Question IP Address Mail Blacklisted SORBS- Cannot remove

[BubbleDuck]

Hi
Forgive me as I'm quite new to this VPS stuff.
I have a plesk vps to host some websites, and I'm getting a number of my website clients contact me as people contacting them are getting email bouncebacks.
Turns out the IP address for my VPS has been added to a few blacklist. I was able to remove most however SORBS is automatically rejecting my requests with a bot and not responding to my tickets.

SORBS Response:
"Not all the IP space you requested can be delisted at this
time. Please review carefully our FAQ, located at the following URI

DUHL FAQ

For efficiency, I review segments of IP space that may be larger than
what you requested, although I will delist your IP space once it is
eligible, regardless of its surroundings. In this case, I found the
following IP space, not eligible for delisting:

XX.XX.XX.XXX (my server IP)


Please review our FAQ very carefully for actions you might need to
take. You may want to review your rDNS information for these IP
ranges. When checking the rDNS information, please don't forget to
consider the TTL. It must be 43200 seconds or longer"

I've gotten in touch with my VPS providor and they say since this is an unmanaged server, they are unable to assist.
Any help would be appreciated!

 

[Peter Debik]

What have you already tried to ensure that your server is not sending spam?

 

[BubbleDuck]

What have you already tried to ensure that your server is not sending spam?

All I have done/know to do is keeping an eye on the Mail Queue recently to check if anything is abnormal, which so far has been clear.
And in the settings (since I started the Plesk server) limited each mailbox to a max of 50 outgoing messages per hour.
Any further things I should be doing please let me know, I would be very grateful.

 

[Peter Debik]

With an outgoing mail limit set to 50, is any mailbox, domain or subscription exceeding that limit?

Another good starting point is probably the /var/log/maillog file. Try to identify some spams in there. Mostly what is logged for outgoing mail already hints at the source of the spam.

Another good source can be looking into the mail headers from the mail queue entries.

Plesk has this article that can help to find the source of spam:

https://support.plesk.com/hc/en-us/articles/12377887555479-Many-email-messages-are-sent-from-PHP-scripts-on-a-Plesk-server-How-to-find-domains-on-which-these-scripts-are-running-if-Postfix-is-used-

You could check the process list with "ps" for any unusual scripts that should not be there, for example "exim". But sometimes you'll also see some user account processes that run software they should not be running. That software can have cryptic names, so it is difficult to give specific advice what to look for. It normally won't be php, nginx, httpd, apache2, postfix. Also pay attention to anything that is run from the /tmp partition (or directory). That could also be a malware sending spam, circumventing security mechanisms.