There was someone using my WHMCS system to send SPAM email. Here are the steps:
1. register many accounts and login
2. modify the first name and last name with the spam contents, such as First name -" $50 Gift Card for Amazon" Last name -" Contact **@**.** to get it for free"
3. change the email address
4. resend email verification email
Then the target email address will receive the spam email contain the frist name and last name. And then repeat with step 3 and 4.
There should be a restriction for every single IP to limit account registration number and email sending number.