URGENT: Server Compromised - Massive SMTP Spam Activity

Server Details:

  • IP: XXX.XXX.XXX.XXX (hidden for security)
  • Hostname: [REDACTED].contaboserver.net
  • Panel: CyberPanel
  • Issue: High volume SMTP traffic causing ISP warnings

Problem Description

I received a warning from my hosting provider (Contabo) about unusually high SMTP traffic on port 25. The server is sending massive amounts of spam emails, and I’m about to hit the daily limit, which will result in port blocking.

Current Status

Mail Queue Analysis:

  • 99 emails stuck in queue
  • All emails originating from: wwwuser@[REDACTED].contaboserver.net
  • Multiple delivery failures due to IP reputation issues

Common Error Messages:

554-Bad DNS PTR resource record
554 IP=XXX.XXX.XXX.XXX - None/bad reputation
452-4.2.2 The recipient's inbox is out of storage space
450 4.7.1 Recipient address rejected: Service temporarily unavailable

Sample Queue Output:

mailq shows 99 requests totaling 101 Kbytes
All emails from wwwuser@[hostname].contaboserver.net to various Gmail, GMX, Web.de addresses
Many emails bouncing due to bad IP reputation

What I’ve Done So Far

  1. ✅ Identified the issue through mailq command
  2. ✅ Confirmed high SMTP traffic via netstat
  3. ✅ Checked Postfix status (running normally)
  4. ⏳ Need to investigate website compromise

Questions for the Community

  1. How can I identify which website/script is sending these emails?
  2. What’s the best way to trace the source in CyberPanel?
  3. Should I immediately disable SMTP or investigate first?
  4. How can I clean up the mail queue safely?
  5. What security measures should I implement to prevent this?

Immediate Actions Needed

  • Identify compromised website/script
  • Clean mail queue
  • Secure the vulnerability
  • Restore IP reputation
  • Implement monitoring

Technical Environment

  • OS: Ubuntu (assumed)
  • Web Server: LiteSpeed (via CyberPanel)
  • Mail Server: Postfix
  • PHP: Multiple versions
  • Websites: Multiple domains hosted

Has anyone experienced similar issues with CyberPanel? What’s the recommended approach for:

  1. Tracing email origins in CyberPanel logs?
  2. Identifying compromised PHP scripts?
  3. Cleaning up after a spam incident?

Any help would be greatly appreciated as this is affecting my server’s reputation and could lead to service suspension.

Update: Will provide more details as I investigate further.


Priority: URGENT - Server reputation at risk
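The post's first and fourth questions (which sender is behind the queued mail, and how to clean the queue without dropping legitimate messages) can be answered from the `mailq` listing the poster already has. The script below is an added example, not code from the post or from CyberPanel: it parses the text layout that Postfix's `mailq` (`postqueue -p`) prints, groups queued messages by sender, recipient domain and SMTP deferral code, and returns the queue IDs that belong to a single sender so only those are removed. The queue listing embedded in it is constructed sample data; the queue IDs, the `host.contaboserver.net` hostname, the `mx.example.test` relay and the addresses are placeholders.

```python
"""Triage a Postfix `mailq` listing: who is sending, where to, and why it bounces.

Added example (not from the forum post). The SAMPLE_MAILQ text is CONSTRUCTED
in the real `mailq` layout; hostnames, queue IDs and addresses are placeholders.
"""
import re
import sys
from collections import Counter

SAMPLE_MAILQ = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     1024 Tue Jun  3 10:15:01  wwwuser@host.contaboserver.net
                                         target1@gmail.com

F6A7B8C9D0      1011 Tue Jun  3 10:16:22  wwwuser@host.contaboserver.net
(host mx.example.test[203.0.113.10] said: 554-Bad DNS PTR resource record 554 IP=203.0.113.5 - None/bad reputation)
                                         target2@gmx.de

0A1B2C3D4E      1008 Tue Jun  3 10:17:45  wwwuser@host.contaboserver.net
(host mx.example.test[203.0.113.10] said: 450 4.7.1 Recipient address rejected: Service temporarily unavailable)
                                         target3@web.de

9F8E7D6C5B       980 Tue Jun  3 10:20:00  admin@legit-site.test
                                         customer@gmail.com

-- 4 Kbytes in 4 Requests.
"""

# First line of each queue entry: queue id, optional '*' (active) or '!' (hold),
# size in bytes, arrival time, envelope sender.
QUEUE_LINE = re.compile(
    r"^(?P<qid>[0-9A-F]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)
# Three-digit SMTP reply code followed by a space or the '-' of a multi-line reply.
SMTP_CODE = re.compile(r"\b([245]\d\d)[ -]")


def parse_mailq(text):
    """Return one dict per queued message: qid, active, size, sender, recipients, reason."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith("--"):           # footer: "-- N Kbytes in M Requests."
            break
        m = QUEUE_LINE.match(line)
        if m:
            current = {"qid": m["qid"], "active": m["flag"] == "*",
                       "size": int(m["size"]), "sender": m["sender"].lower(),
                       "recipients": [], "reason": None}
            entries.append(current)
        elif current is None:               # column header line
            continue
        elif line.lstrip().startswith("("):  # "(host ... said: 554 ...)" deferral reason
            current["reason"] = line.strip().strip("()")
        elif line.strip():                  # indented recipient address
            current["recipients"].append(line.strip().lower())
    return entries


def summarise(entries):
    """Counters of senders, recipient domains and SMTP deferral codes."""
    senders = Counter(e["sender"] for e in entries)
    domains = Counter(r.split("@")[-1] for e in entries for r in e["recipients"])
    codes = Counter()
    for e in entries:
        if e["reason"]:
            m = SMTP_CODE.search(e["reason"])
            codes[m.group(1) if m else "unknown"] += 1
    return {"senders": senders, "recipient_domains": domains, "smtp_codes": codes}


def queue_ids_for_sender(entries, sender):
    """Queue IDs of one sender only, suitable for `postsuper -d -` on stdin."""
    return [e["qid"] for e in entries if e["sender"] == sender.lower()]


if __name__ == "__main__":
    # Usage: `mailq | python3 mailq_triage.py -`; with no argument the sample is used.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_MAILQ
    entries = parse_mailq(data)
    report = summarise(entries)
    print("queued messages:", len(entries))
    for label in ("senders", "recipient_domains", "smtp_codes"):
        print(label, dict(report[label].most_common()))
    top_sender = report["senders"].most_common(1)[0][0]
    print("queue ids for", top_sender, ":", " ".join(queue_ids_for_sender(entries, top_sender)))
```

Pipe the live listing in with `mailq | python3 mailq_triage.py -`. The per-sender queue ID list is the safe answer to the cleanup question: `postsuper -d -` reads queue IDs from standard input, so only the spam sender's messages are dropped and mail from other sites on the box (the `admin@legit-site.test` entry in the sample) is left alone; `postsuper -h` on the same IDs holds them instead if you want to inspect first. To get from the sender account to the script, `postcat -q QUEUEID` prints a queued message with its headers, and setting `mail.add_x_header = On` in the PHP configuration makes PHP's `mail()` add an `X-PHP-Originating-Script` header naming the script and user that sent each message, which is the usual way to pin down which site is responsible.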