My ISP Config 3 maybe got hacked ...

Discussion in 'General' started by leiw, Jun 21, 2016.

  1. leiw

    leiw Member

    Hello,
    Version: 3.0.5.4p5
    Our ISPConfig 3 can't send out email. I checked mail.log and it has a lot of email sent from one of our customer domains, but this domain has no email addresses hosted on this server ..... and its MX record is hosted by Namecheap.
    I then used MXtools to check which RBL it is blacklisted on; it is Protected Sky.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Sounds as if a website got hacked and the spammers send out emails through this website now, that's quite common and not ISPConfig related. Scan the directory that contains all websites (most likely /var/www) with a malware scanner, you can e.g. use the free trial from ISPProtect for that: https://ispprotect.com/

    You can also check the headers of the emails that are still stuck in the outgoing queue to find out how the mails are sent and if they are sent from a website, then the headers might contain the name of the PHP script.
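    As an added example (not code from the thread, from ISPConfig or from Postfix), here is a POSIX shell helper for the second suggestion: reading the headers of the queued messages to see which PHP script and which system user injected them, and listing the queue IDs that belong to one sender domain. The queue dump below is constructed to resemble `postcat -q` output; the queue IDs, uid values, host and domain names are made up, and `live_queue_dump` is only meant to be run on a real Postfix server.

```shell
# Constructed sample resembling `postcat -q <queue-id>` output for three
# queued messages (IDs, uids, hosts and domains are made up).
SAMPLE_QUEUE_DUMP='*** ENVELOPE RECORDS deferred/1A2B3C4D5E ***
sender: news@customer-domain.invalid
*** MESSAGE CONTENTS deferred/1A2B3C4D5E ***
Received: by srv1.example.invalid (Postfix, from userid 5010)
X-PHP-Originating-Script: 5010:start94.php
From: news@customer-domain.invalid
Subject: offer
*** ENVELOPE RECORDS deferred/2B3C4D5E6F ***
sender: news@customer-domain.invalid
*** MESSAGE CONTENTS deferred/2B3C4D5E6F ***
Received: by srv1.example.invalid (Postfix, from userid 5010)
X-PHP-Originating-Script: 5010:start94.php
From: news@customer-domain.invalid
Subject: offer
*** ENVELOPE RECORDS deferred/3C4D5E6F70 ***
sender: news@customer-domain.invalid
*** MESSAGE CONTENTS deferred/3C4D5E6F70 ***
Received: by srv1.example.invalid (Postfix, from userid 5014)
X-PHP-Originating-Script: 5014:bws_update.php
From: news@customer-domain.invalid
Subject: offer'

# Messages per originating PHP script. The header only exists when php.ini
# has mail.add_x_header=On. Reads a queue dump on stdin, prints "count<TAB>script".
originating_scripts() {
    grep -i '^X-PHP-Originating-Script:' \
      | sed 's/^[^:]*:[[:space:]]*//' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "%s\t%s\n", $1, $2 }'
}

# Messages per injecting unix uid, taken from the local "Received:" line.
# Works even without the PHP header; map the uid to a site with
# `getent passwd <uid>` (on ISPConfig the user is named after the site, e.g. web9).
originating_uids() {
    sed -n 's/^Received: .*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "%s\t%s\n", $1, $2 }'
}

# Queue IDs of messages whose envelope sender is in the given domain, one per
# line, in the form `postsuper -d -` accepts on stdin.
queue_ids_for_sender() {
    awk -v dom="$1" '
      /^\*\*\* ENVELOPE RECORDS / { split($4, p, "/"); id = p[2] }
      /^sender: / && index($2, "@" dom) > 0 { print id }
    '
}

# On a real server: dump every queued message (needs root and the Postfix tools).
# Usage: live_queue_dump | originating_scripts
live_queue_dump() {
    postqueue -p \
      | awk '$1 !~ /^-/ && $2 ~ /^[0-9]+$/ { id = $1; sub(/[*!]$/, "", id); print id }' \
      | while read -r id; do postcat -q "$id"; done
}
```

    Once the injecting script and site are known and cleaned, the spam does not stop by itself: messages Postfix already accepted stay in the queue, which is exactly what this thread ran into later. `queue_ids_for_sender customer-domain.invalid | postsuper -d -` removes only those messages, and `postsuper -d ALL deferred` empties the deferred queue entirely (keep a `postcat -q` copy first if the headers are needed as evidence). Afterwards make sure `mail.add_x_header = On` is set in php.ini so the next incident carries the script name in every message.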
     
  3. leiw

    leiw Member

    I know the domain of the email address. Does this domain contain malware?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely yes. But you should do what I suggested above to find out if that's the case.
     
  5. leiw

    leiw Member

    Yes, I am using the trial web scan on this domain.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You should use the scan for the complete /var/www directory, not just this domain. It can be that another website on the same server has been hacked and this domain name is just used to send out the emails, so scanning just one domain doesn't make much sense.
     
  7. leiw

    leiw Member

    OK, I am using the downloaded trial version to scan now.
     
  8. leiw

    leiw Member

    After scanning, it detected that this domain has 14 malware files. Now I have disabled this domain's website / FTP / database accounts first.
     
  9. leiw

    leiw Member

    But it is still sending spam email, what can I do? Delete all files from this domain?
     
  10. leiw

    leiw Member

    All files have been deleted from this domain, but the spam emails are still being sent ...
     
  11. leiw

    leiw Member

    Malware files quarantined:
    /var/www/clients/client10/web9/web/wp-admin/ms-admin.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-admin/nav-menus.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-admin/user/user-edit.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-content/languages/plugins/error88.php {ISPP}suspect.crypted.globals
    /var/www/clients/client10/web9/web/wp-content/plugins/disable-comments/languages/general.php {HEX}php.base64.v23au.185
    /var/www/clients/client10/web9/web/wp-content/themes/dt-nimble/phpini.php {ISPP}suspect.upload.insecure
    /var/www/clients/client10/web9/web/wp-content/themes/naturo-lite/no-results.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-content/uploads/2016/start94.php {ISPP}suspect.crypted.globals
    /var/www/clients/client10/web9/web/wp-includes/certificates/user97.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-includes/js/jquery/page50.php {ISPP}suspect.globals.eval
    /var/www/clients/client10/web9/web/wp-includes/js/tinymce/langs/page.php {ISPP}suspect.crypted.globals
    /var/www/clients/client14/web12/web/wp-content/plugins/google-captcha-pro/bws_update.php {ISPP}suspect.eval.base64
    /var/www/clients/client14/web12/web/wp-content/plugins/google-captcha-pro/captcha_for_cf7.php {ISPP}suspect.eval.base64
    /var/www/clients/client14/web12/web/wp-content/plugins/google-captcha-pro/google-captcha-pro.php {ISPP}suspect.eval.base64
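    As an added example (not from the thread, from ISPConfig or from ISPProtect), here is a POSIX shell script with two quick checks that catch the classes of file in the list above without a commercial scanner: PHP files sitting in directories that should only hold uploads, translations, JavaScript or certificates, and PHP files whose content pairs eval() with $GLOBALS or base64_decode() or calls move_uploaded_file(), which is what the suspect.globals.eval, suspect.eval.base64 and suspect.upload.insecure tags describe. The directory layout and file contents produced by `make_fixture` are constructed for this example; on a real server run the two `find_*` functions against /var/www.

```shell
# PHP files living where only static content belongs. The directory names are
# the ones the quarantine list above points at (uploads, languages, js,
# certificates); extend the list for your own layout.
find_php_in_static_dirs() {
    find "$1" -type f -name '*.php' \
      \( -path '*/wp-content/uploads/*' -o -path '*/languages/*' \
         -o -path '*/wp-includes/js/*' -o -path '*/wp-includes/certificates/*' \) \
      | sort
}

# PHP files whose source combines eval() with $GLOBALS or base64_decode() on
# one line, or calls move_uploaded_file(). Coarse, single-line matching only.
find_suspect_php() {
    find "$1" -type f -name '*.php' \
      -exec grep -lE 'eval[[:space:]]*\(.*(\$GLOBALS|base64_decode)|move_uploaded_file[[:space:]]*\(' {} + \
      | sort
}

# Constructed fixture: a tiny WordPress-like tree with three files that trip
# the checks (none of them does anything harmful) and two clean files.
# Prints the directory it created.
make_fixture() {
    fixture_dir=$(mktemp -d)
    mkdir -p "$fixture_dir/wp-content/uploads/2016" \
             "$fixture_dir/wp-includes/js/jquery" \
             "$fixture_dir/wp-content/themes/demo"
    printf '<?php eval($GLOBALS["no_such_key"]);\n' \
        > "$fixture_dir/wp-content/uploads/2016/start94.php"
    printf '<?php eval(base64_decode("Cg=="));\n' \
        > "$fixture_dir/wp-includes/js/jquery/page50.php"
    printf '<?php move_uploaded_file("", "");\n' \
        > "$fixture_dir/wp-content/themes/demo/phpini.php"
    printf '<?php echo "hello";\n' > "$fixture_dir/index.php"
    printf 'body { color: #000; }\n' > "$fixture_dir/wp-includes/js/jquery/style.css"
    printf '%s\n' "$fixture_dir"
}

# Usage on a real server (as root):
#   find_php_in_static_dirs /var/www
#   find_suspect_php /var/www
```

    A one-line regex is a filter for things to review, not a verdict: obfuscated code spread over several lines or built from variable function names slips past it, and a legitimate plugin can trip it. It also cannot see modified core files: ms-admin.php, nav-menus.php and user-edit.php in the list above are genuine WordPress files that were altered in place, which only a comparison against a pristine copy of the same WordPress version (or `wp core verify-checksums`, if WP-CLI is installed) will reveal.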
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

  13. leiw

    leiw Member

    After deleting all emails from mailq, no spam email is sent out any more. Now I have to get the IP address released from the RBL, thanks!!
     
