Article ID: 766, created on Jan 21, 2009, last review on Jun 17, 2016

  • Applies to:
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux


First, check that all domains have the option "Mail to non-existing user" set to "reject" and not to "forward." You can change this setting for all domains using "Group Operations" in the "Domains" tab in the Control Panel.

The option "Reject mail to nonexistent user" has been available since Plesk 7.5.3.

Also, check that all the IP addresses and networks in the white lists are reliable and familiar to you.

Check how many messages are in the queue with qmail:

# /var/qmail/bin/qmail-qstat
messages in queue: 27645
messages in queue but not yet preprocessed: 82

If the queue has too many messages, try discovering the spam's source.

If mail is being sent by an authorized user and not from a PHP script, you can run the command below to find the user who has sent the most messages (available since Plesk 8.x). Please note you must have "SMTP authorization" activated on the server to see these records:

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk '{print $11}' |sort |uniq -c |sort -n

The path to "maillog" may differ depending on the operating system you are using.

The next step is using qmail-qread, which can be used to read the message headers:

# /var/qmail/bin/qmail-qread
18 Jul 2005 15:03:07 GMT #2996948 9073 <> bouncing
done remote
done remote
done remote

This shows the senders and recipients of messages. If a message contains many recipients, it is probably spam. Now, try finding this message in the queue using its ID (#2996948 in our example):

# find /var/qmail/queue/mess/ -name 2996948

Examine the message and find the line "Received" to determine from where and how it was sent the first time. For example, if you find the following ...

Received: (qmail 19514 invoked by uid 10003); 13 Sep 2005 17:48:22 +0700

... this means the message was sent via a CGI script by a user with UID 10003. Using this UID, it is possible to find the domain:

# grep 10003 /etc/passwd

If the "Received" line contains a UID of the user "apache" (for example, invoked by UID 48), this means spam was sent through a PHP script. In this case, you can try finding the spammer using information from the spam email (from/to address or any other information).

It is usually very difficult to discover the source of spam. If you are absolutely sure a script is sending the spam (because the tail grows rapidly for no apparent reason), you can use the following script to determine which PHP scripts currently are running:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

You can also apply the solution from another Knowledgebase article, which describes the procedure of discovering which domains are sending mail through PHP scripts.

Lines in the "Received" section like below ...

Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700
Received: from (

... mean the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user.

IMPORTANT: Learn how to recreate the queue in qmail

Search Words


mail queue ful with spams

cannot send and receive email

email server very slow

server send mail to spam

server send mail spam


Mail Queue stuck and many spam messages

attachment won't send

spam abuse

spam email

outgoing spam


Remote host said: 550-5.7.1

flooded mail queue

postfix spam

mail enable open relay

qmail is not prepocessing mails

mail message is bounced

spam attack

a914db3fdc7a53ddcfd1b2db8f5a1b9c 56797cefb1efc9130f7c48a7d1db0f0c 29d1e90fd304f01e6420fbe60f66f838 aea4cd7bfd353ad7a1341a257ad4724a 0a53c5a9ca65a74d37ef5c5eaeb55d7f 01bc4c8cf5b7f01f815a7ada004154a2 caea8340e2d186a540518d08602aa065 e0aff7830fa22f92062ee4db78133079

Email subscription for changes to this article
Save as PDF