Follow these steps to check if emails are being send from a compromised account. If there are too many emails send from specific email id its compromised:
zgrep 'sasl_method=LOGIN' /usr/local/psa/var/log/maillog* | awk '{print $9}' | sort | uniq -c | sort -nr | head
981476 [email protected]
Here test@cpanelpleskcom is compromised so change its password immediately and we can clear queue using the below command:
postsuper -d ALL
To view mail ids of email run following command:
postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'
To Find total no of emails in queue when using qmail run:
mailq | tail -n 1
Find total no of emails in queue when using Postfix:
postqueue -p|egrep "[A-F0-9]{11}"|awk '{print $1}'|wc -l
To list all message in queue for Postfix mail server
postqueue -p
If the email are sending from php script, you can get the script from its ID using the below command:
postcat -q 679E745AC97E
From that we can find the script.
X-PHP-Originating-Script: 33:spam.php
Here the script is spam.php we can verify it by accessing access log
/var/www/vhosts/domain.com/logs/access_log