Hi hj2la96
Welcome to the InterWorx forums
I am not too sure if you have full server access, which you will need to address your issue, if I am correct in my thinking of what your issue is
I am thinking your server has been infected
I would firstly set the mail service to not autorestart if stopped
If you do not have details of one of the emails, then you will have to wait until it happens again, and then ssh into server, change to root user or sudo service send stop
Then log in to NodeWorx, system services, mail server, queue, and view one of the emails, which will tell you the form used to send it
You then run from ssh, and use find / -type f -name filename.ext
This should find the file and you can delete it
Also, if you run top, I wonder if you’ll see a lot of perl being used by one or more of your SiteWorx accounts; if so, these are the perl scripts the infection is using, so run killall -9 perl to stop them
I do not believe it is email being sent through your server by normal email but by a mail form on your hosting, given what you’ve posted.
So
Do you have full root access to server?
Have you installed rkhunter?
Have you installed maldet?
Have you installed BFD?
Is your server updated to the latest updates for your distro?
Have you stopped direct root access by ssh login?
If you want to post the email detail, that would help, but if it is what I think it is, you may not be able to fully clean the server, and therefore your only real option, if I am correct, would be a full clean install from a trusted source
I hope that helps and sorry if I am wrong
Many thanks
John
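
Added example, not part of John's post: when many messages are sitting in the queue, the "view one of the emails to see which form sent it" step can be done in bulk by tallying the X-PHP-Originating-Script header across saved copies of the messages. It assumes the form is a PHP script and that PHP's mail.add_x_header setting is on; the function names and the sample messages are constructed for illustration.

```bash
#!/usr/bin/env bash
# Tally which PHP script generated each message in a directory of saved mail.
# Assumption: PHP mail.add_x_header is enabled, so PHP-generated mail carries
#   X-PHP-Originating-Script: <uid>:<script name>

# Print "<count> <uid>:<script>" per originating script, busiest first.
tally_origin_scripts() {
    find "$1" -type f -exec awk '
        { sub(/\r$/, "") }               # tolerate CRLF line endings
        FNR == 1 { hdr = 1 }             # each file starts in its header block
        hdr && $0 == "" { hdr = 0 }      # first blank line ends the headers
        hdr && tolower($0) ~ /^x-php-originating-script:/ {
            sub(/^[^:]*:[ \t]*/, "")     # drop the header name, keep uid:script
            print
        }
    ' {} + | sort | uniq -c | sed 's/^ *//' | sort -k1,1nr -k2
}

# Constructed sample data: five small messages in a temporary directory.
make_sample_queue() {
    d=$(mktemp -d)
    for i in 1 2 3; do
        printf 'To: a%s@example.com\nX-PHP-Originating-Script: 1001:contact.php\n\nbody\n' \
            "$i" > "$d/msg$i"
    done
    printf 'To: b@example.com\r\nX-PHP-Originating-Script: 1002:form.php\r\n\r\nbody\r\n' \
        > "$d/msg4"
    # Header-looking text inside a message body must not be counted.
    printf 'To: c@example.com\n\nX-PHP-Originating-Script: 1003:decoy.php\n' > "$d/msg5"
    echo "$d"
}

sample=$(make_sample_queue)
tally_origin_scripts "$sample"
rm -rf "$sample"
```

The uid in front of the script name is the system user the script ran as, which narrows the find / -type f -name search to one account's files.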