
Server being used to send spam

Hi Experts,

It's been reported that our web server has been sending out spam. On checking the logs I can see that a considerable number of emails have been sent using the MailEnable SMTP service.
On looking at the logs, the emails being sent are coming from which is an allowed relay address so that our websites can send out mail.

Is there any way that I can trace or detect what is sending out the email? I've run a couple of virus scanners and Malwarebytes and so far nothing has detected anything that shouldn't be there.

So far I've not seen a pattern in when the emails are sent, so any suggestions on how I could possibly detect when there is a sudden increase of outgoing messages?

How many computers are in your network? We use Packet Shaper to trace usage, but if you had that, you would have already used it.

If you do not have too many computers, just go to each, open a command line, run netstat -b and find out what apps are using which port. I think you will find some very strange usage on the infected computer on ports 25 or 587, maybe others.

Good luck!
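The netstat -b approach above, carried a step further as an added example (this is not code from the thread or from MailEnable): on a single dedicated server the spam is being handed to the local SMTP service by some process on the same box, so the question is which process owns the connections to port 25 or 587. The script below uses Get-NetTCPConnection (Windows Server 2012 and later; older servers would use netstat -bno) to map every such connection to its owning process and warn when one process holds an unusual number of SMTP sessions. The process name used to exclude MailEnable's own outbound delivery (MESMTPC) and the warning threshold are assumptions and should be checked against the actual install.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows Server 2012+ (Get-NetTCPConnection available).

$SmtpPorts         = 25, 587, 465   # submission ports a spam sender is likely to use
$Threshold         = 20             # assumed: SMTP sessions per process worth a warning
$MailServerProcess = 'MESMTPC'      # assumed name of MailEnable's SMTP connector process

# Every TCP connection whose *remote* port is an SMTP port. Because the allowed
# relay address is local, a process on the server talking to MailEnable on
# localhost:25 shows up here with RemoteAddress 127.0.0.1 (or the server's own IP).
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SmtpPorts -contains $_.RemotePort }

# One row per owning process: name, image path, session count, remote addresses.
$report = $conns |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            PID         = [int]$_.Name
            Process     = $proc.ProcessName
            Path        = $proc.Path       # empty for system processes or if access is denied
            Connections = $_.Count
            Remotes     = ($_.Group | Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
        }
    } |
    Sort-Object Connections -Descending

$report | Format-Table -AutoSize

# Anything that is not the mail server itself yet holds many SMTP sessions is
# the first thing to inspect (image path, parent process, service registration).
foreach ($row in $report) {
    if ($row.Connections -ge $Threshold -and $row.Process -ne $MailServerProcess) {
        Write-Warning ("PID {0} ({1}) holds {2} SMTP connections - inspect {3}" -f `
            $row.PID, $row.Process, $row.Connections, $row.Path)
    }
}
```

Because the original poster saw no pattern in when the mail goes out, this is most useful run every few minutes from Task Scheduler with the output appended to a log file; the warning lines then give a timestamped record of which process was active during a burst, which a one-off netstat run at a quiet moment would miss.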


Hi, thanks for the reply. The server is a dedicated web server, so there are no other computers connected to it via the network.

I will try the netstat approach and look into Packet Shaper.

I experienced the same problem on my server a few years ago.
Someone installed a "hidden" service that sent spam mails.
To avoid it I took many actions, like the following:
1) reinstalled the server (I wanted to be sure that the system was clean)
2) installed all security patches
3) changed my firewall rules to restrict traffic to only known IPs and ports (web server: only HTTP, HTTPS, and so on...)
4) followed an internet guide to harden my system (rename the admin user, use a 12-character strong password, disable unused services, and so on...)

Good luck!
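Step 3 of the list above (restricting the firewall to known ports), worked through as an added example for a Windows web server running MailEnable; this is not the answerer's configuration or anything from MailEnable's documentation. The point it shows is that Windows Firewall evaluates block rules before allow rules, so "block SMTP for everyone except the mail server" cannot be expressed as one block rule plus one allow rule: the outbound default for the profile has to be set to Block and each legitimate outbound flow allowed explicitly, with outbound SMTP allowed only for the mail connector's own executable. The connector path below is an assumption to be replaced with the real service binary, and the rules should be reviewed on a test system first because a default outbound deny also stops any other outbound traffic (update services, external APIs the websites call) that has no allow rule.

```powershell
# Added example, not from the original thread. Assumes Windows Firewall with
# Advanced Security (Server 2012+) and an elevated PowerShell session.

# Assumed location of MailEnable's SMTP connector; verify on the actual server.
$MailConnector = 'C:\Program Files (x86)\Mail Enable\Bin\MESMTPC.exe'

# 1. Default-deny outbound. Inbound stays as configured (HTTP/HTTPS/RDP inbound
#    rules are unaffected; replies to inbound connections are stateful).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow the outbound flows a web server genuinely needs.
New-NetFirewallRule -DisplayName 'Allow outbound DNS' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -Profile Any
New-NetFirewallRule -DisplayName 'Allow outbound DNS (TCP)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 53 -Profile Any
New-NetFirewallRule -DisplayName 'Allow outbound HTTP/HTTPS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 -Profile Any

# 3. Outbound SMTP only for the mail connector's executable. Any other process
#    on the box that tries to deliver mail directly to remote port 25/587 now
#    hits the outbound default and is dropped.
New-NetFirewallRule -DisplayName 'Allow outbound SMTP - mail connector only' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 25,587 `
    -Program $MailConnector -Profile Any

# 4. Log dropped packets so a blocked spam attempt leaves a trace to investigate.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Review what was created before relying on it.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Where-Object { $_.DisplayName -like 'Allow outbound*' } |
    Format-Table DisplayName, Action, Profile -AutoSize
```

Note that this only constrains processes that connect to remote SMTP ports themselves. A process that hands mail to the local MailEnable service over the allowed relay address still gets its mail delivered, so the relay allow-list in MailEnable (and the IIS application pools that may be submitting mail) has to be tightened alongside the firewall rules.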

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.