If your Plesk server suddenly starts sending large volumes of unwanted emails or your IP gets blacklisted, there’s a good chance that one of your mailboxes or websites has been compromised.

In this guide, you’ll learn exactly how to find and stop a spammer on a Plesk server using both the control panel and the command line.


1. Identify the Symptoms of Spamming

The first sign of a spammer is often unusual server behavior such as:

  • A rapidly growing mail queue

  • High CPU or RAM usage from the mail service

  • Outbound mail rejections or delivery delays

  • Abuse complaints from recipients or RBL listings

Before taking drastic action, confirm that the spam is really coming from your server.


2. Check the Mail Queue in Plesk

Using the GUI

Go to Tools & Settings → Mail Server Settings → Mail Queue.

Here you can see which users or domains are generating the most messages.

Sort by Sender or Count to spot suspicious accounts quickly.

[Figure: Plesk mail queue screen showing a large number of queued messages from a compromised account.]


Using the Command Line

SSH into your server and check the queue directly:

# For Postfix
postqueue -p

# For Qmail
qmail-qstat
qmail-qread

Look for any single sender with hundreds of messages, or for senders at unknown domains.


3. Trace the Spam Source in Mail Logs

Plesk stores detailed mail logs in /var/log/maillog.

To find the top sending users, run:

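# For Postfix: count envelope senders (from=<...>) logged by the queue manager.
# "status=sent" lines carry the recipient (to=<...>), not the sender.
grep "postfix/qmgr" /var/log/maillog | grep -o "from=<[^>]*>" | sort | uniq -c | sort -nr | head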

If you see results like apache@hostname or www-data, the messages are being sent from a PHP script instead of a real mailbox.


4. Detect Spamming PHP Scripts

Check which site or file is sending mail through PHP:

grep "PHP script" /var/log/maillog | grep sendmail | tail -20

A result like

/var/www/vhosts/example.com/httpdocs/wp-content/themes/tmpmail.php

means a web shell or hacked script is responsible. Delete or quarantine it immediately.


5. Find Compromised Mailboxes

Sometimes a legitimate mailbox gets hijacked and used for SMTP spamming.

Run this command to check authentication logs:

grep "auth" /var/log/maillog | grep "sasl_username"

If one address appears excessively, reset that mailbox's password and allow authentication only over TLS.


6. Limit Outgoing Mail in Plesk

Go to Mail → Mail Settings → Outgoing Mail Control and set hourly message limits.

Recommended limits:

  • Per mailbox: 200 messages/hour

  • Per domain: 500 messages/hour

This prevents a single account from flooding the mail queue.


7. Scan for Malware and Infected Files

Use a scanner like ImunifyAV or ClamAV to locate malicious scripts:

clamscan -r /var/www/vhosts/ --infected --remove

Also check for recently modified PHP files:

find /var/www/vhosts/ -type f -mtime -1 -name "*.php"

Delete or isolate any suspicious files found under user directories.


8. Check for Suspicious Cron Jobs

Attackers often schedule scripts to restart spam campaigns automatically.

List cron jobs and search for strange commands (crontab -l shows only the crontab of the user you are logged in as):

crontab -l
grep -r "curl" /etc/cron*

Remove any job that executes unknown PHP or curl commands.


9. Secure and Harden the Server

Once you’ve removed the spam source, lock down your system:

  • Update Plesk and all installed CMSs like WordPress or Joomla.

  • Change every FTP, database, and email password.

  • Enable Fail2Ban jails for mail and Apache.

  • Apply SPF, DKIM, and DMARC DNS records.

  • Disable unused mail accounts or domains.

This prevents reinfection and strengthens overall mail security.


10. Prevent Future Spam Incidents

  • Monitor mail queue and system load regularly.

  • Limit PHP mail() and encourage SMTP authentication.

  • Set up alert scripts for unusual outbound volume.

  • Keep PHP, web apps, and plugins up to date.

  • Run malware scans at least weekly.
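
The mailbox check from step 5 and the "alert scripts" item above, as an added example that is not part of the original guide: a shell function that counts authenticated (SASL) submissions per mailbox per clock hour in Postfix log lines and prints every mailbox over a limit, together with the number of distinct client IPs. The function names, the default limit of 200 (the per-mailbox figure from step 6) and the sample log lines are assumptions made for illustration; it expects traditional syslog timestamps.

```shell
#!/bin/sh
# Added example: flag mailboxes whose authenticated (SASL) submissions in any
# single clock hour exceed a limit. Reads Postfix log lines on stdin.
# Assumes traditional syslog timestamps ("Oct 12 14:03:11 host ...").

sasl_hourly_offenders() {
    limit="${1:-200}"   # default mirrors the guide's per-mailbox hourly limit
    awk -v limit="$limit" '
    /smtpd\[/ && /sasl_username=/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sasl_username=/) { user = substr($i, 15); sub(/,$/, "", user) }
            if ($i ~ /^client=/) {
                ip = substr($i, index($i, "[") + 1)   # client=host[ip],
                sub(/\].*/, "", ip)
            }
        }
        if (user == "") next
        key = $1 " " $2 " " substr($3, 1, 2) ":00" SUBSEP user
        count[key]++
        # Count each client IP once per mailbox-hour: many IPs behind one
        # login can indicate stolen credentials rather than a busy user.
        if (ip != "" && !((key, ip) in seen)) { seen[key, ip] = 1; ips[key]++ }
    }
    END {
        for (key in count) if (count[key] > limit) {
            split(key, part, SUBSEP)
            printf "%s %s messages=%d client_ips=%d\n", part[1], part[2], count[key], ips[key]
        }
    }' | sort
}

# Constructed sample lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
Oct 12 14:01:02 mail postfix/smtpd[2101]: 3A1F0C01: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Oct 12 14:01:09 mail postfix/smtpd[2101]: 3A1F0C02: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Oct 12 14:07:44 mail postfix/smtpd[2107]: 3A1F0C03: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=info@example.com
Oct 12 14:09:30 mail postfix/smtpd[2110]: 3A1F0C04: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=info@example.com
Oct 12 14:15:00 mail postfix/smtpd[2111]: 3A1F0C05: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.net
Oct 12 14:15:01 mail postfix/qmgr[900]: 3A1F0C05: from=<bob@example.net>, size=1204, nrcpt=1 (queue active)
Oct 12 15:02:00 mail postfix/smtpd[2120]: 3A1F0C06: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
EOF
}

# Demo with a low limit so the constructed sample trips it.
sample_log | sasl_hourly_offenders 3
# → Oct 12 14:00 info@example.com messages=4 client_ips=3
```

Run from cron against the live log (sasl_hourly_offenders < /var/log/maillog) and send yourself any non-empty output.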


Conclusion

Finding a spammer on a Plesk server takes patience and a methodical approach.

Check your mail logs, trace the sender, scan for infected scripts, and lock down compromised accounts.

Once you’ve cleaned up, set proper limits and monitoring to prevent it from happening again.

If you need help tracking persistent spam or blacklist issues, iServerSupport can clean, secure, and restore your Plesk mail server fast.