My Website Is Sending Spam Email: How to Find and Stop It

By · Updated · 6 min read

If your website is sending spam email, an attacker has almost certainly planted a PHP mailer script on your server, or hijacked one of your contact forms, and is pumping out thousands of messages under your domain's name. The fix is to find the sending script, remove it along with the backdoor that put it there, and then work your domain and server IP off the email blacklists you landed on while it ran.

This one tends to announce itself loudly. Your inbox fills with bounce messages for mail you never sent. Your host emails a warning about "outbound spam from your account," or just suspends mail without asking. Customers mention your invoices are going to their junk folder. By the time you notice, the damage to your sending reputation is already underway, so this is worth treating as urgent.

How spammers use your site to send mail

The usual tool is a mailer script: a single PHP file uploaded through some hole in your site, often sitting in wp-content/uploads where nobody expects executable code. The attacker sends it instructions over the web, a list of addresses and a message, and it churns out mail using your server's mail function. Your server, your IP, your reputation, their spam.

The second route is a contact or comment form that got hijacked. Forms with exploitable plugins, or forms that let a sender control headers, can be scripted into remailers. And occasionally it isn't a script at all: the attacker stole your actual email password, or an SMTP credential stored in a plugin's settings, and is sending through your account directly. Each version leaves different fingerprints, which is why a little diagnosis beats guessing.

Finding the thing that's sending

Bounce messages are evidence, so stop deleting them for a moment and open a few. The headers of the bounced original often show which script sent it. Many servers stamp outgoing PHP mail with a header like X-PHP-Script naming the exact file and path. When you see X-PHP-Script: yourdomain.com/wp-content/uploads/2019/03/cache.php, you've found your mailer, and I promise there's no legitimate reason for a PHP file to live there.

If you have cPanel or similar, look at the mail queue and the delivery logs (Track Delivery does this on cPanel). You're looking for the volume pattern, when it started, and the script or account doing the sending. On one cleanup, the queue held eleven thousand unsent messages advertising loans; the timestamps started the same hour a stale plugin was exploited, which made the entry-point question easy.

Hosts can usually tell you too. If your host flagged the spam, ask support for the path of the sending script. They generally know and will happily share, since they want it gone as much as you do.

Cleaning it up

Removal follows the same discipline as any hack cleanup, and I'd point you to my indicators checklist for the full evidence-first routine. In short: snapshot files, database, and logs before changing anything. Delete the mailer script, but don't stop there, because mailers get planted alongside backdoors, and a backdoor means a new mailer next week. Check for other PHP files in uploads, plugins you didn't install, and modified core files. Then close the entry point: update everything, rotate your WordPress, hosting, FTP, database, and email passwords, and check your forms plugin against known vulnerabilities.

If the spam went out through a stolen mailbox password rather than a script, rotating that password stops it immediately, and you should turn on two-factor authentication for the mail account while you're in there.

Two settings worth changing after cleanup: block PHP execution inside wp-content/uploads (a few lines in .htaccess do it), and set up SPF and DKIM records if you never have, so receiving servers can tell your real mail from forged mail. Neither prevents a break-in, but both shrink what a spammer can do with one.

Getting off the email blacklists

Here's the part people underestimate. A few hours of outbound spam can put your server's IP or your domain on blacklists like Spamhaus, SORBS, SpamCop, and Barracuda, and once listed, your legitimate mail starts bouncing or landing in junk folders. The listings do not clear themselves just because you cleaned the site; most want the spam stopped and then a delisting request.

Start by finding out where you're listed. My free blacklist checker tests your domain against the major lists in one pass. Then work through delisting one list at a time; I keep step-by-step pages for the big ones, including Spamhaus and SORBS. Be honest in the requests: say the site was compromised, the script was removed on this date, and the hole was closed. Delisting teams read these all day and reward specifics.

One caution for shared hosting: if the spam came from another customer on your shared IP, or your host's IP range has a bad history, your delisting requests can only do so much. That's a conversation with your host about a cleaner IP, and occasionally a reason to move.

WordPress-specific places to check

A few spots deserve special attention on WordPress sites. If you use an SMTP plugin (WP Mail SMTP and its cousins), the credentials stored in its settings are a prize; an attacker who reads them can send authenticated mail through your provider from anywhere, no script on your server required. Rotate that SMTP password during cleanup, always.

Look at your plugins list for anything you didn't install, and at wp_users for administrators you don't recognize, since a spare admin account is the most durable backdoor there is. Contact-form plugins are worth a version check against their changelogs; several popular ones have patched header-injection or file-upload bugs over the years, and "I never updated the form plugin" is a sentence I hear on a lot of these cases. If any of this inspection feels over your head, my malware removal service does it daily, and a $19.95 Simple Inspection will tell you conclusively whether a mailer is present before you commit to anything.

How fast does mail get back to normal?

Once the sending stops, most blacklist entries clear within a few days of a proper request, and some expire on their own inside a week. Reputation with the big mailbox providers, Gmail and Microsoft especially, rebuilds more gradually; expect a couple of weeks of your mail being treated with suspicion even after every list shows green. Keep sending normal, low-volume, wanted mail during that window and it recovers.

If you'd rather hand the whole mess over, the cleanup side is exactly what my Bulletproof Cleaning package ($195) covers, and the delisting side is my blacklist removal service. I've walked a lot of domains back from a spam incident. The ones that recover fastest are the ones that stop the sending today instead of Friday.

Common questions

Why is my website sending spam emails?

An attacker has planted a PHP mailer script on your server, hijacked a contact form, or stolen an email password, and is sending bulk spam through your domain. The script usually arrives through an outdated plugin or theme. You will typically notice bounce messages for mail you never sent, or a warning from your hosting company about outbound spam.

How do I find the script that is sending spam from my site?

Open a few of the bounce messages and read the headers of the original mail; many servers include an X-PHP-Script header naming the exact file. Check your host's mail queue and delivery logs for the sending path, and look for PHP files inside wp-content/uploads, which should never contain executable code. Your host's support team can usually name the file too.

Will cleaning my site remove my domain from email blacklists?

No. Blacklist entries stay until they expire or you request delisting, and most lists want the spam stopped first. After cleanup, check your status on the major lists, then file delisting requests one by one, stating when the compromise was fixed. Legitimate mail usually recovers within days of delisting, though Gmail and Microsoft reputations take longer.

My host suspended my email because of spam. What do I do first?

Ask the host for the path of the sending script and the time the spam started; they almost always know. Remove the script and any backdoors, update everything, and rotate your hosting, WordPress, FTP, and email passwords. Then show the host what you removed and ask them to restore mail. Most hosts re-enable service quickly once you demonstrate a real cleanup.

How do I stop my website from being used to send spam again?

Close the entry point: update WordPress, plugins, and themes, rotate every credential, and remove any admin users you did not create. Then block PHP execution in the uploads folder, keep your forms plugin current, and set up SPF and DKIM for your domain. Ongoing monitoring helps too, since mailers are quiet and a second one can sit dormant for weeks.