When cPanel reports max defers occurring for an account, the server has detected excessive email delivery failures from that domain. This is typically caused by a compromised email account sending spam or a hacked website injecting mail. This guide covers how to investigate and resolve it from the server admin side.
# Find what the account is sending
grep "yourdomain.com" /var/log/exim_mainlog | tail -100
# Count defers vs deliveries
exigrep "yourdomain.com" /var/log/exim_mainlog | grep -c "defer"
exigrep "yourdomain.com" /var/log/exim_mainlog | grep -c "=>"
01. Check the Mail Logs
# Recent activity for the domain
grep "yourdomain.com" /var/log/exim_mainlog | tail -200
# Check for authentication (compromised password)
grep "login authenticator" /var/log/exim_mainlog | grep "yourdomain.com"
# Check for script-based sending (compromised website)
grep "cwd=/home/username" /var/log/exim_mainlog | tail -50
# See which script is sending
grep "X-PHP-Originating-Script" /var/log/exim_mainlog | grep "username"
02. Identify the Source
Compromised Email Account
If you see authenticated SMTP sessions sending to many different recipients:
# Find which email address is authenticating
grep "A=dovecot" /var/log/exim_mainlog | grep "yourdomain.com" | \
awk '{print $6}' | sort | uniq -c | sort -rn | head
Compromised Website/Script
If you see cwd=/home/username/public_html in the log lines:
# Find the exact PHP script sending mail
grep "cwd=/home/username" /var/log/exim_mainlog | \
grep "X-PHP-Originating-Script" | awk -F'X-PHP-Originating-Script: ' '{print $2}' | \
sort | uniq -c | sort -rn
Forwarder Loops
# Check for forwarding issues
grep "router=virtual" /var/log/exim_mainlog | grep "yourdomain.com" | grep "defer"
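The checks in steps 01 and 02 can be combined into a single pass over the log. The script below is an added example, not part of the original article: it counts authenticated senders, script working directories, and the deliveries and deferrals that belong to the account's own message IDs, which goes slightly beyond the per-pattern greps above. The names `defer_triage` and `sample_log` are hypothetical; it assumes the default `date time id flag ...` line layout (no `+pid` selector) and that `cwd=` lines are being logged.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage: defer_triage LOGFILE DOMAIN USERNAME   (LOGFILE "-" reads stdin)
defer_triage() {
  awk -v d="$2" -v u="$3" '
    function ends(s, t) { return substr(s, length(s) - length(t) + 1) == t }
    $4 == "<=" {
      # Remember IDs of messages accepted from the domain or the local user
      # so later delivery and deferral lines can be attributed to them.
      mine = ends($5, "@" d)
      for (i = 6; i <= NF; i++) {
        if ($i == ("U=" u)) mine = 1
        # Authenticated submission: find the A=dovecot_*:login token wherever
        # it sits on the line instead of assuming a field number.
        if ($i ~ /^A=dovecot/ && ends($i, "@" d)) {
          sub(/^A=[^:]*:/, "", $i); auth[$i]++; mine = 1
        }
      }
      if (mine) id[$3] = 1
    }
    # Script submission: Exim logs the working directory of the local caller.
    index($3, "cwd=/home/" u "/") == 1 || $3 == ("cwd=/home/" u) { cwd[substr($3, 5)]++ }
    $4 == "=>" && ($3 in id) { delivered++ }
    $4 == "==" && ($3 in id) { deferred++ }
    END {
      for (a in auth) print "auth", auth[a], a
      for (c in cwd) print "cwd", cwd[c], c
      print "delivered", delivered + 0
      print "deferred", deferred + 0
    }' "$1" | sort -k1,1 -k2,2nr
}

# Constructed sample log lines (not real traffic).
sample_log() {
cat <<'EOF'
2026-03-01 10:00:01 1rAAAA-0000aa-01 <= sales@yourdomain.com H=(pc) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:sales@yourdomain.com S=2048 for a@example.net
2026-03-01 10:00:02 1rAAAA-0000aa-01 == a@example.net R=dkim_lookuphost T=dkim_remote_smtp defer (-44): SMTP error
2026-03-01 10:00:03 1rAAAB-0000aa-02 <= sales@yourdomain.com H=(pc) [203.0.113.5]:51240 P=esmtpsa A=dovecot_login:sales@yourdomain.com S=2050 for b@example.net
2026-03-01 10:00:04 1rAAAB-0000aa-02 => b@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [198.51.100.7]
2026-03-01 10:00:05 cwd=/home/username/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2026-03-01 10:00:05 1rAAAC-0000aa-03 <= username@host.example.com U=username P=local S=900 for c@example.org
2026-03-01 10:00:06 1rAAAC-0000aa-03 == c@example.org R=dkim_lookuphost T=dkim_remote_smtp defer (-53): retry time not reached
2026-03-01 10:00:07 1rAAAD-0000aa-04 <= info@otherdomain.test H=(x) [203.0.113.9]:4000 P=esmtpsa A=dovecot_plain:info@otherdomain.test S=100 for d@example.org
2026-03-01 10:00:08 1rAAAD-0000aa-04 == d@example.org R=dkim_lookuphost T=dkim_remote_smtp defer (-44): SMTP error
EOF
}

if [ "$#" -eq 3 ]; then defer_triage "$@"; fi
```

A high `auth` count for one mailbox points at a stolen password, while `cwd` entries under `public_html` point at a script; deferrals for other domains on the server are excluded from the totals.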
03. Remediation Steps
- If compromised email account: change the password immediately in WHM or cPanel
# Or via command line
/scripts/realchpass username@yourdomain.com 'newStrongPassword'
- If compromised website: suspend the script or scan for malware
# Find and quarantine the malicious script
chmod 000 /home/username/public_html/path/to/malicious.php
# Run ClamAV scan
clamscan -ri /home/username/public_html/
- Flush the mail queue for that account:
# Delete all queued mail from the domain
exiqgrep -i -f "yourdomain.com" | xargs exim -Mrm
- Reset the defer counter - cPanel tracks this hourly. The counter resets on its own, but you can clear it:
rm -f /var/cpanel/email_send_limits/yourdomain.com
Increasing the defer limit without fixing the root cause will damage the server's IP reputation and potentially get the entire server blacklisted. Always fix the source of the spam first.
04. Adjusting Defer Limits
The defer limit is configured in WHM:
- WHM > Tweak Settings > search "defer"
- Max defers - default is typically 5-10 per hour per domain
- Per-account override - in WHM > Email > Mail Delivery Reports, you can adjust limits per domain
On CloudLinux servers with LVE, you can also control email rate limits per account via /etc/container/ve.cfg.
Quick Recap
- Check exim logs to identify what is sending
- Determine source - compromised email, hacked script, or forwarder loop
- Fix the source - change password, quarantine script, or fix forwarder
- Flush the queue to remove spam from the outbound queue
- Monitor to ensure the issue does not recur
Last updated March 2026
