how to know the spam source

Hello,

 Is there any way to know which site sending spam email in the server, i have scanned the server many times, how to know the source of the spam ?

The non privacy invasive way to check is to look in the email header of the spam email, if it was sent using PHP.
But I would assume you don't have a copy of the message, you would have to manually go into the vmail folder and check the correct mailbox in the sent folder, but only if this was not sent using a script...

Also, what are you "scanning"?
/var/log/maillog ?

Can you paste the logs of when a spam happened?

Hello,

 Is there any way to know which site sending spam email in the server, i have scanned the server many times, how to know the source of the spam ?

How did you conclude that there is mail spam on your server?
What log files?

The datacenter,

 and the mail Queue i found a thousand of emails

The non privacy invasive way to check is to look in the email header of the spam email, if it was sent using PHP.
But I would assume you don't have a copy of the message, you would have to manually go into the vmail folder and check the correct mailbox in the sent folder, but only if this was not sent using a script...

Also, what are you "scanning"?
/var/log/maillog ?

Can you paste the logs of when a spam happened?

okay that if not was sent via php script, what if it was ? what should i do beside scanning the server? 

i am scanning with "maldet " and it should be fine now because the spam email stopped.

which log you need.

Thanks you for helping..

If the datacenter was forced to tell you about it themselves, then your IP has its reputation already destroyed and blacklisted many places. You need to fix it fast before the damage is hard to revert. Some email providers simply completely block sending your mails to them. Happened to me once with Outlook. They rejected all my emails and had to go through a lengthy process to whitelist me again after I corrected my server's configuration. Good thing that the IP was only blacklisted with them, no place else.

First of all, check your /var/log/maillog
Paste it here: https://pastebin.com/
Change Paste Exposure to "Unlisted", Create new paste and post here the link.

Notice: Everything is in the log. IP addresses, email addresses, and maybe other sensitive data. If it's ok for you, then share the link here. If not, then just PM it to me if you like

simple info:
http://wiki.centos-webpanel.com/tracking-php-script-spam
http://wiki.centos-webpanel.com/track-spam-infected-scripts
there are also other instruction related to mail on the same page

simple info:
http://wiki.centos-webpanel.com/tracking-php-script-spam
http://wiki.centos-webpanel.com/track-spam-infected-scripts
there are also other instruction related to mail on the same page

/usr/local/apache/logs/phpmail.log

That is the key man, thank you so much..

simple info:
http://wiki.centos-webpanel.com/tracking-php-script-spam
http://wiki.centos-webpanel.com/track-spam-infected-scripts
there are also other instruction related to mail on the same page

/usr/local/apache/logs/phpmail.log

That is the key man, thank you so much..

So, it was a php script?

Make sure "mail" in php is disabled to avoid such problem in the future.

Check "disable_functions = mail"
PHP-FPM- /opt/alt/php-fpm**/usr/php/php.ini
PHP-CGI- /opt/alt/php**/usr/php/php.ini
PHP-Main- /usr/local/php/php.ini

Hi,
and where is phpmail.log located if I'm using apache + nginx.
In that case papmail.log located in /usr/local/apache/logs/phpmail.log is empty.
Thank you

if you check the wiki links you will see the location of the file. If the file is empty then maybe you didn't sent emails over php.
This is a PHP log so it not related to webservers like apache/nginx.