Web Hosting Talk

How do I find this stupid spammer?! Please help :(


jasonX
01-01-2003, 04:57 PM
How do I find the spammer on my server. All I have to go on is the below.

---------- Forwarded message ----------
Return-Path: <akagire@yahoo.com>
Received: from SUPER1.MYSERVER.COM (host002.myhostcompany.net [204.216.128.2] (may
be forged))
by util.inch.com (8.12.6/8.12.6/UTIL-INCH-3.0.9) with ESMTP id
h01A4KLW026458
for <@inch.com>; Wed, 1 Jan 2003 05:04:20 -0500 (EST)
(envelope-from akagire@yahoo.com)
Received: from [200.60.181.66] (helo=mx2.mail.yahoo.com)
by SUPER1.MYSERVER.COM with esmtp (Exim 3.36 #1)
id 18IZst-0004Yo-00; Sun, 01 Dec 2002 12:36:13 -0700
Message-ID: <000005630a28$00003f2b$0000378e@mx2.mail.yahoo.com>
To: <Undisclosed.Recipients>
From: "Sales" <akagire@yahoo.com>
Subject: Our DVD Selection has Increased! All Free!
LL
Date: Sun, 01 Dec 2002 14:36:59 -1700
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: akagire@yahoo.com
X-AntiAbuse: This header was added to track abuse,
please include it with any abuse report
X-AntiAbuse: Primary Hostname - SUPER1.MYSERVER.COM
X-AntiAbuse: Original Domain - inch.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [0 0]
X-AntiAbuse: Sender Address Domain - yahoo.com
-----------------------------------------------------------------

Now, I looked at the only section that can't be forged, the 'received' section. And I located all the messages that exim had logged with the id 18IZst-0004Yo-00, which included three files.

18IZst-0004Yo-00
18IZst-0004Yo-00-H
18IZst-0004Yo-00-D

None of which really helped. The first one had the logs of the results of sending the e-mails. The second had the list of e-mails to send to, and the forged headers, and the third was the body of the e-mail. None of which led me to who is SENDING the spam. Please, someone help me.

I've already tried locating any spam scripts on the server. Can't find any. So what would you guys do to catch this stupid spammer?

Thanks a lot to anyone who can share their thoughts on how to catch this SOB.
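
The point in the post that the Received: section is the only part that can't be forged is worth making concrete. The following is an added example, not code from the thread: it unfolds the quoted headers, walks the Received: chain from the bottom (earliest hop) upward, and reports the hop at which the message first entered the poster's own machine, together with the one thing that hop cannot lie about, the peer IP address the MTA recorded. The header sample is the one from the post, re-folded with leading whitespace on continuation lines; the list of "my hosts" is an assumption.

```python
import re

# Constructed sample: the headers quoted in the post above, re-folded with
# leading whitespace on continuation lines as an MTA would write them.
SAMPLE_HEADERS = """\
Return-Path: <akagire@yahoo.com>
Received: from SUPER1.MYSERVER.COM (host002.myhostcompany.net [204.216.128.2] (may
 be forged))
 by util.inch.com (8.12.6/8.12.6/UTIL-INCH-3.0.9) with ESMTP id
 h01A4KLW026458
 for <@inch.com>; Wed, 1 Jan 2003 05:04:20 -0500 (EST)
 (envelope-from akagire@yahoo.com)
Received: from [200.60.181.66] (helo=mx2.mail.yahoo.com)
 by SUPER1.MYSERVER.COM with esmtp (Exim 3.36 #1)
 id 18IZst-0004Yo-00; Sun, 01 Dec 2002 12:36:13 -0700
Message-ID: <000005630a28$00003f2b$0000378e@mx2.mail.yahoo.com>
From: "Sales" <akagire@yahoo.com>
Subject: Our DVD Selection has Increased! All Free!
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+([^\s;]+)", re.I)


def unfold_headers(raw):
    """Join RFC 2822 continuation lines (leading space/tab) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(header):
    """Pull the fields a tracer needs out of one unfolded Received: header."""
    frm = FROM_RE.search(header)
    helo = HELO_RE.search(header)
    ip = IP_RE.search(header)
    by = BY_RE.search(header)
    mid = ID_RE.search(header)
    from_token = frm.group(1) if frm else ""
    return {
        # what the client said in HELO/EHLO: freely forgeable
        "claimed": helo.group(1) if helo else from_token,
        # the TCP peer address the receiving MTA actually saw: not forgeable
        "ip": ip.group(1) if ip else None,
        # Exim writes "from [ip]" with no name when reverse DNS gave nothing
        "from_is_literal": from_token.startswith("["),
        "by": by.group(1) if by else None,
        "id": mid.group(1) if mid else None,
        # sendmail's own reverse-DNS mismatch warning on the hop
        "forged_flag": "may be forged" in header,
    }


def trace_hops(raw_headers, my_hosts):
    """Return the hops oldest-first and the hop where the mail entered my_hosts."""
    hops = [parse_received(h) for h in unfold_headers(raw_headers)
            if h.lower().startswith("received:")]
    hops.reverse()  # the bottom-most Received: header is the earliest hop
    mine = {h.lower() for h in my_hosts}
    entry = next((h for h in hops if h["by"] and h["by"].lower() in mine), None)
    return hops, entry


def suspicious_helo(hop):
    """A client with no reverse DNS that claims to be someone else's mail host."""
    return hop["from_is_literal"] and hop["claimed"] not in (None, hop["ip"])


if __name__ == "__main__":
    hops, entry = trace_hops(SAMPLE_HEADERS, ["SUPER1.MYSERVER.COM"])  # assumed hostname list
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: {hop['ip']} (claims {hop['claimed']}) -> {hop['by']} id {hop['id']}")
    if entry:
        print("entered my server from", entry["ip"],
              "(HELO name does not match a nameless client)" if suspicious_helo(entry) else "")
```

Run against the sample, the entry hop is the Exim line: peer 200.60.181.66 announcing itself as mx2.mail.yahoo.com with no reverse DNS, which is the address to carry into the server-side logs rather than anything in From:, Reply-To: or Message-ID:.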

eddy2099
01-01-2003, 08:33 PM
I am not sure if this helps but if you have WHM installed, look under 'Email Statistics' option, there is something called 'Relayed Messages' within that report. This should show all the mails which were relayed through your server. You should be able to find some information from there, I hope.

jasonX
01-01-2003, 08:59 PM
Hi, Thanks for responding.

I looked at the relayed messages area. And I don't see anything
off the bat that will help me find the spammer. Could you tell me
anything specific I should look for? I did a search through the relayed messages statistics for the IP 200.60.181.66 that was in the e-mail's header, and also for akagire@yahoo.com, and also for any e-mails that were in the list that was in the text file I talked about above. What should I be looking for?

Thank you very much for your help. I really need to catch this guy.

eddy2099
01-01-2003, 09:11 PM
Is Inch.com one of the domains found on your server?

In any case, you could shell into your server and check under /var/log/ for the exim logs. That should give you some clue as to what has happened.

I hope that helps.

jasonX
01-01-2003, 10:03 PM
Inch.com is the domain that forwarded the spam to me. I've looked through the exim logs, but I don't know exactly what I am looking for. I can see e-mail being sent all over the place, and spam being sent, but I can't see from where. Is there anything particular I can look for?

eddy2099
01-01-2003, 11:35 PM
I see what you mean. The exim logs would be useful in determining if the email was made through your server or not. If it shows up as virtual delivery then it would be sent by someone who mailed out via client-based software which is not located on your server, but I would suppose they would appear at the 'mail relay' site.

Usually an email sent through the server via a script would be sent through root or localhost and that should be reflected in the email.

If you take the email ticket number, you could trace within the exim_mainlog which IP address was used to send the mail and some other information.

If you could merge the date and time with the SMTP login by looking at the maillog, you might be able to pinpoint at what time and by whom the mail was sent. That is assuming you have POP before SMTP enabled.

If you check the mail statistics, you can see at which time the breach took place; this would usually show as a high number of emails sent at that point in time.

If there is an open relay then probably it is harder to detect. Another telltale sign would be to read the contents of the emails; sometimes the poster would place a legitimate email address, URL or phone number, especially in this case when they are trying to sell something.

If you cannot find any trace, it might be possible that the mail was not sent through your host but by something tagging your email address to it or something.

I am not good at this thing and I am sure some experts out here would be able to assist you better.

Sorry.
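
The suggestion above to take the ticket number into exim_mainlog and read off the sending address, and to look for the hour in which the volume spikes, as an added example that is not from the thread: it indexes main-log lines by Exim message id, separates messages that arrived over SMTP from a remote peer (H= address) from ones injected locally by a script user (U= with P=local), counts arrivals per hour, and ranks remote sources by message count. The log lines are constructed in the general style of Exim's main log; only the IP address, message id and sender from the post are taken from the thread, every other address is made up, and the field names assumed are the usual H=, P=, U=, A= and S=.

```python
import re
from collections import Counter

# Constructed sample in the style of exim_mainlog: two arrivals from the peer
# address in the post, one local submission by an unprivileged script user,
# and their deliveries. Recipient domains are reserved example domains.
SAMPLE_MAINLOG = """\
2002-12-01 12:36:13 18IZst-0004Yo-00 <= akagire@yahoo.com H=[200.60.181.66] P=esmtp S=2875 id=000005630a28$00003f2b$0000378e@mx2.mail.yahoo.com
2002-12-01 12:36:14 18IZst-0004Yo-00 => someone@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.7]
2002-12-01 12:36:14 18IZst-0004Yo-00 -> another@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.7]
2002-12-01 12:36:15 18IZst-0004Yo-00 Completed
2002-12-01 12:37:02 18IZtg-0004Yp-00 <= akagire@yahoo.com H=[200.60.181.66] P=esmtp S=2875 id=000005630a28$00003f2c$0000378e@mx2.mail.yahoo.com
2002-12-01 12:37:03 18IZtg-0004Yp-00 => third@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2002-12-01 12:37:03 18IZtg-0004Yp-00 Completed
2002-12-01 13:05:44 18Ja0k-0004Zz-00 <= nobody@super1.myserver.com U=nobody P=local S=1180
2002-12-01 13:05:45 18Ja0k-0004Zz-00 => owner@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.5]
2002-12-01 13:05:45 18Ja0k-0004Zz-00 Completed
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) ?(?P<rest>.*)$")
DELIVERY_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) (?:=>|->) (?P<rcpt>\S+)")
FIELD_RE = re.compile(r"\b([A-Z])=(\S+)")          # single-letter fields: H= P= U= A= S=
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_mainlog(lines):
    """Index the log by Exim message id: where each message came from and went."""
    msgs = {}
    for line in lines:
        a = ARRIVAL_RE.match(line)
        if a:
            fields = dict(FIELD_RE.findall(a.group("rest")))
            ip = IP_RE.search(a.group("rest"))
            msgs[a.group("id")] = {
                "time": a.group("ts"),
                "sender": a.group("sender"),          # envelope sender (forgeable)
                "ip": ip.group(1) if ip else None,    # H= peer address for remote SMTP
                "proto": fields.get("P"),             # esmtp/smtp, or local
                "user": fields.get("U"),              # local Unix user that submitted it
                "auth": fields.get("A"),              # SMTP AUTH id, if any
                "recipients": [],
                "raw": [line],
            }
            continue
        d = DELIVERY_RE.match(line)
        if d and d.group("id") in msgs:
            msgs[d.group("id")]["recipients"].append(d.group("rcpt"))
            msgs[d.group("id")]["raw"].append(line)
    return msgs


def origin(msg):
    """One-line verdict on how the message got into the queue."""
    if msg["ip"]:
        who = f"remote {msg['proto']} client {msg['ip']}"
        return who + (f" authenticated as {msg['auth']}" if msg["auth"] else " (no SMTP AUTH)")
    if msg["user"]:
        return f"local submission as user {msg['user']} (a script or cron job on this box)"
    return "unknown origin"


def arrivals_per_hour(lines):
    """Count '<=' arrivals per hour; a spam run shows up as one crowded hour."""
    counts = Counter()
    for line in lines:
        a = ARRIVAL_RE.match(line)
        if a:
            counts[a.group("ts")[:13]] += 1
    return counts


def top_sources(msgs):
    """Remote peer addresses ranked by the number of messages they injected."""
    return Counter(m["ip"] for m in msgs.values() if m["ip"]).most_common()


if __name__ == "__main__":
    lines = SAMPLE_MAINLOG.splitlines()
    msgs = parse_mainlog(lines)
    for mid, m in msgs.items():
        print(mid, m["time"], origin(m), "->", len(m["recipients"]), "recipient(s)")
    print("arrivals per hour:", dict(arrivals_per_hour(lines)))
    print("top remote sources:", top_sources(msgs))
```

Reading the two verdicts side by side is the distinction the post draws: a message whose arrival line carries H= and an esmtp protocol came in over the network from that peer (an open relay or a stolen login, depending on whether A= is present), whereas one with U= and P=local was handed to Exim by a process on the box itself, which points back at a script under some account.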

Annette
01-02-2003, 01:44 AM
It would probably be easier if you were running suexec, since the headers would be tagged with the UID of the spammer. However...

The first thing I'd do is look for the most recently set up accounts, regular or resold, on that server. Spammers do not tend to wait very long before outliving their welcome. Take a look in each new account's /cgi-bin for the typical spammish scripts. Nine times out of ten, it's someone set up within the 24 hour period immediately preceding the first spam run.
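
Annette's procedure, newest accounts first and then each account's /cgi-bin, as an added example that is not from the thread: it walks an account tree, keeps only files under a cgi-bin directory modified within a given number of hours, and reports which of a few common bulk-mailer indicators (a Perl pipe to sendmail, PHP mail(), direct SMTP libraries) each one contains. The directory layout (account/public_html/cgi-bin) and the indicator patterns are assumptions, and the demo builds a throwaway tree to run against; on a real box you would point recent_scripts at the account root such as /home instead.

```python
import os
import re
import tempfile
import time

# Indicators that commonly appear in bulk-mailer CGI scripts. A hit is a file
# worth reading by hand, not proof on its own. (Assumed pattern list.)
MAIL_INDICATORS = [
    ("perl sendmail pipe", re.compile(r"open\s*\(\s*\w+\s*,\s*[\"']\|\s*/usr/(?:sbin|lib)/sendmail", re.I)),
    ("php mail()", re.compile(r"\bmail\s*\(", re.I)),
    ("perl Net::SMTP", re.compile(r"\bNet::SMTP\b")),
    ("python smtplib", re.compile(r"\bsmtplib\b")),
]


def recent_scripts(root, max_age_hours, now=None):
    """Files under any cgi-bin below root modified within max_age_hours.

    Returns a list of (path, age_hours, matched_indicator_labels), newest first.
    """
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "cgi-bin":
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            age_h = (now - os.path.getmtime(path)) / 3600.0
            if age_h > max_age_hours:
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            matched = [label for label, pat in MAIL_INDICATORS if pat.search(body)]
            hits.append((path, round(age_h, 2), matched))
    hits.sort(key=lambda h: h[1])
    return hits


# Constructed fixture: one long-standing account with a harmless counter
# script, one brand-new account with a script that pipes into sendmail.
COUNTER_SCRIPT = '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n";\nprint 42;\n'
MAILER_SCRIPT = '#!/usr/bin/perl\nopen(MAIL, "|/usr/sbin/sendmail -t");\nprint MAIL $_ for @list;\n'


def make_demo_tree():
    """Build the throwaway account tree and return its root (hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="cgi-scan-")
    now = time.time()
    old_cgi = os.path.join(root, "oldcust", "public_html", "cgi-bin")
    new_cgi = os.path.join(root, "newcust", "public_html", "cgi-bin")
    os.makedirs(old_cgi)
    os.makedirs(new_cgi)
    counter = os.path.join(old_cgi, "counter.pl")
    with open(counter, "w") as fh:
        fh.write(COUNTER_SCRIPT)
    month_ago = now - 30 * 86400
    os.utime(counter, (month_ago, month_ago))  # backdate the old account's file
    with open(os.path.join(new_cgi, "send.cgi"), "w") as fh:
        fh.write(MAILER_SCRIPT)                # fresh file, mtime is now
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for path, age, labels in recent_scripts(root, max_age_hours=24):
        print(f"{age:8.2f}h  {path}  {', '.join(labels) or '-'}")
```

The 24-hour window mirrors the "set up within the 24 hour period immediately preceding the first spam run" heuristic; widening it to weeks turns the same sweep into a general audit of every cgi-bin on the box.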

roly
01-03-2003, 05:43 AM
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [0 0]
Hmm, UID 0 and GID 0 is root.

denisdekat
01-03-2003, 06:54 PM
Check this site out

www.dnsstuff.com. I use it for these kinds of cases. I believe the server accepted the email from Peru. Do you speak Spanish?

http://www.dnsstuff.com/tools/whois.ch?ip=200.60.181.66

Hope this helps ;)