing campaign
  • Stolen SMTP credentials

The goal is to find which account, script, website, user or process generated the unwanted mail.

First signs

Blacklist listing

The sending IP appears on one or more DNSBLs.

Bounce flood

The server receives many returned messages for mail it should not have sent.

Mail queue spike

Thousands of messages appear in the queue.

High outbound volume

A single account or script sends much more than usual.

Suspicious PHP mail

Messages are sent from website files instead of authenticated mailboxes.

Login abuse

Many failed or unusual mailbox logins appear in logs.

Unknown files

New PHP files, hidden files or suspicious scripts appear in web directories.

Recipient complaints

Users report spam, phishing or strange outgoing messages.

Check mail logs

Mail logs are usually the best starting point. For each suspicious message, look for:

  • Sender address
  • Authenticated username
  • Source IP address
  • Script path
  • Message ID
  • Recipient count
  • Repeated failed logins
  • Unusual sending time
  • Remote SMTP connections
  • Bounce or rejection messages

On cPanel/WHM servers, Exim's main log records how each message was injected: an A= field names the authenticated mailbox, U= together with P=local marks a local submission by a system user, and, with the +arguments log selector that cPanel enables, a cwd= line logged just before the submission gives the working directory of the script that called sendmail. Those three fields usually settle whether a mailbox, a website file or a system process is the source.
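The attribution described above can be scripted so that a large log is summarised per source instead of read line by line. The following is an added example, not code from the original guide or from Exim: it parses constructed cPanel-style Exim main log lines (the field names A=, U=, P=local and cwd= are Exim's; the sample lines, hosts, addresses, message IDs and the flagging thresholds are invented for the demonstration) and reports which mailbox, script directory or remote host injected each message, flagging the sources a practitioner would look at first.

```python
"""Exim main log triage: attribute each accepted message (the '<=' lines) to the
mailbox, local script or remote host that injected it, then flag abnormal sources.
Added example, not part of the original guide or of Exim. SAMPLE_LOG is constructed
to mimic cPanel's Exim format, where a 'cwd=' line precedes each local sendmail
call (log_selector +arguments); the flagging thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample (hosts, addresses and IDs are invented), not a real log.
SAMPLE_LOG = """\
2026-06-28 03:14:07 1uVXyz-0001Ab-2C <= alice@example.com H=(pc) [198.51.100.10] P=esmtpsa A=dovecot_login:alice@example.com S=2314 T="Invoice" for bob@example.org
2026-06-28 03:14:08 cwd=/home/webuser/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2026-06-28 03:14:08 1uVXyz-0001Cd-3E <= webuser@srv.example.com U=webuser P=local S=812 T="You won" for v1@example.net v2@example.net v3@example.net
2026-06-28 03:14:09 cwd=/home/webuser/public_html/wp-content/uploads/2024 3 args: /usr/sbin/sendmail -t -i
2026-06-28 03:14:09 1uVXyz-0001Ef-4G <= webuser@srv.example.com U=webuser P=local S=815 T="You won" for v4@example.net v5@example.net
2026-06-28 03:20:01 1uVXzz-0002Gh-5I <= mallory@example.com H=(x) [203.0.113.7] P=esmtpsa A=dovecot_login:mallory@example.com S=1500 T="Urgent" for a@example.org b@example.org c@example.org d@example.org
2026-06-28 03:20:02 1uVXzz-0002Ij-6K <= mallory@example.com H=(y) [203.0.113.99] P=esmtpsa A=dovecot_login:mallory@example.com S=1500 T="Urgent" for e@example.org f@example.org
2026-06-28 03:21:00 1uVXyz-0001Ab-2C => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.1]
2026-06-28 03:21:05 1uVXzz-0002Mn-8O <= root@srv.example.com U=root P=local S=400 T="Cron <root@srv>" for admin@example.com
2026-06-28 03:22:00 1uVY00-0003Pq-9R <= spammer@example.org H=(unknown) [203.0.113.50] P=esmtp S=5000 T="Buy now" for x@example.net y@example.net
"""

# Greedy 'rest' so a subject containing " for " cannot steal the recipient list.
RE_ACCEPT = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*) for (?P<rcpts>.+)$')
RE_CWD = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: ')
RE_AUTH = re.compile(r'\bA=[^:\s]+:(?P<user>\S+)')          # authenticator:login
RE_LOCAL = re.compile(r'\bU=(?P<user>\S+).*\bP=local\b')    # local sendmail submission
RE_IP = re.compile(r'\[(?P<ip>[0-9a-fA-F.:]+)\]')


def attribute(line, pending_cwd):
    """Classify one '<=' line. Returns (source, ip, recipient_count) or None."""
    m = RE_ACCEPT.match(line)
    if not m:
        return None
    rest = m.group('rest')
    rcpts = len(m.group('rcpts').split())
    ip = RE_IP.search(rest)
    ip = ip.group('ip') if ip else None
    auth = RE_AUTH.search(rest)
    if auth:                       # SMTP AUTH: a mailbox (or its stolen password) sent it
        return 'auth:' + auth.group('user'), ip, rcpts
    local = RE_LOCAL.search(rest)
    if local:                      # injected via local sendmail by a system user
        if pending_cwd:            # cwd= logged just before: a script in that directory
            return 'script:' + pending_cwd, None, rcpts
        return 'local:' + local.group('user'), None, rcpts
    # No AUTH and not local: inbound mail for a local domain looks the same as relay,
    # so this bucket is a lead to check against recipient domains, not proof.
    return 'remote:' + (ip or 'unknown'), ip, rcpts


def triage(log_text, max_rcpts=3):
    """Aggregate per source and flag. Returns {'sources': {...}, 'flagged': {...}}."""
    sources = defaultdict(lambda: {'messages': 0, 'recipients': 0, 'ips': set()})
    pending_cwd = None
    for line in log_text.splitlines():
        cwd = RE_CWD.match(line)
        if cwd:
            pending_cwd = cwd.group('cwd')
            continue
        hit = attribute(line, pending_cwd)
        if hit is None:
            continue
        source, ip, rcpts = hit
        if source.startswith(('script:', 'local:')):
            pending_cwd = None     # the cwd= line belonged to this local submission
        entry = sources[source]
        entry['messages'] += 1
        entry['recipients'] += rcpts
        if ip:
            entry['ips'].add(ip)
    flagged = {}
    for source, entry in sources.items():
        reasons = []
        if entry['recipients'] > max_rcpts:            # threshold is an assumption
            reasons.append('%d recipients' % entry['recipients'])
        if len(entry['ips']) > 1:
            reasons.append('authenticated from %d IPs' % len(entry['ips']))
        if source.startswith('script:') and '/uploads' in source:
            reasons.append('mail sent from an uploads directory')
        if source.startswith('remote:'):
            reasons.append('accepted without AUTH from a remote host (relay or inbound?)')
        if reasons:
            flagged[source] = reasons
    return {'sources': dict(sources), 'flagged': flagged}


if __name__ == '__main__':
    for source, reasons in triage(SAMPLE_LOG)['flagged'].items():
        print(source, '->', '; '.join(reasons))
```

Against a real server, run triage(open('/var/log/exim_mainlog').read()) and raise max_rcpts to the account's normal daily volume. The two script messages resolve to the uploads directory only because the cwd= line immediately precedes the submission; on a server without the +arguments selector they fall back to local:webuser, which is still enough to know a website file, not a mailbox, sent them.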

Compromised mailboxes

A stolen mailbox password is one of the most common spam sources. Indicators to check:

  • Unusual login IPs
  • Many SMTP authentications in a short period
  • Sent mail volume far above the account's normal pattern
  • Failed login attempts (brute force or password spraying)
  • Password age
  • Weak passwords
  • Forwarding rules
  • Filters created by the attacker, often to hide bounces and replies from the owner
  • Webmail access logs
  • Mailbox used from many countries within hours

Once a mailbox is confirmed compromised:

  • Reset the password
  • Revoke active sessions
  • Remove suspicious forwards and filters
  • Enable stronger authentication if available
  • Review all devices using the mailbox
  • Limit outbound sending temporarily

Website scripts

Hacked websites often send spam through PHP scripts or vulnerable forms. Check for:

  • Recently modified PHP files
  • Unknown files in uploads directories
  • Suspicious filenames
  • Base64, eval or obfuscated code
  • mail() function usage
  • Contact form abuse
  • Abandoned test scripts
  • Old CMS installations
  • Writable directories
  • Suspicious cron jobs

If mail logs show a script path, investigate that file and the surrounding directory immediately.

WordPress malware

WordPress spam sources often come from outdated plugins, nulled themes, weak admin passwords or uploaded backdoors. Check:

  • wp-content/uploads for PHP files
  • Unknown admin users
  • Recently modified plugin files
  • Nulled themes or plugins
  • Suspicious wp-config.php changes
  • Hidden files
  • Cron events
  • Form plugins
  • SMTP plugins
  • Abandoned staging copies
  • Old backup archives exposed publicly

Cleaning one file is not enough if the entry point remains open.
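The file-level indicators in the two sections above (PHP in uploads, hidden files, obfuscated eval/base64 code, mail() fed from request input, recent modification) can be turned into a first-pass scanner. The following is an added example, not the guide's own tooling and not a substitute for a real malware scanner: build_demo_site() writes constructed sample files (not real malware) into a temporary directory so the scan runs offline, and the signature list and the 7-day "recent" window are assumptions, not a complete ruleset. It also catches PHP tags hidden in non-PHP files such as .ico uploads, a common variant the text does not spell out.

```python
"""Scan a web root for the script-level indicators listed in the guide: PHP in
uploads, hidden PHP files, PHP tags inside non-PHP files, eval/base64 obfuscation,
mail() fed from request input, and recent modification. Added example, not the
guide's own tooling; build_demo_site() writes constructed files (not real malware)
into a temp directory so the scan runs offline. Signatures are an assumption."""
import base64
import os
import re
import tempfile
import time
from pathlib import Path

PHP_EXT = {'.php', '.phtml', '.php5', '.php7', '.phar'}
SIGNATURES = {
    'eval_of_decoded_or_input': re.compile(
        r'eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13'
        r'|\$_(?:POST|GET|REQUEST|COOKIE))', re.I),
    'encoded_payload': re.compile(r'\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    'dynamic_call_on_input': re.compile(r'\$\w+\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)', re.I),
    'mail_from_input': re.compile(r'\bmail\s*\([^;]*\$_(?:POST|GET|REQUEST)', re.I | re.S),
    'long_base64_blob': re.compile(r'[A-Za-z0-9+/]{200,}={0,2}'),
}


def scan_file(path: Path, root: Path, recent_days=7, now=None):
    """Return the list of indicator names that fire for one file (empty if clean)."""
    now = now or time.time()
    rel = path.relative_to(root).as_posix()
    text = path.read_text(errors='replace')
    is_php = path.suffix.lower() in PHP_EXT
    reasons = []
    if is_php and '/uploads/' in '/' + rel:
        reasons.append('php_in_uploads')            # uploads should hold media, not code
    if is_php and path.name.startswith('.'):
        reasons.append('hidden_php_file')
    if not is_php and '<?php' in text:
        reasons.append('php_tag_in_non_php')         # e.g. an .ico or .jpg carrying a backdoor
    if is_php or '<?php' in text:
        reasons += [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if reasons and path.stat().st_mtime > now - recent_days * 86400:
        reasons.append('recently_modified')          # correlate with the first spam in logs
    return reasons


def scan_tree(root, recent_days=7, now=None):
    """Walk root and return {relative_path: [indicators]} for every file that fired."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob('*')):
        if p.is_file():
            hits = scan_file(p, root, recent_days, now)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_demo_site(root):
    """Write constructed sample files (harmless stand-ins, not real malware) under root."""
    root = Path(root)
    files = {
        'index.php': "<?php echo 'hello'; ?>",
        'wp-content/uploads/2024/06/logo.php': "<?php @eval(base64_decode($_POST['c'])); ?>",
        'wp-content/uploads/2024/06/favicon_1a2b.ico': "GIF89a<?php system($_GET['cmd']); ?>",
        'wp-content/plugins/simple-form/send.php':
            "<?php mail($_POST['to'], $_POST['subject'], $_POST['body']); ?>",
        'wp-content/.sys.php': "<?php $f = $_GET['f']; $f($_POST['x']); ?>",
        'wp-content/themes/shop/functions.php':
            "<?php eval(gzinflate(base64_decode('%s'))); ?>"
            % base64.b64encode(b'<?php echo 1; ?>' * 20).decode(),
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    old = time.time() - 30 * 86400                  # theme backdoor "planted" a month ago
    os.utime(root / 'wp-content/themes/shop/functions.php', (old, old))
    return root


def demo():
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_site(tmp))


if __name__ == '__main__':
    for rel, hits in demo().items():
        print(rel, '->', ', '.join(hits))
```

Point scan_tree at a real document root (for example /home/USERNAME/public_html) and read the output as leads, not verdicts: a legitimate plugin can use base64_decode, and a theme backdoor planted weeks ago will not show recently_modified, which is exactly why the functions.php case in the demo is still reported on its content alone.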

Why this matters

Finding the source matters because blacklist delisting only helps after abuse stops. If a compromised mailbox or malware script continues sending, the IP can be re-listed and reputation damage can become worse.

Root-cause cleanup protects email delivery, server reputation, customer trust and hosting account stability.

How to investigate

Use Blacklist Checker to confirm the reputation issue, then investigate the server source.

  1. Sending IP — confirm which IP is listed or rejected.
  2. Mail queue — look for large numbers of queued messages.
  3. Mail logs — identify sender, username, script path or source process.
  4. Authenticated users — check whether a mailbox is sending abnormally.
  5. Local scripts — check whether PHP or website files generated messages.
  6. Website files — look for malware, backdoors or suspicious file changes.
  7. Cron jobs — check scheduled tasks that send mail or run unknown scripts.
  8. DNS and authentication — review SPF, DKIM, DMARC and rDNS after abuse is stopped.

Common problems

Compromised mailbox

Severity: High

A stolen mailbox password is used to send spam through authenticated SMTP.

Next step: Reset the password, remove suspicious rules and review login activity.

PHP spam script

Severity: High

A website file sends spam through the local mail function.

Next step: Identify the script path in mail logs and clean the infected website.

Abused contact form

Severity: Medium

Bots use a form to generate unwanted messages.

Next step: Add CAPTCHA, rate limits, validation and SMTP authentication.

WordPress malware

Severity: High

A plugin, theme or uploaded backdoor sends mail or injects spam links.

Next step: Scan WordPress, remove malware, patch plugins and reset admin passwords.

Mail queue full of spam

Severity: High

Spam remains queued and may continue sending.

Next step: Stop the source first, then inspect and clear the queue carefully.

Suspicious cron job

Severity: High

A scheduled task repeatedly runs a spam or malware script.

Next step: Disable unknown cron jobs and inspect the files they reference.

Open relay or SMTP misconfiguration

Severity: High

The server may allow unauthorized mail relay.

Next step: Review SMTP relay settings and block unauthenticated sending.

Bad bulk campaign

Severity: Medium

A legitimate user sent poor-quality bulk mail that triggered complaints.

Next step: Pause the campaign, clean the lists and use proper marketing infrastructure.

Shared hosting neighbor abuse

Severity: Medium

Another account on the same server or IP may be responsible.

Next step: The provider must identify the account and isolate the source.

How to stop spam

  Step 1: Pause outbound abuse

    Temporarily limit or stop suspicious sending while investigating.

  Step 2: Identify the sending path

    Use mail logs to determine whether mail came from SMTP auth, a local script, cron or a system process.

  Step 3: Secure compromised accounts

    Reset passwords, remove suspicious forwards and review login activity.

  Step 4: Clean infected websites

    Remove malware, patch the CMS, plugins and themes, and delete backdoors.

  Step 5: Check cron jobs

    Remove unknown or suspicious scheduled tasks.

  Step 6: Review the mail queue

    Inspect queued messages and clear spam only after the source is stopped.

  Step 7: Fix authentication and identity

    Review SPF, DKIM, DMARC, rDNS and HELO/EHLO.

  Step 8: Request delisting after cleanup

    Only request removal after abuse has stopped and logs look normal.

  Step 9: Monitor for recurrence

    Watch outbound volume, queue size, login attempts and blacklist status.

Investigation commands

Check Exim queue:
exim -bp

Count queue:
exim -bpc

Search Exim logs for a sender:
grep "user@example.com" /var/log/exim_mainlog

Find mail sent by local scripts:
grep "cwd=" /var/log/exim_mainlog | tail -50

Check recent PHP files:
find /home/USERNAME/public_html -type f -name "*.php" -mtime -7

Find suspicious PHP mail usage:
grep -R "mail(" /home/USERNAME/public_html --include="*.php"

Check user cron jobs:
crontab -u USERNAME -l

Check suspicious files in uploads:
find /home/USERNAME/public_html/wp-content/uploads -type f -name "*.php"

Commands are illustrative. Paths and commands vary by server, control panel and mail system. Review output carefully before deleting files or queue messages.
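Step 6 above says to inspect the queue before clearing it, and on a large queue that means grouping by envelope sender rather than reading exim -bp output by eye. The following is an added example, not code from the original guide or from Exim: it parses a constructed exim -bp transcript (the layout, age, size, ID, <sender>, optional frozen marker and one recipient per line with delivered ones prefixed by D, is Exim's; the IDs and addresses are invented) and produces the ID list you would review with exim -Mvh and only then hand to exim -Mrm.

```python
"""Parse `exim -bp` output, group queued messages by envelope sender, and build the
message-ID list to review (exim -Mvh ID, exim -Mvb ID) and then remove (exim -Mrm)
once the source is stopped. Added example, not part of the guide or of Exim;
SAMPLE_QUEUE is a constructed transcript in the layout exim -bp prints."""
import re
from collections import defaultdict

# Constructed sample output, not from a real server.
SAMPLE_QUEUE = """\
 3m  1.2K 1uVXyz-0001Ab-2C <alice@example.com>
          bob@example.org

25m   812 1uVXyz-0001Cd-3E <webuser@srv.example.com>
        D v1@example.net
          v2@example.net
          v3@example.net

26m   815 1uVXyz-0001Ef-4G <webuser@srv.example.com>
          v4@example.net
          v5@example.net

 2h  1.5K 1uVXzz-0002Gh-5I <> *** frozen ***
          mallory@example.com

 4d   33K 1uVW00-0009Zz-1A <spammer@example.org> *** frozen ***
          x@example.net
          y@example.net
"""

RE_HEADER = re.compile(
    r'^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+(?P<id>\S+) <(?P<sender>[^>]*)>'
    r'(?P<frozen> \*\*\* frozen \*\*\*)?\s*$')
RE_RCPT = re.compile(r'^\s+(?P<done>D )?\s*(?P<addr>\S+@\S+)\s*$')


def parse_queue(text):
    """Return a list of queued messages, each with pending and delivered recipients."""
    msgs, current = [], None
    for line in text.splitlines():
        h = RE_HEADER.match(line)
        if h:
            current = {'id': h.group('id'), 'age': h.group('age'), 'size': h.group('size'),
                       'sender': h.group('sender') or '<>',   # empty sender = bounce message
                       'frozen': h.group('frozen') is not None,
                       'pending': [], 'delivered': []}
            msgs.append(current)
            continue
        r = RE_RCPT.match(line)
        if r and current is not None:
            current['delivered' if r.group('done') else 'pending'].append(r.group('addr'))
    return msgs


def summarize(msgs):
    """Per-sender counts: messages, recipients still pending, frozen messages."""
    by_sender = defaultdict(lambda: {'messages': 0, 'pending_recipients': 0, 'frozen': 0})
    for m in msgs:
        s = by_sender[m['sender']]
        s['messages'] += 1
        s['pending_recipients'] += len(m['pending'])   # what would still go out
        s['frozen'] += int(m['frozen'])                 # frozen bounces hint at a bounce flood
    return dict(by_sender)


def ids_for_sender(msgs, sender):
    """Message IDs queued for one envelope sender, in queue order."""
    return [m['id'] for m in msgs if m['sender'] == sender]


def removal_command(ids):
    """Build, but do not run, the exim -Mrm line; check headers with exim -Mvh first."""
    return 'exim -Mrm ' + ' '.join(ids)


if __name__ == '__main__':
    queue = parse_queue(SAMPLE_QUEUE)
    for sender, s in sorted(summarize(queue).items(),
                            key=lambda kv: kv[1]['pending_recipients'], reverse=True):
        print('%-28s %d msgs, %d pending, %d frozen' %
              (sender, s['messages'], s['pending_recipients'], s['frozen']))
    print(removal_command(ids_for_sender(queue, 'webuser@srv.example.com')))
```

Feed it real output with parse_queue(subprocess.check_output(['exim', '-bp'], text=True)). The sender with the most pending recipients is usually the abuse; the frozen bounce messages from <> are the returned mail the guide calls a bounce flood and are safe to remove once the source is stopped, while alice's single message is legitimate traffic a blanket queue purge would destroy.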

Cleanup checklist

Mail accounts

Secure mailboxes that may have sent abuse.

Reset compromised passwords

Change passwords for affected accounts.

Remove suspicious forwards

Delete attacker-created forwarding rules.

Remove suspicious filters

Check for hidden mail rules.

Review login IPs

Look for unusual access locations.

Check sent volume

Compare normal vs abnormal sending.

Websites

Clean web applications that may generate spam.

Scan files

Look for malware and backdoors.

Patch CMS/plugins/themes

Update vulnerable software.

Remove unknown admin users

Delete unauthorized accounts.

Delete backdoors

Remove malicious uploaded files.

Secure uploads directory

Block PHP execution where possible.

Review contact forms

Add CAPTCHA and rate limits.

Server

Review server-level mail and abuse signals.

Check mail queue

Inspect queued messages.

Check cron jobs

Review scheduled tasks.

Check outbound volume

Watch for unusual spikes.

Check SMTP relay settings

Block unauthorized relay.

Check logs

Preserve evidence during investigation.

Check firewall rules

Review security controls.

DNS and mail identity

Confirm authentication after abuse is stopped.

SPF checked

Verify authorized senders only.

DKIM checked

Confirm signing is enabled.

DMARC checked

Review policy and reports.

rDNS checked

Confirm PTR matches mail identity.

HELO/EHLO checked

Verify server hostname.

Blacklist status checked

Monitor IP and domain listings.

Prevention

After cleanup, reduce the chance of repeat abuse:

  • Enforce strong mailbox passwords
  • Update CMS, plugins and themes
  • Remove abandoned websites
  • Limit PHP mail where possible
  • Use authenticated SMTP for forms
  • Add CAPTCHA and rate limiting
  • Monitor outbound volume
  • Enable malware scanning
  • Restrict cron jobs
  • Review new admin users
  • Keep backups
  • Monitor blacklist status

Prevention is easier than repeated delisting.

Frequently asked questions

How do I know if spam came from a mailbox or website?

Mail logs usually show whether the message was sent by authenticated SMTP or a local script path.

Should I clear the mail queue immediately?

Identify and stop the source first. Otherwise the queue may refill.

Can WordPress cause blacklist problems?

Yes. Hacked WordPress sites, vulnerable plugins or abused forms can send spam or host spam links.

What if the spam came from a shared server?

The hosting provider must identify which account or process caused the abuse.

Can SPF/DKIM/DMARC stop server malware?

No. They help authentication, but malware and compromised accounts must be cleaned separately.

When should I request delisting?

After the spam source is stopped, cleanup is complete and logs show normal sending.

How do I prevent this from happening again?

Secure accounts, patch websites, monitor outbound mail, limit abuse-prone scripts and check reputation regularly.
