Suspend outgoing email for a cPanel account in WHM
Goal: instantly stop a specific cPanel username from sending email to external recipients, without necessarily taking their website offline.
This is our go-to containment move during spam bursts, compromised CMS incidents, or credential leaks.
⚠️ What this does (and what it does not)
- Blocks outbound email to remote mail servers. The server rejects the message before it enters the queue.
- Local delivery can still work. Email sent to mailboxes hosted on the same server may continue to deliver.
- This is a containment lever, not a full cleanup.
When to use this
Use account-level outgoing suspension when:
- You see sudden spikes in mail queue, bounces, or spam complaints tied to one cPanel user.
- A WordPress site is compromised and sending via PHP mailer or SMTP auth.
- A mailbox password was guessed and is spraying outbound mail.
- You need to stop the bleeding first, then investigate safely.
Prerequisites
- Root access to the server (or appropriate WHM API permissions).
- The cPanel username (example:
exampleuser).
Fast path (recommended): WHM API from SSH
Suspend outgoing email
whmapi1 suspend_outgoing_email user=exampleuserUnsuspend (rollback)
whmapi1 unsuspend_outgoing_email user=exampleuser💡 Operational note
This is the cleanest control because it is account-scoped, quick to execute, and harder for the customer to bypass from inside cPanel.
Verify it worked
1. Quick API confirmation
Run the suspend command again. You should get a success response and the state remains enforced.
2. Check mail queue behavior
If the account is still trying to send, you should see rejected outbound attempts rather than growing queued deliveries.
# Check current Exim queue size
exim -bpc# Inspect the queue (top items)
exim -bp | head -n 503. Check Exim logs for the account
Typical locations:
/var/log/exim_mainlog/var/log/exim_rejectlog
Example greps:
# Search Exim logs for the cPanel username
grep -R "exampleuser" /var/log/exim_*log | tail -n 100Alternative: Suspend the entire hosting account (bigger blast radius)
If the whole account is compromised and you want a hard stop across services:
- WHM: Account Functions → Manage Account Suspension
- CLI:
whmapi1 suspendacct user=exampleuser reason="Email abuse containment"🚨 Blast radius warning
Full suspension can disrupt the website, cron jobs, FTP, and more. Use it when you want maximum containment and downtime is acceptable.
Need to block specific mailboxes too?
If local delivery must be blocked too, or only one mailbox is the problem, apply mailbox restrictions.
Suspend a single mailbox outgoing
uapi --user=exampleuser Email suspend_outgoing email='user@example.com'Hold outgoing instead of rejecting
uapi --user=exampleuser Email hold_outgoing email='user@example.com'Unsuspend / release
# Unsuspend outgoing
uapi --user=exampleuser Email unsuspend_outgoing email='user@example.com'
# Release held outgoing mail
uapi --user=exampleuser Email release_outgoing email='user@example.com'ℹ️ Choose the right mode
- Suspend = reject immediately (best for stopping spam).
- Hold = keeps messages queued (useful if you need evidence or want to review before release).
Post-containment checklist
Containment is step 1. Cleanup is step 2.
| Action | Description |
|---|---|
| Rotate passwords | cPanel, mailbox, and CMS admin passwords |
| Patch the app | Update WordPress core, themes, plugins |
| Remove malware | Delete cron jobs, PHP mailer scripts, web shells |
| Review logs | Identify sender mailbox, auth IP, script path |
| Add rate limits | Per-domain hourly limits, SMTP restrictions, WAF rules |
✅ GOZEN HOST standard
We suspend outgoing email first, then we run a structured cleanup. Fast containment reduces reputation damage and keeps the rest of the server healthy.
Related guides
- Need to set up professional email correctly from the start? Read our guide on custom business email setup - includes SPF, DKIM, and DMARC configuration.
- For a step-by-step walkthrough of managing mailboxes in cPanel, see our KB guide on setting up email accounts.
- Explore our Shared Hosting plans with built-in email hosting and security defaults.
Follow along on real infrastructure.
NVMe Gen 4 storage, LiteSpeed, 99.9% uptime SLA. Starting at $4.00/mo.
Published by the team at GOZEN HOST LLC, a Top 25 WordPress Hosting Provider for 2026 (HostAdvice). We write about infrastructure, performance, and the tools that keep your business online.
Last updated: Mar 09, 2026
